1. Parties
This Data Processing Agreement ("DPA") forms part of the LaunchPulse Terms of Service between Customer (the "Controller") and LaunchPulse Inc. (the "Processor"). It governs LaunchPulse's processing of personal data on Customer's behalf in connection with the Service.
2. Roles + scope
Customer is the data controller for personal data processed via the Service. LaunchPulse is the data processor and processes personal data only on Customer's documented instructions, including instructions in Customer's order form and account configuration.
Scope of processing: identification and engagement of B2B prospects for the purpose of Customer's outbound GTM activities. Duration: for as long as Customer maintains an active subscription, plus 90 days for data export.
3. Security measures
LaunchPulse implements the following technical and organizational measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Role-based access control with least-privilege defaults
- Multi-factor authentication required for all production access
- Annual penetration testing by an accredited third party
- SOC 2 Type II in progress (target: Q3 2026)
- Documented incident response procedures with 24-hour notification commitment
- Vendor risk assessments for every subprocessor before onboarding
4. Subprocessors
LaunchPulse engages the following subprocessors to deliver the Service. Customer hereby provides general authorization for the subprocessors listed below. LaunchPulse will give at least 30 days' notice before adding or replacing a subprocessor, during which Customer may object on reasonable grounds.
| Subprocessor | Purpose | Region |
|---|---|---|
| Anthropic | LLM inference (draft generation, classification) | United States |
| Supabase | Database + auth | European Union (eu-west-1) |
| Railway | Workflow orchestration + compute | United States |
| Perplexity | Public-signal research | United States |
| Apollo | B2B contact + firmographic enrichment | United States |
| Unipile | LinkedIn outbound execution | European Union |
| Smartlead | Email delivery infrastructure | United States |
| Plausible | Privacy-preserving analytics | European Union (Germany) |
5. International transfers
Where personal data is transferred outside the EEA or UK, transfers are made under the EU Standard Contractual Clauses (Commission Decision 2021/914/EU) or, where applicable, the UK International Data Transfer Addendum. LaunchPulse performs Transfer Impact Assessments for each subprocessor handling EU/UK data in third countries.
6. Standard Contractual Clauses
The EU SCCs (Module 2: controller-to-processor) are deemed incorporated into this DPA by reference, with LaunchPulse as the data importer and Customer as the data exporter. The optional docking clause is included to permit accession of third-party Customer affiliates.
7. Incident response
LaunchPulse notifies Customer without undue delay (and in any event within 24 hours of becoming aware) of any personal data breach affecting Customer Data. Notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the remediation measures taken or proposed.
8. Audit + assistance
Customer may audit LaunchPulse's compliance with this DPA no more than once per year (more frequently in case of a substantiated incident), with 30 days' written notice. LaunchPulse will provide reasonable assistance to Customer in responding to data subject rights requests, DPIAs, and prior consultations with supervisory authorities.
For DPA-related questions, contact privacy@launchpulse.io.