
GDPR Information

Effective date: January 20, 2026

Subprocessor Information:

If you would like to receive notifications whenever our sub-processors change please fill out this form.

You can find more information on all of Pulley's sub-processors at this link.

Data Processing Addendum:

PULLEY CUSTOMER DATA PROCESSING ADDENDUM (DPA)

This Data Processing Addendum ("DPA") supplements the SaaS Services Agreement, Master Services Agreement, or other agreement governing Customer’s use of Pulley’s services (the "Agreement"), entered into by and between Prolific Labs, Inc. d/b/a Pulley ("Pulley", "Company", or "Processor") and the customer identified in the Agreement ("Customer" or "Controller"). Capitalized terms not defined in this DPA have the meanings set forth in the Agreement.

This DPA applies where Pulley processes Personal Data on behalf of Customer in connection with the Services. If Customer is itself a processor on behalf of a third-party controller, Pulley will act as a sub-processor to Customer for such processing, as described herein.

1. Definitions

"Affiliate" means an entity that directly or indirectly Controls, is Controlled by, or is under common Control with a party, where "Control" means ownership of more than fifty percent (50%) of the voting interests (or equivalent).

"Customer Personal Data" means Personal Data that Customer provides to Pulley (or that Pulley processes at Customer’s direction) in the course of providing the Services, and that is subject to applicable Data Protection Laws.

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including as applicable: (i) the EU GDPR; (ii) the UK GDPR and UK Data Protection Act 2018; (iii) the Swiss Federal Act on Data Protection; and (iv) the CCPA/CPRA, in each case as amended, replaced, or superseded from time to time.

"EEA" means the European Economic Area.

"Personal Data" has the meaning given under applicable Data Protection Laws.

"Personal Data Breach" means any unlawful or unauthorized breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data on systems managed or otherwise controlled by Pulley.

"Services" means the Pulley SaaS platform and related services provided under the Agreement.

"Subprocessor" means any third party engaged by Pulley (including Affiliates) to process Customer Personal Data in connection with the Services.

"EU SCCs" means the standard contractual clauses approved by the European Commission in Commission Implementing Decision (EU) 2021/914 dated 4 June 2021, as may be amended or updated from time to time.

"UK Addendum" means the UK ICO International Data Transfer Addendum to the EU SCCs (issued and laid before Parliament in February 2022), as may be amended or updated from time to time.

"SCCs" means the EU SCCs and, as applicable, the UK Addendum (together, where applicable, the "Standard Contractual Clauses").

"Account Data" means personal data relating to Pulley’s relationship with Customer, including names and contact information of Customer’s authorized users and billing/administrative contacts.

"Usage Data" means aggregated and de-identified analytics and metrics about use of the Services that cannot reasonably be linked to an identified or identifiable individual.

2. Roles of the Parties; Scope

2.1 Customer is the controller of Customer Personal Data and Pulley is the processor of Customer Personal Data, except as expressly set forth in Section 12 (Pulley as Independent Controller). Where Customer is a processor on behalf of another controller, Pulley will act as a sub-processor.

2.2 Customer is responsible for: (a) providing lawful instructions to Pulley; (b) ensuring a valid legal basis for processing and transfer of Customer Personal Data; and (c) providing required notices and obtaining required consents. Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.

2.3 Pulley will process Customer Personal Data only (a) to provide, maintain, and support the Services; (b) in accordance with the Agreement, this DPA, and Customer’s documented instructions; and (c) as required by applicable law. The parties agree that the Agreement, including this DPA, along with the Customer’s configuration of or use of any settings, features, or options in the Service (as the Customer may be able to modify from time to time) constitute the Customer’s complete and final instructions to Pulley in relation to the processing of Customer Data (including for the purposes of the SCCs), and processing outside the scope of these instructions (if any) shall require prior written agreement between the parties. If Pulley is required by law to process Customer Personal Data beyond Customer’s instructions, Pulley will notify Customer unless prohibited by law.

2.4 The subject matter, nature, purpose, duration of processing, categories of data subjects, and types of Personal Data are set out in Exhibit A (Details of Processing).

3. Pulley’s Obligations as Processor

3.1 Pulley will comply with its obligations as a processor under applicable Data Protection Laws with respect to Customer Personal Data.

3.2 Pulley will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.

3.3 Pulley will implement and maintain appropriate technical and organizational measures ("TOMs") designed to protect Customer Personal Data, as described in Exhibit C.

3.4 Pulley will limit access to Customer Personal Data to personnel who require access to perform the Services and are bound by confidentiality obligations; access will be granted on a least-privilege and need-to-know basis.

3.5 Pulley will not sell Customer Personal Data or share Customer Personal Data for cross-context behavioral advertising, as those terms are defined under CCPA/CPRA.

4. Subprocessors

4.1 Customer grants Pulley a general written authorization to engage Subprocessors or process Customer Personal Data to assist Pulley in fulfilling its obligations with respect to providing the Services.

4.2 Pulley maintains an online list of current Subprocessors at https://pulley.com/gdpr (the "Subprocessor List"). Pulley may update the Subprocessor List from time to time.

4.3 Pulley will provide at least ten (10) days’ prior notice before adding or replacing a Subprocessor if Customer opts in to receive such email notifications at https://pulley.com/gdpr. Customer may object in writing on reasonable data protection grounds within fifteen (15) days after the notice. If the parties cannot resolve the objection within a commercially reasonable period, Customer may discontinue use of the affected Service as its sole and exclusive remedy for that Subprocessor change.

4.4 Pulley shall: (i) enter into a written agreement with each Subprocessor containing data protection obligations that provide at least the same level of protection for Customer Personal Data as those in this DPA, to the extent applicable to the nature of the service provided by such Subprocessor; and (ii) remain responsible for such Subprocessor’s compliance with the obligations of this DPA and for any acts or omissions of such Subprocessor that cause Pulley to breach any of its obligations under this DPA. Customer acknowledges and agrees that, where applicable, Pulley fulfills its obligations under Clause 9 of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) by complying with this Section 3 and that Pulley may be prevented from disclosing Subprocessor agreements to Customer due to confidentiality restrictions but Pulley shall, upon request, use reasonable efforts to provide Customer with all relevant information it reasonably can in connection with Subprocessor agreements.

5. Security of Processing

5.1 Pulley will maintain a level of security appropriate to the risk, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing in accordance with Pulley’s Technical and Organizational Measures (“TOMs”) as described in Exhibit C.

5.2 Customer is responsible for reviewing the information made available by Pulley relating to data security and making an independent determination as to whether the Service meets Customer’s requirements and legal obligations under Data Protection Laws. Pulley may update its TOMs from time to time, provided such updates do not materially diminish the overall level of protection for Customer Personal Data.

5.3 Customer responsibilities. Notwithstanding the above, Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Service, including securing its account authentication credentials, protecting the security of Customer Personal Data when in transit to and from the Service, and taking any appropriate steps to securely encrypt or backup any Customer Data uploaded to the Service.

6. Data Subject Requests

6.1 If Pulley receives a request from a data subject relating to Customer Personal Data, Pulley will, where reasonably possible and legally permissible, direct the data subject to Customer. Pulley will not respond directly except as required by law.

6.2 Taking into account the nature of the processing, Pulley will provide commercially reasonable assistance to Customer to enable Customer to respond to data subject requests, to the extent required by Data Protection Laws.

7. Assistance with DPIAs and Supervisory Authorities

Pulley will provide reasonable assistance to Customer, at Customer’s request, in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Data Protection Laws and limited to the processing of Customer Personal Data by Pulley.

8. Personal Data Breach

8.1 Upon becoming aware of a Personal Data Breach, Pulley shall: (i) notify Customer without undue delay; (ii) provide Customer with information, subject to Pulley's privacy and data security policies, confidentiality and legal requirements, as may be reasonably necessary to assist Customer with its notification and reporting responsibilities; and (iii) take appropriate steps to identify the cause of the Personal Data Breach and minimize and secure the Customer Personal Data, to the extent remediation is within Pulley's reasonable control. Pulley’s notification of or response to a Personal Data Breach under this DPA shall not be construed as an acknowledgment by Pulley of any fault or liability with respect to the Personal Data Breach. Pulley will not assess the contents of Customer Personal Data to identify any specific reporting or other legal obligations that are applicable to the Customer. Any and all regulatory and/or data subject reporting obligations related to the Personal Data Breach are the responsibility of the Customer. Notification(s) of any Personal Data Breach(es) by Pulley shall be delivered to the notification email or address provided in the Agreement. Customer is solely responsible for ensuring that the notification contact details (e.g., phone and email) are valid and accurate.

9. Deletion or Return of Data

9.1 Upon termination or expiration of the Agreement, Pulley shall take reasonable measures to provide tools for Customer (at Customer’s election) to delete or return to Customer all Customer Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Pulley is required by applicable law or industry rules to retain some or all of the Customer Personal Data, or to Customer Data it has archived on back-up systems, which Customer Personal Data Pulley shall securely isolate, protect from any further processing and eventually delete in accordance with Pulley’s deletion policies, except to the extent required by applicable law. The parties agree that the certification of deletion of Customer Personal Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) shall be provided by Pulley to Customer only upon Customer’s written request.

10. International Transfers and SCCs

10.1 Customer acknowledges that Pulley’s primary processing operations occur in the United States and that Customer Personal Data may be transferred from the EEA, the United Kingdom, or Switzerland to the United States or other countries not subject to an adequacy decision, as necessary to provide the Services. Pulley shall at all times ensure that such transfers are made in compliance with the requirements of Data Protection Laws and this DPA.

10.2 Where required by Data Protection Laws, the EU SCCs are incorporated into this DPA by reference and completed as set forth in Exhibit B and Exhibit C. The parties agree that: (i) if and to the extent the terms contained in the EU SCCs conflict with any provision of this DPA, the terms of the SCCs shall prevail to the extent of such conflict; (ii) the execution of this DPA shall constitute execution of the applicable EU SCCs as of the effective date hereof; and (iii) the relevant selections, terms, and modifications set forth in Exhibit B, Exhibit C and Exhibit D shall apply, as applicable. In no event does this DPA restrict or limit the rights of any Data Subject or of any supervisory authority.

10.3 For transfers subject to the UK GDPR, the UK Addendum is incorporated and completed as set forth in Exhibit D.

10.4 Transfers from Switzerland are made pursuant to the EU SCCs as modified in Exhibit B (Swiss Addendum section).

10.5 To the extent that Pulley is a recipient of Customer Data protected by the Australian Privacy Law, the parties acknowledge and agree that Pulley may transfer such Customer Personal Data outside of Australia as permitted by the terms agreed upon by the parties and subject to Pulley complying with this DPA and the Australian Privacy Law.

10.6 If a transfer mechanism becomes invalid or is replaced, the parties will cooperate in good faith to implement an alternative lawful transfer mechanism.

10.7 To the extent Pulley adopts an alternative lawful data transfer mechanism for the transfer of European Data not described in this DPA (“Alternative Transfer Mechanism”), the Alternative Transfer Mechanism shall apply instead of the transfer mechanisms described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with applicable European Data Protection Laws and extends to the countries to which European Data is transferred). In addition, if and to the extent that a court of competent jurisdiction or supervisory authority orders (for whatever reason) that the measures described in this DPA cannot be relied on to lawfully transfer European Data (within the meaning of applicable European Data Protection Laws), Pulley may implement any additional measures or safeguards that may be reasonably required to enable the lawful transfer of European Data.

11. CCPA/CPRA

This section applies to Customer Personal Data that is subject to the CCPA/CPRA only.

To the extent the CCPA/CPRA applies and Customer is a "business", Pulley acts as a "service provider" and/or "contractor" and will not sell or share Customer Personal Data (as those terms are defined under CCPA/CPRA). Pulley will not retain, use, or disclose Customer Personal Data: (i) for any purposes other than as necessary to provide the Services; (ii) for any commercial purpose other than providing the Services; or (iii) outside of the direct business relationship between Customer and Pulley. If Pulley is unable to comply with the terms of the CCPA/CPRA, Pulley shall promptly notify Customer. Customer has the right to take reasonable and appropriate steps to stop and remediate Pulley’s unauthorized processing of any Customer Personal Data.

12. Canada

To the extent Pulley is a recipient for Customer Personal Data protected by Canadian Privacy Law, the following apply:

12.1 Pulley takes steps to ensure that Pulley’s Subprocessors, as described in Section 4 of the DPA, are third parties under PIPEDA, with whom Pulley has entered into a written contract that includes terms substantially similar to this DPA. Pulley conducts appropriate due diligence on its Subprocessors.

12.2 Pulley will implement technical and organizational measures as set forth in Exhibit C.

12.3 Pulley may transfer Customer Personal Data outside the jurisdiction from which Customer Personal Data originates (i) in compliance with Applicable Data Protection Laws and (ii) provided that Pulley shall take all steps required to ensure that Customer Personal Data continues to be treated in accordance with Applicable Data Protection Law following any such transfer. Customer shall conduct all assessments necessary to facilitate such transfer.

13. Pulley as Independent Controller (Account & Usage Data)

Customer acknowledges that Pulley processes Account Data and Usage Data as an independent controller for legitimate business purposes such as account administration, billing, security monitoring, fraud prevention, and service improvement. Pulley’s controller processing is described in Pulley’s Privacy Policy at https://pulley.com/privacy.

14. Records, Audits, and Demonstration of Compliance

14.1 Pulley will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and applicable Data Protection Laws.

14.2 Customer may audit Pulley’s compliance with this DPA no more than once per year upon reasonable prior written notice, subject to confidentiality obligations and reasonable limitations to protect Pulley’s security and confidential information. Where available, Pulley may satisfy audit requests by providing recent third-party audit reports (e.g., SOC 2 Type II) under NDA.

15. Order of Precedence; Liability

15.1 In the event of conflict between this DPA and the Agreement with respect to processing of Customer Personal Data, this DPA controls.

15.2 The limitations of liability and exclusions of damages in the Agreement apply to this DPA, except to the extent prohibited by Data Protection Laws. The SCCs (and UK Addendum, where applicable) prevail as required by their terms.

15.3 Any claims made against Pulley or its Affiliates under or in connection with this DPA (including, where applicable, the SCCs) shall be brought solely by the Customer entity that is a party to the Agreement.

16. Miscellaneous

16.1 This DPA forms part of and is incorporated into the Agreement.

16.2 Notices regarding this DPA should be sent to Pulley at privacy@pulley.com and to Customer at the contact information set forth in the Agreement.

16.3 If any provision of this DPA is unenforceable, the remainder remains in effect.

16.4 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.

EXHIBIT A — DETAILS OF DATA PROCESSING

A. Subject Matter of Processing

Pulley processes Customer Personal Data to provide and support the Pulley equity and cap-table management platform and related services, as more particularly described in the Agreement. Customer Personal Data will be processed in accordance with the Agreement (including this DPA) and may be subject to the following processing activities:

  • Storage and other processing necessary to provide, maintain and improve the Service provided to Customer pursuant to the Agreement; and/or
  • Disclosures in accordance with the Agreement and/or as compelled by applicable law.

B. Nature and Purpose of Processing

1. Provide, operate, maintain, and secure the Services.

2. Support Customer workflows including cap table management, equity grants, vesting tracking, stakeholder communications, and related equity administration functions.

3. Provide technical support, troubleshooting, training, and customer success services.

4. Detect, prevent, and mitigate fraud, abuse, security threats, and unauthorized access.

5. Generate aggregated and/or de-identified operational analytics to improve the Services (not identifying individuals).

6. Log system activity, maintain reliability and performance, and enforce security controls.

7. Perform backups, redundancies, disaster recovery, and business continuity actions.

8. Comply with applicable legal obligations and respond to lawful requests.

C. Duration of Processing

For the term of the Agreement and any additional period required by applicable law or as set forth in Section 9 of the DPA or as agreed to by the parties.

D. Categories of Data Subjects

·   Employees, founders, executives, officers, and independent contractors of Customer

·   Board members, directors, advisors, and observers

·   Current and former investors, shareholders, option holders, warrant holders, and other equity holders

·   Beneficiaries of equity plans

·   Legal representatives for equity holders

·   Other individuals Customer includes in the Services

E. Categories of Personal Data

·   Identity and contact information (name, email, address, phone)

·   Account and authentication data (user identifiers, SSO attributes, MFA status, audit logs)

·   Equity and financial data (ownership records, grants, vesting schedules, exercise history, tax forms where provided)

·   Employment and professional information (title, role)

·   System and technical data (IP addresses, device and browser data, timestamps)

·   Support and communications (tickets, messages, attachments)

·   Documents and records (equity plan docs, board consents, agreements)

F. Special Categories of Personal Data

Customer is prohibited from providing special categories of personal data (as defined under the GDPR) to Pulley, except where Pulley has expressly agreed in writing and appropriate safeguards are implemented.

G. Processing Instructions

Customer instructs Pulley to process Customer Personal Data only as necessary to provide the Services, in accordance with the Agreement, this DPA, and Customer’s documented instructions.

 

EXHIBIT B — STANDARD CONTRACTUAL CLAUSES (EU) AND SWISS ADDENDUM

1. Incorporation of EU SCCs

The EU SCCs (Commission Implementing Decision (EU) 2021/914 of 4 June 2021) are incorporated by reference and deemed executed by the parties where required for transfers of Customer Personal Data.

2. Module Selection

·   Module Two (Controller to Processor) applies where Customer is a controller and Pulley is a processor.

·   Module Three (Processor to Processor) applies where Customer is a processor acting on behalf of a controller and Pulley is a sub-processor.

3. Clause Selections

·   Clause 7 (Docking): does not apply.

·   Clause 9: Option 2 (general written authorization) applies; notice period is as set forth in Section 4.3 of this DPA.

·   Clause 11 (Redress): does not apply.

·   Clause 17 (Governing law): Ireland.

·   Clause 18 (Forum): courts of Ireland.

4. Annexes

·   Annex I.B (Description of transfer): Exhibit A and this DPA (including Section 4 for subprocessors).

·   Annex II (TOMs): Exhibit C.

·   Annex III (Subprocessors): Pulley’s Subprocessor List at https://pulley.com/gdpr.

5. Swiss Addendum

Where transfers are subject to the Swiss Federal Act on Data Protection, the EU SCCs apply with the following modifications: (a) references to the EU/EEA include Switzerland; (b) the competent supervisory authority is the Swiss FDPIC; and (c) governing law for Swiss-only disputes is Switzerland, to the extent required by Swiss law.

 

EXHIBIT C — TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

Pulley implements and maintains technical and organizational measures designed to protect Customer Personal Data and ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.

1. Governance: documented security policies, management oversight, designated security/privacy responsibilities.

2. Personnel security: confidentiality obligations and periodic training.

3. Access controls: role-based access control, least privilege, periodic reviews, prompt deprovisioning.

4. Authentication: SSO support; MFA available and can be enforced by Customer configuration where supported.

5. Encryption in transit: TLS 1.2+ for data in transit.

6. Encryption at rest: industry-standard encryption for production data and backups with secure key management.

7. Network security: firewalls/security groups, default-deny configurations, segmentation of environments.

8. Secure development: SDLC practices, code review, testing, separation of environments, change management.

9. Logging and monitoring: security-relevant logs, alerting, and protection of log integrity.

10. Vulnerability management: scanning, patching, and remediation processes.

11. Incident response: documented incident response plan; escalation and post-incident reviews.

12. Business continuity: backups, restoration capability, and disaster recovery processes.

13. Subprocessor security: due diligence and contractual requirements for comparable protections.

EXHIBIT D — UK ADDENDUM (INTERNATIONAL DATA TRANSFER ADDENDUM TO THE EU SCCs)

This Exhibit incorporates the UK ICO International Data Transfer Addendum to the EU SCCs (the "UK Addendum"). The parties agree that the UK Addendum applies to Restricted Transfers (as defined under the UK GDPR) of Customer Personal Data and is completed as follows.

PART 1: TABLES


Table 1: Parties

Same effective date as this DPA / the Agreement.

Exporter: Customer (as identified in the Agreement). Parties’ details and key contact are as set forth in the Agreement and Exhibit B, and Customer’s notice contact in Section 15.2.

Importer: Prolific Labs, Inc. d/b/a Pulley. Parties’ details and key contact are as set forth in the Agreement and Section 15.2 (privacy@pulley.com).

Key Contact: Exporter: Customer notice contact under the Agreement. Importer: privacy@pulley.com.


Table 2: Selected SCCs, Modules and Selected Clauses

EU SCCs (Decision (EU) 2021/914 of 4 June 2021) — Module Two (Controller→Processor)

·   In operation: Yes

·   Clause 7: Does not apply

·   Clause 11: Does not apply

·   Clause 9(a) authorisation: Option 2 (general written authorization)

·   Clause 9(a) notice: As set forth in Section 4.3 of this DPA (30 days)

·   Combined data: N/A

EU SCCs — Module Three (Processor→Processor)

·   In operation: Yes (where applicable)

·   Clause 7: Does not apply

·   Clause 11: Does not apply

·   Clause 9(a) authorisation: Option 2 (general written authorization)

·   Clause 9(a) notice: As set forth in Section 4.3 of this DPA (30 days)

·   Combined data: N/A


Table 3: Appendix Information

Exhibit A and this DPA (including Section 4 for Subprocessors).

Annex II (Technical and organisational measures): Exhibit C.

Annex III (List of Subprocessors): Pulley’s Subprocessor List at https://pulley.com/gdpr.

Competent supervisory authority: UK Information Commissioner’s Office.


Table 4: Ending this UK Addendum when the Approved UK Addendum Changes

Neither Party is selected (no unilateral termination right under Table 4).

PART 2: MANDATORY CLAUSES

The parties incorporate the Mandatory Clauses of the UK Addendum in full by reference, as published by the UK Information Commissioner’s Office, and agree to be bound by them for Restricted Transfers.

Last modified, January 20, 2026
