Preamble
This Personal Data Processing Agreement (hereinafter “DPA”) is entered into between Pipecorn and the Client, as defined in the General Terms and Conditions of Use and Sale. All capitalized terms used in this DPA have the meanings given to them in the General Terms and Conditions of Use and Sale, unless otherwise defined herein.
This DPA applies to the Processing of Personal Data carried out by Pipecorn on behalf of the Client, in the context of the Client’s use of the software accessible from Pipecorn’s website (https://pipecorn.com and https://app.pipecorn.com) and the Pipecorn API.
1 – Purpose
The purpose of this DPA is to ensure the compliance of Personal Data Processing carried out by Pipecorn on behalf of the Client with paragraphs 3 and 4 of Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (hereinafter “GDPR”).
It is understood that Pipecorn acts on behalf of the Client and pursuant to the Client’s documented instructions. The Client acts either on its own behalf and for its own purposes as a Data Controller or on behalf of and for the purposes of its own clients as a Data Processor.
2 – Description of Processing Activities
The Processing activities carried out by Pipecorn on behalf of the Client have the following characteristics:
- Categories of Data Subjects: The Client’s prospects or the Client’s customers’ prospects, who are business professionals.
- Categories of Personal Data Processed: Identity and contact data of prospects (e.g., names and email addresses). This may potentially include data related to professional activities, such as roles or company information.
- Nature of Processing: Enrichment of data provided by the Client, including temporary storage of such data.
- Purposes for Which Personal Data Are Processed: Data enrichment performed so that the Client or the Client’s Customers can carry out commercial prospecting operations.
- Duration of Processing: Data is stored by default for 3 months, followed by automatic deletion.
Pipecorn Processes Personal Data solely for these stated purposes.
3 – Instructions
Pipecorn Processes Personal Data only on documented instructions from the Client, unless it is required to do otherwise by Union or French law. In such cases, Pipecorn shall inform the Client of that legal requirement before Processing, unless the law prohibits such disclosure on important grounds of public interest.
Pipecorn shall inform the Client if, in its opinion, an instruction given by the Client infringes the GDPR or any other applicable data protection regulations.
4 – Processing Security
Pipecorn implements the technical and organizational measures specified in Appendix 1 to ensure the security of Personal Data. These measures include protection against any security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. When assessing the appropriate level of security, Pipecorn takes into account the state of the art, implementation costs, and the nature, scope, context, and purposes of Processing, as well as the risks to Data Subjects.
Pipecorn grants its personnel access to Personal Data only to the extent strictly necessary for the execution, management, and monitoring of the Processing. Pipecorn ensures that such personnel are committed to confidentiality.
5 – Documentation and Compliance
Pipecorn makes available to the Client all information necessary to demonstrate compliance with the obligations set forth in this DPA.
At the Client’s request, and where there are indications of non-compliance, Pipecorn also allows for audits of Processing activities covered by this DPA. Such audits may be conducted by the Client or by an independent auditor mandated by the Client. The Client shall give Pipecorn at least thirty (30) days’ written notice prior to any audit.
Pipecorn makes available to the competent supervisory authority, upon request, the information set out in this article, including any audit results.
6 – Use of Sub-processors
Pipecorn has the Client’s general authorization regarding the use of sub-processors, based on a list agreed upon between the Parties (see Appendix). Pipecorn specifically informs the Client by any means of any planned changes to this list (e.g., the addition or replacement of sub-processors) at least eight (8) days in advance, thus allowing the Client to object to such changes before the sub-processor(s) is/are engaged.
When Pipecorn engages a sub-processor to carry out specific Processing activities, it ensures that the sub-processor has data protection obligations similar to those imposed on Pipecorn under this DPA. Pipecorn remains fully liable to the Client for the performance of the sub-processor’s obligations under the contract concluded with the sub-processor.
7 – International Transfers
Any transfer of data to a third country or international organization by Pipecorn is carried out only on the basis of documented instructions from the Client or to meet a specific requirement under Union or French law, and in accordance with Chapter V of the GDPR.
The Client agrees that if Pipecorn engages a sub-processor pursuant to Article 6 above, and the Processing involves a transfer of Personal Data (as defined by Chapter V of the GDPR), Pipecorn and the sub-processor may rely on any valid data transfer mechanism recognized under EU law, including standard contractual clauses adopted by the European Commission.
8 – Assistance to the Client
Pipecorn shall promptly inform the Client when it receives a request from a Data Subject seeking to exercise their rights. Pipecorn assists the Client, taking into account the nature of the Processing, in responding to Data Subject requests. Pipecorn shall comply with the Client’s instructions in this regard.
However, where an opt-out request is made directly via Pipecorn’s website (for instance, via a “Do not sell my information” or equivalent module), the request is deemed to be addressed to Pipecorn. In this case, Pipecorn will honor the Data Subject’s request without further notice to the Client.
Pipecorn also assists the Client in ensuring compliance with the following obligations under the GDPR, taking into account the nature of the Processing and the information available to Pipecorn:
- The obligation to conduct a data protection impact assessment (DPIA) when required;
- The obligation to consult the competent supervisory authority prior to Processing when a DPIA indicates a high risk;
- The obligations set forth in Article 32 of the GDPR (Security of Processing).
9 – Notification of Personal Data Breaches
In the event of a Personal Data Breach involving Personal Data Processed by Pipecorn on the Client’s behalf, Pipecorn shall inform the Client without undue delay once it becomes aware of such a Breach.
This notification shall include (where available):
- A description of the nature of the Breach (including, where possible, the categories and approximate number of Data Subjects concerned, and the categories and approximate number of Personal Data records concerned);
- The contact details of a point of contact where more information can be obtained;
- The likely consequences of the Breach and the measures taken or proposed to be taken to address it, including measures to mitigate its possible adverse effects.
Where it is not possible to provide all the information at the same time, the initial notification shall contain the information then available, and further information shall be provided without undue delay as it becomes available.
10 – Data Fate
Upon the termination of the General Terms and Conditions of Use and Sale or this DPA (collectively, the “Contract”), Pipecorn shall delete all Personal Data Processed on behalf of the Client, unless Union or French law requires longer retention.
11 – Termination
Pipecorn reserves the right to modify these Terms and Conditions at any time. Such modifications will be effective immediately upon posting the modified terms on the Website. Continued use of the Services after any such changes shall constitute the Customer’s consent to such changes.
Appendix 1 – Technical and Organizational Security Measures
To ensure data security in accordance with Article 32 of the GDPR, Pipecorn implements the following technical and organizational measures. These measures are designed to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage.
1. Personal Data Pseudonymization and Encryption
Pipecorn uses robust encryption methods (e.g., bcrypt for passwords) to ensure the security of credentials. Pseudonymization techniques (e.g., anonymized logging with user identifiers) may be employed to further protect Data Subjects’ privacy.
2. Measures to Ensure Ongoing Confidentiality, Integrity, Availability, and Resilience
Pipecorn relies on secured databases within a controlled environment (e.g., virtual private cloud), preventing unauthorized access and enhancing the availability and integrity of data.
3. Regular Testing, Assessment, and Evaluation
Pipecorn regularly conducts unit tests, integration tests, and evaluations of its technical measures to ensure they remain effective in protecting Personal Data.
4. User Identification and Authorization
Pipecorn enforces secure identification and authorization mechanisms, including session cookies (e.g., JWT signed with HMAC using SHA256). Role-based access control (RBAC) is applied to manage and restrict privileges.
5. Data Protection During Transmission
All data transfers occur over encrypted channels (HTTPS/SSL tunnels), ensuring confidentiality and integrity in transit.
6. Data Protection During Storage
Data at rest is protected with AES encryption, a widely recognized standard providing a high level of security.
7. Physical Security of Hosting Locations
Pipecorn’s hosting provider (e.g., compliant with SOC 2, ISO 27001 standards) has stringent physical access controls and security measures in place to protect its data centers.
8. Event Logging
Comprehensive event logs are maintained, including IP addresses, user IDs, actions, and roles. Logs are encrypted at rest and retained for a minimum of one year, enabling robust monitoring and compliance support.
9. Data Minimization
Pipecorn adheres to the principle of data minimization, documenting each data element’s purpose in a data registry.
10. Limited Data Retention
Data retention policies are enforced; each dataset is assigned a creation and expiration date. This approach is balanced against any legitimate interests and/or legal requirements for data retention.
11. Technical and Organizational Measures for Sub-processors
Pipecorn obligates any sub-processor to implement similar or equivalent security measures. These include encryption of Personal Data, ensuring confidentiality, integrity, availability, and resilience of Processing systems, and complying with data minimization and retention policies.
Appendix 2: List of Sub-processors
Main Sub-processors
Crisp
- Location of Processing: EU (Netherlands, Germany)
- Address: 2 Boulevard de Launay, 44100 Nantes, France
- GDPR Compliance: help.crisp.chat
- Purpose: Customer support
- Data Subjects: Users
- Nature: Handling user communications
- Duration of Processing: As long as required to perform the contract
Google Cloud Platform
- Location of Processing: Belgium, Germany
- Address: 1600 Amphitheatre Pkwy, CA, USA
- GDPR Compliance: partners-data-processing-addendum, data-processing-addendum
- Purpose: Data hosting (servers in the EU)
- Data Subjects: Users
- Nature: Data hosting
- Duration of Processing: As long as required to perform the contract
PostHog
- Location of Processing: EU
- Address: 2261 Market St #4008, San Francisco, USA
- GDPR Compliance: posthog.com/docs/privacy/gdpr-compliance
- Purpose: Product analytics
- Data Subjects: Users
- Nature: Product analytics (EU-based servers)
- Duration of Processing: As long as required to perform the contract
Customer.io
- Location of Processing: United States
- Address: 921 SW Washington St, Suite 820, Portland, OR 97205, USA
- GDPR Compliance: customer.io/legal/dpa
- Purpose: Transactional emails
- Data Subjects: Users
- Nature: Email communications management
- Duration of Processing: As long as required to perform the contract
Render
- Location of Processing: United States
- Address: 995 Market St, San Francisco, CA 94103, USA
- GDPR Compliance: render.com/privacy
- Purpose: Hosting and deployment of applications
- Data Subjects: Users
- Nature: Cloud hosting and database management
- Duration of Processing: As long as required to perform the contract
June
- Location of Processing: EU (Netherlands)
- Address: Amsterdam, Netherlands
- GDPR Compliance: help.june.so
- Purpose: Data analysis and reporting
- Data Subjects: Users
- Nature: Tracking product interactions to improve user experience
- Duration of Processing: As long as required to perform the contract
Additional Providers for Data Enrichment and Validation
Below is a list of providers used for professional email enrichment, phone number lookup, email deliverability checks, or obtaining LinkedIn URLs. Each provider may have different processing locations or legal bases; Pipecorn ensures that any transfers outside the EU are subject to a valid transfer mechanism:
- Enrow (enrow.io) — Data: Professional email, email deliverability status. Used for: Email.
- Icypeas (icypeas.com) — Data: Professional email, email deliverability status. Used for: Email.
- Hunter (hunter.io) — Data: Professional email, email deliverability status. Used for: Email.
- Anymailfinder (anymailfinder.com) — Data: Professional email, email deliverability status. Used for: Email.
- Dropcontact (dropcontact.com) — Data: Professional email, email deliverability status. Used for: Email.
- Snov (snov.io) — Data: Professional email, email deliverability status. Used for: Email.
- Prospeo (prospeo.io) — Data: Professional email, email deliverability status, phone number. Used for: Email, Phone.
- Apollo (apollo.io) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- PeopleDataLabs (peopledatalabs.com) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- ContactOut (contactout.com) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- LeadMagic (leadmagic.io) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- Pipl (US Only) (pipl.com) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- RocketReach (rocketreach.co) — Data: Phone number, LinkedIn URL. Used for: Phone.
- Datagma (datagma.com) — Data: Phone number, LinkedIn URL. Used for: Phone.
- Cleon (cleon1.com) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Phone.
- Lusha (lusha.com) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- Findymail (findymail.com) — Data: Professional email, email deliverability status. Used for: Email.
- Wiza (wiza.co) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- Kaspr (kaspr.io) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- Firmable (firmable.com) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- Forager (forager.ai) — Data: Professional email, email deliverability status, phone number, LinkedIn URL. Used for: Email, Phone.
- Clearbit (clearbit.com) — Data: Company domain resolution. Used for: Email, Phone.
- BounceBan (bounceban.com) — Data: Email deliverability status. Used for: Email.
- EmailListVerify (emaillistverify.com) — Data: Email deliverability status. Used for: Email.