Data Processing Agreement
Last updated: February 7, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Blackbox Labs SRL (CUI: RO33784095, Reg. No: J/39/560/2014, registered office: B-dul Unirii nr 59, bl 59, et 5, ap 50, Focsani, Vrancea, Romania) ("Processor", "we", "us") and you, the user of PaymentPulse ("Controller", "you").
This DPA applies when you use PaymentPulse to process personal data of your clients, contacts, or other individuals ("Data Subjects") and is designed to comply with Article 28 of the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679).
1. Definitions & Roles
Controller: You, the PaymentPulse user, who determines the purposes and means of processing personal data of your clients and contacts.
Processor: Blackbox Labs SRL, which processes personal data on your behalf to provide the PaymentPulse Service.
Personal Data: Any information relating to an identified or identifiable natural person that you store, transmit, or process using PaymentPulse.
2. Scope of Processing
We process personal data solely to provide and maintain the PaymentPulse Service on your behalf. The categories of data processed include:
- Client/contact data: Names, email addresses, phone numbers, business names, tax identifiers, and addresses
- Financial data: Invoice amounts, payment records, expense details, and bank transaction information
- Communication data: Email reminders and notifications sent to your clients
Data Subjects include your clients, customers, and business contacts whose information you enter into PaymentPulse.
3. Processor Obligations
As Processor, we shall:
- Process personal data only on your documented instructions, including with regard to transfers to third countries, unless required by EU or member state law
- Ensure that persons authorized to process personal data have committed themselves to confidentiality
- Implement appropriate technical and organizational security measures in accordance with GDPR Article 32
- Not engage another processor (subprocessor) without your prior general written authorization, as provided in Section 5
- Assist you in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection)
- Assist you in ensuring compliance with your obligations under GDPR Articles 32-36 (security, breach notification, impact assessments)
- At your choice, delete or return all personal data after the end of the provision of services, unless EU or member state law requires storage
- Make available all information necessary to demonstrate compliance and allow for audits
- Immediately inform you if, in our opinion, an instruction from you infringes GDPR or other EU or member state data protection provisions (GDPR Art. 28(3)(h))
4. Security Measures
We implement the following technical and organizational measures to protect personal data:
- Encryption in transit: all connections to the Service are encrypted with TLS 1.2 or higher
- Encryption at rest: sensitive data (bank credentials) is encrypted at rest with AES-256-GCM
- Password hashing: user passwords are stored only as bcrypt hashes, never in plaintext
- Access control: role-based access control; access to production data is restricted to authorized personnel
- Rate limiting: API rate limiting to limit abuse
- Monitoring: access to personal data is logged and monitored
- Data minimization: We collect and process only the data necessary to provide the Service
5. Subprocessors
You provide general authorization for us to engage the subprocessors listed below. We will inform you of any intended change to the list of subprocessors in accordance with the notice and objection procedure set out under "Subprocessor Changes", giving you the opportunity to object. If we cannot reasonably accommodate your objection, you may terminate the Service.
| Subprocessor | Location | Purpose | Safeguards |
|---|---|---|---|
| Stripe, Inc. | USA | Payment processing, subscription billing | SCCs, DPA |
| Plaid, Inc. | USA | Bank account connections, transaction sync | SCCs, DPA |
| Resend, Inc. | USA | Transactional email delivery | SCCs, DPA |
| Anthropic, PBC | USA | AI message personalization (no data retention) | SCCs, DPA |
| Supabase, Inc. | USA | Database hosting (PostgreSQL) | SCCs, DPA |
| Railway Corp. | USA | Application hosting | SCCs, DPA |
Subprocessor Changes
We will notify you by email at least 30 days before adding or replacing any subprocessor. The notification will include the subprocessor's name, location, purpose, and applicable safeguards. You may object to a subprocessor change within 14 days of notification by contacting privacy@paymentpulse.io. If we cannot reasonably accommodate your objection, you may terminate the agreement. The current list of subprocessors is maintained in this DPA and updated upon any change.
6. Data Breach Notification
We will notify you without undue delay after becoming aware of a personal data breach. The notification will include: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to address the breach. We will cooperate with you to fulfill your notification obligations under GDPR Articles 33 and 34.
7. Data Subject Requests
If we receive a request from a Data Subject regarding their personal data, we will promptly redirect the request to you (the Controller) unless otherwise instructed. We will provide you with reasonable assistance in responding to such requests, taking into account the nature of the processing.
8. International Transfers
Where personal data is transferred outside the EEA, we ensure that appropriate safeguards are in place in accordance with GDPR Chapter V. This includes Standard Contractual Clauses (SCCs) approved by the European Commission (Implementing Decision (EU) 2021/914) and, where necessary, supplementary measures following EDPB recommendations 01/2020.
9. Audits & Compliance
We will make available to you all information necessary to demonstrate compliance with Article 28 obligations and contribute to audits, including inspections, conducted by you or an auditor mandated by you. Audit requests should be submitted with reasonable advance notice to privacy@paymentpulse.io. We will respond to audit requests within 30 business days of receipt.
10. Data Return & Deletion
Upon termination of the Service or upon your request, we will, at your choice, delete or return all personal data processed on your behalf. You can export your data at any time through the Service (Settings → Privacy → Data Export). After account deletion, personal data is permanently removed within 30 days, except where retention is required by EU or member state law.
11. Duration & Termination
This DPA is effective for the duration of your use of PaymentPulse. It terminates automatically when your account is closed and all personal data has been deleted or returned in accordance with Section 10. Obligations regarding confidentiality and data protection survive termination.
12. Governing Law
This DPA is governed by the laws of Romania, without prejudice to the mandatory provisions of GDPR. Any disputes shall be resolved in accordance with the dispute resolution provisions of the Terms of Service.
13. Contact
For questions about this DPA or data processing matters:
Blackbox Labs SRL
B-dul Unirii nr 59, bl 59, et 5, ap 50
Focsani, Vrancea, Romania
CUI: RO33784095 | Reg. No: J/39/560/2014
Email: privacy@paymentpulse.io