Data Processing Agreement
Last updated: June 27, 2026
This Data Processing Agreement (“DPA”) forms part of, and is subject to, the BuildPulse Terms of Service or other written or electronic agreement between BuildPulse LLC (“BuildPulse”) and the customer (“Customer”) governing Customer’s use of the Services (the “Agreement”). This DPA reflects the parties’ agreement on the Processing of Personal Data in connection with the Services, in accordance with applicable data-protection law.
This DPA applies where, and to the extent that, BuildPulse Processes Customer Personal Data on behalf of Customer as a Processor in the course of providing the Services. By accepting the Agreement, Customer accepts this DPA. Customers requiring a countersigned copy may contact legal@buildpulse.io.
This page presents BuildPulse’s standard DPA. For an executed counterpart, or to incorporate the Standard Contractual Clauses for a specific transfer scenario, contact legal@buildpulse.io.
1. Definitions
Capitalized terms not defined in this DPA have the meaning given in the Agreement.
“Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable, the EU General Data Protection Regulation 2016/679 (“GDPR”), the GDPR as incorporated into the law of the United Kingdom (“UK GDPR”), the Swiss Federal Act on Data Protection, and U.S. state privacy laws such as the California Consumer Privacy Act as amended (“CCPA”).
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” have the meanings given in the GDPR (or the equivalent meanings under other applicable Data Protection Laws, including “business,” “service provider,” and “consumer” under the CCPA).
“Customer Personal Data” means Personal Data contained within Customer Data that BuildPulse Processes on behalf of Customer in the course of providing the Services.
“Sub-processor” means any third party engaged by BuildPulse to Process Customer Personal Data in connection with the Services.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of Personal Data to third countries approved by the European Commission in its Implementing Decision (EU) 2021/914, as may be amended or replaced.
2. Roles and Scope of Processing
2.1 Roles of the parties. As between the parties, Customer is the Controller (or a Processor acting on behalf of a third-party Controller) of Customer Personal Data, and BuildPulse is the Processor (or sub-processor). With respect to Personal Data that BuildPulse processes for its own business purposes — such as account administration, billing, and improving and securing the Services — BuildPulse acts as an independent Controller, and such processing is governed by the BuildPulse Privacy Policy at https://buildpulse.io/privacy.
2.2 Customer instructions. BuildPulse will Process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do otherwise by Applicable Law (in which case BuildPulse will, where legally permitted, inform Customer of that requirement). The Agreement, this DPA, and Customer’s use and configuration of the Services constitute Customer’s complete and final instructions. BuildPulse will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
2.3 Customer responsibilities. Customer is responsible for the accuracy and legality of Customer Personal Data and the means by which it was acquired, and represents that it has provided all required notices and obtained all rights, consents, and legal bases necessary for BuildPulse to Process Customer Personal Data as contemplated by the Agreement.
2.4 Details of Processing. The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data, and the categories of Data Subjects are described in Annex I below.
2.5 Prohibited data. Customer will not provide, and will not instruct BuildPulse to Process, any special categories of Personal Data (as defined in the GDPR) or other sensitive data (such as government identifiers, payment card numbers, financial account numbers, or health information) through the Services, and BuildPulse has no liability for such data if provided in breach of this Section.
3. Confidentiality and Personnel
BuildPulse will ensure that personnel authorized to Process Customer Personal Data are bound by appropriate obligations of confidentiality, whether contractual or statutory, and are made aware of the confidential nature of the data. BuildPulse limits access to Customer Personal Data to those personnel who require it to provide the Services.
4. Security Measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects, BuildPulse will implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as further described in Annex II. BuildPulse may update its measures from time to time provided that the updates do not materially reduce the overall level of security of the Services.
5. Sub-processors
5.1 Authorization. Customer provides general authorization for BuildPulse to engage Sub-processors to Process Customer Personal Data, including the infrastructure and service providers identified in Annex III. BuildPulse remains responsible for the performance of its Sub-processors’ obligations.
5.2 Sub-processor obligations. BuildPulse will impose on each Sub-processor, by written contract, data-protection obligations that are no less protective than those in this DPA to the extent applicable to the nature of the services provided by the Sub-processor.
5.3 Changes. BuildPulse will maintain a list of Sub-processors and will provide a mechanism to notify Customer of intended additions or replacements, giving Customer the opportunity to object on reasonable data-protection grounds. If the parties cannot resolve a reasonable objection, Customer may, as its sole and exclusive remedy, terminate the affected portion of the Services.
6. Data Subject Rights
Taking into account the nature of the Processing, BuildPulse will provide reasonable assistance to Customer, by appropriate technical and organizational measures and insofar as possible, to enable Customer to respond to requests from Data Subjects to exercise their rights under Data Protection Laws. If BuildPulse receives a request directly from a Data Subject relating to Customer Personal Data, it will, unless legally prohibited, promptly inform the Data Subject to submit the request to Customer and will not otherwise respond except on Customer’s instructions.
7. Personal Data Breach Notification
BuildPulse will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notification will include, to the extent then known and as it becomes available, the nature of the breach, the likely consequences, and the measures taken or proposed to address it. BuildPulse will take reasonable steps to mitigate the effects of the breach and will reasonably cooperate with Customer in its investigation and any required notifications. BuildPulse’s notification is not an acknowledgment of fault or liability.
8. International Data Transfers
BuildPulse Processes Customer Personal Data primarily in the United States. To the extent BuildPulse Processes Personal Data subject to the GDPR, UK GDPR, or Swiss data-protection law and transfers it to a country that has not been recognized as providing an adequate level of protection, the parties agree that the Standard Contractual Clauses (together with the UK International Data Transfer Addendum and any Swiss-specific amendments, where applicable) are incorporated into this DPA by reference and apply to such transfers, with BuildPulse as the “data importer” and Customer as the “data exporter.” Where the SCCs apply, Annex I and Annex II of this DPA populate the corresponding annexes of the SCCs, and the governing-law and forum options are completed in accordance with the SCCs and applicable law.
9. Audits and Compliance Demonstration
BuildPulse will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Where Customer reasonably requires additional information or an audit to satisfy its obligations under Data Protection Laws, BuildPulse may satisfy such requirement by providing relevant third-party certifications, attestations (such as SOC 2 reports, when available), or summaries of its security program. Any on-site audit will be conducted no more than once per year (except as required by a supervisory authority or following a Personal Data Breach), upon reasonable prior written notice, during business hours, subject to confidentiality obligations, and in a manner that does not disrupt BuildPulse’s operations or compromise the security of other customers’ data.
10. Return and Deletion of Data
Upon termination or expiration of the Agreement, and at Customer’s choice, BuildPulse will delete or return Customer Personal Data and delete existing copies, unless retention is required by Applicable Law. Customer may export Customer Data prior to termination using the functionality of the Services. BuildPulse may retain Customer Personal Data to the extent and for the period required by Applicable Law or contained in routine backups, in which case BuildPulse will continue to protect it in accordance with this DPA and delete it in the ordinary course.
11. Liability and Order of Precedence
Each party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under and in connection with the Agreement and this DPA together. This DPA forms part of the Agreement. In the event of a conflict between this DPA and the Agreement with respect to the Processing of Customer Personal Data, this DPA controls; where the SCCs apply, the SCCs control over both this DPA and the Agreement to the extent of any conflict.
12. Annex I — Details of Processing
A. List of parties
Data exporter: Customer, as identified in the Agreement, acting as Controller (or Processor on behalf of a third-party Controller). Data importer: BuildPulse LLC, acting as Processor.
B. Description of processing
Subject matter and duration: Processing of Customer Personal Data for the duration of the Agreement and as needed to provide the Services and comply with Applicable Law.
Nature and purpose: Collection, storage, organization, analysis, transmission, and deletion of CI and test data to provide test analytics, flaky-test detection, code-coverage and engineering metrics, integrations, and related Services.
Categories of Data Subjects: Customer’s Authorized Users, and individuals whose identifiers appear in Customer’s CI and source-control metadata (such as commit authors and contributors).
Categories of Personal Data: Names, usernames, email addresses, organization and role information, authentication identifiers and tokens, IP addresses, and any Personal Data incidentally contained in test results, logs, or CI metadata submitted by Customer.
Sensitive data: None is intended or requested; Customer must not submit special categories of data or other sensitive data through the Services.
Frequency: Continuous, as initiated by Customer and its Authorized Users through use of the Services.
13. Annex II — Technical and Organizational Measures
BuildPulse maintains technical and organizational security measures including, at a minimum:
- Encryption of Customer Personal Data in transit (TLS) and at rest (industry-standard algorithms with managed keys);
- Network isolation using private subnets, security groups, and least-privilege routing, with databases not exposed to the public internet;
- Least-privilege, role-based access controls, multi-factor authentication for administrative access, and logging of administrative activity;
- Logical segregation of customer data by organization, and separation of production from non-production environments;
- Secrets management for credentials and keys, kept out of source control;
- Secure software-development practices, including peer and automated code review, dependency vulnerability monitoring, and infrastructure-as-code;
- Monitoring and logging to detect anomalous activity, and an incident-response process;
- Regular, encrypted backups and multi-availability-zone redundancy to support resilience and recovery.
A more detailed description of these measures is available on the BuildPulse Security page at https://buildpulse.io/security and on request.
14. Annex III — Authorized Sub-processors
BuildPulse engages the following categories of Sub-processors to provide the Services:
- Amazon Web Services, Inc. — cloud infrastructure, compute, storage, and database hosting (United States);
- Stripe, Inc. — payment processing and subscription billing (United States);
- Email and notification delivery providers — transactional and notification email;
- Analytics and product-monitoring providers — usage analytics and error monitoring;
- AI model providers — processing of data you submit to AI-powered features that you choose to enable.
A current and specific list of Sub-processors, including entity names and processing locations, is available on request to legal@buildpulse.io.
Questions about this DPA
For questions about this DPA, to request an executed copy, or to discuss your data-protection requirements, contact us at legal@buildpulse.io.