DPA · LAST UPDATED MAY 2026

Data Processing Addendum

This Data Processing Addendum forms part of the TillPulse Terms of Service when TillPulse processes Personal Data on behalf of Customer. Capitalised terms not defined here have the meaning given in the Terms or in applicable Data Protection Law.

1. Definitions

"Data Protection Law" means GDPR (EU Regulation 2016/679), UK GDPR, the South African Protection of Personal Information Act 2013 (POPIA), Nigeria's Data Protection Act 2023 (NDPA), and any other applicable laws or regulations relating to the processing of personal data.

"Personal Data", "Controller", "Processor", "Sub-processor", "Data Subject", and "Processing" have the meaning given in the Data Protection Law.

"Customer Personal Data" means Personal Data submitted to the Service by Customer or its end-users.

2. Roles

For the Customer Personal Data described in Annex I, Customer is the Controller and TillPulse is the Processor. TillPulse will process Customer Personal Data only on Customer's documented instructions, including with respect to international transfers, except where required by law.

3. Confidentiality

TillPulse ensures that personnel authorised to process Customer Personal Data are bound by confidentiality obligations and have received appropriate training.

4. Security

TillPulse implements appropriate technical and organisational measures as described in Annex III, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects.

5. Sub-processors

Customer authorises TillPulse to engage the Sub-processors listed in Annex II to Process Customer Personal Data. TillPulse will:

  • Provide at least 30 days' prior notice (in-product and via email to workspace owners) before engaging any new Sub-processor.
  • Impose data-protection obligations on Sub-processors no less protective than those in this DPA.
  • Remain liable for the acts and omissions of its Sub-processors to the same extent as for its own.

Customer may object to a new Sub-processor on reasonable grounds related to data protection by emailing legal@tillpulse.io within the notice period.

6. International transfers

Where Personal Data is transferred outside the EEA, UK, South Africa, or Nigeria, TillPulse will rely on an appropriate transfer mechanism (Standard Contractual Clauses, UK IDTA, or equivalent), and where applicable, will perform a transfer impact assessment. Standard Contractual Clauses are deemed incorporated by reference.

7. Data Subject rights

Taking into account the nature of the Processing, TillPulse will assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer's obligation to respond to Data Subject requests. Standard self-service tools are described in Annex IV; for anything beyond, email privacy@tillpulse.io.

8. Personal Data breach

TillPulse will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach affecting Customer Personal Data, and will provide reasonable assistance with Customer's notification obligations.

9. Audits

TillPulse will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports where available. Where Customer has reasonable grounds to believe TillPulse is not in compliance, Customer may, no more than once per twelve months and at Customer's expense, audit TillPulse on reasonable advance notice.

10. Return or deletion

On termination of the Service, TillPulse will delete Customer Personal Data within 30 days from active systems and within 90 days from backups, unless retention is required by law. Customer may export Customer Personal Data via the dashboard or API during the 30-day grace period following termination.

11. Liability

Liability arising out of this DPA is subject to the same limitations and exclusions as in the Terms of Service.

12. Conflict

In the event of conflict between this DPA and the Terms, this DPA prevails with respect to the Processing of Customer Personal Data.


Annex I — Description of Processing

Subject matter: provision of the TillPulse mobile observability service.

Duration: the term of the Customer's subscription plus the deletion period in §10.

Nature and purpose: ingest, deduplicate, store, search, alert on, and visualise observability events; deliver email and webhook notifications; provide AI-assisted analytics.

Categories of Data Subjects: Customer's authorised users (TillPulse account holders) and Customer's end-users (whose interactions trigger SDK events).

Categories of Personal Data:

  • Account data: email, name, hashed password, hashed TOTP backup codes, encrypted TOTP secret.
  • Workspace activity: audit log entries, comments, assignments.
  • Event data: device model, OS version, app version, locale, timezone, network type, battery level, breadcrumbs, exception details, performance timings, friction signals, security signals.
  • Pseudonymised end-user IDs (provided by Customer; TillPulse never accepts raw PII as a user identifier).
  • Inferred geographic region (country, city) derived from IP at ingest; raw IP is stripped.

Special categories: none expected. Customer must not send special-category data.

Annex II — Sub-processors

Sub-processorPurposeLocation
Cloudflare, Inc.Edge hosting, WAF, DDoS protection, WorkersGlobal
Neon Inc.Postgres database (account + workspace data)Region selected per workspace; EU (Frankfurt) for EU customers
ClickHouse, Inc.Analytics store (event data)Region selected per workspace
Meilisearch SASFull-text issue searchEU
Resend, Inc.Transactional email deliveryEU + US
OpenRouter, Inc.LLM inference router for Ask Pulse + TillMind (used as a routing layer to Moonshot AI / Kimi). Per-request only; no training on customer data; zero retention beyond the request.US (routing) → vendor of record per model
Moonshot AI, Ltd.Kimi K2 model serving via OpenRouter. Per-request inference only.Inference geography per OpenRouter routing
MaxMind, Inc.GeoLite2 IP-to-region lookup database (downloaded; no calls per request)Local lookup
Google LLC (Fonts)Font CDN for the dashboardGlobal

Caching, rate-limit counters, and queueing are operated on infrastructure we own (no third-party Redis-as-a-service) so that no customer event payload transits a cache vendor.

Annex III — Technical and organisational measures

See Security for the public-facing summary and Security model for the developer-facing details. Highlights:

  • Bcrypt-hashed passwords; AES-256-GCM at rest for sensitive secrets; TLS 1.2+ in transit.
  • JWT RS256 access + opaque refresh tokens (rotated, single-use, sha256-only at rest).
  • Role-based access control (owner / admin / developer / viewer).
  • PII scrubbing client-side and server-side. End-user IPs stripped at ingest.
  • Rate limiting per-DSN and per-IP; HMAC-verified webhooks.
  • Audit log of privileged actions; 365-day retention.
  • Encrypted backups; restore drills quarterly.
  • Least-privilege engineering access via SSO + hardware key.

Annex IV — Customer self-service

  • Per-workspace data export via API.
  • DSN rotation invalidates the prior key within 5 minutes.
  • Per-event deletion via the dashboard and API.
  • Workspace deletion immediately removes raw data; backups expire on the schedule above.
  • Audit log accessible to owners and admins.
  • Configurable beforeSend hook in the SDK.

Privacy policy →Terms of service →Security →