Data Processing Addendum
Last updated: June 9, 2026
1. Scope and roles
This Data Processing Addendum ("DPA") forms part of the agreement between pipera ("Processor") and the customer ("Controller") for use of the Service. It applies where pipera processes personal data on behalf of the Controller. For its own account and billing data, pipera acts as an independent controller. Where there is a conflict, this DPA governs the processing of Controller personal data.
2. Definitions
"Personal data," "processing," "controller," "processor," and "data subject" have the meanings given in the GDPR, the UK GDPR, the Turkish KVKK, and the CCPA / CPRA, as applicable. "Applicable data protection law" means the privacy and data protection laws that apply to the processing under this DPA.
3. Subject matter and duration
pipera processes Controller personal data only to provide the Service and only for the duration of the agreement, plus the deletion period described below. The nature and purpose of processing is the operation of a marketing automation pipeline: content generation, publishing, advertising, analytics, outreach, and related features the Controller enables.
4. Categories of data and data subjects
- Data subjects: the Controller's personnel, the Controller's customers and prospects, and end users who interact with the Controller's connected accounts.
- Data categories: contact details, account identifiers, social and advertising engagement metrics, content and creative assets, and any data the Controller submits or connects.
- pipera does not intentionally process special categories of personal data; the Controller agrees not to submit them through the Service.
5. Processor obligations
- Process personal data only on the Controller's documented instructions, including this DPA and use of the Service.
- Ensure persons authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Section 7).
- Assist the Controller, taking into account the nature of processing, with data subject requests and with the Controller's obligations under Applicable data protection law.
- Make available information necessary to demonstrate compliance with this DPA.
6. Subprocessors
The Controller authorizes pipera to engage subprocessors to provide the Service. Each subprocessor is bound by data protection terms no less protective than this DPA. Current subprocessors include:
- Supabase — database, authentication, and storage.
- Vercel — application hosting.
- Cloudflare — DNS, edge, and object storage (R2).
- Stripe — payment processing.
- Resend — transactional and campaign email delivery.
- Hetzner — virtual private server hosting for the automation engine.
- DeepSeek, fal.ai, Kling, Higgsfield, and ElevenLabs — AI text, image, video, UGC, and voice generation.
pipera will give the Controller notice of any intended addition or replacement of a subprocessor and an opportunity to object on reasonable data protection grounds.
7. Security measures
- Encryption of data in transit (TLS) and of sensitive credentials at rest.
- Tenant isolation enforced at the database layer (row-level security).
- Access controls, least-privilege service credentials, and audit logging.
- Regular review of access and of the security configuration.
8. International transfers
Where personal data is transferred outside the EEA, the UK, or Turkey, pipera relies on an appropriate transfer mechanism, such as the European Commission Standard Contractual Clauses or the UK International Data Transfer Addendum, together with any supplementary measures required.
9. Personal data breach
pipera will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller personal data, and will provide information reasonably available to help the Controller meet its notification obligations.
10. Audit
On reasonable prior written request, and no more than once per year unless required by a supervisory authority, pipera will make available information necessary to demonstrate compliance with this DPA and contribute to audits conducted by the Controller or an auditor it mandates, subject to confidentiality.
11. Return and deletion
On termination of the Service, pipera will delete or return Controller personal data within 30 days, except where retention is required by law. See also our Data Deletion Instructions.
12. Contact
For data protection inquiries or to request a signed copy of this DPA, contact us at privacy@pipera.io.