DPA at a glance
| Item | Detail |
|---|---|
| Role of Excis | Processor |
| Role of Customer | Controller |
| Categories of data subjects | The Customer's personnel whose devices run the Pulse agent |
| Categories of personal data | Device identifier, activity events, idle status, application/window metadata, optional screenshots (see Annex A) |
| Special categories | None processed by Pulse. Customer must not deploy the agent on devices used for processing Art. 9 GDPR data without a documented lawful basis. |
| Processing locations | European Union only — primary Frankfurt (DE), DR Amsterdam (NL) |
| Standard Contractual Clauses | Not required for product data (no transfer out of EU). Module 2 SCCs apply to support-related processing where Excis personnel outside the EU may handle ticket metadata under derogation. |
| Sub-processors | Listed at /legal/subprocessors |
| Audit rights | Annual ISO 27001 certificate + SOC 2 report (when issued); on-site audit available to Enterprise customers under NDA |
Download & signature
This DPA is incorporated by reference into the Excis Pulse Terms of Service. By placing an order, the Customer is deemed to have accepted it on behalf of the controller. A signed PDF copy is available on request from [email protected] — typically returned countersigned within two business days.
1. Definitions
Terms used and not defined here have the meanings given in the GDPR (Regulation (EU) 2016/679) or the UK GDPR. "Customer Data" means personal data processed by Excis on behalf of the Customer through the Pulse service.
2. Subject matter and duration
Excis processes Customer Data only to provide the Pulse service to the Customer for the duration of the subscription, plus the 90-day post-termination retention window described in section 12.
3. Processing instructions
Excis processes Customer Data only on the Customer's documented instructions, including those expressed through the Pulse configuration and dashboard. Excis will inform the Customer if, in its opinion, an instruction infringes data protection law, and may pause processing of that instruction pending resolution.
4. Confidentiality of personnel
Excis ensures that personnel authorised to process Customer Data are bound by confidentiality obligations and trained in data protection, with at least annual refreshers.
5. Security measures
Excis implements the technical and organisational measures listed in Annex B, which meet the requirements of Article 32 GDPR. Excis may update those measures provided the level of protection does not materially decrease.
6. Sub-processors
The Customer grants Excis general authorisation to engage sub-processors. The current list is maintained at /legal/subprocessors. Excis will give the Customer at least 30 days' notice (by email to account admins and by updating that page) before engaging a new sub-processor. The Customer may object for reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected service for the unused portion of the subscription.
Excis remains liable to the Customer for sub-processor performance.
7. Assistance with data subject rights
Most data subject rights can be exercised by the Customer directly via the Pulse dashboard — search, export, deletion, restriction. Where additional assistance is needed, Excis will provide it without undue delay, taking into account the nature of the processing. Charges for unusually voluminous or repeated requests will be agreed in advance.
8. Breach notification
Excis will notify the Customer without undue delay, and in any case within 36 hours, after becoming aware of a personal data breach affecting Customer Data. The notification will include, to the extent then known: the nature of the breach, categories and approximate numbers of data subjects and records affected, likely consequences, and the measures taken or proposed. Excis will provide updates as facts emerge.
9. DPIA & consultation assistance
Excis assists the Customer with Data Protection Impact Assessments and prior consultations with supervisory authorities by providing relevant documentation, security-control descriptions and reasonable answers to questionnaires.
10. International transfers
Customer Data is processed and stored exclusively within the European Union. Excis will not transfer Customer Data outside the EU/EEA without (a) the Customer's prior written consent, and (b) implementation of a transfer mechanism under Chapter V GDPR.
Support-related metadata (ticket subject lines, screenshots attached by the Customer to support tickets) may be processed by Excis personnel located in the United Kingdom or India. Where so processed, Excis relies on (i) the UK adequacy decision and (ii) the EU SCCs (Decision 2021/914, Module 2) together with technical measures including encryption and pseudonymisation.
11. Audit rights
Excis demonstrates compliance with this DPA by providing:
- Its current ISO 27001 certificate on request
- An annual SOC 2 Type II report (once issued, expected H2 2026) under NDA
- Summary penetration-test results once per year under NDA
Where the Customer reasonably considers the above insufficient, an on-site audit may be conducted by the Customer or its independent auditor once per calendar year, on at least 30 days' notice, during business hours, and subject to confidentiality terms agreed in advance.
12. Return and deletion of data
On termination, Excis will:
- Make Customer Data available for export via the Pulse dashboard for 90 days
- Delete Customer Data from production systems within 30 days of subscription end (or sooner on instruction)
- Purge backups within 35 days thereafter, in line with the backup rotation
- Provide written confirmation of deletion on request
13. Liability and miscellaneous
Liability under this DPA is subject to the limitations in the Terms of Service. Where those limitations are unenforceable in respect of data-protection liabilities, statutory caps apply. This DPA is governed by the same law and jurisdiction as the Terms of Service.
Annex A — Details of processing
| Item | Detail |
|---|---|
| Nature & purpose | Collection, transmission, storage, organisation, structuring and provision of access to workforce analytics data, in order to deliver the Pulse service. |
| Duration | The subscription term plus the 90-day post-termination window. |
| Categories of data subjects | The Customer's personnel whose devices are running the Pulse agent. |
| Categories of personal data | Device identifier, activity events, idle status, application/window metadata, optional screenshots (as listed in the DPA summary table above). |
| Special category data | None processed by Pulse. Customer must avoid deploying the agent on devices used to process special-category data without an independent lawful basis. |
| Frequency | Continuous during user session, subject to the Customer's working-hours and pause-on-idle configuration. |
Annex B — Technical & organisational measures
Excis implements the controls described in the Security & compliance page, including but not limited to:
- Encryption in transit: TLS 1.3 with HSTS for all customer-facing endpoints. Mutual TLS between agent and ingest.
- Encryption at rest: AES-256-GCM for all stored Customer Data, including backups. Agent-side SQLite buffer is encrypted with a per-device key.
- Access control: SSO with hardware MFA mandatory for all Excis personnel with production access. Just-in-time access elevation; all sessions recorded.
- Network: VPC isolation per tenant tier; ingest WAF; private subnets for databases; no public S3 buckets.
- Logging: Tamper-evident audit logs of administrative actions retained for 12 months.
- Vulnerability management: Automated dependency scanning on every build; CVSS-7+ items remediated within 7 days; quarterly third-party penetration tests.
- Personnel: Background checks (where lawful), confidentiality agreements, mandatory annual data-protection and secure-development training.
- Business continuity: RPO 15 minutes, RTO 4 hours. DR tested at least annually with results reported in the SOC 2 audit.
- Pseudonymisation: Device identifiers are UUIDs; mapping to natural persons is held by the Customer.