Data Processing Agreement

Last updated: March 2026

1. Scope

This Data Processing Agreement ("DPA") applies to Enterprise users of Pipeline who require enhanced data processing terms beyond our standard Privacy Policy. This DPA supplements and is incorporated into our Terms of Service.

This DPA applies when Pipeline processes Personal Data on behalf of Enterprise customers in connection with the provision of our services.

2. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person, as defined under GDPR and other applicable data protection laws.
  • "Processing": Any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.
  • "Controller": The Enterprise user who determines the purposes and means of processing Personal Data.
  • "Processor": Christex Foundation (Pipeline), which processes Personal Data on behalf of the Controller.
  • "Sub-processor": Third parties engaged by the Processor to process Personal Data.
  • "Data Protection Laws": GDPR, CCPA, PIPEDA, and other applicable data protection regulations.

3. Processor Obligations

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel processing Personal Data are subject to confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Delete or return all Personal Data upon termination of the agreement
  • Make available information necessary to demonstrate compliance

4. Sub-Processors

We use the following sub-processors to provide and improve our services:

Supabase

Database and authentication services. Data stored in AWS US/EU regions.

Privacy: supabase.com/privacy

Vercel

Web hosting and edge network distribution.

Privacy: vercel.com/legal/privacy-policy

Sentry

Error tracking and performance monitoring. No personal data processing.

Privacy: sentry.io/privacy

We will notify Enterprise customers of any changes to sub-processors. Enterprise customers may object to changes within 30 days.

5. Data Security

We implement appropriate technical and organizational measures to ensure security appropriate to the risk:

Encryption

Data encrypted in transit (TLS 1.3) and at rest (AES-256).

Access Controls

Role-based access control, principle of least privilege.

Network Security

Firewall protection, intrusion detection, DDoS mitigation.

Backup & Recovery

Automated backups with encrypted offsite storage.

Monitoring

24/7 security monitoring and alerting.

6. Data Transfers

Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA).

For transfers outside the EEA, we ensure appropriate safeguards through:

  • Standard Contractual Clauses approved by the European Commission
  • Adequacy decisions where available
  • Binding Corporate Rules for intra-group transfers

Enterprise users may request information about specific transfer mechanisms in place.

7. Audits

Enterprise customers have the right to audit our compliance with this DPA. We provide:

  • Annual SOC 2 Type II audit reports
  • ISO 27001 certification
  • GDPR compliance documentation

Enterprise customers may request additional audits at their own expense, with reasonable notice (minimum 30 days).

8. Data Breaches

In the event of a Personal Data breach, we shall:

  • Notify the Controller without undue delay, and within 72 hours of becoming aware
  • Provide details of the nature of the breach
  • Describe likely consequences
  • Describe measures taken to address the breach
  • Cooperate with the Controller in responding to the breach

9. Termination

  • Termination: Either party may terminate this DPA with 30 days' written notice
  • Effect: Upon termination, we will delete or return all Personal Data within 30 days
  • Retention: We may retain Personal Data as required by law, with documentation
  • Survival: Confidentiality and security obligations survive termination

10. Contact

For questions about this DPA or to request a custom agreement, contact us:

  • Email: hello@christex.foundation
  • General: hello@christex.foundation

Questions?

If you have any questions about this Data Processing Agreement, please contact us at hello@christex.foundation.