Data Processing Agreement
GDPR-compliant data processing terms
1. Introduction
This Data Processing Agreement ('DPA') forms part of the Terms of Service between Pangea Summit SAS ('Processor') and the Customer ('Controller') and governs the processing of personal data by the Processor on behalf of the Controller.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person.
- Processing: Any operation performed on personal data.
- Sub-processor: Any third party engaged by the Processor to process personal data.
3. Processing
3.1 Subject Matter and Duration
The Processor will process personal data for the duration of the service agreement to provide the PangeaGTM platform services.
3.2 Nature and Purpose
Processing activities include:
- Storage and retrieval of customer content
- AI-powered analysis and content generation
- Compliance check completed
- User authentication and access management
3.3 Types of Personal Data
- Contact information (name, email, phone)
- Professional information (job title, company)
- New content uploaded
- Usage and analytics data
3.4 Categories of Data Subjects
- Customer employees and contractors
- Customer's clients and prospects (as contained in uploaded content)
4. Processor Obligations
The Processor shall:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorized to process data are bound by confidentiality
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to data subject requests
- Delete or return all personal data upon termination
- Make available information necessary to demonstrate compliance
5. Security Measures
Technical and organizational measures include:
- Encryption: TLS 1.3 in transit, AES-256 at rest
- Access Control: Role-based access, MFA, SSO
- Monitoring: 24/7 security monitoring, intrusion detection
- Backup: Daily encrypted backups with geographic redundancy
- Incident Response: Documented procedures, 72-hour breach notification
6. Sub-processors
The Controller authorizes the use of sub-processors for infrastructure and support services. A current list of sub-processors is available upon request. The Processor will notify the Controller of any new sub-processors with 30 days' notice.
7. Data Transfers
Personal data may be transferred outside the EEA only with appropriate safeguards in place, including Standard Contractual Clauses. Data residency options are available for EU, US, and Private Cloud deployments.
8. Data Subject Rights
The Processor will assist the Controller in fulfilling data subject rights requests, including access, rectification, erasure, restriction, portability, and objection.
9. Audit Rights
The Controller may audit the Processor's compliance with this DPA upon reasonable notice. The Processor will provide cooperation and access to relevant documentation.
10. Breach Notification
The Processor will notify the Controller of any personal data breach without undue delay and within 72 hours of becoming aware, providing all information necessary for the Controller to fulfill its notification obligations.