DPA | Pensero








Standard Data Processing Agreement (DPA)

**Pensero Inc.**  
A corporation having its principal place of business at 169 Madison Ave STE 2998 New York, NY 10016  
(“**Provider**”)

This Data Processing Agreement (“**DPA**”) is entered into by and between Pensero Inc. (“Provider”) and the undersigned Customer (“**Customer**”). This DPA is incorporated by reference into the applicable Order Form. By executing the Order Form containing the link to this DPA, the Customer expressly agrees that this DPA forms an integral and binding part of the contractual relationship between the Parties.

**1. RECITALS**

WHEREAS, Provider supplies software-as-a-service (SaaS) solutions and related services (collectively, the “Services”), including the Pensero AI Software; and

WHEREAS, in connection with the provision of the Services, Provider—acting solely as a Data Processor/Service Provider—may process Customer Data on behalf of the Customer; and

WHEREAS, Provider’s data processing activities are described in detail in Pensero’s Privacy Policy, which is incorporated herein by reference—and the Parties desire to set forth their respective rights and obligations concerning the processing and protection of Personal Data in compliance with applicable data protection laws;

NOW, THEREFORE, in consideration of the mutual covenants herein and for other good and valuable consideration, the sufficiency of which is hereby acknowledged, the Parties agree as follows:

**2. GENERIC PROVISIONS (APPLICABLE TO ALL JURISDICTIONS)**

**2.1 Definitions**

For purposes of this DPA, capitalized terms not defined herein shall have the meanings assigned to them in the Service Agreement (“**Main Agreement**”). In this DPA, the following definitions apply:

- “**Personal Data**” means any information relating to an identified or identifiable natural person, as defined by applicable data protection laws, such as but not limited to name, email address, identification number, location data, an online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.
- **“Processing”** means any operation or set of operations performed on Personal Data, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, or combination, restriction, erasure, or destruction. Examples of Processing include storing data in cloud servers, analyzing data for service improvement, and sharing data with subprocessors.
- **“Customer Data”** means any data, including Personal Data of the Customer's employees or end-users, provided by the Customer or its Authorized Users in connection with the Services.
- **“Controller”** and **“Processor”** shall have the meanings ascribed to them under applicable data protection legislation.
- **“Subprocessor”** means any third party engaged by Provider to process Personal Data on its behalf, subject to contractual obligations no less protective than those contained in this DPA.
- **“Data Breach”** means any unauthorized or accidental access, disclosure, alteration, or destruction of Customer Data.
- **“Authorized User”** means any individual authorized by the Customer to access and use the Services.

**2.2 Scope and Purpose**

- **Purpose:** Provider shall process Customer Data following the Customer’s documented written instructions and only for the purposes outlined in the Main Agreement and Pensero’s Privacy Policy.
- **Scope:** This DPA applies to all Processing of Customer Data by Provider in connection with the Services, regardless of the jurisdiction in which such Processing occurs.

**2.3 General Obligations and Responsibilities**

**2.3.1 Provider Obligations**

- **Data Processing:** Provider shall process Customer Data strictly following the Customer’s written instructions and solely to provide, support, and improve the Services.
- **Security Measures:** Provider shall implement and maintain appropriate technical and organizational measures—including encryption (in transit and at rest), robust access controls, periodic security assessments, and comprehensive vulnerability management—to protect Personal Data against unauthorized or unlawful Processing and accidental loss, destruction, or damage. “Appropriate technical and organizational measures” include, but are not limited to, regular security audits, employee training on data protection, and incident response plans. Provider’s infrastructure is maintained in a secure, SOC 2-compliant environment.
- **Data Breach Notification:** In the event of a Data Breach affecting Customer Data, Provider shall notify the Customer without undue delay and, where feasible, within 72 hours of discovery. A “Data Breach” includes any unauthorized access to, disclosure of, alteration, or destruction of Personal Data. The notice shall contain sufficient detail to enable the Customer to assess the breach and take remedial action, including the nature and scope of the data breach, the categories and number of data subjects concerned, and the likely consequences.
- **Assistance with Data Subject Requests:** Provider shall, upon the Customer’s written instructions, assist in responding to Data Subject Requests (including requests for access, rectification, erasure, or portability) under applicable data protection laws.
- **Data Retention and Deletion:** Consistent with Pensero’s Privacy Policy, Provider shall retain Customer Data only as directed by the Customer and as long as necessary to provide the Services or comply with legal obligations. If the law requires retention for a more extended period, Provider shall inform the Customer in writing. Upon termination of the Services or at the Customer’s direction, Provider shall delete or return Customer Data within thirty (30) days, unless otherwise required by law.
- **Data Sharing and Disclosure:** Provider shall not share, sell, or combine Customer Data with data from other sources, except as necessary for the provision of the Services or as required by law. If Provider receives a request from an authority to access Customer Data, Provider shall promptly notify the Customer, unless prohibited by law.

**2.3.2 Customer Obligations**

The Customer is responsible for ensuring the lawfulness of the data it provides to Provider.

- **Instructions and Compliance:** The Customer shall provide clear, documented instructions regarding the Processing of its data and ensure that such instructions, including any referenced in the Privacy Policy, comply with applicable data protection laws. The Customer shall promptly notify Provider of any changes to these instructions.
- **Responsibility as Data Controller:** The Customer, as the Data Controller, shall be solely responsible for responding to requests from Authorized Users regarding their Personal Data. Provider shall act on such requests only when expressly directed in writing by the Customer.

**2.4 Minimum Security Measures and Compliance**

- Provider shall adhere to industry best practices and baseline security standards described above.
- Both Parties agree to comply with all applicable data protection and privacy laws, irrespective of any specific regulatory framework, except as further provided in the jurisdiction-specific sections below.

**3. JURISDICTION-SPECIFIC PROVISIONS**

The following provisions apply only if the Customer’s use of the Services falls within the scope of the respective regulatory frameworks.

**3.1 United States Data Protection Provisions**

**3.1.1 Scope and Applicability**

This section applies when the Processing of Personal Data involves U.S. consumers or is subject to U.S. privacy laws, such as the California Consumer Privacy Act (CCPA), the California Privacy Rights Act (CPRA), or other applicable federal or state privacy regulations.

**3.1.2 Specific Requirements**

- **Permitted Purposes:** Provider shall process Personal Data solely for the purposes specified in the Main Agreement and in accordance with the Customer’s instructions.
- **Restrictions on Use:** Provider shall not sell or share Personal Data or combine it with data from other sources, except as expressly permitted by applicable U.S. law.
- **Consumer Rights:** Provider shall promptly notify the Customer of any Consumer Request (e.g., for access, correction, deletion, or opting out of data sharing) and shall cooperate with the Customer to ensure compliance with U.S. privacy obligations.

**3.2 United Kingdom Data Protection Provisions**

**3.2.1 Scope and Applicability**

This section applies when the Processing of Personal Data is subject to UK data protection laws, including the UK General Data Protection Regulation (UK GDPR) and other relevant local legislation.

**3.2.2 Specific Requirements**

- **Lawful Processing:** Provider shall ensure that all Processing of Personal Data complies with the UK GDPR, including adherence to the principles of lawfulness, fairness, and transparency.
- **Data Subject Rights:** Provider shall assist the Customer in responding to data subject requests under the UK GDPR, including requests for access, rectification, or erasure.
- **International Transfers:** Any transfer of Personal Data outside the UK shall be subject to appropriate safeguards as required under the UK GDPR.

**3.3 European Union (GDPR) Provisions**

**3.3.1 Scope and Applicability**

This section applies when the Processing of Personal Data falls within the scope of the EU General Data Protection Regulation (GDPR).

**3.3.2 Specific Requirements**

- **Lawfulness of Processing:** Provider shall process Personal Data following the Customer’s documented instructions and ensure that all Processing activities have a lawful basis under the GDPR.
- **Data Subject Rights:** Provider shall assist the Customer in fulfilling its obligations to respond to data subject requests under the GDPR, including requests for access, rectification, deletion, restriction, or data portability.
- **Subprocessors:** Provider shall ensure that any Subprocessor engaged in Processing is contractually bound to provide protections at least as robust as those outlined in this DPA.
- **Data Protection Impact Assessments (DPIAs):** If required by the GDPR, Provider shall cooperate with the Customer in conducting DPIAs and implementing any necessary measures identified through such assessments.

**4. SUBPROCESSORS**

Provider may engage Subprocessors to process Customer Data on its behalf, provided that each Subprocessor is bound by contractual obligations no less protective than those contained herein. Provider shall notify the Customer before engaging new Subprocessors.

**5. LIABILITY AND INDEMNIFICATION**

**5.1 Limitation of Liability**

Except as required by applicable law, Provider’s total aggregate liability under this DPA shall not exceed the fees paid by the Customer for the Services during the twelve (12) months immediately preceding the event giving rise to the claim.

**5.2 Indemnification**

Each Party shall indemnify, defend, and hold harmless the other Party from and against any claims, losses, or damages arising out of its breach of its obligations under this DPA or any violation of applicable data protection laws, subject to any mandatory provisions under law.

**6. GOVERNING LAW AND DISPUTE RESOLUTION**

- The governing law and jurisdiction for any disputes arising under this DPA shall be as specified in the Main Agreement, subject to any mandatory provisions under applicable data protection laws.
- Any disputes shall be resolved per the dispute resolution procedures outlined in the Main Agreement. In the event of any conflict between this DPA and the Main Agreement, the provisions of this DPA shall govern data processing matters.

**7. MISCELLANEOUS**

**7.1 Entire Agreement**

This DPA, together with the Main Agreement and the Order Forms executed by the Parties, constitutes the entire agreement between the Parties regarding data Processing and supersedes all prior agreements, understandings, or representations related thereto.

**7.2 Amendments**

No amendment to this DPA shall be effective unless it is in writing and signed by both Parties.

**7.3 Severability**

If any provision of this DPA is held invalid or unenforceable, the remaining provisions shall continue in full force and effect.

**7.4 Conditional Applicability**

The jurisdiction-specific provisions in Sections 3.1, 3.2, and 3.3 shall apply only if the Customer’s use of the Services falls within the scope of the respective regulatory framework. Where such regulatory requirements are not applicable, the generic provisions outlined in Sections 2, 4, 5, 6, and 7 shall govern the Processing of Customer Data.

**8. ACCEPTANCE**

By signing the Order Forms linked to the Main Agreement that incorporates this DPA via the provided link, the Customer acknowledges that it has read, understood, and agrees to be bound by the terms of this DPA. The Customer further confirms that executing the Order Form constitutes acceptance of all data protection obligations. The signing of the Service Agreement and any associated Order Forms shall constitute acceptance of this DPA.

[![](https://framerusercontent.com/images/1v1teeWpH0SzUYk5hDKcYFScErY.png?width=180&height=180)](./)

© 2026

[Careers](./careers)

[Blog](./blog)

[Privacy policy](./privacy-policy)

[Cookie policy](./cookie-policy)

[Terms of service](./terms)

[DPA](./dpa)

[LinkedIn](https://www.linkedin.com/company/penseroai/)

[Support](./support)

[Security](https://pensero.trust.site/?ph_distinct_id=undefined&ph_session_id=undefined&ph_source=framer_landing)

![](https://framerusercontent.com/images/iXlw4NDLGJLJbTHbLklPOeLqP5o.svg?width=102&height=20)
