Data Processing Agreement Template — PipSync

Between:

Data Controller:The Customer identified in the PipSync Order Form / Service Agreement ("Customer", "Controller")

Data Processor: PipSync Ltd (in incorporation)
Email: [email protected]

Preamble

This Data Processing Agreement ("DPA") forms part of the PipSync Terms of Service or any other agreement between the Parties governing the Customer's use of the PipSync platform ("Principal Agreement"). It establishes the terms under which PipSync processes Personal Data on behalf of the Customer in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").

Article 1 — Nature, Purpose, and Scope of Processing

PipSync processes Personal Data solely to provide the services described in the Principal Agreement, including: user authentication, trading signal ingestion and execution, ML-based automated trading, performance analytics, customer support, and billing.

Processing occurs only on documented instructions from the Customer.

Article 2 — Categories of Personal Data

Identification data (name, email, user ID)
Authentication data (hashed passwords, OAuth tokens)
Financial data (subscription status, billing address, payment references)
Trading data (broker account identifiers, signals, trade records, P&L)
Technical data (IP address, device/browser, session tokens)
Communications data (support ticket content)
Behavioural data (usage events, audit log entries)

Article 3 — Processor Obligations

PipSync commits to:

Process data only on Controller's documented instructions
Bind all authorised personnel to confidentiality
Implement appropriate technical and organisational security measures (see Annex 2)
Assist with data subject rights (Art. 12–22 GDPR)
Notify the Controller of data breaches within 48 hours
Delete or return all data within 30 days of termination
Enable audits (with reasonable advance notice)

Article 4 — Sub-processors

Approved sub-processors are listed below. PipSync will notify the Controller 30 days in advance of any changes.

Sub-processor	Location	Purpose	Safeguard
Hetzner Online GmbH	Germany (EU)	Infrastructure hosting	EU — no transfer
Stripe Payments Europe Ltd	Ireland (EU)	Payment processing	EU entity
Stripe, Inc.	USA	Stripe network gateway	SCCs Module 2
Anthropic, Inc.	USA	AI signal analysis (LLM)	SCCs Module 2 + TIA
OpenAI OpCo LLC	USA	AI signal analysis (fallback)	SCCs Module 2 + TIA
Google LLC	USA	AI signal analysis (fallback)	SCCs Module 2 + TIA
mailbox.org / Heinlein Support GmbH	Germany (EU)	Transactional email	EU — no transfer

Full SCC texts and transfer-impact assessments available on written request to [email protected]. See also: Sub-processor list.

Article 5 — Third-Country Transfers

PipSync processes all primary data within the EU/EEA (Hetzner Cloud, Germany). Transfers to third countries are limited to the sub-processors listed above and governed by Standard Contractual Clauses.

Article 6 — Security Measures (Summary)

AES-256 encryption at rest for credentials and OAuth tokens
TLS 1.2+ for all data in transit
Role-based access control; SSH-key-only admin access
Daily automated backups (30-day retention)
Append-only audit log
sendDefaultPii: false in Sentry error monitoring; performance consent required for traces

Article 7 — Governing Law

This DPA is governed by the laws of the Republic of Cyprus. Disputes are subject to the exclusive jurisdiction of the courts of Nicosia, Cyprus.

Request a Signed DPA

Enterprise customers require a countersigned DPA

If you need a countersigned copy of this DPA for your compliance records, or if you require the German version (Auftragsverarbeitungsvertrag), please contact:

Request signed DPA — [email protected]

Data Processing Agreement (Art. 28 GDPR)