Pinvale

Data Processing Agreement

Last updated: May 23, 2026

This Data Processing Agreement (the "DPA") forms part of, and is incorporated by reference into, the Terms of Service between Mesquite Dev LLC, an Arizona limited liability company operating Pinvale ("Pinvale", "we", "Processor"), and you, the customer ("Customer", "Controller"). By using Pinvale to process personal data of third parties (your leads, your contacts, your teammates), you agree to be bound by this DPA. If your organization requires a counter-signed copy, email legal@pinvale.com and we will return a signed PDF.

1. Definitions

Terms used here that are defined in the EU General Data Protection Regulation ("GDPR") or the UK GDPR carry the meaning given there: "personal data", "processing", "controller", "processor", "data subject", "personal data breach", "supervisory authority". References to "Customer Data" mean any personal data the Customer (or its workspace members) submits to or stores in Pinvale.

2. Roles

The Customer is the Controller of Customer Data. Pinvale is the Processor and processes Customer Data only on the documented instructions of the Customer, which are the Customer's configuration of the Service plus the Terms of Service plus this DPA.

3. Subject matter, duration, nature and purpose

  • Subject matter: processing of Customer Data necessary to provide the Pinvale CRM Service.
  • Duration: for the term of the Terms of Service plus any data-retention period stated in the Privacy Policy (90 days after cancellation, then deletion).
  • Nature: storage, organization, structuring, retrieval, geocoding, display, export, and deletion of Customer Data; email transmission of workspace invites and lifecycle notices.
  • Purpose: to provide the Customer with the Service the Customer has subscribed to.

4. Categories of personal data and data subjects

  • Categories of data subjects:the Customer's leads, the Customer's contacts, the Customer's workspace members (employees / contractors).
  • Categories of personal data: names, business and personal email addresses, business and personal phone numbers, postal addresses, company affiliations, freeform notes the Customer writes, dates and titles of meetings the Customer logs.
  • Special categories: none requested by Pinvale. Customer must not upload special-category data (health, biometric, political opinions, etc.) without first contacting Pinvale to agree additional safeguards. The Service is not designed for special categories.

5. Pinvale's obligations as Processor

Pinvale will:

  1. process Customer Data only on the documented instructions of the Customer (configuration + ToS + this DPA);
  2. ensure persons authorised to process Customer Data are bound by confidentiality (employment contract + onboarding policy);
  3. implement appropriate technical and organisational measures (see Annex A);
  4. assist the Customer in responding to data-subject requests by providing access, export, correction, and deletion tools within the Service (Settings → Account; Settings → Export);
  5. assist the Customer with data-protection impact assessments and consultations with supervisory authorities on request;
  6. at the Customer's choice, delete or return all Customer Data at the end of the Service relationship, in accordance with the retention timeline in the Privacy Policy.

6. Sub-processors

The Customer authorises Pinvale to engage the sub-processors listed in the Pinvale Privacy Policy. Pinvale will impose data-protection obligations on each sub-processor that are equivalent to those in this DPA. Pinvale remains liable to the Customer for any sub-processor's non-compliance.

Pinvale will notify the Customer by email at least 14 days before adding or replacing any sub-processor. The Customer may object on reasonable, documented data-protection grounds; if Pinvale cannot accommodate the objection, the Customer may terminate without penalty.

7. International transfers

Pinvale is established in the United States. When Customer Data is transferred from the EEA, UK, or Switzerland to the United States or another non-adequate country, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module 4 (Processor to Controller) where relevant and Module 2 (Controller to Processor) for the primary flow, with the following selections:

  • Clause 7 (Docking Clause): not applicable.
  • Clause 9 (Sub-processors): Option 2 (general written authorisation), 14 days' notice.
  • Clause 11 (Redress): the optional clause does not apply.
  • Clause 17 (Governing law): laws of Ireland (as a representative EEA jurisdiction).
  • Clause 18 (Choice of forum): courts of Ireland; the data subject retains rights under Clause 18(c).
  • Annex I.A (Parties): Customer (Controller) and Pinvale (Processor); contact details in the Terms of Service.
  • Annex I.B (Description of transfer): Sections 3 and 4 of this DPA.
  • Annex II (Security): Annex A below.
  • Annex III (Sub-processors): the sub-processor list in the Privacy Policy.

For transfers from the UK, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs (issued by the ICO). The SCCs as supplemented by the Addendum apply with references to EU law replaced by the equivalent UK law.

Pinvale will pursue active certification under the EU-US Data Privacy Framework and its UK Extension. Once certified, Customers may rely on the DPF in addition to or in place of the SCCs. Status: pursued, not yet certified as of May 23, 2026.

8. Personal data breach notification

Pinvale will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Data, by email to the Customer's account email and any designated security contact. The notification will describe (so far as known): the nature of the breach, categories and approximate number of affected records, likely consequences, measures taken or proposed. Pinvale will cooperate with the Customer's notification obligations to supervisory authorities and data subjects.

9. Audit rights

On reasonable prior notice and not more than once per year (or more frequently if required by a supervisory authority or following a confirmed personal data breach), the Customer may audit Pinvale's compliance with this DPA. Pinvale will respond to written questionnaires, share most recent third-party security audit reports if any, and make a knowledgeable employee available for a call. Audits will be conducted during business hours and in a manner that does not unreasonably interfere with Pinvale's operations.

10. Termination and return / deletion of data

On termination of the Terms of Service, Customer Data will be retained for 90 days during which the Customer may export it. After 90 days the Customer Data is deleted from production systems; encrypted backups rotate within 30 days of that deletion. If the Customer requests immediate deletion (Settings → Delete my account), retention is reduced to immediate, with no 90-day window.

11. Liability

Liability under this DPA is subject to the limitation of liability in the Terms of Service, except that the limitation does not apply to either party's liability to data subjects under Article 82 GDPR or equivalent.

12. Governing law and jurisdiction

The DPA is governed by the law of the State of Arizona, USA, except the SCCs and UK Addendum incorporated in Section 7, which are governed by the law stated there. Any dispute outside the SCCs is resolved in the state or federal courts of Maricopa County, Arizona.

13. Contact

Data-protection questions, DPA requests, breach notifications: legal@pinvale.com (subject line: DPA).

Annex A. Technical and Organisational Measures

The current measures Pinvale applies to protect Customer Data (updated as the architecture evolves):

  • Encryption in transit: TLS 1.2+ enforced on all public endpoints; HSTS with preload directive; no plaintext HTTP.
  • Encryption at rest: Customer Data is stored in Supabase (managed Postgres) which encrypts data at rest using AES-256.
  • Tenant isolation:row-level security (RLS) enforced on every Customer-data table in Postgres; a tenant cannot read or write another tenant's rows even with a valid session.
  • Access control: production database access is limited to the principal engineer and is granted only via a dedicated service-role key that is rotated on personnel changes. The Pinvale public web application uses a short-lived JWT bound to the signed-in user.
  • Application security: Content Security Policy with per-request nonce and strict-dynamic; X-Frame-Options DENY; X-Content-Type-Options nosniff; constant-time comparisons on cron-secret authorisation; rate limiting on all public endpoints.
  • Authentication:Customer accounts use email + password via Supabase Auth, with password hashing handled by Supabase's managed bcrypt pipeline. Magic-link and OAuth providers may be added in the future.
  • API security: public REST endpoints under /api/v1 require a per-workspace API key minted by an owner or admin; key prefixes are masked in audit logs.
  • Backups: Supabase Pro automated backups, retained 7 days, rotated daily. Backup data is encrypted at rest and inherits the RLS isolation of the source.
  • Vulnerability management: regular static analysis (Biome cognitive-complexity rule); third-party security audits via internal tooling (most recent: 2026-05-22). Public security disclosure programme at /security.
  • Incident response: a single principal engineer monitors error logs (Sentry) and Cloudflare Workers Logs. Breach notification within 72 hours per Section 8 of this DPA.
  • Personnel: all personnel with access to Customer Data are bound by confidentiality and security obligations in their employment or contractor agreement.

Annex A is updated as the architecture evolves. Material reductions in security posture will be notified to Customers at least 30 days in advance with the right to terminate without penalty.