Data Processing Agreement (DPA)
This Data Processing Agreement (“Agreement”) forms part of the Terms of Service between Pendul.ai (“Processor”) and the Customer (“Controller”) regarding the processing of personal data under applicable data protection laws (including UK GDPR and EU GDPR).
1. Subject Matter and Duration
This Agreement covers the processing of personal data necessary for providing the Pendul.ai Service.
Processing will continue for as long as the Controller uses the Service.
2. Nature and Purpose of Processing
The Processor will process data for the purposes of:
- Managing connected social media accounts;
- Generating, scheduling, and publishing content;
- Providing analytics and customer support;
- Hosting and maintaining the platform infrastructure.
3. Categories of Data Subjects
Data subjects may include:
- Controller’s employees or agents;
- Controller’s social media followers, customers, or contacts;
- End users interacting with social media content.
4. Categories of Personal Data
Data processed may include:
- Names, email addresses, usernames;
- Social media account identifiers;
- Uploaded text, images, or metadata;
- Engagement analytics and statistics.
5. Obligations of the Processor (Pendul.ai)
Pendul.ai shall:
- Process data only on documented instructions from the Controller;
- Implement appropriate technical and organisational measures to protect data;
- Ensure personnel confidentiality;
- Assist the Controller in responding to data subject requests;
- Notify the Controller promptly of any data breach;
- Delete or return personal data upon termination, unless legally required to retain it;
- Maintain records of processing activities;
- Cooperate with supervisory authorities as required.
6. Subprocessors
Pendul.ai may engage subprocessors (e.g., AWS, Stripe, SendGrid).
We will ensure all subprocessors are bound by equivalent data protection obligations.
A current list of subprocessors is available upon request.
7. International Transfers
Any transfer of data outside the UK/EEA shall comply with applicable data transfer mechanisms (e.g., SCCs or adequacy decisions).
8. Controller Responsibilities
The Controller shall:
- Ensure data shared with Pendul.ai is lawfully collected;
- Provide a lawful basis for processing;
- Manage social media integrations in compliance with platform terms.
9. Security and Incident Notification
Pendul.ai will notify the Controller without undue delay after becoming aware of any personal data breach and will provide:
- Details of the incident;
- Likely consequences;
- Measures taken to mitigate risks.
10. Data Return or Deletion
Upon termination or request, Pendul.ai will delete or return all personal data (unless retention is required by law).
11. Liability and Indemnity
Each party’s liability under this Agreement shall be subject to the limitations of liability in the main Terms of Service.
12. Governing Law and Jurisdiction
This DPA shall be governed by the laws of England and Wales, and disputes will be subject to the exclusive jurisdiction of the English courts.