Pebb LLC Data Processing Addendum (DPA)
Last Updated: July 22, 2025
This Data Processing Addendum (“DPA”) forms part of the Pebb Terms of Service (the “Agreement”) between Pebb LLC (“Pebb”, “we”, “our”) and the customer entity agreeing to these terms (“Customer”, “you”).
This DPA reflects the parties’ agreement regarding the processing of Personal Data in accordance with applicable Data Protection Laws, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), as amended.
1. Definitions
“Personal Data” means any information relating to an identified or identifiable natural person processed by Pebb on behalf of Customer.
“Processing” means any operation performed on Personal Data, including storage, access, transfer, or deletion.
“Data Protection Laws” means all applicable privacy and data protection laws, including the GDPR, UK GDPR, and CCPA.
“Subprocessor” means any third-party service provider engaged by Pebb to process Personal Data on behalf of Customer.
2. Roles of the Parties
Customer acts as the Data Controller (or “Business” under CCPA).
Pebb acts as the Data Processor (or “Service Provider” under CCPA).
Pebb will process Personal Data solely to provide and improve the services described in the Agreement.
3. Customer Responsibilities
Customer will ensure that it has the necessary legal basis to transfer Personal Data to Pebb.
Customer is responsible for the accuracy, quality, and legality of the Personal Data provided to Pebb.
4. Pebb Responsibilities
Pebb agrees to:
Process Personal Data only in accordance with Customer’s documented instructions.
Implement appropriate technical and organizational measures to protect Personal Data, including:
Encryption at rest and in transit
Access controls and multi-factor authentication
Security logging and monitoring
Limit access to Personal Data to authorized Pebb employees who require access for support, troubleshooting, or maintenance.
Ensure all authorized personnel are bound by confidentiality obligations.
Promptly notify Customer of any Personal Data Breach without undue delay.
Assist Customer in responding to data subject rights requests (access, correction, deletion, etc.).
5. Subprocessors
Pebb may engage trusted third-party Subprocessors to provide the Services. A current list of Subprocessors is available at: https://pebb.io/subprocessor
Pebb will:
Ensure Subprocessors are subject to written agreements with data protection obligations at least as protective as this DPA.
Notify Customer of any new Subprocessors and provide an opportunity to object.
6. International Data Transfers
Pebb is a U.S.-based company, and production servers are hosted on Amazon Web Services (AWS) in U.S. regions.
For transfers of Personal Data from the UK/EU to the U.S., the parties agree to incorporate the EU Standard Contractual Clauses (SCCs) (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum.
Additional safeguards include encryption, strict access controls, and ongoing monitoring.
7. Data Subject Rights
Taking into account the nature of processing, Pebb will assist Customer in fulfilling obligations regarding data subject rights, including:
Right of access
Right to rectification
Right to erasure
Right to data portability
Right to object to processing
8. Security
Pebb maintains a comprehensive security program, including:
Regular penetration testing
Encryption (TLS 1.2/1.3 in transit, AES-256 at rest)
Role-based access controls
Secure software development lifecycle (SDLC)
Continuous monitoring of systems and infrastructure
9. Audits & Certifications
Upon request, Pebb will provide Customer with information necessary to demonstrate compliance with this DPA.
Pebb may allow for on-site audits, subject to reasonable notice and conditions, no more than once annually.
10. Return & Deletion of Data
Upon termination of the Agreement, Pebb will:
Delete or return all Customer Personal Data within 30 days, unless retention is required by law.
Ensure that any Subprocessors also delete such data.
11. Liability & Governing Law
This DPA is governed by the laws specified in the Agreement.
Any disputes shall be handled in accordance with the dispute resolution terms of the Agreement.
12. Miscellaneous
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail.
Pebb may update this DPA to reflect changes in Data Protection Laws, with prior notice to Customer.
Standard Contractual Clauses (SCCs)
The 2021 EU SCCs and the UK Addendum are incorporated by reference into this DPA.