
Data Processing Agreement

Also referred to as Auftragsverarbeitungsvertrag (AVV) under German law.

Last updated: April 28, 2026

This Data Processing Agreement (the "DPA") forms part of the agreement between the customer ("Customer", also referred to as the "Controller") and ARTELL SOLUÇÕES TECNOLÓGICAS LTDA, a limited liability company registered in Brazil (CNPJ 53.540.982/0001-70), trading as Pipeboard ("Pipeboard", "we", or the "Processor"), governing the use of the Pipeboard service (the "Service") under the Pipeboard Terms of Service and Privacy Policy (together, the "Principal Agreement").

This DPA applies whenever Pipeboard processes Personal Data (as defined below) on behalf of the Customer in the course of providing the Service, and is intended to satisfy Article 28 of Regulation (EU) 2016/679 (the "GDPR"), the United Kingdom Data Protection Act 2018 together with the UK GDPR (the "UK GDPR"), and the Swiss Federal Act on Data Protection ("FADP"), to the extent each applies.

By using the Service, the Customer accepts this DPA. The canonical version is maintained as Markdown in the public repository pipeboard-co/Data-Processing-Agreement; the same content is rendered at pipeboard.co/dpa. A counter-signed PDF version is available on request from privacy@pipeboard.co.

Subscribe to changes: click "Watch" on the public repository (Releases or all activity) to receive a GitHub notification on every change, or point a page-monitoring tool of your choice (for example, Visualping, Distill, or Wachete) at this page.

1. Definitions

Capitalized terms used but not defined in this DPA have the meanings given in the Principal Agreement or in applicable Data Protection Laws. For the purposes of this DPA:

  • "Data Protection Laws" means the GDPR, the UK GDPR, the FADP, and any other applicable laws and regulations relating to the protection of Personal Data.
  • "Personal Data", "Controller", "Processor", "Data Subject", "Processing", and "Personal Data Breach" have the meanings given to them in the GDPR.
  • "Customer Personal Data" means the Personal Data Processed by Pipeboard on behalf of the Customer in connection with the Service, as further described in Annex I.
  • "Sub-processor" means any third party engaged by Pipeboard to Process Customer Personal Data, as further described in Annex III.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to third countries pursuant to the GDPR adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021, including any successor or related clauses adopted by a competent authority.
  • "UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner's Office (Version B1.0).

2. Scope and Roles

The Customer is the Controller and Pipeboard is the Processor of Customer Personal Data. Where the Customer acts as a Processor for a third party (the "Ultimate Controller"), Pipeboard acts as a Sub-processor. The Customer represents and warrants that it has all necessary authority and lawful basis to instruct Pipeboard to Process Customer Personal Data as described in this DPA.

For Personal Data that Pipeboard processes for its own purposes (for example, account registration data, billing information, security and abuse prevention, and aggregated service analytics), Pipeboard acts as an independent Controller. Pipeboard's processing of such data is described in our Privacy Policy and is outside the scope of this DPA.

3. Subject Matter, Duration, Nature, and Purpose of Processing

The subject matter, duration, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of Data Subjects are described in Annex I.

4. Customer Instructions

Pipeboard will Process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do so by Union or Member State law to which Pipeboard is subject. In such a case, Pipeboard will inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

The Customer's use of the Service in accordance with the Principal Agreement, including configuration of features, connections to ad and commerce platforms (Meta Ads, Google Ads, Pinterest Ads, TikTok Ads, Snap Ads, Shopify), creation and use of API tokens, scheduled reports, and prompts issued through the Customer's chosen MCP client or AI assistant, constitutes documented instructions for the purposes of this DPA. Additional or different instructions may be issued in writing to privacy@pipeboard.co; Pipeboard will accommodate them where they fall within the scope of the Service and are technically feasible.

Pipeboard will inform the Customer immediately if, in its opinion, an instruction infringes Data Protection Laws.

5. Confidentiality of Personnel

Pipeboard will ensure that all personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Personal Data is restricted to personnel who have a need to know in order to operate, maintain, and support the Service.

6. Security of Processing

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Pipeboard will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as set out in Annex II.

Pipeboard reviews and updates its technical and organizational measures on an ongoing basis. Updated measures will be at least equivalent to those described in Annex II.

7. Sub-processors

The Customer authorizes Pipeboard to engage Sub-processors to Process Customer Personal Data, subject to the conditions set out in this Section 7 and in Annex III.

Pipeboard imposes contractual data protection obligations on each Sub-processor that are no less protective than those set out in this DPA, including the obligation to implement appropriate technical and organizational measures in accordance with Article 28(3) GDPR. Pipeboard remains liable to the Customer for the performance of each Sub-processor's obligations.

The current list of Sub-processors is published, and kept up to date, in the public repository pipeboard-co/Data-Processing-Agreement and rendered at pipeboard.co/dpa. The repository's commit history is the authoritative record of changes. Pipeboard will update the list before engaging a new Sub-processor and will provide at least seven (7) days' advance publication for additions, except where a Sub-processor is engaged on shorter notice for urgent security or service-continuity reasons (in which case the list will be updated as soon as reasonably practicable). Customers may subscribe to changes by clicking "Watch" on the GitHub repository or by pointing a page-monitoring tool of their choice at the rendered DPA page.

If the Customer reasonably objects to a new Sub-processor on data-protection grounds, the Customer should write to privacy@pipeboard.co and the parties will discuss the objection in good faith. If no resolution is reached, the Customer may stop using the affected feature of the Service.

Pipeboard does not consider its hyperscale infrastructure providers (such as Vercel, Supabase, and AWS) to be Sub-processors of any Personal Data they cannot in practice read in cleartext as a result of encryption in transit and at rest combined with access controls; nevertheless, those providers are listed in Annex III for transparency.

8. Assistance with Data Subject Rights

Taking into account the nature of the Processing, Pipeboard will assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Chapter III GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).

Where a Data Subject contacts Pipeboard directly with a request relating to Customer Personal Data, Pipeboard will promptly forward the request to the Customer and will not respond on the substance of the request itself, unless the Customer instructs Pipeboard to do so. Customers can also delete the data of an end user themselves by following the steps on the User Data Protection page.

9. Personal Data Breaches

Pipeboard will notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will, to the extent then known, describe:

  • the nature of the Personal Data Breach,
  • the categories and approximate number of Data Subjects concerned,
  • the categories and approximate number of records concerned,
  • the likely consequences of the Personal Data Breach, and
  • the measures taken or proposed to address the Personal Data Breach and to mitigate its possible adverse effects.

Pipeboard will provide reasonable cooperation and information to assist the Customer in fulfilling its own notification obligations under Articles 33 and 34 GDPR. Notifications will be sent to the email address associated with the Customer's account; the Customer is responsible for keeping that address current.

10. Data Protection Impact Assessments and Prior Consultation

Taking into account the nature of the Processing and the information available to Pipeboard, Pipeboard will provide reasonable assistance to the Customer in carrying out data protection impact assessments and prior consultations with supervisory authorities under Articles 35 and 36 GDPR.

11. International Data Transfers

Pipeboard's production infrastructure is hosted in the United States (Vercel edge regions, Supabase on AWS us-east-1, and DigitalOcean droplets that operate the MCP gateway nodes). Customer Personal Data may therefore be transferred to, and Processed in, the United States and other countries in which Pipeboard or its Sub-processors operate, including Brazil (where Pipeboard is established).

Where Customer Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country that is not subject to an adequacy decision under the relevant Data Protection Laws, the parties agree that such transfer is governed by the Standard Contractual Clauses, which are hereby incorporated into this DPA by reference, with the following selections and completions:

  • Module: Module Two (Controller-to-Processor) where the Customer is a Controller; Module Three (Processor-to-Processor) where the Customer is itself a Processor.
  • Clause 7 (Docking clause): applies.
  • Clause 9 (Use of sub-processors): Option 2 (general written authorization) applies, with the change-publication mechanism set out in Section 7 of this DPA.
  • Clause 11 (Redress): the optional independent dispute resolution language does not apply.
  • Clause 17 (Governing law): the laws of Ireland.
  • Clause 18 (Choice of forum and jurisdiction): the courts of Ireland.
  • Annex I.A (List of Parties): the Customer (data exporter) and Pipeboard (data importer), with contact details as in the Principal Agreement and in Section 18 below.
  • Annex I.B (Description of Transfer): as set out in Annex I to this DPA.
  • Annex I.C (Competent supervisory authority): the supervisory authority of the Member State in which the Customer is established, or where the Customer is established outside the EEA, the Irish Data Protection Commission.
  • Annex II (TOMs): as set out in Annex II to this DPA.
  • Annex III (List of sub-processors): as set out in Annex III to this DPA.

For transfers from the United Kingdom, the parties agree that the UK Addendum applies and is hereby incorporated, with Tables 1, 2, and 3 completed by reference to the foregoing selections and Annexes, and Table 4 set so that neither party may end the UK Addendum on the basis of changes to the Approved Addendum.

For transfers from Switzerland, the SCCs apply with the modifications required by the Swiss Federal Data Protection and Information Commissioner: references to the GDPR are construed as references to the FADP, and the competent supervisory authority is the Swiss FDPIC for data subjects in Switzerland.

12. Audits

Pipeboard will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.

The Customer's audit right will ordinarily be satisfied by Pipeboard providing, on written request and subject to reasonable confidentiality undertakings, copies of its then-current Security Profile, Data Classification, Handling, Protection and Retention Policy, sub-processor list, and any third-party audit reports of its Sub-processors that Pipeboard is permitted to share. Where the Customer reasonably determines that this information is insufficient, the Customer may, at its own expense and on at least thirty (30) days' prior written notice (or with shorter notice in the event of a Personal Data Breach or as required by a competent supervisory authority), request an on-site audit of Pipeboard's relevant facilities, no more than once per twelve-month period. Audits must be conducted during normal business hours, must not unreasonably interfere with Pipeboard's operations, and may be conducted by an independent third-party auditor acceptable to both parties under appropriate confidentiality obligations.

13. Return and Deletion

At the choice of the Customer, Pipeboard will delete or return all Customer Personal Data after the end of the provision of services relating to Processing, and delete existing copies, unless storage is required by Union or Member State law.

The Customer may at any time use the in-product self-service deletion controls (see the User Data Protection page) or write to privacy@pipeboard.co to request deletion. Deletion is performed within thirty (30) days of the request and propagates to backups in accordance with Pipeboard's standard backup rotation. Logs containing Customer-related metadata are retained for up to thirty (30) days from creation and are deleted automatically thereafter.

14. Liability

Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Principal Agreement. Nothing in this DPA limits any liability that cannot be excluded or limited under applicable law, including liability of a party to a Data Subject under Article 82 GDPR.

15. Term and Termination

This DPA takes effect on the date of acceptance and remains in force for as long as Pipeboard Processes Customer Personal Data on behalf of the Customer. Sections that by their nature survive termination (including Sections 9, 12, 13, and 14) will continue to apply.

16. Order of Precedence and Changes

In the event of any conflict between this DPA and the Principal Agreement, this DPA will prevail to the extent of the conflict. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail to the extent of the conflict.

Pipeboard may update this DPA from time to time. Each update is published as a commit in the public repository pipeboard-co/Data-Processing-Agreement; the commit history is the authoritative change log. Where a change materially reduces the protection afforded to Customer Personal Data, Pipeboard will additionally announce the change at least seven (7) days in advance via email to the Customer's account contact and via the GitHub release notes.

17. Governing Law

This DPA is governed by the law specified in the Principal Agreement, except that the Standard Contractual Clauses are governed by the law identified in Section 11 and the UK Addendum is governed by the laws of England and Wales.

18. Contact

For matters relating to this DPA, including data protection questions, sub-processor notifications, audit requests, and deletion requests, please contact:

ARTELL SOLUÇÕES TECNOLÓGICAS LTDA
R 72, 223 Quadra C16 Lote 12/15 Sala 1507, Cond QS 01, Jd Goias
Goiânia, GO, Brazil, CEP 74805-480
CNPJ: 53.540.982/0001-70
Email: privacy@pipeboard.co
Web: https://pipeboard.co

No formal Data Protection Officer (DPO) is appointed; Pipeboard's privacy contact for all inquiries is privacy@pipeboard.co.


Annex I — Description of Processing

A. List of Parties

Data exporter / Controller: the Customer, as identified in its Pipeboard account.

Data importer / Processor: ARTELL SOLUÇÕES TECNOLÓGICAS LTDA (Pipeboard), contact details in Section 18.

B. Subject Matter and Duration

Subject matter: the provision of the Pipeboard Service, including the MCP gateway, web application, scheduled reports, and AI-assisted analysis and management of advertising and commerce data on connected platforms.

Duration: for the term of the Principal Agreement, plus any additional period during which Pipeboard is required to retain Customer Personal Data to provide the Service or to comply with applicable law.

C. Nature and Purpose of Processing

Pipeboard Processes Customer Personal Data in order to: (i) authenticate users via email/password or OAuth providers; (ii) read and, where the Customer instructs, modify advertising and commerce data on connected platforms (Meta Ads, Google Ads, Pinterest Ads, TikTok Ads, Snap Ads, Shopify); (iii) generate insights, reports, and recommendations through the Customer's chosen MCP client or AI assistant; (iv) operate, secure, monitor, and support the Service; and (v) bill the Customer.

D. Types of Personal Data

  • Account data: name, email address, hashed password (where email/password sign-in is used), provider user ID for OAuth sign-ins (Facebook, Google, GitHub, SSO).
  • Authentication tokens: OAuth access and refresh tokens for Meta Ads, Google Ads, Pinterest Ads, TikTok Ads, Snap Ads, and Shopify; Pipeboard API tokens. Stored encrypted.
  • Advertising and commerce data: ad account, campaign, ad group, ad, creative, audience, keyword, placement, and performance metrics retrieved from the connected platforms; pixel and conversion configuration metadata; identifiers of ad accounts, business managers, MCC accounts, advertisers, organizations, and Shopify shops.
  • Shopify-customer data (only where the Customer enables features that require it): Pipeboard accesses Shopify customer personal data only to the extent necessary to provide the requested feature, in accordance with Shopify's Protected Customer Data requirements.
  • Service usage and operational metadata: request and response metadata for MCP and HTTP requests (timestamps, tool name, request ID, status, duration, response size), error events, IP addresses, user-agent strings, and other technical telemetry.
  • Billing data: billing email, company name, billing address, tax ID/VAT, and Stripe customer/subscription identifiers. Card numbers are processed directly by Stripe and are not stored by Pipeboard.
  • Support and communications data: messages exchanged with Pipeboard support (for example, via Crisp) and the email address used.

E. Special Categories of Personal Data

The Service is not designed to Process special categories of Personal Data within the meaning of Article 9 GDPR or data relating to criminal convictions and offences. The Customer is responsible for not entering, uploading, or instructing Pipeboard to retrieve such data unless the parties have agreed in writing on additional safeguards.

F. Categories of Data Subjects

  • The Customer's users and team members who access the Service.
  • The Customer's end users and prospects whose information appears in the connected advertising or commerce platforms (for example, Shopify customers, where that feature is enabled by the Customer).
  • Authorized contacts of the Customer (for example, billing and security contacts).

G. Frequency of Transfer

Continuous, on a transactional basis, for the duration of the Service.

H. Retention

  • User account data: retained for the duration of the account, and deleted within thirty (30) days after account closure or a verified deletion request.
  • OAuth tokens and Pipeboard API tokens: retained while the account is active or until revoked by the Customer; deleted on account closure.
  • Advertising and commerce data accessed via platform APIs: not retained long-term; cached briefly (typically minutes to a few hours) for performance and reliability. Pipeboard may store a small per-user cache of recent aggregate metrics and the ad-account list to accelerate Insights reports.
  • Application and request logs: retained for up to thirty (30) days, then deleted automatically.
  • Backups: encrypted and retained according to the managed database provider's backup rotation schedule; Personal Data deleted from the live database is purged from backups once those backups age out of that rotation.
  • Billing records: retained for as long as required by tax and accounting law applicable to Pipeboard.

Annex II — Technical and Organizational Measures

Pipeboard maintains the following technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, in line with Article 32 GDPR.

1. Pseudonymization and Encryption

  • In transit: all traffic to and from the Service is protected by TLS 1.2 or higher.
  • At rest: Customer Personal Data stored in Pipeboard's managed PostgreSQL database (Supabase on AWS) is encrypted at rest using AES-256. Backups are encrypted.
  • Application-level: sensitive credentials (OAuth tokens, API tokens) are stored with additional application-level controls and are never returned to the client.

2. Confidentiality, Integrity, Availability, and Resilience

  • Access control: least-privilege access; row-level security (RLS) enforced at the database level so each user can only access their own records; administrative features gated and require explicit authorization; no shared credentials or standing access to production data.
  • Authentication: Pipeboard sign-in via email/password or OAuth providers (Facebook, Google, GitHub, corporate SSO via SAML/OIDC) using authentication flows aligned with current best practices, including the authorization-code flow with PKCE.
  • Network security: all production endpoints are served over HTTPS; MCP gateways behind nginx with TLS termination.
  • Application security: TypeScript strict mode, parameterized database queries, input validation via Zod schemas, dependency scanning via GitHub Dependabot, automated tests (Jest), pre-commit linting and formatting, and code review before merge to production branches.
  • Resilience: serverless application hosting with auto-scaling and automated recovery; managed PostgreSQL with multi-AZ availability and automated backups with point-in-time recovery; target recovery time objective (RTO) of one hour for the application and four hours for the database.

3. Restoration of Availability

Backups are performed automatically on a regular schedule by the managed database provider, are encrypted, and are tested in line with the provider's standards. The full codebase is maintained in version control (Git), enabling rapid redeployment.

4. Testing, Assessment, and Evaluation

  • Automated CI/CD pipeline with build, lint, and test gates required before merge to production branches.
  • Continuous dependency scanning and automated upgrade pull requests for security patches.
  • Public bug bounty program; vulnerability remediation targets aligned with severity (Critical: 24 hours, High: 7 days, Medium: 30 days).
  • Annual review of policies and security controls; ad-hoc review after material changes to the architecture or sub-processor list.

5. Logging and Monitoring

  • Structured logging of MCP and HTTP requests (request ID, user ID, tool name, status, duration) via OpenTelemetry, exported to SigNoz.
  • Product analytics via PostHog; anomalies and error events surfaced through dashboards and alerts.
  • Logs containing Customer-related metadata are retained for up to thirty (30) days.

6. Personnel and Organizational Measures

  • Personnel are bound by confidentiality obligations and receive role-appropriate security guidance.
  • Documented internal policies covering incident response, vulnerability management, secure development, change management, and data classification, handling, protection, and retention.
  • Documented incident response procedure aligned with the GDPR's 72-hour notification requirement.

7. AI-Specific Measures

  • Pipeboard does not use Customer Personal Data or connected advertising and commerce data to train AI models. If we ever introduce features that benefit from cross-account learning, we will provide advance notice and an account-level opt-out before any such use.
  • Where Pipeboard sends data to a hosted LLM provider on the Customer's instructions, only the data necessary for the requested operation is sent, and the provider is configured with privacy-preserving and no-training settings where available.
  • Pipeboard does not allow human review of Google user data without the affirmative agreement of the user, except where necessary for security, to comply with applicable law, or in aggregated and anonymized form for internal operations.

Annex III — Sub-processors

Pipeboard engages the following Sub-processors to support the delivery of the Service. Each Sub-processor is bound by a written contract that includes data protection obligations no less protective than those in this DPA.

Sub-processor | Purpose | Location
Vercel Inc. | Application hosting and global CDN | United States (global edge)
Supabase Inc. (operating on Amazon Web Services) | Managed PostgreSQL database, authentication, file storage | United States (us-east-1)
DigitalOcean LLC | MCP gateway hosting (mcp1, mcp2 nodes) | United States
Stripe, Inc. | Payment processing, billing, tax handling | United States
Anthropic, PBC | Hosted LLM inference (used only on Customer instruction; no training on Customer data) | United States
OpenAI, L.L.C. | Hosted LLM inference (used only on Customer instruction; no training on Customer data) | United States
GitHub, Inc. | Source-code hosting and CI/CD (build and deployment automation) | United States
SigNoz Inc. | Application observability and structured log/trace storage | United States
PostHog Inc. | Product analytics and feature flags | United States / European Union
Customer.io, Inc. | Transactional and lifecycle email delivery | United States
Crisp IM SAS | Customer support messaging | European Union (France)

The list above is current as of the date stated at the top of this DPA. The authoritative, current list lives in pipeboard-co/Data-Processing-Agreement on GitHub; the commit history is the change log. Subscribe to changes by clicking "Watch" on the repository.

Note on connected advertising and commerce platforms: Meta, Google, Pinterest, TikTok, Snap, and Shopify are independent Controllers of the data on their platforms. Pipeboard accesses those platforms on the Customer's instructions under the Customer's own platform credentials, and does not engage them as Sub-processors of Customer Personal Data.