Data Processing Addendum

Pact processes personal data on behalf of its customers. This page summarises the terms of that processing; the bilateral DPA attached to your order form is the binding instrument.

The full counsel-reviewed DPA text is in flight. Until it lands here, the operative DPA for an existing tenant is the one signed with their order form; this page won't override it.

The structural elements of the agreement are:

Roles. Customer is the controller. Pact is the processor. Sub-processors are listed below and refreshed when they change, with at least 30 days' notice for any addition that materially expands the scope of processing.
Sub-processors. Pact uses sub-processors in the following categories: application hosting, managed Postgres database, managed Redis cache, secrets management, CDN + DNS + WAF, frontend hosting, transactional email, and an AI / LLM provider used only for features the customer explicitly enables. The complete sub-processor schedule — including specific provider names, certifications, DPA-on-file dates, and change-notification subscription — is available to customers under their order form. legal@pact.place or view the public schedule on our Trust Center.
Transfers. Standard Contractual Clauses (SCCs) cover EU-to-US data flow. UK and Swiss addenda are available on request.
Security. See the privacy notice for the operative encryption, access-control, and incident-response posture.
Audit. Customers may audit Pact's controls once per year on reasonable notice; the SOC 2 Type II report (in progress) will cover the same controls for most customer audit needs.

For DPA negotiation or a current sub-processor list: legal@pact.place.