Data Processing Addendum (“DPA”)

Last updated: 28 August 2025

This DPA is by and between:

  • The entity or person defined as “Client” under the Terms (“Client”) and,

  • Pipedrive (meaning the legal entity with which Client has a contractual relationship according to the Terms, “Pipedrive”).

Client and Pipedrive are also referred to as a “Party” and collectively as the “Parties”.

This DPA forms part of and is subject to the Pipedrive Terms of Service, available at https://www.pipedrive.com/en/terms-of-service (“Terms”). This DPA shall take effect upon Client’s acceptance, or other execution, of the Terms and shall continue in accordance with the provisions here.


1. Background

1.1 The Client has agreed to the Terms, according to which Pipedrive has agreed to provide certain services to Client (“Services”).

1.2 When providing the Services, Pipedrive may collect, gain access to, or otherwise Process Personal Data of individuals (Data Subjects) on behalf of Client. Unless otherwise agreed to between the Parties, Client will be the Data Controller, and Pipedrive will be the Data Processor of such Personal Data.

1.3 This DPA specifies the data protection obligations of the Parties under the Terms. It applies to all activities performed by Pipedrive in connection with the Terms in which Pipedrive, its staff, or a third party acting on behalf of Pipedrive comes into contact with Personal Data as a Data Processor on behalf of the Client.

1.4 The DPA is based on the provision of Article 28 of the GDPR and the definitions contained in the GDPR. Annex 1 to this DPA specifies the jurisdiction-specific requirements for California.

1.5 If there is a conflict between the terms of the Terms and those of this DPA, the provisions of this DPA will prevail.

2. Definitions

2.1 All capitalized terms used herein and not otherwise defined herein, shall have the meaning ascribed to such term in the Terms.

2.2 “Brazil Standard Contractual Clauses” means “Annex II – Standard contractual clauses” of the Regulation on International Transfer of Personal Data (Resolution CD/ANPD No. 19 of August 23, 2024) issued by the Brazil Autoridade Nacional de Proteção de Dados (“ANPD”) as set forth here: https://www.gov.br/anpd/pt-br/centrais-de-conteudo/outros-documentos-e-publicacoes-institucionais/regulation-on-international-transfer-of-personal-data.pdf.

2.3 “Data Controller” means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

2.4 “Data Processor” means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.

2.5 “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective Party in the role of Processing Personal Data in question under the Terms, including but not limited to the European Union Regulation 2016/679 (the “General Data Protection Regulation” or “GDPR”), the United Kingdom Data Protection Act of 2018 and the European Union Regulation 2016/679 as applicable by virtue of Section 3 of the European Union (Withdrawal) Act of 2018 and as amended by Schedule 1 to the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419) (the “UK GDPR”), the Swiss Federal Data Protection Act (the “Swiss DPA”) as revised on 25 September 2020, as well as the California Consumer Privacy Act (the “CCPA”), in each case as amended, repealed, consolidated or replaced from time to time.

2.6 “Data Subject” means the individual to whom Personal Data relates.

2.7 “Instructions” means the written, documented instructions issued by Client to Pipedrive, including by using the Services, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, deleting or making available).

2.8 “Personal Data” means any information relating to an identified or identifiable individual (Data Subject) where such information is contained within Client Data and is recognised as personal data, personal information or personally identifiable information under Data Protection Laws.

2.9 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Pipedrive and/or its Sub-Processors in connection with the provision of the Services. Personal Data Breach will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

2.10 “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction or erasure of Personal Data. The terms “Process”, “Processes” and “Processed” will be construed accordingly.

2.11 “Processor-to-Processor Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of personal data to third countries set out in Commission Decision 2021/914 of 4 June 2021, specifically including Module 3 (Processor to Processor); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner, in each case as amended, updated or replaced from time to time.

2.12 “Sub-Processor” means any Data Processor engaged by Pipedrive to assist in fulfilling its obligations with respect to the provision of the Services under the Terms.

2.13 “Standard Contractual Clauses” means (i) in respect of transfers of Personal Data subject to the GDPR, the standard contractual clauses for the transfer of Personal Data to third countries set out in Commission Implementing Decision 2021/914 of 4 June 2021, available at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj, specifically including Module 2 (Controller to Processor) and Module 3 (Processor to Processor) (“EU SCCs”); and (ii) in respect of transfers of Personal Data subject to the UK GDPR, the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses (version B.1.0) issued by the UK Information Commissioner (“UK Addendum”), available at https://ico.org.uk/for-organisations/uk-gdpr-guidance-and-resources/international-transfers/international-data-transfer-agreement-and-guidance/, in each case as amended, updated or replaced from time to time.

2.14 “Third Country” means any country or territory outside of the scope of the data protection laws of the European Economic Area or the UK, as relevant, excluding countries or territories approved as providing adequate protection for Personal Data by the relevant competent authority from time to time.

2.15 “UK Addendum” means the International Data Transfer Addendum issued by the United Kingdom Information Commissioner’s Office and laid before Parliament in accordance with s119A(1) of the Data Protection Act 2018 on 2 February 2022.

3. Details of Processing

3.1 Purpose of Processing. Subject to Section 5.1 below, Pipedrive will Process Personal Data in connection with the Terms only for the purpose of providing and maintaining the Services. Pipedrive will carry out the Processing operations in accordance with the Terms, as well as any reasonable Instructions received from Client that do not conflict with the provisions of this DPA, the Terms, or Data Protection Laws. Copies or duplicates of any Personal Data made available hereunder may only be compiled as may be technically required for the provision of the Services, or required for lawful data retention.

3.2 Nature of Processing. Pipedrive is a cloud-based, self-service, SaaS (software as a service) CRM (customer relationship management) tool. Personal Data will be Processed in accordance with the Terms and may be subject to the following Processing activities:

  • Storage and other Processing necessary to provide and maintain the Services; and
  • Disclosure in accordance with the Terms and/or as compelled by applicable laws.

3.3 Controller Instructions. The Parties agree that the Terms together with the Client’s use of the Services constitute the Client’s complete and final Instructions to Pipedrive in relation to the Processing of Personal Data, and any additional Instructions outside the scope of the Instructions shall require prior written agreement between the Parties.

3.4 Categories of Data Subjects. Pipedrive will not have any knowledge or control over the categories of Data Subjects whose Personal Data the Client may elect to record or upload into the Services, except as provided in the Terms. Personal Data to which Pipedrive may receive access usually concerns, in particular, the following categories of Data Subjects:

  • Client’s directors, officers, employees, interns, trainees, agents, contractors, job applicants, customers, suppliers, subcontractors, business contacts; and
  • Any other individuals for whom Client enters Personal Data or information into the Services.

3.5 Categories and Nature of Personal Data. Pipedrive will not have any knowledge or control over the categories or nature of the Personal Data that Client may elect to record or upload into the Services, except as provided in the Terms. The Processing activities will generally include the following categories of Personal Data:

  • Name, title, street address, email address, phone number, other contact information;
  • Customer history;
  • IP addresses;
  • Free-text notes, such as references and meeting notes, as entered by Client; and
  • Other data collected by Client and entered or uploaded into the Services, the nature of which is determined solely by Client.

In accordance with the restrictions of Section 7.3 of the Terms, the Parties do not anticipate the Processing of Sensitive Information.

4. Client’s Obligations

4.1 Compliance with Laws. Within the scope of the Terms and in their use of the Services, Client will be responsible for complying with all requirements that apply to them under Data Protection Laws and other applicable laws with respect to their Processing of Personal Data and the Instructions they issue to Pipedrive. Pipedrive has no obligation to assess Client Data in order to identify information subject to any specific legal requirements.

4.2 In particular, but without prejudice to the generality of the foregoing, Client acknowledges and agrees that they will be solely responsible for:

4.2.1 The accuracy, quality, and legality of Personal Data and the means by which they acquired Personal Data;

4.2.2 Complying with all necessary transparency and lawfulness requirements under Data Protection Laws for the collection and use of the Personal Data, including providing the necessary notifications and obtaining any necessary consents and authorizations (particularly for use by Client for marketing purposes);

4.2.3 Ensuring Client has the right to transfer, or provide access to, the Personal Data to Pipedrive for Processing in accordance with the Terms;

4.2.4 Ensuring that Client’s Instructions to Pipedrive regarding the Processing of Personal Data comply with applicable laws, including Data Protection Laws; and

4.2.5 Complying with all laws (including Data Protection Laws) applicable to any emails or other content created, sent or managed through the Services, including those relating to obtaining consents (where required) to send emails, the content of the emails and its email deployment practices.

4.3 Client will inform Pipedrive without undue delay if Client is not able to comply with its responsibilities under this Section 4 or Data Protection Laws.

5. Pipedrive’s Obligations

5.1 Scope of Processing. Pipedrive commits to Processing Personal Data received within the scope of the Terms only based on the documented Instructions from the Client. This does not apply to cases in which Pipedrive is obliged to Process Personal Data under European Union or European Union Member State law to which Pipedrive is subject. In such a case, Pipedrive shall inform the Client of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.

5.2 Confidentiality. Pipedrive will ensure that persons authorized to Process Personal Data have committed themselves to confidentiality concerning Personal Data or are under an appropriate statutory obligation of confidentiality.

5.3 Qualified Personnel. Pipedrive will use qualified personnel with data protection training to provide the Services.

5.4 Instructions to Personnel. Pipedrive will oblige its personnel to Process Personal Data only in accordance with the Terms and any Instructions received from Client.

5.5 Notification of Violation. Pipedrive will notify Client without undue delay if Pipedrive is of the opinion that an Instruction received from Client is in violation of Data Protection Laws and/or in violation of contractual duties under the Terms.

5.6 Notification of Personal Data Breach and Cooperation. Pipedrive will notify Client’s designated Account Administrator(s) (or the applicable User(s)) via email or other appropriate means without undue delay (with a targeted notification time of no greater than 72 business hours) after becoming aware of a Personal Data Breach involving Personal Data for which Client is the Data Controller, and will assist Client in fulfilling its statutory obligations under Data Protection Laws taking into account the nature of Processing and the information available to Pipedrive. If the assistance requested by the Client exceeds reasonable cooperation or imposes an undue burden on Pipedrive, Pipedrive reserves the right to charge a fee for the provision of this additional assistance and cooperation. Pipedrive’s notification of a Personal Data Breach will not be, and shall not be, construed as an acknowledgement by Pipedrive of any fault or liability with respect to the Personal Data Breach. Notwithstanding the foregoing, Pipedrive may notify Client via status page or Account when the Services are temporarily unavailable or malfunctioning.

5.7 Third Parties. Pipedrive will keep confidential and will not make available any Personal Data received in connection with the Services to any third party except in accordance with the Terms or as required by applicable law.

5.8 Data Subjects’ Requests. Taking into account the nature of the Processing, Pipedrive will support Client by implementing appropriate technical and organisational measures in fulfilling the rights of the Data Subject, as laid down in Chapter III of the GDPR, including but not limited to the correction, objection to the Processing of, deletion, and provision of Personal Data. If so instructed by Client, and if feasible, Pipedrive will correct, delete, and take other required actions with the Personal Data in accordance with Client’s Instructions. Considering the self-service nature of the Services, Client understands that they can undertake many of those actions themselves within the Services and that Pipedrive’s obligations under this Section 5.8 may be satisfied by directing Client to such features and functionalities permitting Client’s self-service as necessary to address any requests. If a Data Subject contacts Pipedrive directly in order to have their Personal Data corrected, deleted, or to use any other rights under Chapter III of the GDPR, Pipedrive will instruct the Data Subject to contact the Data Controller without undue delay after receipt of such request.

5.9 Security. Taking into account the nature of Processing and the information available to Pipedrive, Pipedrive will assist Client in ensuring compliance with its obligations under Article 32 of the GDPR regarding security of Processing.

5.10 Cooperation with Supervisory Authorities. Pipedrive will use reasonable efforts to fully cooperate and to comply with any instructions, guidelines, and orders received from the relevant supervisory authority when such instructions, guidelines, or orders pertain to the Personal Data.

5.11 Deletion and Return of Personal Data. Upon termination of Services under the Terms or, if applicable, an agreed exit phase, Pipedrive will, in accordance with Client’s Instructions, either delete or return all Personal Data to Client unless Pipedrive is under a legal obligation to retain the Personal Data or to the extent the Personal Data is a part of Pipedrive’s regular back-up files or archive systems. The return and deletion of the Personal Data shall be deemed to have been achieved via Client initiating the export or deletion (as the case may be) of such Personal Data via the user interface or through Pipedrive support in-app made available by Pipedrive and noted as completed by Pipedrive. If the Client terminates the Services but does not give any Instructions, Pipedrive will delete the Personal Data as follows:

  • The contents of closed Accounts are typically deleted within 180 days of the date of closure;
  • The contents of closed Free Trial Accounts are typically deleted within 60 days of the date of closure; and
  • Server archival backups are typically kept for 90 days.

5.12 Data Protection Impact Assessment and Prior Consultation. To the extent that the required information is reasonably available to Pipedrive, and Client does not otherwise have access to the required information, Pipedrive will provide reasonable assistance to Client with any data protection impact assessments and prior consultations with supervisory authorities or other competent data privacy authorities to the extent required by Data Protection Laws.

6. Sub-Processors

6.1 General Authorization. Client grants Pipedrive a general authorization in line with Article 28(2) of the GDPR to engage Sub-Processors for the purposes of providing the Services.

6.2 Authorized Sub-Processors. Client authorizes Pipedrive’s engagement of the Sub-Processors listed in www.pipedrive.com/subprocessors. Pipedrive shall ensure that authorized Sub-Processors comply with the conditions provided for in Section 6.5 below at all times during provision of the Services.

6.3 Notification of Changes in Sub-Processors. Pipedrive shall provide Client notification prior to the appointment of any new Sub-Processor (irrespective of whether such new Sub-Processor is appointed for carrying out an existing Processing function or a new Processing function). The notification will be sent via email to the designated account Administrator(s). Upon notification regarding Pipedrive’s intention to engage a new Sub-Processor, Client may object to such engagement on good faith grounds relating to data protection by notifying Pipedrive promptly in writing via email at [email protected] within ten (10) calendar days after receipt of Pipedrive's notice.

6.4 Objection to New Sub-Processor. In the event that Client objects to the use of any Sub-Processor, Pipedrive will recommend to Client commercially reasonable changes in the configuration or use of the Services to avoid Processing of Personal Data by the proposed Sub-Processor. If Pipedrive is unable to assist Client with its objection regarding engagement of a Sub-Processor within a reasonable period of time which shall not exceed thirty (30) calendar days, Client may, upon written notice to Pipedrive, terminate the affected Services. In the event of such termination, Pipedrive will refund Client on a pro-rata basis any amounts paid by such Client for use of the affected Services.

6.5 Conditions for Engaging Sub-Processors. Pipedrive may only engage Sub-Processors for providing the Services under the Terms, if Pipedrive:

  • Communicates the name and the services to be provided by the Sub-Processor prior to engaging or replacing the Sub-Processor;
  • Has in place, or concludes prior to engaging the Sub-Processor, an agreement between Pipedrive and the Sub-Processor that imposes similar, and in no way less protective, obligations than as set out in this DPA; and
  • Ensures that an adequate level of data protection for Sub-Processors that are located in Third Countries exists as per GDPR or is created (e.g., by concluding Processor-to-Processor Clauses).

6.6 Responsibility for Sub-Processors. Pipedrive shall be fully responsible for any violations of this DPA by the Sub-Processors in connection with the provision of Services, and shall remain fully liable to Client for any such violations in accordance with Section 10 of this DPA.

7. Place of Data Processing and Data Transfers

7.1 Places of Processing. Client acknowledges and agrees that Pipedrive may access and Process Personal Data on a global basis as necessary to provide the Services in accordance with the Terms and, in particular, that Personal Data may be transferred to and Processed by:

7.1.1 Pipedrive affiliates in the United States and any other jurisdictions where Pipedrive is registered. Client acknowledges that in connection with the performance of the Services, Pipedrive, Inc. is a recipient of Personal Data in the United States; and

7.1.2 Pipedrive Sub-Processors in jurisdictions where they have operations.

7.2 Compliance with Data Protection Laws. Whenever Personal Data is transferred outside its country of origin, each Party will ensure such transfers are made in compliance with the requirements of Data Protection Laws, especially the conditions pursuant to Chapter V of the GDPR.

7.3 Transfers outside the EEA and UK. Where Client is based in the European Economic Area (EEA) or the UK, the Parties acknowledge that the transfer of Personal Data by Client to Pipedrive will involve the transfer of data outside the EEA and the UK. To the extent Pipedrive’s Processing of Personal Data includes transfers of Personal Data to a Third Country, and Pipedrive is acting as the data importer, Pipedrive will comply with the data importer obligations set out in the Standard Contractual Clauses, which are hereby incorporated into and form part of this Addendum, and:

7.3.1 For the purposes of Annex I or Part 1 (as relevant), Client is a Data Controller and Pipedrive is a Data Processor, and the parties, contact person's details and processing details are as described in the Terms and this DPA;

7.3.2 If applicable, for the purposes of Part 1 of the UK Addendum, the relevant Addendum EU SCCs (as such term is defined in the UK Addendum) are the EU SCCs as incorporated into this Addendum by virtue of this Section 7.3;

7.3.3 For the purposes of Annex II or Part 1 (as relevant), the technical and organizational security measures taken by Pipedrive are as set out in Section 5.9, Section 8, and Annex 2 of this DPA, which shall apply;

7.3.4 If applicable, for the purposes of Annex III or Part 1 (as relevant), the list of Sub-Processors set forth in Section 6.2 of this DPA shall apply; and

7.3.5 If applicable, for the purposes of: (i) Clause 7, the optional docking clause is not included; (ii) Clause 9, Option 2 (“general prior authorization”) is deemed to be selected and a notice period of 10 calendar days shall apply; (iii) Clause 11(a), the optional wording in relation to independent dispute resolution is deemed to be included; (iv) Clause 13 and Annex I.C, the competent supervisory authority shall be the Estonian Data Protection Inspectorate; (v) Clauses 17 and 18, Option 1 is deemed to be selected and the governing law and the competent courts shall be those of Estonia; (vi) Part 1, Client as exporter may terminate the UK Addendum pursuant to Section 19 of such UK Addendum.

7.4 Transfers Subject to the Swiss DPA. For transfers of Personal Data that are subject to the Swiss DPA, the EU SCCs form part of this DPA as set forth in Section 7.3 of this DPA, but with the following differences to the extent required by the Swiss DPA: (i) references to the GDPR in the EU SCCs are to be understood as references to the Swiss DPA insofar as the data transfers are subject exclusively to the Swiss DPA and not to the GDPR; (ii) the term “member state” in EU SCCs shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (Switzerland) in accordance with Clause 18(c) of the EU SCCs; and (iii) the relevant supervisory authority is the Swiss Federal Data Protection and Information Commissioner (for transfers subject to the Swiss DPA and not the GDPR), or both such Commissioner and the supervisory authority identified in the EU SCCs (where the Swiss DPA and GDPR apply, respectively).

7.5 Transfers from Brazil. To the extent the Processing of Personal Data pursuant to this DPA includes transfers of Personal Data from Brazil to a non-adequate country as determined by ANPD, the Parties will respectively comply with obligations set forth in the Brazil Standard Contractual Clauses (as applicable to their respective roles). The Parties hereby agree that the Brazil Standard Contractual Clauses are hereby incorporated into and form part of this DPA, and:

7.5.1 For purposes of Clause 1 of the Brazil Standard Contractual Clauses, Pipedrive shall be the Importer (as a Data Processor) and Client shall be the Exporter (as a Data Controller), and their respective contact information shall be the same as set forth in the Terms;

7.5.2 The description of international data transfer shall be as set forth in Section 3 of this DPA and the period of data storage shall be as set forth in Section 5.11 of this DPA;

7.5.3 For purposes of Clause 3 of the Brazil Standard Contractual Clauses, the Parties select option B and the details of onward transfer are as set forth in Section 6.2 of this DPA;

7.5.4 For purposes of Clause 4 of the Brazil Standard Contractual Clauses, the Parties select option A and designate the Exporter as the Designated Party;

7.5.5 Section 2 of the Brazil Standard Contractual Clauses shall include the security measures set forth in Annex 2 of the DPA.

For clarity, any capitalized terms used but not defined in this Section 7.5 shall have the meaning ascribed to them in the Brazil Standard Contractual Clauses.

7.6 Transfers within Pipedrive. Pipedrive and its entities have concluded an Intra Group Data Transfer Agreement (“IGDTA”) for any transfers of Personal Data between Pipedrive entities. This way Pipedrive ensures that adequate safeguards are in place for protecting Personal Data when transferred by data exporters to data importers. In particular, all Pipedrive entities have entered into the EU Standard Contractual Clauses for the transfer of Personal Data between Pipedrive entities acting as data exporters and data importers, and Pipedrive Inc. is a registered entity of the EU-U.S. Data Privacy Framework and the UK Extension to the EU-U.S. Data Privacy Framework.

8. Technical and Organizational Measures

Taking into account the state of the art, the costs of implementation, the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of the Data Subjects, Pipedrive will implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk (Article 32 of the GDPR) to ensure the ongoing confidentiality, integrity, availability and resilience of Processing systems and Services. The technical and organizational measures implemented by Pipedrive are set forth in Annex 2 to this DPA.

9. Audits

Pipedrive will grant to Client and its designees during the term of the DPA all requested information and access rights strictly in accordance with Pipedrive’s security policies in order to verify Pipedrive’s compliance with the Terms and with Data Protection Laws upon written request by Client. Client may determine Pipedrive’s compliance with the agreed technical and organizational measures (see Annex 2 of this DPA) at Pipedrive’s facilities upon a reasonable request in writing once a year, which is subject to confidentiality. If and to the extent Client engages third parties to conduct an audit, such third parties must be bound by confidentiality obligations similar to and no less protective than those agreed to under this DPA. Client shall reimburse Pipedrive for any time expended for any on-site audits at Pipedrive’s then-current professional services rates. Client shall promptly notify Pipedrive and provide information about any actual or suspected non-compliance discovered during an audit. Any reports or information derived from any inquiry or audit under this Section 9 shall be considered Pipedrive Confidential Information.

10. Liability

The Parties’ obligations under this DPA or breach thereof shall be subject to the limitations on liability set forth in the Terms, including, without limitation, those limitations on the types or amounts of a Party’s liability to the other set forth in the Terms.

11. Miscellaneous

11.1 Governing Law. The DPA is governed by the law indicated as the governing law in the respective provisions of the Terms.

11.2 Changes to the DPA. Notwithstanding anything else to the contrary in the Terms, Pipedrive may periodically make modifications to this DPA where necessary to (i) comply with a request or order by a supervisory authority or other government or regulatory entity; (ii) as may be required to comply with Data Protection Laws; (iii) implement or adhere to new standard contractual clauses, approved codes of conduct or certifications, or other compliance mechanisms, which may be permitted under Data Protection Laws; or (iv) reflect any changes in its data processing practices. Unless otherwise specified by Pipedrive, these changes will become effective for Client upon posting of the modified DPA (see “Last Updated” date above). In any event, continued use of the Services will constitute Client’s acceptance of the version of the DPA in effect.

Annex 1 – Jurisdiction Specific Requirements – California

1. Applicability

This Annex 1 applies where Pipedrive’s Processing of Personal Data (“Personal Information” in this Annex 1) under the Terms is subject to the CCPA.

2. Definitions

When processing Personal Information subject to the CCPA under this DPA, the Parties acknowledge and agree that Client is a Business and Pipedrive is a Service Provider for the purposes of the CCPA.

For the purpose of this Annex 1, “Business”, “Business Purpose”, “Consumer”, “Personal Information”, “Process”, “Sell”, “Service Provider”, and “Share” have the meanings given to them in the CCPA.

3. CCPA Specific Provisions

3.1 The Parties agree that all Personal Information that is subject to the CCPA is disclosed to Pipedrive by Client for one or more Business Purpose(s) and its use or sharing by Client with Pipedrive is necessary to perform such Business Purpose(s), or as otherwise permitted by CCPA.

3.2 Pipedrive will only process Personal Information that is subject to the CCPA for the Business Purpose(s) or as otherwise permitted by the CCPA. Specifically, Pipedrive will not:

  • Sell or Share Personal Information to third parties;
  • Process Personal Information outside the direct business relationship between the Parties, unless required by applicable law; and
  • Combine Personal Information included in Client Data with Personal Information Pipedrive collects or receives from another source, except where required to perform the Services or as permitted by the CCPA.

3.3 Pipedrive, as a Service Provider, certifies that it will:

  • Comply with the obligations applicable to it as a Service Provider under the CCPA;
  • Provide the same level of privacy protection for Personal Information as required by the CCPA;
  • Implement reasonable security measures to protect Personal Information; and
  • Notify Client without undue delay if Pipedrive determines that it can no longer meet its obligations under the CCPA.

3.4 Pipedrive will assist Client in responding to any Consumer requests to exercise their rights under the CCPA, including requests for access, deletion, or opt-out, to the extent applicable.

3.5 Client has the right to audit and verify that Pipedrive processes Personal Information in a manner consistent with Client’s obligations under the CCPA and in accordance with Section 9 of the DPA above. Upon notice, Client has the right, in accordance with the Terms (including this DPA) and Pipedrive security policies, to take reasonable and appropriate steps to stop and remediate any non-compliant use of Personal Information.

4. Conflict

In the event of a conflict or inconsistency between the requirements of the Terms (including the DPA) and any applicable requirements of this Annex 1, the requirements of this Annex 1 shall take precedence to the extent of the conflict or inconsistency.

Annex 2 – Technical and Organizational Measures

Description of the technical and organizational security measures implemented by Pipedrive at the time of the conclusion of this DPA according to Section 8 of the DPA:

Pipedrive is committed to protecting the Personal Data entrusted to it and has a broad corporate governance structure regarding information security in place. The program provides internal standards and best practices for personnel with access to Personal Data. The contents of the program reflect many of the security controls found within the International Organization for Standardization and the International Electrotechnical Commission’s ISO/IEC 27001:2013 – Information security management systems – requirements but are also based on industry guidance and best practices.

Pipedrive reserves the right to revise these Technical and Organizational Measures at any time, without notice, so long as any such revisions will not materially reduce or weaken the protection provided for Personal Data that Pipedrive processes under the Terms.

Further details of Pipedrive’s technical and organizational security measures to protect Client Data are available at:

Technical and Organizational Security Measures | Evidence of Technical and Organizational Security Measures

Measures of pseudonymization and encryption of Personal Data

  • Client Data at rest: is encrypted with 256-bit Advanced Encryption Standard (AES-256).

  • Client Data in transit: Pipedrive serves the Services over HTTPS (Transport Layer Security, TLS) and enforces HTTP Strict Transport Security (HSTS).

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services and measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

  • Incident Management:
    • Pipedrive operates a dedicated 24x7 on-call incident management function, ready to immediately respond to and mitigate any Client-impacting issues.

    • Pipedrive has implemented a formal procedure for handling security events and incidents. When security incidents are detected, all relevant parties are notified and assembled to rapidly address the event. After resolving a security incident, a postmortem analysis is written and discussed with the relevant teams. This review also includes lessons learned from the incident and action items that will make detecting, preventing and reacting to similar events easier.

  • Resilience:
    • Pipedrive’s business continuity plan provides guidance for successfully recovering people, business functions, and systems in the event of a business disruption (i.e., emergency or disaster).

    • Client Data stored on the Pipedrive platform is backed up for disaster recovery in accordance with Pipedrive’s backup and disaster recovery policies.

    • Backups are stored off-site and available for restoration in the event of data corruption or destruction.

    • Pipedrive conducts periodic data recovery exercises to validate its ability to recover critical infrastructure and data to full operation in the event of data loss.

  • Infrastructure redundancy:
    • Pipedrive utilizes reputable Infrastructure-as-a-Service providers and leverages their globally redundant services to ensure the Services run reliably.

    • Pipedrive benefits from dynamically scaling up or completely reprovisioning its infrastructure resources on an as-needed basis across multiple geographical areas, using the same vendor, tools, and APIs. This includes not just compute resources but storage and database resources, networking, security, and DNS.

    • Every component in Pipedrive’s infrastructure is designed and built for high availability.

    • Client Data will be stored on clustered database servers.

Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • Pipedrive conducts weekly vulnerability scans of its systems and analyzes the results; the IT department is accountable for responding to the findings in order to minimize vulnerability risk. Critical zero-day vulnerabilities are expedited through Pipedrive’s incident response process.

  • Penetration testing is conducted continuously by a bug bounty program and periodically by an industry-recognized offensive security company to identify external-facing vulnerabilities.

  • The physical and environmental security controls are audited for SOC 2 Type II and ISO 27001 compliance.

Measures for user identification and authorization

  • Pipedrive controls access to Client Data for permitted purposes and implements Identity and Access Management capabilities, such as Just-in-Time access and the least privilege principle.

  • Strong password policy, device trust controls and multi-factor authentication where feasible.

  • Identity Lifecycle Management processes in place.

  • Entitlements Management to ensure an appropriate level of access.

  • Active sessions will expire automatically for users that have not been active for a substantial period of time.

Measures for the protection of data during transmission

  • Encryption of data-in-transit and security perimeter controls (e.g., web application firewalls, cloud-native firewalls, IPS).

  • Implement appropriate monitoring tools and procedures to detect and mitigate compromise attempts.

Measures for the protection of data during storage

  • Network-based intrusion detection and prevention capabilities are deployed to endpoints.

  • Securing data processing equipment and personal computers.

  • Implementation of physical security controls for Pipedrive premises.

  • Establishing access authorizations for employees and third parties, including the respective documentation.

  • Input Control:
    • Implemented protective measures for the data input into memory, as well as for the reading, alteration, and deletion of stored data.

    • Secrets management (e.g., passwords, encryption keys).

  • Information security awareness training occurs at employee onboarding and annually thereafter.

  • Pipedrive updates its systems and software with upgrades, updates, bug fixes, new versions, and other modifications necessary to secure the Client Data.

  • Pipedrive uses Endpoint Detection and Response software and keeps it up to date.

  • Client’s instances are logically separated, and attempts to access data outside allowed domain boundaries are prevented and logged.

Measures for ensuring physical security of locations at which Personal Data are processed

Measures for ensuring events logging

  • See “Measures for the protection of data during storage” above.

Measures for ensuring system configuration, including default configuration

  • Change and Configuration Management: Pipedrive uses continuous automation for application and operating systems deployment for new releases. Integration and unit testing are done upon every build with safeguards for availability and reliability. Pipedrive has a process for critical emergency fixes that can be deployed to Clients promptly. As such, Pipedrive can roll out security updates as required based on criticality.

Measures for internal IT and IT security governance and management

  • Pipedrive maintains an information security risk management program to evaluate threats and vulnerabilities to ensure appropriate corrective action plans are created.

  • Pipedrive maintains a separate vendor risk management program to assess vendors’ information security posture, including business continuity, security operations, data loss prevention, and third-party risk management. Pipedrive leverages ISO 27001 and ISO 27701 certifications, SOC 2 Type II reports, and/or company policies to determine risk acceptance. Critical vendors are reviewed on at least an annual basis.

  • Pipedrive has implemented privacy and security-by-design mandatory reviews with the information security team into our software development lifecycle.

  • All email communications on Pipedrive-owned and managed devices are subject to inbound filters to identify and block, or warn about, known phishing and spam indicators.

  • Phishing campaign exercises are coordinated and exercised on at least a semi-annual basis to help raise staff awareness regarding common phishing threat vectors.

  • Employee policies and training in respect of each employee’s access rights to Personal Data.

  • Effective and measured disciplinary action against individuals who violate our Code of Conduct and other internal regulations.

Measures for certification/assurance of processes and products

  • Pipedrive is ISO27001 and ISO27701 certified, and SOC2 Type 2 attestation is independently audited.

  • Pipedrive engages a recognized, independent third party to conduct an Auditors’ Report Statement on “Pipedrive’s Description of its Sales Management System” based on Service Organization Control 2, Type 2 to provide reasonable assurance that Pipedrive’s service commitments and system requirements were achieved based on the trust services criteria relevant to security, availability, confidentiality, and privacy (applicable trust services criteria) outlined in TSP 100, 2017 Trust Services Criteria for Security, Availability, Processing Integrity, Confidentiality, and Privacy (AICPA, Trust Services Criteria).

  • Pipedrive engages a recognized, independent third party to conduct external audits and certifications of its information security and privacy management programs. This includes ISO/IEC 27001:2013, which certifies our information security management program and the administrative, technical, and physical safeguards for facilities and systems used to deliver our Services. Additionally, Pipedrive is certified under ISO/IEC 27701:2019, further demonstrating our commitment to robust privacy controls and compliance with global data protection standards.

Measures for ensuring data minimization

  • Data collection is limited to the purposes of processing (or the data that the Client chooses to provide).

  • Security measures are in place to provide only the minimum amount of access (least privilege) necessary to perform required functions.

  • Upon termination of the Services under the Terms or, if applicable, an agreed exit phase, and upon Instruction from Client, Pipedrive will, in accordance with Client’s Instructions, delete and/or return all Personal Data to Client unless Pipedrive is under a legal obligation to retain the Personal Data. The return and/or destruction of the Personal Data transferred shall be deemed to have been achieved when the Client initiates the export or deletion (as the case may be) of such Personal Data via the user interface or via the in-app Pipedrive support made available by Pipedrive, and Pipedrive notes it as completed. If the Client terminates the Services but does not give any Instructions, the standard data retention period applies as described in the Privacy Notice https://www.pipedrive.com/en/privacy#data-retention.

  • More information about how Pipedrive processes personal data is set forth in the Privacy Notice, available at https://www.pipedrive.com/en/privacy.

Measures for ensuring data quality

  • See “Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services” above.

Measures for ensuring limited data retention

  • See “Measures for ensuring data minimization” above.

Measures for ensuring accountability

  • Pipedrive has implemented data protection policies.

  • Pipedrive follows a compliance-by-design approach.

  • Pipedrive maintains records of processing activities.

  • Pipedrive has appointed a data protection officer.

  • Pipedrive adheres to relevant codes of conduct and signs up to certification schemes (see “Measures for certification/assurance of processes and products” above).

Measures for allowing data portability and ensuring erasure

  • Client is able to export or delete Client Data using the self-service features of the Services as set forth in the applicable documentation for the Services.

Technical and organizational measures to be taken by the [Sub]–Processor to provide assistance to the controller and, for transfers from a processor to a [Sub]–Processor, to Client

  • When Pipedrive engages a Sub-Processor under Section 6 of this DPA, Pipedrive and the Sub-Processor enter into an agreement with data protection obligations substantially similar to those contained in this DPA.

  • Each Sub-Processor agreement must ensure that Pipedrive is able to meet its obligations to the Client. In addition to implementing technical and organizational measures to protect Personal Data, Sub-Processors must (a) notify Pipedrive in the event of a Security Incident so Pipedrive may notify Client; (b) delete Personal Data when instructed by Pipedrive in accordance with Client’s instructions to Pipedrive; (c) not engage additional Sub-Processors without Pipedrive’s authorization; (d) not change the location where Personal Data is processed; and (e) not process Personal Data in a manner that conflicts with Client’s instructions to Pipedrive.

  • Pipedrive periodically audits its Sub-Processors by obtaining and reviewing their ISMS framework audit statements (ISO 27k/SOC 2 Type 2) issued by third-party auditors, together with any other documentation provided.

Measures to ensure that data collected for different purposes can be processed separately

  • Access to data will be separated through application security for the appropriate users.

  • Modules within the Pipedrive application separate which data is used for which purpose, i.e., by functionality and business function.

  • At the database level, data will be stored in different normalized tables, separated per module or function they support.

  • Interfaces, batch processes, and reports will be designed for only specific purposes and functions, so data collected for specific purposes are processed separately.

Additional Organizational Requirements

  • Pipedrive maintains written processes and procedures that provide for review of and limit the scope of Personal Data disclosed by Pipedrive in response to requests from public authorities.

  • Pipedrive maintains internal records of requests made by public authorities concerning Personal Data.

  • Pipedrive takes steps to limit the volume of disclosed data where possible.

Recourse mechanisms for EU individuals

  • Pipedrive, having its roots in Europe, has committed to dispute resolution at EU data protection authorities. We remain open to any Data Subject or Data Controller enforcing their rights under the EU GDPR locally in Europe based on the SCCs.

Controls for Implementing AI/ML in Product and Operations

  • Pipedrive ensures that all relevant teams receive comprehensive training on the secure and responsible use of AI/ML technologies.

  • All AI/ML-related use cases are reviewed by Legal, Privacy, and Security teams to ensure compliance with applicable regulations, Pipedrive's Terms, and to promote the safe and ethical use of such technologies.