Last updated: 12 January 2026
ANNEX I – DATA PROTECTION AGREEMENT
This Annex is an integral and inseparable part of the Pipefy Solution Terms and Conditions of Use License (“Contract”).
This Data Protection Agreement (“DPA”) establishes the obligations and responsibilities of the parties involved regarding the privacy and security of processed information, as well as detailing the security practices and measures adopted by Pipefy to ensure the integrity, confidentiality, and availability of data, in accordance with applicable laws and regulations. The provisions of this Annex complement the Terms of Use and apply to all Customers when personal and sensitive data is processed within the Pipefy Solution.
As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “the General Data Protection Regulation”).
- Pipefy will act exclusively as a data processor, processing information in accordance with the documented and specific instructions provided by the Client, who is the data controller. Pipefy does not have the autonomy to define the purposes or methods of processing the personal data by the Parties.
- For the purposes of this Annex, the following definitions apply:
- Configuration Data: Information automatically generated or collected by the platform or system, related to the configuration, customization, and parameterization of the contracted product or service. This data may be accessed by Pipefy exclusively for technical support, continuous platform improvement, and understanding product usage, always in compliance with applicable data protection and privacy regulations.
- Customer Data: Data directly inputted by the Client or its representatives, including but not limited to personal or corporate information, strategic or sensitive content related to platform usage. This data is owned and exclusively processed by the Client. Pipefy’s access to Data Entered into Cards is expressly limited and will only occur when necessary for technical support or specific consulting requested by the Client; with the Client’s prior, express, and specific authorization, detailing the purpose and scope of the access; or to comply with a legal or regulatory obligation, upon notifying the Client.
- The Client shall be responsible for ensuring that the data entered into the Cards complies with applicable legislation and for maintaining adequate security measures within its internal environment to prevent unauthorized access.
- As the Controller of Personal Data, it is the Customer’s responsibility to handle requests for the exercise of rights by Data Subjects, and it is Pipefy’s responsibility, as Processor, to assist in the fulfillment of requests made by Data Subjects whenever necessary and requested by the Customer, such as requests for access to Personal Data, correction of incomplete, inaccurate, or outdated Personal Data, blocking or deletion of unnecessary or excessive Personal Data, portability of Personal Data, among other rights provided by law, the granting or denial of which shall be at the sole discretion of the Customer.
- Pipefy is solely responsible for all costs incurred in fulfilling requests made by Data Subjects in which Pipefy is considered the Controller, with the Customer being solely responsible for fulfilling requests made by Data Subjects in which the Customer is considered the Controller, as well as the costs incurred for such purposes.
- Pipefy and Customer agree and acknowledge as follows:
- Both Parties shall comply with all applicable laws, rules, and regulations concerning the Personal Data processed in connection with the performance of their obligations, including but not limited to Law No. 13.709/18 (General Data Protection Law – LGPD) when processing data of data subjects residing in Brazil and/or Regulation (EU) 2016/679 (General Data Protection Regulation – GDPR) when processing data of data subjects residing in the European Union, and/or the California Consumer Privacy Act (CCPA) when processing data of data subjects residing in California, USA;
- Pipefy uses the personal data received under this legal relationship only for the purpose agreed upon between the Parties, and under no circumstances shall Pipefy use this Personal Data for a different purpose, under penalty of immediate termination and full assumption of any damages caused to the other Party and/or third parties.
- Pipefy does not store or share personal data with third parties, except with the prior express authorization of the other Party or as a requirement for the fulfillment of the Agreement, under the terms of this Annex.
- Both Pipefy and Customer shall treat all non-public Personal Data as confidential, even if this legal relationship is terminated regardless of the reasons for its termination or resolution.
- The duration of the Processing shall respect the contractual object, as well as the provisions of applicable law.
- Pipefy adopts appropriate mechanisms for processing Personal Data in accordance with legal provisions, in order to prevent loss, destruction, theft, damage, alteration, manipulation, or accidental interception and/or disclosure.
- Both Pipefy and Customer shall limit access to Personal Data originating from this Agreement only to employees, agents, and/or representatives who need it to complete the task/activity to be carried out, with each party being responsible for the actions of its employees, agents, and/or representatives.
- It is the sole responsibility of the Client, as the data controller, to ensure that all personal data included or processed on the Pipefy platform has a valid legal basis for processing. This includes, but is not limited to, obtaining consent from data subjects, when applicable, or complying with another legal basis as provided in Article 7 of the LGPD.
- The Client will be fully responsible for any violation of the LGPD resulting from their failure to ensure a valid legal basis for the processing of personal data, including, but not limited to, any administrative sanctions or damage payable to third parties.
3.1. The Parties acknowledge that the Pipefy Solution is not designed to handle Sensitive Data and that the Customer shall not use the Pipefy Solution for such data without prior written consent or another applicable legal basis. Sensitive Data includes special categories as defined by privacy legislations, such as, but not limited to, medical information regulated by HIPAA, financial data, government identification numbers, and other information regulated by specific laws. The Customer understands that the Pipefy Solution does not meet legal requirements such as HIPAA, GLBA, and others, and Pipefy is not liable for any Sensitive Data processed.
- Vulnerability Management. The Parties undertake to manage vulnerabilities in their tools used in the processing of personal data, conducting periodic tests to identify and promptly correct any vulnerabilities that may be identified.
- Purpose of Storage. Pipefy undertakes to store Personal Data only for the periods necessary to: (a) achieve the purpose of processing the Personal Data under this Agreement; (b) process payments; (c) prevent or address technical problems; (d) whenever feasible, in anonymized form, to improve and enhance the Pipefy Solution; (e) as expressly authorized by the Customer, including cases of sharing Customer Data with Non-Pipefy Applications; and (f) compliance with legal and/or regulatory requirements.
- Log Keeping. Pipefy will record the “logs” of changes and processing of the personal data for which it is the controller, keeping in these records the minimum elements that allow assessing the activity and who carried it out and when, as regulated by law, with the management of changes in data where Pipefy is only the processor being the responsibility of the Customer.
- Retention and Deletion of Personal Data. Provided that the contract between the parties is valid, Customer data will be stored in Pipefy’s database on servers located in the United States, even if they have been deleted through the application or a set of routines and programming standards for accessing a web-based software application or platform (“API”). In cases of contractual termination, regardless of the cause, Pipefy reserves the right to delete the Customer’s Personal Data in accordance with written instructions from the Customer, or within a maximum of one hundred and eighty (180) days after termination of the Agreement.
- Sub-Processing. Pipefy may use specialized third parties to perform the processing of Personal Data, as available at https://www.pipefy.com/sub-processors/ (“Sub-Processors”). It is Pipefy’s obligation to ensure that the Sub-Processors undertake to ensure a security level equal to or greater than that described in this Section before transferring any Personal Data or authorizing any sub-processing, as well as to conduct periodic audits to verify compliance with privacy rules and legal obligations. Pipefy shall be fully and severally liable for any breach, violation, irregularity, or illegality committed by its Sub-Processors.
- Disclosure Scenarios. Pipefy will not disclose Personal Data to third parties at any time except in the following scenarios: (a) with prior written authorization from the Customer; (b) in accordance with the sub-processing rules described above; or (c) under applicable data protection legislation, provided that Pipefy makes reasonable efforts to share only the minimum amount of Personal Data necessary for a specific purpose, and the Customer is notified in advance, in accordance with and as provided for in this Agreement.
9.1 Requests from Authorities. If Pipefy receives any judicial order and/or official communication that determines the provision or disclosure of personal information, unless expressly prohibited by legal force, regulation, judicial or administrative order, Pipefy must notify the Customer within a maximum of thirty-six (36) hours of becoming aware, providing an opportunity for timely adoption of legal measures to prevent or mitigate the effects resulting from the disclosure of Personal Data related to this request or its objects.
- Third-Party Applications. If the Customer installs, activates, and/or otherwise uses a Non-Pipefy Application in conjunction with the Pipefy Solution, the Customer acknowledges and agrees that the provider of this Non-Pipefy Application may access Customer Data, including Personal Data, as necessary, for the integration of this Non-Pipefy Application with the Pipefy Solution and/or in accordance with the activities of this Non-Pipefy Application. In this context, Pipefy is not responsible for any incident, disclosure, modification, or deletion of any Customer Data and Personal Data resulting from access by a Non-Pipefy Application.
- Obligations of Pipefy. Pipefy ensures and guarantees:
- Confidentiality and integrity of the information shared by the Customer;
- Non-violation of the privacy of Personal Data in its relationship with clients, suppliers, researchers, patients, consumers, and employees;
- Adopt technical and administrative measures of information security to prevent misuse and unauthorized use of Personal Data;
- Immediately and adequately respond to all requests from the Customer regarding Personal Data Processing, as well as consider the guidance of the National Data Protection Authority regarding the Processing of Personal Data transferred;
- Be responsible for maintaining a written record of activities related to compliance with applicable data privacy legislation;
- Restrict access to Personal Data by defining qualified individuals responsible for Processing, as well as ensuring and being responsible for the reliability of its employees, agents, and representatives who will have access to Personal Data, considering the nature of such Personal Data;
- Maintain a detailed inventory of access to Personal Data and access logs to applications, containing the time, duration, identity of the employee or person responsible for access, and the accessed file, including when such access is made to comply with legal obligations or determinations defined by a competent authority;
- The processing of Personal Data, i.e., any operation or set of operations performed on the Personal Data of its clients, suppliers, and employees, including, but not limited to, obtaining, recording, storing, altering, analyzing, using, transmitting, combining, blocking, deleting, or destroying, is in absolute accordance with the rights of the data subject and will be carried out in accordance with the established purpose;
- Protect Personal Data of its clients, suppliers, and employees, ensuring to them, within legal limits, the right to be informed about any processing of their data; as well as to have access to their own data, among other rights provided by applicable law;
- Record activities involving international transfer of Personal Data, indicating the country/organization of destination and adopting the necessary safeguards to ensure that the transfer is carried out in accordance with applicable legislation and guidelines defined by a competent authority;
- Meet requests for information made by the Customer within thirty-six (36) hours, justifying any delays; and
- Cooperate with the fulfillment of requests from data subjects of the Customer (clients of the Customer), using appropriate technical and organizational measures, in accordance with Customer instructions.
- Send 1 (one) executive report, in the last quarter of the current fiscal year, upon demand, regarding information security and data privacy (“Report”), made available free of charge, provided that it is requested 45 days in advance as regulated in clause 15.6 of the Terms, or, when in a different frequency or quantity, upon feasibility analysis, which may result in additional costs, to be negotiated between the Parties.
- Contingency Plan. Pipefy undertakes to create contingency mechanisms to prevent data leaks, and must test them and keep them up to date, committing to present its contingency plan to the Customer upon request for compliance with requests from the authority or in case of any eventual judicial demands.
- Incident Notification. If, at any time, there is an actual breach, suspicion, or potential threat to the security of Personal Data, or if there is suspicion of loss, destruction, deletion, damage, corruption, or unauthorized disclosure to a third party, the Party that becomes aware of the incident shall notify the other Party within a maximum of 3 (three) business days from the moment it becomes aware of it, and the notification shall contain the full and complete details regarding the breach, including:
- date and time of the incident;
- date and time of acknowledgment by the Party that had its data leaked;
- list of types of data affected by the incident;
- list of data subjects affected by the incident;
- the nature and facts of such breach, including the data subject, if possible;
- contact details of the data protection officer or appointed and named representative to deal with data leaks in the company, responsible for additional information regarding the incident;
- the likely consequences and/or potential consequences of such incident; and
- the measures adopted or proposed by Pipefy or by the data protection officer to remedy such breach and mitigate any possible adverse effects and the dates of implementation of these measures (action plan).
- Incident Handling. In the event of an incident, Pipefy must promptly comply with the instructions provided by the Customer, aiming to remedy or mitigate adverse consequences, as well as practice all necessary acts and resources to contain the breach and recover and/or restore Personal Data (where possible) and meet any requests, notifications, or investigations by Authorities.
- Contact information. Pipefy’s support regarding privacy and personal data matters can be accessed at the following email address: [email protected].
APPENDIX 1 – COMPLIANCE WITH CALIFORNIA CONSUMER PRIVACY ACT OF 2018
- The purpose of this CCPA Data Protection Agreement (“CCPA DPA”) is to define the conditions in which Pipefy, Inc. (“Pipefy” or the “Processor”) undertakes to carry out, on Customer’s (“Customer” or the “Controller”) behalf, the personal data processing operations defined below.
- As part of their contractual relations, the parties shall undertake to comply with the applicable regulations on personal data processing and, in particular, Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 (hereinafter “the General Data Protection Regulation”, or “GDPR”), and the California Consumer Privacy Act of 2018, as amended (Cal. Civ. Code §§ 1798.100 to 1798.199), and any related regulations or guidance provided by the California Attorney General (hereinafter “the CCPA”).
- Terms defined in the CCPA, including ‘consumer’, ‘personal information’, ‘service provider’, ‘commercial purposes’, ‘third-party’, and ‘business purposes’, carry the same meaning in this DPA.
- “Contracted Business Purposes” means the database management, hosting and related services performed on behalf of the Customer pursuant to the Service Agreement for which Pipefy receives or accesses Customer Personal Information.
- “Customer Personal Information” means Customer Data (as defined in the Service Agreement and Privacy Policy) that constitutes personal information of a consumer subject to the CCPA. For the avoidance of doubt, Customer Personal Information does not include User Personal Information (as defined in the Privacy Policy), with respect to which Pipefy is not a service provider, and this DPA does not apply to such User Personal Information.
- Pipefy shall use the Customer Personal Information received under this relationship solely for the purposes agreed upon between the Parties. Under no circumstances shall Pipefy use this Personal Data for any other purpose than performing the Contracted Business Purposes or as otherwise permitted by the CCPA (as a service provider or “exempt” third party) or required by law. Any violation of this provision shall result in the immediate termination of this Agreement and full liability for any damages caused to the other Party and/or third parties.
- Pipefy shall not retain, use, disclose, store or share Customer Personal Information outside of this direct business relationship between Pipefy and Customer unless otherwise permitted by the CCPA (as a service provider or “exempt” third party) or as required by law, or, upon the prior express authorization of the Customer, in accordance with the terms of this DPA.
- Pipefy shall adopt appropriate mechanisms for processing Customer Personal Information in accordance with legal provisions, to prevent loss, destruction, theft, damage, alteration, sale, manipulation, or accidental interception and/or disclosure.
- Pipefy may use aggregated, de-identified, or anonymized data for its own purposes. Pipefy shall not attempt to, nor will it actually, re-identify any data that has been aggregated, de-identified, or anonymized. For the avoidance of doubt, and to the extent permitted by the CCPA, Pipefy may use Customer Personal Information to detect data security incidents, prevent fraudulent or illegal activity, or enhance its services.
- Both parties shall comply with all applicable requirements of the CCPA regarding the collection, use, retention, or disclosure of Customer Personal Information. In the event that any request is made by end users of the Customer, the Customer will be responsible for providing customer service. Pipefy does not control or manage the Customer Personal Information.
- Sub-Processing. Pipefy may engage specialized third parties to provide the Contracted Business Services, as listed at www.pipefy.com/sub-processors/ (“Sub-Processors”). Pipefy is responsible for ensuring that its Sub-Processors agree to maintain a level of security that is equal to or exceeds the standards described in this DPA before any Personal Data is transferred or sub-processing is authorized. Any sub-processor must qualify as a service provider under the CCPA, and Pipefy shall ensure that no disclosures to the sub-processor are made that would be considered a sale under the CCPA. Pipefy shall also conduct periodic audits to verify that its Sub-Processors comply with applicable privacy rules and legal obligations. Pipefy shall be fully and jointly liable for any breach, violation, irregularity, or non-compliance committed by its Sub-Processors.
- If the Customer is unable to delete Customer Personal Information held within Pipefy’s records in response to a verified Consumer request for deletion pursuant to the CCPA, Pipefy shall promptly effectuate such deletion upon receipt of the Customer’s written instruction to do so, provided that no exception to deletion under the CCPA is applicable and/or Pipefy is not legally restricted from doing so. Pipefy may charge its then-current standard fees for this service. Requests for deletion should be submitted to: https://app.pipefy.com/public/form/CxbZakYy.
- Changes to this CCPA DPA. Pipefy may amend this CCPA DPA under the following conditions:
- To reflect a change in the name or form of a legal entity;
- To comply with the applicable law, regulation, court order, or guidance issued by a governmental regulator or agency; or
- If the change does not expand the scope of Pipefy’s processing of Customer Personal Data, or otherwise materially adversely affect Customer’s rights under this DPA.
- For changes made pursuant to Section 6(a)(ii) or (iii), Pipefy shall notify the Customer at least 30 days prior to the effective date of the change (or such shorter period as may be required to comply with the applicable law), provided that, if the Customer objects to any such changes, the Customer may terminate the Agreement with Pipefy by providing a written notice to Pipefy within 90 days of receiving notification of the change.