You’re the controller. We’re the processor.

This Data Processing Agreement (“DPA”) is entered between:

• The Customer (the “Controller”) — the Pagenta account holder.
• Tendra Advisory LLC, trading as Pagenta, a Delaware limited liability company (the “Processor”).

This DPA forms part of, and is subject to, the Pagenta Terms of Service at /terms. It governs the processing of personal data carried out by the Processor on behalf of the Controller through the Pagenta service.

Subject-matter:hosting deployed pages, delivering push notifications and email broadcasts the Controller sends from those pages, and producing aggregate analytics for the Controller’s Command Center.

Duration:for the duration of the Controller’s Pagenta subscription, plus a 30-day post-termination period during which data may be exported, after which it is deleted (see § 10).

The Processor processes personal data only to:

• Operate and secure the Pagenta service.
• Deliver push notifications and email broadcasts that the Controller initiates from the Command Center.
• Produce aggregated, non-identifying analytics for the Controller.
• Prevent abuse, including rate-limiting and dead-endpoint pruning.
• Comply with applicable law.

The Processor will not use personal data for any other purpose, and will not sell, share for advertising, or use it to train AI models.

Data subjects:visitors of pages the Controller deploys via Pagenta, and any of the Controller’s end-users who interact with those pages.

Personal data processed for the Controller:

• Push subscription data — browser-vendor endpoint URL (pseudonymous device identifier), VAPID public keys, truncated user-agent string, timestamp, and the visitor’s Pagenta user_id where applicable.
• Email subscription data — email address, double opt-in confirmation timestamp, unsubscribe token, per-broadcast delivery log.
• Page view analytics — aggregate counts, coarse referrer, coarse region (no precise geolocation), no persistent visitor identifier, no IP storage against view rows.

No special-category personal data (Article 9 GDPR) is intentionally collected. The Controller is responsible for ensuring its own page content does not solicit special-category data.

The Processor will:

• Process personal data only on the documented instructions of the Controller, including with regard to transfers to third countries, unless required to do so by EU or Member State law.
• Ensure that persons authorised to process personal data have committed themselves to confidentiality.
• Implement appropriate technical and organisational security measures (see § 8).
• Engage sub-processors only as set out in § 7.
• Assist the Controller in responding to data subject rights requests (see § 9).
• Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits as set out in § 11.
• Notify the Controller without undue delay of any personal data breach affecting the Controller’s data (see § 12).

The Controller will:

• Ensure it has a lawful basis for the processing it instructs the Processor to perform.
• Provide clear privacy information to its own end-users and obtain any consents required by ePrivacy or other applicable law (including, where relevant, for push and email opt-ins).
• Not use the service to process special-category data without first agreeing additional safeguards with the Processor.
• Honour valid data subject requests in respect of its end-users.

The Controller authorises the Processor to engage the following sub-processors. The full and current list is maintained in the Privacy Policy at /privacy§ 3.

• Supabase — database and authentication (EU, Ireland).
• Vercel — hosting and edge functions (US/EU).
• Resend — transactional email and broadcast email.
• Stripe — payments (paid plans only).
• OpenRouter, OpenAI, Anthropic — AI generation services.
• PostHog — product analytics (configured without IP collection).
• Sentry — error tracking (configured without default PII).
• Apple Push Notification Service, Google FCM, Mozilla autopush — browser push notification delivery (end-to-end encrypted payloads).

The Processor will notify the Controller of any intended changes concerning the addition or replacement of sub-processors with at least 30 days’ advance notice via email to the Controller’s account email, giving the Controller the opportunity to object. If the Controller objects on reasonable data-protection grounds, the parties will work in good faith to resolve the concern; if no resolution is reached, the Controller may terminate the affected services.

The Processor maintains appropriate technical and organisational measures, including:

• TLS encryption in transit for all client-server traffic.
• Encryption at rest for database storage, secrets, and customer-supplied API keys.
• Row-level security in the database, scoped per-account.
• Service-role access restricted to a small number of named personnel.
• VAPID end-to-end encryption for push notification payloads.
• Rate limiting and per-endpoint daily caps to mitigate abuse.
• Logging of administrative access; alerting on anomalous patterns.
• Background and reference checks for personnel handling production data.

The Processor will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures — insofar as this is possible — for the fulfilment of the Controller’s obligation to respond to requests for exercising the data subject’s rights, including access, rectification, erasure, restriction, portability, and objection.

Standard tooling: the Command Center surfaces per-page aggregate counts and unsubscribe management. Individual subscription deletions and export of an end-user’s data can be requested via help@tendra.io; the Processor will respond within 14 days for routine requests and without undue delay for urgent ones.

Personal data may be transferred outside the EEA to sub-processors in the United States. For such transfers, the parties rely on the European Commission’s Standard Contractual Clauses (Module Two: controller-to-processor; Module Three where onward transfers occur), incorporated by reference into this DPA. Where the UK GDPR applies, the UK International Data Transfer Addendum is incorporated likewise.

On reasonable prior notice (at least 30 days, except where required sooner by a supervisory authority), and no more than once per calendar year except in case of a substantiated breach, the Controller may request information necessary to demonstrate compliance with Article 28 GDPR. Audits may be carried out by the Controller or by an independent auditor mandated by the Controller, subject to confidentiality and reasonable scope. Routine compliance evidence (security questionnaires, sub-processor lists, breach history summaries) will be made available without on-site audit where it would satisfy the request.

The Processor will notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data processed under this DPA. The notification will include, to the extent known: the nature of the breach, categories and approximate numbers of data subjects and records concerned, likely consequences, and mitigation measures taken or proposed.

On termination of the service, the Processor will, at the choice of the Controller, return or delete all personal data processed on its behalf, unless retention is required by EU or Member State law. The default behaviour is: a 30-day export window, after which primary-storage deletion occurs; backup retention follows the schedule set out in the Privacy Policy § 6.

Liability under this DPA is governed by the limitations and exclusions in the Pagenta Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA prevails as to the subject matter of data processing. The Standard Contractual Clauses prevail over this DPA where they conflict.

Email help@tendra.io with:

• Your legal entity name and registered address.
• The Pagenta account email this DPA should attach to.
• The name and title of your authorised signatory.
• Any internal redlines you need.

We can also work from your standard DPA template. We aim to turn around an executable version within five business days.