Back to home

Legal · DPA

Data Processing Agreement

How Pegalio processes personal data on your behalf.

This summary explains the key terms of Pegalio's Data Processing Agreement (DPA). The DPA forms part of our customer agreement and governs how we process personal data on your instructions as a processor. A signable PDF is available on request.

Key terms

Roles of the parties

For personal data you submit to the service, you act as the data controller and Pegalio acts as the data processor, processing personal data only on your documented instructions.

Scope & purpose

Pegalio processes personal data solely to provide and support the onboarding platform — hosting, workflow, communications, and the features you enable — and not for any independent purpose.

Sub-processing

You authorize Pegalio to engage the sub-processors listed at /subprocessors. We impose data-protection obligations on each sub-processor and notify you of changes so you can object.

International transfers

Where personal data is transferred across borders, transfers are governed by appropriate safeguards, including the EU Standard Contractual Clauses (SCCs) and the UK Addendum where applicable. EU data residency is available.

Security measures

Pegalio maintains technical and organizational measures appropriate to the risk, including encryption in transit and at rest, role-based access control, MFA, logging, and regular testing — described in our Trust Center.

Data-subject rights

Pegalio provides reasonable assistance to help you respond to data-subject requests (access, rectification, erasure, portability, and objection) through platform tooling and support.

Personal-data breaches

Pegalio notifies you without undue delay after becoming aware of a personal-data breach affecting your data, with the information you need to meet your own notification obligations.

Retention & deletion

Pegalio processes personal data for the term of the agreement and deletes or returns it on termination, subject to limited legal retention requirements, after which it is securely deleted.

Audits & assurance

Pegalio makes available the information needed to demonstrate compliance, including third-party audit reports (such as SOC 2) under NDA, and supports audits subject to reasonable conditions.

Request a signable DPA

Email [email protected] to receive an executable DPA. We typically return a countersigned copy within two business days.