
Data Processing Agreement

Palpaca Platform

Effective Date: February 16, 2026

Parties

This Data Processing Agreement (the “Agreement”) is entered into by and between:

Sagewill S.r.l., trading as Palpaca, with registered office at Via Panciatichi 16, 50141 Florence (FI), Italy, VAT No. IT07481150485 (hereinafter “Palpaca” or the “Processor”),

and

The entity that accepts the Palpaca Terms of Service and accesses the Palpaca platform (hereinafter the “Customer” or the “Controller”).

Recitals

  • The Customer has accepted the Palpaca Terms of Service (the “Principal Agreement”), under which Palpaca provides an AI-powered code generation platform for HubSpot UI Extensions.

  • In connection with the performance of the Principal Agreement, the Parties acknowledge that Palpaca may process personal data on behalf of the Customer.

  • The Customer acts as data controller within the meaning of Regulation (EU) 2016/679 (“GDPR”) and, where applicable, the UK GDPR, while Palpaca acts as data processor.

  • Pursuant to Article 28 GDPR, the Parties are required to enter into a written agreement governing such processing.

  • This Agreement is entered into as an addendum to, and forms an integral part of, the Principal Agreement. In the event of any inconsistency between this Agreement and the Principal Agreement, the provisions of this Agreement shall prevail with respect to the processing of personal data.

Section I

Clause 1 — Purpose and Scope

(a) The purpose of this Agreement is to ensure compliance with Article 28(3) and (4) of Regulation (EU) 2016/679 (“EU GDPR”), and, where applicable, with the corresponding provisions of the United Kingdom General Data Protection Regulation (“UK GDPR”), with regard to the processing of personal data carried out by Palpaca on behalf of the Customer under the Principal Agreement.

(b) These Clauses apply to the processing of personal data as specified in Annex II.

(c) Annexes I to IV are an integral part of the Clauses.

(d) This Agreement is without prejudice to the obligations to which the Controller is subject under the EU GDPR and, where applicable, the UK GDPR.

(e) These Clauses do not by themselves ensure compliance with obligations related to international transfers in accordance with Chapter V of Regulation (EU) 2016/679.

Clause 2 — Invariability of the Clauses

(a) The Parties undertake not to modify the Clauses, except for adding information to the Annexes or updating information in them.

(b) This does not prevent the Parties from including the standard contractual clauses laid down in these Clauses in a broader contract, or from adding other clauses or additional safeguards provided that they do not directly or indirectly contradict the Clauses or detract from the fundamental rights or freedoms of data subjects.

Clause 3 — Interpretation

(a) Where these Clauses use the terms defined in Regulation (EU) 2016/679, those terms shall have the same meaning as in that Regulation.

(b) These Clauses shall be read and interpreted in the light of the provisions of Regulation (EU) 2016/679.

(c) These Clauses shall not be interpreted in a way that runs counter to the rights and obligations provided for in Regulation (EU) 2016/679 or in a way that prejudices the fundamental rights or freedoms of the data subjects.

Clause 4 — Hierarchy

In the event of a contradiction between these Clauses and the provisions of related agreements between the Parties existing at the time when these Clauses are agreed or entered into thereafter, these Clauses shall prevail.

Section II — Obligations of the Parties

Clause 5 — Description of Processing

The details of the processing operations, in particular the categories of personal data and the purposes of processing for which the personal data is processed on behalf of the Controller, are specified in Annex II.

Clause 6 — Obligations of the Parties

6.1 Instructions

(a) The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law to which the Processor is subject. In this case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits this on important grounds of public interest. The Controller’s instructions are documented in the Principal Agreement and this Agreement, including Annex II.

(b) The Processor shall immediately inform the Controller if, in the Processor’s opinion, instructions given by the Controller infringe Regulation (EU) 2016/679 or the applicable Union or Member State data protection provisions.

6.2 Purpose Limitation

The Processor shall process the personal data only for the specific purpose(s) of the processing, as set out in Annex II.

6.3 Duration of Processing

Processing by the Processor shall only take place for the duration specified in Annex II.

6.4 Security of Processing

(a) The Processor shall at least implement the technical and organisational measures specified in Annex III to ensure the security of the personal data. This includes protecting the data against a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access to the data (personal data breach). In assessing the appropriate level of security, the Parties shall take due account of the state of the art, the costs of implementation, the nature, scope, context and purposes of processing and the risks involved for the data subjects.

(b) The Processor shall grant access to the personal data undergoing processing to members of its personnel only to the extent strictly necessary for implementing, managing and monitoring the platform. The Processor shall ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6.5 Sensitive Data

The Palpaca platform is not designed to process sensitive data as defined in Article 9 of the GDPR (special categories of personal data) or data relating to criminal convictions and offences under Article 10. The Controller shall not submit sensitive data to the platform. If sensitive data is inadvertently processed, the Processor shall apply specific restrictions and/or additional safeguards and shall notify the Controller to enable appropriate remedial measures.

6.6 Documentation and Compliance

(a) The Parties shall be able to demonstrate compliance with these Clauses.

(b) The Processor shall deal promptly and adequately with inquiries from the Controller about the processing of data in accordance with these Clauses.

(c) The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations that are set out in these Clauses and stem directly from Regulation (EU) 2016/679 and, where applicable, the UK GDPR. At the Controller’s request, the Processor shall also permit and contribute to audits of the processing activities covered by these Clauses, at reasonable intervals or if there are indications of non-compliance. In deciding on a review or an audit, the Controller may take into account relevant certifications held by the Processor.

(d) The Controller may choose to conduct the audit by itself or mandate an independent auditor. Audits may also include inspections at the premises or physical facilities of the Processor and shall, where appropriate, be carried out with reasonable notice.

(e) The Parties shall make the information referred to in this Clause, including the results of any audits, available to the competent supervisory authority/ies on request.

6.7 Use of Sub-processors

(a) The Controller provides general written authorisation for the Processor to engage sub-processors listed in Annex IV. The Processor shall inform the Controller of any intended changes to the list of sub-processors by updating Annex IV and providing at least fifteen (15) days’ prior notice via the email address associated with the Controller’s Palpaca account, thereby giving the Controller the opportunity to object to such changes before the engagement of the sub-processor(s). The Processor shall keep an up-to-date list of sub-processors available at palpaca.app/legal/subprocessors.

(b) Where the Processor engages a sub-processor for carrying out specific processing activities (on behalf of the Controller), it shall do so by way of a contract which imposes on the sub-processor, in substance, the same data protection obligations as the ones imposed on the Processor in accordance with these Clauses.

(c) At the Controller’s request, the Processor shall provide a copy of such a sub-processor agreement and any subsequent amendments to the Controller. To the extent necessary to protect business secrets or other confidential information, the Processor may redact the text of the agreement prior to sharing the copy.

(d) The Processor shall remain fully responsible to the Controller for the performance of the sub-processor’s obligations in accordance with its contract with the Processor. The Processor shall notify the Controller of any failure by the sub-processor to fulfil its contractual obligations.

(e) If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, the Processor shall use reasonable efforts to make available an alternative arrangement. If no alternative is reasonably available, either Party may terminate the Principal Agreement with respect to the affected processing.

6.8 International Transfers

(a) Any transfer of data to a third country or an international organisation by the Processor shall be done only on the basis of documented instructions from the Controller or in order to fulfil a specific requirement under Union or Member State law to which the Processor is subject and shall take place in compliance with Chapter V of Regulation (EU) 2016/679 and, where applicable, the UK GDPR.

(b) The Controller acknowledges that the use of certain sub-processors listed in Annex IV may involve the transfer of personal data to the United States. Such transfers are made in compliance with applicable adequacy decisions, including the EU-U.S. Data Privacy Framework, and/or Standard Contractual Clauses adopted by the European Commission under Article 46(2) EU GDPR, as applicable.

Clause 7 — Assistance to the Controller

(a) The Processor shall promptly notify the Controller of any request it has received from the data subject. It shall not respond to the request itself, unless authorised to do so by the Controller.

(b) The Processor shall assist the Controller in fulfilling its obligations to respond to data subjects’ requests to exercise their rights, taking into account the nature of the processing.

(c) In addition, the Processor shall assist the Controller in ensuring compliance with the following obligations, taking into account the nature of the data processing and the information available to the Processor:

1. the obligation to carry out a data protection impact assessment
   where a type of processing is likely to result in a high risk to the
   rights and freedoms of natural persons;

2. the obligation to consult the competent supervisory authority/ies
   prior to processing where a data protection impact assessment
   indicates that the processing would result in a high risk;

3. the obligation to ensure that personal data is accurate and up to
   date, by informing the Controller without delay if the Processor
   becomes aware that the personal data it is processing is inaccurate
   or has become outdated;

4. the obligations under Article 32 of Regulation (EU) 2016/679 and,
   where applicable, the equivalent provisions of the UK GDPR.

Clause 8 — Notification of Personal Data Breach

In the event of a personal data breach, the Processor shall cooperate with and assist the Controller in complying with its obligations under Articles 33 and 34 of Regulation (EU) 2016/679 and, where applicable, the UK GDPR.

8.1 Breach Concerning Data Processed by the Controller

In the event of a personal data breach concerning data processed by the Controller, the Processor shall assist the Controller:

(a) in notifying the personal data breach to the competent supervisory authority/ies, without undue delay after the Controller has become aware of it;

(b) in obtaining the following information which shall be included in the Controller’s notification: (1) the nature of the personal data including the categories and approximate number of data subjects and records concerned; (2) the likely consequences of the breach; (3) the measures taken or proposed to address the breach;

(c) in communicating the personal data breach to the data subject where required under Article 34 of the EU GDPR.

8.2 Breach Concerning Data Processed by the Processor

In the event of a personal data breach concerning data processed by the Processor, the Processor shall notify the Controller without undue delay and in any event within 48 hours after the Processor becomes aware of the breach. Such notification shall contain, at least:

(a) a description of the nature of the breach (including, where possible, the categories and approximate number of data subjects and data records concerned);

(b) the details of a contact point where more information concerning the breach can be obtained;

(c) its likely consequences and the measures taken or proposed to address the breach, including to mitigate its possible adverse effects.

Section III — Final Provisions

Clause 9 — Non-compliance and Termination

(a) Without prejudice to any provisions of the EU GDPR and UK GDPR, in the event that the Processor is in breach of its obligations under these Clauses, the Controller may instruct the Processor to suspend the processing of personal data until compliance is restored or the Principal Agreement is terminated. The Processor shall promptly inform the Controller if it is unable to comply with these Clauses, for whatever reason.

(b) The Controller shall be entitled to terminate the Principal Agreement insofar as it concerns processing of personal data if: (1) compliance is not restored within a reasonable time and in any event within one month following suspension; (2) the Processor is in substantial or persistent breach of these Clauses or of the GDPR; (3) the Processor fails to comply with a binding decision of a competent court or supervisory authority.

(c) The Processor shall be entitled to terminate the Principal Agreement insofar as it concerns processing of personal data where, after having informed the Controller that its instructions infringe applicable legal requirements, the Controller insists on compliance with the instructions.

(d) Following termination, the Processor shall, at the choice of the Controller, delete all personal data processed on behalf of the Controller and certify that it has done so, or return all the personal data to the Controller and delete existing copies unless Union or Member State law requires storage. The Controller may export its data via the platform’s export functionality prior to termination. Until the data is deleted or returned, the Processor shall continue to ensure compliance with these Clauses.

Clause 10 — Governing Law

This Agreement shall be governed by and construed in accordance with Italian law. Any dispute arising out of or in connection with this Agreement shall be subject to the exclusive jurisdiction of the courts of Florence, Italy.

Annex I — List of Parties

Controller:

Name: The entity that accepts the Palpaca Terms of Service

Address: As provided during account registration

Contact: As provided during account registration

Role: Data Controller under Article 4(7) GDPR

Processor:

Name: Sagewill S.r.l., trading as Palpaca

Address: Via Panciatichi 16, 50141 Florence (FI), Italy

Contact: support@palpaca.dev

Role: Data Processor under Article 4(8) GDPR

Annex II — Description of the Processing

Categories of Data Subjects

  • Users of the Palpaca platform (the Controller’s employees, contractors, or agents who access the platform);

  • Contacts, companies, deals, or other CRM records stored in the Controller’s HubSpot account, whose schema metadata (property names, field types, object structures) may be transmitted to the platform during code generation.

Categories of Personal Data Processed

The Palpaca platform processes personal data in three distinct zones:

Zone 1 — Transient Data (not stored):

  • HubSpot CRM schema metadata (object names, property names, property types, association labels) transmitted to the Anthropic API during code generation sessions. This data is used solely to generate contextually accurate code and is not retained by Palpaca after the generation session concludes. No actual CRM record values (e.g., contact names, email addresses, deal amounts) are transmitted.

Zone 2 — Stored Data:

  • User account information: name, email address, organisation name;

  • Project data: natural language descriptions, generated source code, project configurations;

  • Usage data: credit balances, generation history (timestamps and token counts), project metadata;

  • Authentication tokens: encrypted OAuth 2.0 tokens for HubSpot API access.

Zone 3 — Payment Data:

  • Payment processing is handled entirely by Stripe, Inc. as a separate data controller. Palpaca does not store credit card numbers, bank account details, or other payment instrument data. Palpaca stores only Stripe customer IDs and transaction references.

Nature of the Processing

Palpaca provides an AI-powered platform that enables users to create custom HubSpot UI Extensions through natural language descriptions. The platform processes data as follows:

  • Collection and storage of user account and project data necessary for platform operation;

  • Transmission of HubSpot CRM schema metadata to the Anthropic API for AI-powered code generation;

  • Storage and retrieval of generated source code and project configurations;

  • Secure storage and management of HubSpot OAuth 2.0 authentication tokens;

  • Usage tracking for credit-based billing.

Purpose(s) for Which Personal Data is Processed

The personal data is processed solely for the purpose of:

  • providing the Palpaca platform service as described in the Principal Agreement;

  • generating source code based on the Controller’s natural language descriptions and HubSpot CRM schema;

  • managing user accounts, authentication, and authorisation;

  • tracking usage for credit-based billing and platform analytics;

  • providing technical support to the Controller.

Duration of the Processing

The processing shall last for the duration of the Controller’s use of the Palpaca platform under the Principal Agreement and shall cease upon account deletion or termination, subject to the return or deletion of personal data in accordance with the Controller’s instructions and Clause 9(d) of this Agreement.

Annex III — Technical and Organisational Measures

1. Data Minimisation by Design

  • The platform transmits only HubSpot CRM schema metadata (property names, types, object structures) to the AI code generation service. No actual CRM record values are transmitted.

  • Transient data processed by the Anthropic API is not stored by Palpaca after the generation session concludes.

  • The Anthropic API is configured with zero data retention for Palpaca’s API usage, meaning prompts and outputs are not stored by Anthropic for model training or any other purpose beyond providing the immediate service response.

2. Encryption

  • All data in transit is encrypted using TLS 1.2 or higher.

  • HubSpot OAuth 2.0 tokens are encrypted at rest.

  • Database storage (Cloudflare D1) and object storage (Cloudflare R2) are encrypted at rest using provider-managed encryption keys.

3. Access Control

  • Access to production infrastructure (Cloudflare) is restricted to authorised Palpaca engineering personnel only.

  • Multi-Factor Authentication (MFA) is enforced for all internal accounts.

  • User access to the platform is authenticated via HubSpot OAuth 2.0 with minimal required scopes.

4. Infrastructure Security

  • The platform is hosted on Cloudflare’s global network, which maintains ISO 27001 and SOC 2 Type II certifications.

  • The platform infrastructure provides process-level isolation between tenants.

  • Cloudflare’s Web Application Firewall (WAF) and DDoS protection are enabled for all platform endpoints.

5. Logging and Monitoring

  • Automated logging captures request/response metadata and error events.

  • Logs are retained for a limited period sufficient for debugging and security auditing.

  • All access and error events can be traced to a specific timestamp and request ID.

6. Secrets Management

  • API keys, OAuth tokens, and other credentials are stored in secure environment variables or encrypted storage, never in plain text within source code.

7. Development Practices

  • Separate development, staging, and production environments are maintained.

  • Code changes undergo review before deployment to production.

  • Employee workstations are equipped with disk encryption and automatic screen locking.

8. Data Portability and Deletion

  • Users may export their project data (generated code, configurations) via the platform’s export functionality.

  • Upon account deletion or termination, all personal data associated with the Controller is deleted within 30 days, except where retention is required by applicable law.

9. Incident Response

  • Palpaca maintains an incident response procedure for identifying, containing, and remediating personal data breaches.

  • The Controller shall be notified of any personal data breach in accordance with Clause 8.2 of this Agreement.

Annex IV — List of Sub-processors

The Controller has authorised the use of the following sub-processors:

Sub-processor: Anthropic PBC

Address: 548 Market St, San Francisco, CA 94104, USA

Description of Processing: AI model inference for code generation. Receives HubSpot CRM schema metadata as input and returns generated source code. Configured with zero data retention.

Data Location: USA (EU-U.S. Data Privacy Framework)

Sub-processor: Cloudflare, Inc.

Address: 101 Townsend St, San Francisco, CA 94107, USA

Description of Processing: Cloud infrastructure for application hosting, relational database storage (D1), object storage (R2), DNS, CDN, and security services (WAF, DDoS protection).

Data Location: EU (where configured for D1/R2 storage)

Sub-processor: Stripe, Inc.

Address: 354 Oyster Point Blvd, South San Francisco, CA 94080, USA

Description of Processing: Payment processing for credit purchases. Stripe acts as an independent data controller for payment instrument data. Palpaca stores only Stripe customer IDs and transaction references.

Data Location: USA / EU (EU-U.S. Data Privacy Framework)

Sub-processor: HubSpot, Inc.

Address: 25 First Street, Cambridge, MA 02141, USA

Description of Processing: Customer relationship management platform used to store the Controller’s account and contact information for the purposes of providing customer support, delivering marketing communications, and analysing platform usage to continuously improve the Palpaca product.

Data Location: USA / EU (EU-U.S. Data Privacy Framework)

An up-to-date list of sub-processors is maintained at palpaca.app/legal/subprocessors.