Data Processing Agreement
Last updated: 2026-04-27
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller", "Developer", "Customer") and Pluralize, operated by Pablo Llorens, sole proprietor in Spain ("Processor", "we", "us"). It governs the processing of personal data we perform on your behalf when you use the Pluralize platform to operate your application ("App") and authenticate its end-users ("Tenants").
By creating an account on pluralize.app and storing tenant data through the
Service, you accept this DPA on behalf of your organisation. The DPA enters
into force on first such use and remains in force for as long as we process
personal data on your behalf.
1. Roles and scope
You are the controller of tenant personal data — you decide what your App
collects, why, and how long it is kept. We are the processor acting on
your documented instructions, which are the configuration choices you make in
the dashboard, the SDK methods you call, and any further written instructions
you send to hello@pluralize.app.
This DPA covers all processing of personal data we perform in the course of delivering the Service to you. It does not cover personal data of your own employees on the Pluralize dashboard — for that we are an independent controller and the Privacy Policy applies.
2. Subject-matter and details of processing
| Item | Details |
| --- | --- |
| Subject-matter | Authentication, billing, multi-tenancy, document storage and file storage on behalf of the Controller |
| Duration | The term of the Customer's account, plus any post-termination period required to return or delete the data |
| Nature and purpose | Hosting, transmitting, indexing, caching, backing up and serving tenant data so the Customer's App can function |
| Categories of data subjects | Tenants — the end-users of the Customer's App |
| Categories of personal data | Email address, password hash, IP address and user agent at sign-in, OAuth claims if used, and any further records and files the Customer chooses to store via the SDK |
| Special categories (Art. 9 GDPR) | None unless the Customer chooses to store them; we strongly recommend not doing so without an additional risk assessment |
3. Customer instructions
You instruct us to process tenant personal data only:
- to provide and maintain the Service in accordance with the Terms;
- as required by EU or Spanish law applicable to us, in which case we will inform you before processing unless that law prohibits notice on important grounds of public interest;
- as further documented in writing through the dashboard or by email to hello@pluralize.app.
We will inform you immediately if, in our opinion, an instruction infringes the GDPR or other Union or Member State data protection provisions.
4. Confidentiality
We ensure that any person we authorize to process tenant personal data is bound by an obligation of confidentiality (contractual or statutory) and is trained on data protection.
5. Security measures (Art. 32 GDPR)
We implement appropriate technical and organisational measures including:
- TLS 1.2+ for all data in transit; HSTS on pluralize.app.
- AES-256 encryption at rest at the storage layer (Vercel Postgres / Neon and Vercel Blob).
- Bcrypt password hashing with per-account salt, cost factor 12.
- Signed JWTs for sessions, delivered as HttpOnly, Secure, SameSite=Lax cookies, with a 30-day rolling lifetime and revocation on sign-out.
- Per-app CORS origin allowlist enforced at the edge.
- Hardware-backed multi-factor authentication for all administrative access.
- Daily automated backups of the production database with at least 7 days of point-in-time recovery.
- Logical separation of tenant data by app and by tenant ID at the query layer; row-level constraints in the schema.
- Documented incident response plan and a quarterly review of dependencies and access lists.
We will keep these measures under review and may update them so long as the overall level of protection is not reduced.
6. Sub-processors
You give us general written authorisation to engage the sub-processors listed at /legal/subprocessors. We will publish any intended addition or replacement on that page at least 30 days before the change takes effect, giving you the opportunity to object. If you reasonably object on data-protection grounds and we cannot accommodate your objection, you may terminate the affected service for convenience and we will refund any prepaid fees pro rata.
We impose on each sub-processor, by written contract, data protection obligations no less protective than those set out in this DPA, in line with Art. 28(4) GDPR.
7. International transfers
Where personal data is transferred outside the European Economic Area, we rely on the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) with the relevant module:
- Module 2 (controller-to-processor) between you and Pluralize where you are established outside the EEA;
- Module 3 (processor-to-sub-processor) between Pluralize and any sub-processor outside the EEA.
Where the importer is certified, we additionally rely on the EU–US Data Privacy Framework. We supplement these transfers with technical measures including encryption in transit and at rest and pseudonymisation where practical.
8. Data subject rights
We will assist you, by appropriate technical and organisational measures and insofar as possible, in fulfilling your obligation to respond to requests from tenants exercising their rights under Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection). The dashboard exposes tenant export and deletion APIs for this purpose. If a tenant contacts us directly we will refer them to you and forward the request without undue delay.
9. Personal data breach (Art. 33 GDPR)
We will notify you without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting tenant data we process on your behalf. The notification will describe, to the extent known:
- the nature of the breach, including categories and approximate number of data subjects and records concerned;
- the likely consequences;
- the measures taken or proposed to address it and mitigate adverse effects;
- contact details for follow-up.
We will assist you in meeting any notification obligations you have toward your supervisory authority and affected tenants under Articles 33 and 34 GDPR.
10. Data Protection Impact Assessments
We will provide reasonable assistance with DPIAs and prior consultations required under Articles 35 and 36 GDPR, taking into account the information available to us as processor.
11. Audits and inspections (Art. 28(3)(h))
We will make available all information necessary to demonstrate compliance with this DPA and contribute to audits, including inspections, conducted by you or an auditor mandated by you.
In practice, we will satisfy this obligation by providing on request our current security documentation, sub-processor list, and most recent penetration test summary. On-site audits may be requested in writing with at least 30 days' notice, no more than once per year unless required by a supervisory authority or following a confirmed breach, conducted during business hours, subject to confidentiality, and at your cost.
12. Return and deletion
On termination of your account, and at your written choice expressed within 30 days, we will:
- return all tenant personal data via the dashboard export endpoints in a structured, commonly used, machine-readable format; and/or
- delete all such data from production systems within 30 days and from backups within a further 35 days as backups roll off.
After deletion we will provide written confirmation on request. We may retain personal data only to the extent and for as long as required by EU or Spanish law (e.g. 6 years for invoices under Spanish tax law), and only for that purpose.
13. Liability and term
The liability cap and exclusions set out in the Terms of Service apply equally to claims under this DPA. This DPA terminates automatically upon termination of the Terms but the obligations relating to confidentiality, return and deletion, and audit cooperation survive for as long as necessary to give them effect.
14. Governing law
This DPA is governed by the laws of Spain and subject to the exclusive jurisdiction of the courts of Madrid, in line with the Terms of Service.
Questions? Email hello@pluralize.app — we'll route to the right person.