Data Processing Agreement

Last modified 10.07.2025
This Data Processing Agreement, including its Schedules ("DPA"), between Pumpkin Intelligence, Inc. ("Pumpkin Intelligence", "White Circle," "we," "us" or "our") and the party identified as the Customer in the Agreement (defined below) (each a "Party" and together the "Parties"), forms part of and is subject to the Platform Agreement (located at https://whitecircle.ai/terms) or other written or electronic agreement incorporating this DPA governing the Customer's access and use of the Services ("Agreement"). Capitalized terms used and not otherwise defined in this DPA shall have the meaning set forth in the Agreement.
Customer enters into this DPA on behalf of itself and any Affiliates authorized to use the Services under the Agreement and who have not entered into a separate contractual arrangement with White Circle. For the purposes of this DPA only, and except where otherwise indicated, the term "Customer" shall include Customer and such Affiliates.
The Parties agree as follows:


1. Definitions

1.1 "Affiliates" means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
1.2 "Applicable Data Protection Law" means US Data Protection Law and European Data Protection Law applicable to the Processing of Customer Personal Data under this DPA.
1.3 "Europe" means for the purposes of this DPA, the European Economic Area and/or its member states ("EEA"), the United Kingdom ("UK") and/or Switzerland.
1.4 "European Data Protection Law" means all data protection and privacy laws and regulations enacted in Europe and applicable (in whole or in part) to the respective Party's Processing of Personal Data including (as applicable) (i) EU Regulation 2016/679 (General Data Protection Regulation) ("EU GDPR"); (ii) EU e-Privacy Directive (Directive 2002/58/EC), (iii) any national data protection laws made under or pursuant to (i) or (ii); (iv) in respect of the UK, the EU GDPR as it forms part of UK law by virtue of section 3 of the European Union (Withdrawal) Act 2018 ("UK GDPR"), the Data Protection Act 2018, the Privacy and Electronic Communications (EC Directive) Regulations 2003, and any other laws in force in the UK applicable to the Processing of Personal Data (together, "UK Data Protection Law"); and (v) the Swiss Federal Data Protection Act and its implementing regulations ("Swiss DPA"); in each case as may be amended, superseded or replaced from time to time.
1.5 "Controller" means an entity that alone or jointly determines the purposes and means of the Processing of Personal Data. It shall have the same meaning ascribed to "controller" under the GDPR and other equivalent terms under Applicable Data Protection Law (including "Business" as defined under the CCPA), as applicable.
1.6 "Customer Personal Data" means Customer Data that constitutes Personal Data, as described in more detail in Schedule A below.
1.7 "Personal Data" has the meaning assigned to the term "personal data" or "personal information" under Applicable Data Protection Laws.
1.8 "Processing" means any operation or set of operations that are performed upon Personal Data, whether or not by automatic means, such as collection, recording, securing, organization, storage, adaptation or alteration, access to, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure, or destruction. "Processes", "Processed" and "Process" shall be construed accordingly.
1.9 "Processor" means an entity that processes Personal Data on behalf, and in accordance with the instructions, of a Controller. It shall have the same meaning ascribed to "processor" under the GDPR and other equivalent terms under other Applicable Data Protection Law (including "Service Provider" as defined under the CCPA), as applicable.
1.10 "Restricted Transfer" means a transfer (directly or via onward transfer) of Personal Data that is subject to Applicable Data Protection Law to a country outside Europe which is not subject to an adequacy determination by the European Commission, United Kingdom or Swiss authorities (as applicable).
1.11 "Security Documentation" means the security measures described in White Circle’s Trust Center, accessible here https://trust.whitecircle.ai/controls (or such other URL as may be notified to Customer from time to time).
1.12 "Security Incident" means any actual breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Data processed by White Circle and/or its Subprocessors. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.
1.13 "Standard Contractual Clauses" or "SCC" means the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council.
1.14 "Subprocessor" means any third party appointed by White Circle to Process Customer Personal Data in connection with the provision of Services. Subprocessors may include White Circle Affiliates but shall exclude White Circle employees, contractors and consultants.
1.15 "Supervisory Authority" means any regulatory, supervisory, governmental, state agency, Attorney General or other competent authority with jurisdiction or oversight over compliance with Applicable Data Protection Law.
1.16 "UK Addendum" means the International Data Transfer Addendum to the Standard Contractual Clauses (version B1.0) issued by Information Commissioners Office under S.119(A) of the UK Data Protection Act 2018, as it is revised under Section 18 therein; as may be amended, superseded or replaced from time to time.
1.17 "US Data Protection Law" means all privacy laws and regulations applicable in the United States, including the California Consumer Privacy Act ("CCPA"), as amended by the California Privacy Rights Act ("CPRA") when effective, as well as any regulations and guidance that may be issued thereunder; and, where applicable, (ii) the Virginia Consumer Data Protection Act ("CDPA") when effective; (iii) the Colorado Privacy Act ("CPA") when effective; (iv) the Utah Consumer Privacy Act when effective ("UCPA"); (v) the Connecticut Data Privacy Act ("CTDPA") when effective; in each case as may be amended or superseded from time to time.


2. Processing of Personal Data

2.1 Scope of this DPA. This DPA applies only where and to the extent that White Circle Processes Customer Personal Data protected by Applicable Data Protection Law as a Processor (or functionally equivalent role) on behalf of Customer in connection with the provision of the Services pursuant to the Agreement. Nothing in this DPA shall act to restrict or prevent White Circle from Processing any information (including Personal Data) that White Circle collects and maintains independently of providing the Services to Customer for the purpose of improving White Circle's product and service offerings.
2.2 Roles of the Parties. The Parties acknowledge and agree that for the purposes of this DPA, Customer is the Controller (or Processor acting on behalf of a third party Controller) of Customer Personal Data and White Circle shall Process Customer Personal Data as a Processor on behalf of Customer. Any Processing of Customer Personal Data under the Agreement shall be performed in accordance with Applicable Data Protection Law. However, White Circle is not responsible for compliance with any Applicable Data Protection Law applicable to Customer or Customer's industry that is not generally applicable to White Circle as a service provider.
2.3 Customer obligations. Customer is solely responsible for the accuracy, quality and legality of the Customer Personal Data. Customer shall: (a) ensure all Customer Personal Data provided to White Circle has been collected following Applicable Data Protection Law and that you have provided notice and obtained all consents, permissions and rights necessary for White Circle and its Subprocessors to lawfully Process Customer Personal Data for the purposes contemplated by the Agreement, (b) use the Services in compliance with Applicable Data Protection Law and (c) it will notify White Circle if it is unable to comply with its obligations under Applicable Data Protection Law or its Processing instructions will cause White Circle or its Subprocessors to be in breach of Applicable Data Protection Law.
2.4 Processing instructions. White Circle shall process Customer Personal Data in accordance with Customer's documented lawful instructions, except where required by applicable law(s). For these purposes, Customer instructs White Circle to process Customer Personal Data for the following purposes: (a) to perform any steps necessary for the performance of the Agreement; (b) to provide, maintain and improve the Services provided to Customer in accordance with the Agreement; (c) Processing initiated by end users in their use of the Services; (d) to comply with other reasonable instructions provided by Customer (e.g., via email or support tickets) that are consistent with the terms of the Agreement (including this DPA); and (e) to comply with White Circle's legal obligations under applicable law, including Applicable Data Protection Law (collectively and individually the "Permitted Purpose"). White Circle will promptly notify Customer if White Circle reasonably believes that the instructions are inconsistent with Applicable Data Protection Law and, in such event, White Circle shall not be obligated to undertake such Processing until such time as Customer has updated its Processing instructions and White Circle has determined that the incidence of non-compliance is resolved.
2.5 Sale or Sharing of Customer Personal Data Prohibited. For the purposes of US Data Protection Law (to the extent applicable), White Circle shall not (a) sell Customer Personal Data, as the term "sell" is defined by US Data Protection Law, (b) share Customer Personal Data, as the term "share" is defined by the CPRA, (c) disclose or transfer Customer Personal Data to a Subprocessor or any other parties that would constitute "selling" as the term is defined by US Data Protection Law or "sharing" as the term is defined by the CPRA, and (d) unless otherwise permitted by US Data Protection Law, retain, use, disclose, or otherwise Process the Customer Personal Data for any purposes other than the Permitted Purposes described in this DPA.


3. Subprocessors

3.1 General authorization. Customer provides a general written authorization for White Circle to engage Subprocessors to Process Customer Personal Data. White Circle maintains an up-to-date list of its Subprocessors in the White Circle's Trust Center accessible here: https://trust.whitecircle.ai/subprocessors (or such other successor URL notified to Customer from time to time) ("Subprocessor List"). White Circle shall: (a) enter into a written agreement with each Subprocessor containing data protection obligations not less protective of Customer Personal Data than those in this DPA to the extent applicable to the nature of the Services provided by such Subprocessor; and (b) will remain responsible for any acts or omissions of Subprocessors to the extent they cause White Circle to breach its obligations under this DPA.
3.2 Notice of Changes to Subprocessors. The Subprocessor List contains a mechanism for Customers to subscribe to notifications of new Subprocessors. White Circle will provide notice to the emails subscribed, at least fifteen (15) days before such changes take effect.
3.3 Objection to New Subprocessors. Customer may object to White Circle's engagement of any new or replacement Subprocessor on reasonable grounds relating to the protection of Personal Data by notifying White Circle in writing to [email protected] within five (5) days of receipt of White Circle's notice. In such case, the Parties shall discuss Customer's concerns in good faith with a view to achieving a mutually acceptable resolution. If the Parties cannot resolve the objection, White Circle shall, at its sole discretion, either not appoint the Subprocessor, or permit Customer to terminate the affected Services in accordance with the termination provisions in the Agreement without liability to either Party (but without prejudice to any fees incurred by Customer prior to suspension or termination). If such objection right is not exercised by Customer in the terms defined above, silence shall be deemed to constitute an approval of such engagement.


4. Security

4.1 White Circle shall implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of Customer Personal Data, as more particularly described in the Security Documentation ("Security Measures"). Customer acknowledges that the Security Measures are subject to technical progress and development and that White Circle may update or modify its Security Measures from time to time, provided that such updates and modifications do not result in the degradation of the overall security of the Services purchased by Customer.
4.2 White Circle restricts its personnel from Processing Customer Personal Data without authorization and shall ensure that any person who is authorized by White Circle to process Customer Personal Data is under an appropriate obligation of confidentiality (whether a contractual or statutory duty).
4.3 Notwithstanding the above, Customer is responsible for reviewing the information made available by White Circle relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Applicable Data Protection Law. Customer further agrees that it is responsible for its secure use of the Services, including securing its account authentication credentials and taking any appropriate steps to backup any Customer Personal Data processed in connection with the Services.


5. Security Incident Management And Notification

5.1 Upon becoming aware of a Security Incident, White Circle shall notify Customer without undue delay and, where feasible, within 72 hours. White Circle shall provide Customer with timely information relating to the Security Incident as it becomes known or is reasonably requested by Customer to fulfil its obligations under Applicable Data Protection Law.
5.2 White Circle will also take reasonable steps to contain, investigate, and mitigate any Security Incident. The notification of or response to a Security Incident under this DPA will not be construed as an acknowledgment by White Circle of any fault or liability with respect to the Security Incident.


6. Return Or Deletion

6.1 Upon termination or expiry of the Agreement, at Customer's written request White Circle shall return or delete all Customer Personal Data in its possession or control in accordance with the terms of the Agreement and this DPA. In the event that no election is made by Customer in accordance with this Section 6, White Circle will delete all Customer Personal Data in its possession in accordance with the procedures and timeframes specified in the Security Documentation. This requirement shall not apply to the extent White Circle is required by applicable law to retain some or all of the Personal Data, or to Personal Data archived on back-up systems, which White Circle shall securely isolate and protect from any further Processing (to the extent permitted by applicable law).
6.2 The Parties agree that the certification of deletion of Customer Personal Data described in Clause 8.5 and 16(d) of the SCC shall be provided by White Circle to Customer only upon Customer's written request.


7. Audit Rights

White Circle utilizes external auditors to verify the adequacy of its Security Measures with respect to its Processing of Customer Personal Data in connection with the Services. To the extent required under Applicable Data Protection Law and on Customer’s written request, White Circle shall provide to Customer (subject to obligations of confidentiality) written responses (which may include audit report summaries/ extracts) to all reasonable requests for information made by Customer related to its Processing of Customer Personal Data necessary to confirm White Circle’s compliance with this DPA, provided that Customer shall not exercise this right more than once in any twelve (12) month rolling period. Notwithstanding the foregoing, Customer may also exercise such audit right in the event Customer is expressly requested or required to provide this information to a Supervisory Authority, or White Circle has experienced a Security Incident. Nothing herein shall be construed to require White Circle to provide: (i) trade secrets or any proprietary information; (ii) any information that would violate White Circle’s confidentiality obligations, contractual obligations, or applicable law; or (iii) any information, the disclosure of which could threaten, compromise, or otherwise put at risk the security, confidentiality, or integrity of White Circle’s infrastructure, networks, systems, or data.


8. International Transfers

8.1 Customer acknowledges and agrees that White Circle may transfer and Process Customer Personal Data to and in the United States and other locations in which White Circle, its Affiliates or its Subprocessors maintain Processing operations, as more particularly described in Section 3 (Subprocessors) (as applicable). White Circle shall at all times ensure such transfers are made in compliance with the requirements of Applicable Data Protection Law.
8.2 The Parties agree that when the transfer of Customer Personal Data from Customer (as "data exporter") to White Circle (as "data importer") is a Restricted Transfer and European Data Protection Law require that appropriate safeguards are put in place, such transfer shall be subject to the SCC, which shall be deemed incorporated into and form a part of this DPA, as follows: (a) Module Two applies where you are a Controller and White Circle is a Processor and Module Three applies where you are a Processor and White Circle is a Processor; (b) in Clause 7, the optional docking clause will apply; (c) in Clause 9, Option 2 applies, and the period for prior notice of Subprocessor changes is set forth in Section 3 of this DPA; (d) in Clause 11, the optional language does not apply; (e) in Clause 17, Option 1 applies with the governing law being that of Ireland; (f) in Clause 18(b), disputes will be resolved before the courts in Ireland; (g) Annex I and II of the SCCs is completed with the information in Schedule A and the Security Measures respectively; If and to the extent the SCC conflict with any provision of this DPA, the SCC will prevail to the extent of such conflict.
8.3 In relation to transfers of Customer Personal Data that are protected by UK Data Protection Law, the SCCs: (i) shall apply as completed in accordance with Section 8.1 above; and (ii) shall be deemed amended as specified by the UK Addendum, which shall be deemed executed by the Parties and incorporated into and form an integral part of this DPA. Tables 1, 2, and 3 in Part 1 of the UK Addendum will be deemed completed with the information set out in Schedule A of this DPA and the Security Measures, and Table 4 in Part 1 will be deemed completed by selecting "neither party". Any conflict between the terms of the SCC and the UK Addendum will be resolved in accordance with Section 10 and Section 11 of the UK Addendum.
8.4 In relation to transfers of Customer Personal Data protected by the Swiss DPA, the SCC will also apply in accordance with Section 8.1 above, with the following modifications: (i) references to "Regulation(EU) 2016/679" will be interpreted as references to the Swiss DPA and references to specific articles shall be replaced with the equivalent article or section; (ii) references to "EU", "Union", "Member State" and "Member State law" will be interpreted as references to "Switzerland", or "Swiss law"; (iii) the term "member state" shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland); (iv) Clause 13(a) and Part C of Annex I are not used; (v) references to the "competent supervisory authority" and "competent courts" will be replaced with the "Swiss Federal Data Protection Information Commissioner" and "applicable courts in Switzerland"; (vii) in Clause 17 the SCC shall be governed by the laws of Switzerland.; and (viii) with respect to transfers to which the Swiss DPA applies, Clause 18(b) shall state that disputes shall be resolved before the applicable courts of Switzerland.
8.5 To the extent White Circle adopts an alternative lawful data export mechanism for the transfer of Customer Personal Data not described in this DPA ("Alternative Transfer Mechanism"), the Alternative Transfer Mechanism shall upon notice to Customer apply instead of any applicable transfer mechanism described in this DPA (but only to the extent such Alternative Transfer Mechanism complies with European Data Protection Law and extends to the territories to which Customer Personal Data is transferred) and Customer agrees to execute such other and further documents and take such other and further actions as may be reasonably necessary to give legal effect such Alternative Transfer Mechanism.


9. Cooperation

9.1 Data subject requests. To the extent that Customer is unable to independently access the relevant Customer Personal Data within the Services, White Circle shall, taking into account the nature of the Processing, provide reasonable cooperation to assist Customer in responding to any requests from individuals relating to the Processing of Customer Personal Data under the Agreement. In the event that any such request is made to White Circle directly, White Circle shall promptly notify Customer and shall not respond to the request directly except to direct the data subject to the Customer without Customer's prior authorization, unless and to the extent legally compelled to do so.
9.2 Law enforcement requests. If a law enforcement agency sends White Circle a demand for Customer Personal Data (for example, through a subpoena or court order), White Circle will attempt to redirect the law enforcement agency to request that Customer Personal Data directly from Customer. As part of this effort, White Circle may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Personal Data to a law enforcement agency, then White Circle will give Customer reasonable notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless White Circle is legally prohibited from doing so.
9.3 Data Protection Impact Assessments. To the extent White Circle is required under applicable European Data Protection Law, White Circle shall provide reasonably requested information regarding White Circle's Processing of Customer Personal Data under the Agreement to enable Customer to carry out data protection impact assessments or prior consultations with Supervisory Authorities as required by law.
9.4 General cooperation. Each Party will reasonably cooperate with the other in any activities contemplated by this DPA and to enable each Party to comply with its respective obligations under Applicable Data Protection Law.


10. Liability of the Parties

Each Party’s and its Affiliates’ liability, taken together in the aggregate, arising out of or related to this DPA (including the SCC), whether in contract, tort (including negligence), or under any other theory of liability, is subject to the limitations and exclusions of liability in the Agreement. Accordingly, any reference in the Agreement to the liability of a Party means the aggregate liability of that Party and its Affiliates under and in connection with the Agreement and this DPA together.


11. General Provisions

11.1 In the event of a conflict or inconsistency with respect to the subject matter of the Processing of Customer Personal Data between the Agreement, this DPA, an Order Form or any other documentation, the terms of the following documents will prevail (in order of precedence): the SCCs; then this DPA; and then the Agreement.
11.2 The DPA will, notwithstanding the expiration or termination of the Services, remain in effect until, and automatically expire upon, White Circle’s deletion or return of all Customer Personal Data.
11.3 If any provision of this DPA is found to be unenforceable or invalid, that provision will be limited or eliminated to the minimum extent necessary so that this DPA will otherwise remain in full force and effect and enforceable.
11.4 Neither Party may assign any of its rights or obligations hereunder, whether by operation of law or otherwise, without the other Party’s prior written consent (not to be unreasonably withheld); provided, however, either Party may assign this DPA, without the other Party’s consent (but upon providing notice) in connection with a merger, acquisition, corporate reorganization, or sale of all or substantially all of its assets, except in the event that this assignment involves a competitor of the non-assigning Party.
11.5 Notwithstanding anything else to the contrary in the Agreement and without prejudice to Section 2.4 above, White Circle may periodically make modifications to this DPA where necessary to (i) comply with a request or order by a Supervisory Authority or other government or regulatory entity; (ii) comply with Applicable Data Protection Law; (iii) implement or adhere to new standard contractual clauses, approved codes of conduct or certifications, or other compliance mechanisms, which may be permitted under Applicable Data Protection Law; or (iv) the change is commercially reasonable, does not materially reduce the security of the Services, does not change the scope of White Circle’s Processing of Customer Personal Data, and does not have a material adverse impact on your rights under this DPA. Unless otherwise specified by White Circle, these changes will become effective for Customer upon posting of the modified DPA (see "Last Updated" date above). White Circle will use reasonable efforts to notify Customer of the changes through Customer's account, email, or other means. In any event, continued use of the Services will constitute Customer's acceptance of the version of the DPA in effect.
11.6 No agency, partnership, joint venture, or employment is created as a result of this DPA and Customer does not have any authority of any kind to bind White Circle in any respect whatsoever.
11.7 This DPA shall be governed by and construed in accordance with the governing law and jurisdiction provisions in the Agreement, unless otherwise required by this DPA or Applicable Data Protection Laws.


SCHEDULE A: DESCRIPTION OF DATA


PROCESSING / TRANSFER


Annex 1(A): List of parties

  • Data exporter:
    • Name of the data exporter: The entity identified as the Customer in this DPA or the Agreement.
    • Address: The address for the Customer associated with its White Circle account or otherwise specified in this DPA or the Agreement.
    • Contact person’s name, position and contact details: The contact details associated with the Customer's account, or otherwise specified in this DPA or the Agreement.
    • Activities relevant to the data transferred: The activities specified in Annex 1(B) below.
    • Role (Controller/Processor): Controller/ Processor.
  • Data importer:
    • Name of the data importer: Pumpkin Intelligence, Inc.
    • Address: 111 S Governors Ave, STE 25003, Dover, Delaware, 19904, USA
    • Contact person’s name, position and contact details: Legal Department, [email protected]
    • Activities relevant to the data transferred: The activities specified in Annex 1(B) below.
    • Role (Controller/Processor): Processor.


Annex 1(B): Description of the Processing / transfer

  • Categories of Data Subjects whose Personal Data is transferred: Current and former employees and other personnel of the Customer who are authorized users of the Services ("Users"), as well as end users of Customer's products, services or applications that access the Services, whose information is provided to White Circle through the White Circle API or other business services ("End Users").
  • Categories of Personal Data transferred: In connection with the Services, White Circle may Process certain Personal Data, the extent to which is determined and controlled by the Customer in its sole discretion, but which may include:
    • Users:
      • Business email address
      • User ID
      • Organization ID
      • IP address
      • Support data (including personal data within support tickets)
    • End Users
      • Any Personal Data incidentally included within prompt and output data processed through the Services, as well as within support data.
  • Sensitive Data Transferred (if appropriate) and applied Restrictions or Safeguards: The types of Personal Data processed by White Circle are determined and controlled by the Customer in its sole discretion. White Circle does not intentionally collect any special categories of data in connection with the Services. Any sensitive data (if any) will be protected in accordance with the Security Measures.
  • Frequency of the Transfer (e.g. whether the data is transferred on a one-off or continuous basis): Continuous basis.
  • Subject matter of the Processing: The Customer Personal Data described in this Schedule A.
  • Nature of the Processing: The provision of the Services as described in the Agreement and initiated by the Customer from time to time.
  • Duration of the Processing: The duration of the Agreement plus the period from the expiry of the Agreement until deletion of the Customer Personal Data in accordance with the Agreement and DPA.
  • Purposes of the data transfer and further Processing: The Permitted Purposes (as defined in this DPA).
  • Period for which the Personal Data will be retained, or if that is not possible the criteria used to determine that period, if applicable: The Customer determines the duration in accordance with the Agreement and this DPA.


Annex 1(C): Competent supervisory authority

  • Competent supervisory authority: The data exporter's competent supervisory authority will be determined in accordance with European Data Protection Law.

Get on the list

All systems operational
White Circle is compliant with current security standards. All data is secure and encrypted.
Features
TestProtect
Company
ContactCareers
Legal
Industries
FinanceHealthCareEducationCreative AIE-commerceGaming
Other