Data Processing Agreement
Last updated: March 13, 2026
1. Scope
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Context Engine Ltd ("Processor") and the subscribing organisation ("Controller") for the use of PulseMI. This DPA applies to all personal data processed by the Processor on behalf of the Controller through the Service.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person
- Processing: Any operation performed on personal data, including collection, storage, analysis, and deletion
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller
3. Nature and Purpose of Processing
The Processor processes personal data for the purpose of providing media intelligence services, specifically:
- User account management and authentication
- Analysis of publicly available media content for sentiment, topics, and trends
- Generation of analytics reports and executive briefings
- Delivery of alerts and notifications
- Payment processing and subscription management
4. Categories of Data
- Account Data: Names, email addresses, organisation details, roles
- Usage Data: Platform interaction logs, IP addresses, session data
- Media Data: Publicly available news articles, social media posts, and derived analytics (sentiment scores, summaries)
- Payment Data: Billing information processed through our payment provider
5. Sub-processors
The following sub-processors are authorised to process personal data in connection with the Service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Zitadel | Authentication & identity management | EU |
| Google (Gemini API) | AI content analysis & sentiment scoring | US |
| LightningPDF | PDF report rendering | EU |
| S3-compatible storage | Report & asset storage | EU |
| Redis (self-hosted) | Session management & caching | Same as app server |
The Processor will notify the Controller before engaging any new sub-processor. The Controller may object to a new sub-processor within 14 days of notification.
6. Security Measures
The Processor implements appropriate technical and organisational measures to protect personal data:
- Encryption in transit (TLS 1.2+) and at rest
- Multi-tenant data isolation at the database level
- OAuth2 PKCE authentication with JWT validation
- Role-based access control (RBAC)
- CSRF protection and Content Security Policy headers
- Rate limiting on all API endpoints
- Automated daily database backups
7. Data Subject Rights
The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) within the timeframes required by applicable law. The Processor will notify the Controller promptly upon receiving any data subject request directly.
8. Data Breach Notification
In the event of a personal data breach, the Processor will notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of the breach. The notification will include:
- The nature of the breach, including categories and approximate number of data subjects affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
9. Data Deletion
Upon termination of the Service agreement, the Processor will delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law. The Controller may request a data export before termination.
10. International Transfers
Where personal data is transferred outside Kenya or the EEA, the Processor ensures appropriate safeguards are in place, including standard contractual clauses or adequacy decisions as applicable.
11. Contact
For questions about this DPA, contact us at:
Context Engine Ltd
Nairobi, Kenya
support@contextengine.tech