Data Processing Agreement

Effective Date: May 3, 2026  ·  Version 1.1

1. Definitions

Capitalized terms not defined herein have the meanings given in the Terms of Service and Privacy Policy.

• “Controller” means you, the Pluse user who determines the purposes and means of processing Personal Data through the Service.
• “Processor” means Emmber, Inc., a Delaware corporation qualified to do business in the State of Florida, which operates the Pluse platform and processes Personal Data on behalf of the Controller. References in this DPA to either “Emmber” or “Pluse” identify the same legal entity (Emmber, Inc.).
• “Personal Data” means any information relating to an identified or identifiable natural person that is processed by Pluse on your behalf through the Service. This includes client names, contact information, addresses, financial records, and any other personal information you enter into Pluse.
• “Data Subject” means the identified or identifiable natural person to whom Personal Data relates (e.g., your clients, employees, or vendors whose information you store in Pluse).
• “Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, or deletion.
• “Subprocessor” means a third party engaged by Pluse to process Personal Data on behalf of the Controller.
• “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data, including the GDPR, CCPA/CPRA, and other state, federal, or international data protection laws.

2. Scope & Roles

2.1 Applicability

This DPA applies to all Personal Data that Pluse processes on your behalf through the Service. It supplements (and is incorporated into) the Terms of Service.

2.2 Roles

You are the Controller (and a “business” under the California Consumer Privacy Act / California Privacy Rights Act). You determine what Personal Data is entered into the Service, why it is processed, and who has access to it within your account.

Emmber, Inc. is the Processor (and a “service provider” under the CCPA/CPRA). Emmber, Inc. processes Personal Data solely on your behalf and in accordance with your documented instructions (as described in Section 3). Emmber does not retain, use, or disclose Personal Data for any purpose other than the specific business purposes set forth in this DPA and the Terms of Service, and does not sell or share Personal Data as those terms are defined under the CCPA/CPRA.

2.3 Categories of Data Processed

2.4 Data Subjects

Data Subjects may include your clients, customers, employees, contractors, vendors, and any other individuals whose Personal Data you enter into the Service.

3. Processing Instructions

Pluse will process Personal Data only in accordance with your documented instructions, which include:

• The functionality you use within the Service (invoicing, time tracking, expense management, client management, Lux AI queries, etc.);
• Your configuration choices and settings within the Service;
• The instructions described in this DPA, the Terms of Service, and the Privacy Policy.

If Pluse believes an instruction from you infringes Applicable Data Protection Law, Pluse will notify you promptly and may suspend processing of the affected data until the issue is resolved.

Pluse will not process Personal Data for any purpose other than providing the Service to you, unless required by law. If Pluse is compelled by law to process Personal Data for another purpose, Pluse will inform you of that legal requirement before processing (unless the law prohibits such notification).

4. Security Measures

Emmber, Inc. implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are governed by Emmber’s Written Information Security Program (“WISP”), which is designed to comply with 201 CMR 17.00 (Standards for the Protection of Personal Information of Residents of the Commonwealth of Massachusetts) and is maintained as the baseline security standard for all users regardless of location. Specific measures include:

• Encryption in transit: All data transmitted between your device and Emmber’s servers is encrypted using TLS 1.2 or higher.
• Encryption at rest: Personal Data stored in Emmber’s databases is encrypted at rest using AES-256 encryption.
• Access controls: Access to production systems and Personal Data is restricted to authorized personnel on a need-to-know basis, protected by multi-factor authentication.
• Infrastructure: Emmber’s production infrastructure is hosted on DigitalOcean, which maintains SOC 2 Type II and ISO 27001 certifications.
• Monitoring: Emmber uses Sentry for real-time error monitoring and logging to detect and respond to security incidents.
• Backups: Automated database backups with encrypted storage and tested recovery procedures.
• Personnel: Emmber personnel with access to Personal Data are bound by confidentiality obligations.

Emmber will regularly review and update these measures to maintain an appropriate level of security, taking into account the state of the art, cost of implementation, and the nature, scope, context, and purposes of processing. For a fuller description of Emmber’s technical and organizational security measures, see the Information Security Policy.

5. Subprocessors

5.1 Authorized Subprocessors

You authorize Pluse to engage the following subprocessors to assist in providing the Service:

5.2 Changes to Subprocessors

Pluse will notify you at least 30 days before engaging a new subprocessor or replacing an existing one by updating this page and, where practicable, by email notification. If you object to a new subprocessor, you may terminate the affected portion of the Service by contacting Pluse within 30 days of notification.

5.3 Subprocessor Obligations

Pluse ensures that each subprocessor is bound by data protection obligations no less protective than those in this DPA. Pluse remains fully liable to you for the acts and omissions of its subprocessors.

6. Data Subject Rights

Pluse will assist you in fulfilling your obligations to respond to Data Subject requests under Applicable Data Protection Law (access, rectification, erasure, portability, restriction, or objection).

• If Pluse receives a request directly from a Data Subject, Pluse will promptly redirect the request to you, unless legally prohibited from doing so.
• Pluse provides self-service tools within the Service for you to access, export, correct, and delete Personal Data. For requests that cannot be fulfilled through the Service, contact Pluse at privacy@pluse.to.
• Pluse will provide reasonable assistance at no additional charge, unless requests are excessive or manifestly unfounded, in which case Pluse may charge a reasonable fee.

7. Data Breach Notification

In the event of a security breach affecting Personal Data processed on your behalf, Pluse will:

1. Notify you without undue delay and in any event within 72 hours of becoming aware of the breach, via the email address associated with your account;
2. Provide details including: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the breach;
3. Cooperate with your investigation and any notifications you are required to make to supervisory authorities or Data Subjects under Applicable Data Protection Law;
4. Document the breach, including facts, effects, and remedial actions taken, and make this documentation available to you upon request.

This obligation does not apply to breaches of Personal Data for which you are the sole controller and processor (e.g., data you store outside of the Service).

8. International Data Transfers

Personal Data processed through the Service is stored on servers located in the United States. If you are located outside the United States, your use of the Service involves the transfer of Personal Data to the United States.

For transfers of Personal Data from the European Economic Area (EEA), United Kingdom (UK), or Switzerland to the United States, Pluse relies on:

• Standard Contractual Clauses (SCCs): Where required, Pluse will enter into the EU Commission’s Standard Contractual Clauses (Module 2: Controller to Processor) with you as an addendum to this DPA;
• Supplementary measures: Pluse implements encryption in transit and at rest, access controls, and other technical safeguards as described in Section 4.

To request execution of Standard Contractual Clauses, contact privacy@pluse.to.

9. Data Retention & Deletion

9.1 During the Term

Pluse retains Personal Data for the duration of your active account and in accordance with the data retention periods described in the Privacy Policy.

9.2 Upon Termination

Upon termination of your account or this DPA:

• You may export your data through the Service’s export functionality before account closure;
• Pluse will delete or anonymize all Personal Data within 90 days of account closure, except where retention is required by Applicable Data Protection Law or for the establishment, exercise, or defense of legal claims;
• Pluse will provide written confirmation of deletion upon your request.

9.3 Lux AI Conversations

Lux AI conversation history is deleted within 30 days of account closure. Your business data is not used to train AI models, as described in Section 2.1 of the Privacy Policy.

10. Audit Rights

Upon reasonable request and subject to confidentiality obligations, Pluse will make available to you information necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

Pluse will permit and contribute to audits, including inspections, conducted by you or an independent auditor mandated by you, subject to the following:

• You must provide at least 30 days’ written notice of an audit request;
• Audits will be conducted during normal business hours and will not unreasonably disrupt Pluse’s operations;
• You bear the cost of the audit unless the audit reveals a material breach of this DPA by Pluse;
• Audit frequency is limited to once per 12-month period, unless required by a supervisory authority or following a data breach.

Where available, Pluse may satisfy audit requests by providing relevant third-party certifications, audit reports, or compliance documentation from its infrastructure providers.

11. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Terms of Service.

Nothing in this DPA limits either party’s liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any liability that cannot be excluded or limited by Applicable Data Protection Law.

12. Term & Termination

This DPA takes effect when you accept the Terms of Service and remains in effect for as long as Pluse processes Personal Data on your behalf.

Termination or expiration of the Terms of Service automatically terminates this DPA, subject to the data deletion obligations in Section 9.

The provisions of this DPA that by their nature should survive termination (including Sections 7, 9, 10, and 11) will survive.

13. Contact

For questions about this DPA, data protection requests, or to exercise any rights described herein:

• Email: legal@pluse.to or support@pluse.to
• Mail: Emmber, Inc., c/o Registered Agent, 131 Continental Dr, Suite 305, Newark, Delaware 19713, United States, Attn: Data Protection

© 2024–2026 Emmber, Inc. All rights reserved. Pluse™ and Lux™ are trademarks of Emmber, Inc.