Data Processing Agreement (DPA)

Last Updated: June 18, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Use between PinealOS ("Processor") and the Customer ("Controller") using the Platform. This DPA governs the processing of personal data by PinealOS on behalf of the Controller in compliance with Article 28 of the General Data Protection Regulation (GDPR).

1. Definitions

  • "Controller": The user of the PinealOS Platform who determines the purposes and means of processing personal data.
  • "Processor": PinealOS, which processes personal data on behalf of the Controller.
  • "Personal Data": Any information relating to an identified or identifiable natural person as defined by Article 4(1) of the GDPR.
  • "Sub-processor": Any third party engaged by the Processor to process personal data on behalf of the Controller.

2. Processing Details

Subject matter: Provision of AI-powered software development platform services, including code generation, project management, domain registration, and deployment.

Duration: The term of the Controller's account plus the retention periods specified in the Privacy Policy.

Nature and purpose: Processing of personal data for account management, service delivery, billing, support, and domain registration.

Categories of data subjects: End users of the Controller (Platform account holders) whose personal data is submitted to the Platform.

Categories of personal data: Name, email address, phone number, billing information, T.C. ID / Passport number, API tokens, project files, chat history, IP address, device information.

3. Controller Obligations

The Controller represents and warrants that:

  • The processing of personal data by the Processor has been lawfully authorized.
  • The Controller has provided all necessary privacy notices and obtained all necessary consents required under applicable data protection laws.
  • The Controller shall respond to data subject requests within the timeframes required by applicable law.
  • The Controller shall not submit any special category data (Article 9 GDPR) to the Platform without explicit consent.

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller (Article 28(3)(a)).
  • Ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations (Article 28(3)(b)).
  • Implement appropriate technical and organizational security measures (Article 32).
  • Not engage another processor without prior specific or general written authorization (Article 28(2)).
  • Assist the Controller by appropriate technical and organizational measures to fulfill the Controller's obligation to respond to data subject requests (Article 28(3)(e)).
  • Assist the Controller in ensuring compliance with Articles 32-36 of the GDPR.
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28.
  • Delete or return all personal data to the Controller after the end of the provision of services (Article 28(3)(g)).

5. Sub-processors

The Controller provides general authorization for the Processor to engage the following Sub-processors:

Sub-processor | Service | Location
Cloudflare Inc. | DNS, CDN, Workers, R2, D1, KV, Pages | US (Global)
Lemon Squeezy (Blindspot Inc.) | Payment processing | US
GitHub Inc. | Code repository hosting | US
DomainNameAPI (Atak Domain) | Domain registration | Turkey

The Processor shall notify the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 14 days in advance. The Controller may object to such changes within 7 days of notification.

6. International Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area, including the United States and Turkey. Such transfers shall be governed by:

  • EU-US Data Privacy Framework for transfers to certified US Sub-processors.
  • Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision 2021/914).
  • Any other valid transfer mechanism under Chapter V of the GDPR.

7. Security Measures

The Processor shall implement appropriate technical and organizational measures as required by Article 32 of the GDPR, including:

  • Encryption of personal data in transit (TLS 1.3) and at rest.
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems.
  • Measures to restore access to personal data in a timely manner in the event of a physical or technical incident (automated backups).
  • Regular testing and evaluation of the effectiveness of technical and organizational measures.
  • Access controls and authentication requirements for administrative personnel.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay (and within 48 hours) after becoming aware of a personal data breach affecting the Controller's data. The notification shall include:

  • Description of the nature of the breach.
  • Categories and approximate number of affected data subjects and personal data records.
  • Contact details for further information.
  • Description of measures taken or proposed to address the breach.

9. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests under Articles 15-22 of the GDPR. If a data subject makes a request directly to the Processor, the Processor shall forward it to the Controller without delay and shall not respond without the Controller's authorization.

10. Deletion and Return of Data

Upon termination of the Controller's account or upon written request, the Processor shall delete all personal data belonging to the Controller within 30 days, except where retention is required by applicable law (e.g., tax records, domain registration records). The Processor shall provide written certification of deletion upon request.

11. Audits

The Controller may audit the Processor's compliance with this DPA no more than once per calendar year, upon 30 days' written notice, during regular business hours, and at the Controller's expense. The Processor shall provide access to relevant records and systems necessary to demonstrate compliance.

12. Limitation of Liability

The liability of each party under this DPA shall be subject to the limitations set forth in the Terms of Use. Neither party shall be liable for any indirect, incidental, or consequential damages arising out of or relating to this DPA, except in cases of gross negligence or willful misconduct.

13. Governing Law

This DPA shall be governed by the laws of the Republic of Turkey. Any dispute arising out of or relating to this DPA shall be resolved in accordance with the dispute resolution provisions in the Terms of Use.

14. Contact

Email: info@pinealos.com
Phone: +90 212 909 93 23
