Data Processing Agreement

Document version: 1.0
Governing law: State of California, United States

This Data Processing Agreement ("DPA") is incorporated by reference into the Master Services Agreement or Order Form between PILLAR and the Customer ("Principal Agreement"). It governs PILLAR's processing of personal data on behalf of the Customer in connection with the PILLAR Revenue Architecture Operating System. Where there is a conflict between this DPA and the Principal Agreement, this DPA controls with respect to data processing matters.

Contents

  1. Definitions
  2. Roles of the Parties
  3. Details of Processing
  4. PILLAR's Obligations
  5. Customer's Obligations
  6. Sub-Processors
  7. Security Measures
  8. Data Subject Rights
  9. International Data Transfers
  10. Confidentiality of Processing
  11. Audit Rights
  12. Data Breach Notification
  13. Data Return and Deletion
  14. Term and Termination
  15. Limitation of Liability
  16. Governing Law
Section 1

Definitions

As used in this DPA, the following terms have the meanings set forth below. Capitalized terms not defined here have the meanings given in the Principal Agreement.

Section 2

Roles of the Parties

The parties acknowledge that with respect to Customer Data:

To the extent PILLAR processes any personal data in connection with its own business operations (such as account management, billing, or support), PILLAR acts as a Controller for that processing and it is governed by PILLAR's Privacy Policy, not this DPA.

Section 3

Details of Processing

Schedule 1 below sets out the key details of the processing PILLAR performs under this DPA.

Schedule 1 — Processing Details

Subject matter: PILLAR Revenue Architecture Operating System — scoring, signal generation, pipeline analytics, renewal forecasting, and AI-assisted decision support for revenue teams.

Duration: For the term of the Principal Agreement, plus any post-termination retention period specified in Section 13 of this DPA.

Nature of processing: Ingestion, storage, analysis, scoring, aggregation, and display of revenue-related data. Outbound sync of computed scores to Customer's CRM. Email metadata ingestion (headers only, no body content). No profiling of individuals for purposes other than those specified in the Principal Agreement.

Purpose of processing: To deliver the features of the PILLAR platform, including account health scoring, renewal risk monitoring, pipeline intelligence, signal generation, and AI-assisted narratives. Processing is strictly for the provision of services to Customer.

Categories of personal data: Contact names, email addresses, job titles, employer/organization names, LinkedIn profile URLs (where present in CRM), email metadata (sender, recipient, timestamp, subject line), calendar event metadata (participants, timestamp, title), and user identity data for PILLAR workspace users (name, email, role).

Categories of data subjects: Customer's contacts and leads (buyers, prospects, renewal contacts), Customer's employees who use the PILLAR platform (sales reps, CSMs, RevOps, leaders), and individuals referenced in Customer's CRM records.

Special category data: PILLAR does not intentionally process special category data (e.g., health, racial origin, biometric, political, or religious data). Customers must not submit such data to PILLAR.

Location of processing: United States (Supabase / AWS US East, Vercel US infrastructure). See the Sub-Processors List for full details.

Section 4

PILLAR's Obligations

4.1 Instructions

PILLAR will process Customer Data only on Customer's documented instructions, as set out in the Principal Agreement, this DPA, and any additional written instructions provided by Customer. PILLAR will notify Customer if, in PILLAR's reasonable assessment, any instruction violates Applicable Data Protection Law.

4.2 Confidentiality

PILLAR will ensure that all personnel authorized to process Customer Data are bound by confidentiality obligations with respect to that data, whether by employment agreement, contractor agreement, or applicable law.

4.3 Assistance with Obligations

PILLAR will provide Customer with reasonable assistance to fulfill Customer's obligations under Applicable Data Protection Law, including responding to requests from Data Subjects exercising their rights, conducting data protection impact assessments, and complying with regulatory inquiries, to the extent the obligation relates to PILLAR's processing of Customer Data and taking into account the nature of that processing.

4.4 No Sale of Data

PILLAR will not sell, rent, or otherwise transfer Customer Data to third parties for their independent business purposes. Customer Data is used exclusively to provide the PILLAR service to Customer.

4.5 No Training on Customer Data

PILLAR will not use Customer Data to train, fine-tune, or improve any machine learning model that is shared with, or made available to, any other customer. Model improvements derived from usage patterns (not from Customer Data itself) are not restricted by this provision.

Section 5

Customer's Obligations

Customer represents and warrants that:

Section 6

Sub-Processors

6.1 General Authorization

Customer provides general authorization for PILLAR to engage sub-processors to assist in providing the service, subject to the conditions in this Section 6.

6.2 Sub-Processor List

PILLAR maintains a current list of approved sub-processors at pillargtm.com/legal/sub-processors/. This list is updated to reflect any additions, replacements, or removals.

6.3 Notice of Changes

PILLAR will notify Customer at least 30 days before adding a new sub-processor that processes Customer Data. Notification is provided by posting an update to the sub-processors page and emailing the Customer's designated admin contact.

6.4 Objection Right

Customer may object to a new sub-processor by notifying PILLAR in writing within the 30-day notice period. If Customer's objection is reasonable and cannot be resolved through commercially reasonable measures, Customer may terminate the affected portion of the service with written notice, subject to the terms of the Principal Agreement.

6.5 Sub-Processor Obligations

PILLAR will impose data protection obligations on each sub-processor that are at least as protective as those in this DPA. PILLAR remains responsible to Customer for the performance of each sub-processor's obligations to the extent PILLAR is responsible for the acts and omissions of its own employees.

Section 7

Security Measures

7.1 Technical and Organizational Measures

PILLAR maintains technical and organizational security measures appropriate to the risk presented by its processing of Customer Data, including:

7.2 Evaluation and Updates

PILLAR will regularly evaluate, test, and update its security measures. Where PILLAR makes material changes that reduce the level of security applicable to Customer Data, PILLAR will notify Customer in advance.

7.3 Customer Responsibility

Customer is responsible for the security of its own credentials, the configuration of user access within the PILLAR workspace, and the security of the systems Customer uses to access PILLAR.

Section 8

Data Subject Rights

8.1 PILLAR's Assistance

Taking into account the nature of the processing, PILLAR will provide Customer with reasonable technical assistance to respond to requests from Data Subjects seeking to exercise their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

8.2 Forwarding Requests

If PILLAR receives a request directly from a Data Subject concerning Customer Data, PILLAR will promptly notify Customer (where legally permitted) and will not respond substantively to the request without Customer's authorization, except as required by law.

8.3 FERPA

To the extent Customer is an educational institution subject to the Family Educational Rights and Privacy Act (FERPA) and Customer Data contains education records, PILLAR acknowledges that it processes such records as a "school official" with a legitimate educational interest, as defined by FERPA, solely for the purpose of providing the services under the Principal Agreement. PILLAR will not re-disclose education records without Customer's prior written consent, except as permitted by applicable law.

Section 9

International Data Transfers

9.1 Processing Location

PILLAR processes Customer Data in the United States. Customers located outside the United States acknowledge that their data will be transferred to and processed in the United States.

9.2 Transfer Mechanisms

Where transfer of personal data from the European Economic Area, United Kingdom, or Switzerland to the United States is subject to cross-border transfer restrictions under Applicable Data Protection Law, the parties agree to execute any additional transfer mechanisms required (such as Standard Contractual Clauses) upon Customer's request. Contact security@pillargtm.com to initiate this process.

Section 10

Confidentiality of Processing

PILLAR will ensure that all PILLAR personnel who access Customer Data as part of providing the service are subject to binding confidentiality obligations. PILLAR will not disclose Customer Data to any third party except: (a) to sub-processors under Section 6; (b) as required by applicable law, regulation, or legal process; or (c) with Customer's prior written consent. Where disclosure is required by law, PILLAR will notify Customer to the extent legally permitted and will cooperate with Customer in seeking a protective order or equivalent protection.

Section 11

Audit Rights

11.1 PILLAR Audit Reports

Upon Customer's written request (no more than once per 12-month period, unless required by a supervisory authority), PILLAR will make available to Customer information reasonably necessary to demonstrate PILLAR's compliance with this DPA, including relevant third-party audit reports and certifications (such as SOC 2 Type II reports) subject to confidentiality obligations.

11.2 On-Site Audit

If Customer reasonably determines, after reviewing available documentation under Section 11.1, that additional audit activity is necessary to verify compliance with this DPA, the parties will negotiate in good faith the scope, timing, and cost of such an audit. Any such audit must: (a) be conducted with at least 30 days written notice; (b) occur during normal business hours with minimal disruption to PILLAR's operations; (c) be conducted by a mutually agreed independent auditor bound by confidentiality; and (d) be conducted at Customer's expense.

Note: PILLAR's standard audit documentation package (SOC 2 Type II report, penetration test summary, and security questionnaire responses) satisfies most enterprise procurement and legal requirements. Contact security@pillargtm.com to request this package.

Section 12

Data Breach Notification

12.1 Notification Timeline

PILLAR will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a Data Breach affecting Customer Data, to the extent such notification is possible within that timeframe. Where notification within 72 hours is not possible, PILLAR will provide the initial notification as soon as practicable, along with the reasons for the delay.

12.2 Notification Content

PILLAR's breach notification will include, to the extent then known and available: a description of the nature of the Data Breach; the categories and approximate number of Data Subjects and records affected; the likely consequences of the Data Breach; and the measures PILLAR has taken or proposes to take to address the breach.

12.3 Customer Notification to Regulators

Customer is responsible for any required notifications to supervisory authorities or Data Subjects under Applicable Data Protection Law. PILLAR will provide Customer with reasonable cooperation and assistance in connection with any such notifications.

12.4 No Admission

A breach notification under this Section does not constitute an admission of fault or liability by PILLAR.

Section 13

Data Return and Deletion

13.1 Export During Service

Customer may export Customer Data at any time during the term of the Principal Agreement using PILLAR's data export functionality or via the PILLAR API. All data remains Customer's at all times.

13.2 Post-Termination

Upon expiration or termination of the Principal Agreement, Customer may request a full export of Customer Data within 30 days of termination. Following that 30-day window (or at Customer's earlier written instruction), PILLAR will delete all Customer Data from its systems, including backup systems, within 30 days. Upon completion, PILLAR will provide written confirmation of deletion to Customer's designated contact.

13.3 Exceptions

PILLAR may retain Customer Data beyond the periods described above only to the extent required by applicable law or regulation, and solely for the period and purposes required by such law. Any retained data remains subject to the confidentiality obligations of this DPA.

Section 14

Term and Termination

This DPA is effective as of the date the Principal Agreement becomes effective and remains in force for the duration of the Principal Agreement and any post-termination data retention period under Section 13. Termination or expiration of the Principal Agreement automatically terminates this DPA, subject to the survival of provisions that by their nature survive termination (including Sections 10, 13, 15, and 16).

Section 15

Limitation of Liability

Each party's liability to the other party under or in connection with this DPA is subject to the limitation of liability provisions in the Principal Agreement. To the extent Applicable Data Protection Law imposes liability that cannot be excluded or limited by contract, those statutory liabilities are unaffected. Nothing in this DPA limits either party's liability for fraud, willful misconduct, or gross negligence.

Section 16

Governing Law

This DPA and any disputes arising from it are governed by the laws of the State of California, United States, without regard to conflict-of-law principles, except to the extent Applicable Data Protection Law requires otherwise. The parties consent to the exclusive jurisdiction of the state and federal courts located in California for the resolution of disputes under this DPA.

Questions about this agreement? Contact security@pillargtm.com. For signed DPA requests or security questionnaire packages, include your company name and contract reference in the subject line.
