Data Processing Addendum (DPA)
Effective date: 2025-04-17
Updated on: 2025-11-24

This Data Processing Addendum ("DPA") forms an integral part of the Terms of Service ("Agreement") between 3F Venture S.A., a company established under the laws of Luxembourg ("Pismo.ai" or "Processor") and the user or entity agreeing to the Agreement ("Client" or "Controller").
This DPA applies to the extent that Pismo.ai processes Personal Data on behalf of the Client in the course of providing its SaaS services (the "Services"). By using the Services, the Client agrees to be bound by this DPA.

1. Definitions

  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
  • "Personal Data", "Controller", "Processor", "Sub-processor", and "Processing" have the meanings given to them in the GDPR.
  • "Standard Contractual Clauses" (SCCs) means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, approved by the European Commission.

2. Scope and Responsibilities

2.1. Roles. The parties acknowledge that for the purposes of the GDPR, the Client is the Controller (or a Processor acting on behalf of a third-party Controller) and Pismo.ai is the Processor.
2.2. Instructions. Pismo.ai shall process Personal Data only on the documented instructions of the Client. The Client's instructions are hereby given as: (a) processing necessary to provide the Services in accordance with the Agreement; and (b) processing initiated by the Client’s authorized users through the Service (e.g., submitting prompts to the AI).

3. Sub-processors

3.1. Authorization. The Client grants Pismo.ai a general written authorization to engage third-party Sub-processors to support the delivery of the Services.
3.2. Current Sub-processors. The Client consents to the engagement of the Sub-processors listed in Annex III.
3.3. Changes. Pismo.ai will inform the Client of any intended changes concerning the addition or replacement of Sub-processors (e.g., by updating this DPA on the website or via email notification). The Client may object to such changes within 14 days of notification. If no objection is made, the new Sub-processor is deemed accepted.

4. International Data Transfers

4.1. Transfer Mechanism. Pismo.ai operates globally. Where Personal Data is transferred outside the European Economic Area (EEA) to a country not deemed to have adequate data protection (including the United States), such transfers shall be governed by:
  • (a) The EU-US Data Privacy Framework (DPF), provided the recipient is certified thereunder; or
  • (b) The Standard Contractual Clauses (SCCs), which are hereby incorporated into this DPA by reference.

5. Security and Confidentiality

5.1. Measures. Pismo.ai shall implement and maintain appropriate technical and organizational measures ("TOMs") to protect Personal Data, as described in Annex II.
5.2. Confidentiality. Pismo.ai ensures that persons authorized to process the Personal Data (employees, contractors) have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Client-Directed Integrations (Bring Your Own Key)

6.1. If the Client elects to connect third-party services to Pismo.ai using the Client’s own API keys or credentials (e.g., connecting OpenRouter or a custom LLM endpoint via the Client's own subscription), the Client acknowledges that:
  • (a) Such third-party services are not Sub-processors engaged by Pismo.ai;
  • (b) Pismo.ai acts solely as a technical conduit for the transmission of data; and
  • (c) The Client is solely responsible for ensuring such transmission complies with applicable laws and for the data protection practices of the selected third party.

7. AI Specific Clauses

7.1. No Training on Customer Data. Pismo.ai will not use the Client’s Input Data (prompts) or Output Data to train Pismo.ai’s internal foundation models, unless the Client explicitly opts in or as otherwise permitted by the specific AI provider’s enterprise policies (e.g., regarding zero data retention).

8. Data Subject Rights and Assistance

8.1. Assistance. Pismo.ai shall, to the extent legally permitted and technically feasible, assist the Client in responding to requests from Data Subjects (e.g., right to delete, access) related to the Client’s data.
8.2. Breach Notification. Pismo.ai shall notify the Client without undue delay after becoming aware of a confirmed Personal Data Breach affecting the Client's data.

9. Audit Rights

9.1. Limitation. Due to the mass-market nature of the Service and the security risks associated with physical access, the Client agrees that its audit rights under Article 28(3)(h) of the GDPR shall be satisfied by Pismo.ai providing, upon written request, a summary of its most recent security assessments or answering a security questionnaire no more than once per year. Physical inspections of data centers (which are operated by third parties) are not permitted.

10. Governing Law

This DPA is governed by the laws of the Grand Duchy of Luxembourg. Any disputes arising from or in connection with this DPA shall be resolved in the courts of Luxembourg City.

ANNEX I: DETAILS OF PROCESSING

1. Subject matter and duration:
The subject matter is the provision of the Pismo.ai SaaS platform (AI writing, analysis, and productivity tools). The duration is equal to the term of the Agreement.
2. Nature and Purpose:
Processing of text inputs ("prompts"), documents, and user account data to generate text outputs via Artificial Intelligence models.
3. Categories of Data:
  • Account Data: Name, email address, IP address, billing information.
  • Content Data: Text inputs (prompts), uploaded files, and generated outputs.
4. Categories of Data Subjects:
Employees, agents, or customers of the Client using the Service.

ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)

Pismo.ai utilizes industry-standard infrastructure to ensure data security:
  1. Encryption: All data in transit is encrypted via TLS 1.2/1.3 (HTTPS). We utilize Cloudflare for edge security and SSL termination. API keys are stored using encryption at rest.
  2. Hosting: The Service is hosted on GigaElixir (utilizing Google Cloud Platform / AWS infrastructure), which maintains industry-standard certifications (e.g., SOC 2, ISO 27001).
  3. Access Control: Access to production data is restricted to authorized personnel on a need-to-know basis. Multi-Factor Authentication (MFA) is enforced for administrative access.
  4. Network Security: We use Cloudflare for DDoS protection, Web Application Firewall (WAF), and global CDN distribution to ensure availability and integrity.
  5. Backups: Regular automated backups of critical databases are performed to ensure business continuity and data restorability.

ANNEX III: LIST OF SUB-PROCESSORS

The Client authorizes the use of the following Sub-processors:

| Sub-processor | Location | Function | Transfer Mechanism |
|---|---|---|---|
| GigaElixir | EU | Cloud Hosting & Database (PaaS) | SCCs / DPF |
| Cloudflare, Inc. | USA (Global) | DNS, CDN, WAF, DDoS Protection | Data Privacy Framework |
| OpenAI, L.L.C. | USA | AI Model Provider (LLM Processing) | Data Privacy Framework |
| Stripe, Inc. | USA | Payment Processing | Data Privacy Framework |
| Google (via GigaElixir) | EU | Underlying Infrastructure | SCCs / DPF |

Security
Your information’s security is important to us. https://pismo.ai utilizes a range of security measures to prevent the misuse, loss, or alteration of the information you have given us. However, because we cannot guarantee the security of the information you provide us, you must access our service at your own risk.

Pismo is not responsible for the performance of websites operated by third parties or your interactions with them. When you leave this website, we recommend you review the privacy practices of other websites you interact with and determine the adequacy of those practices.

Contact Us
For any questions, please contact us through the following methods:
Name: 3F Venture S.A.
Address: 9 Rue du Laboratoire L-1911, Luxembourg
Email: contact@pismo.ai
Website: https://pismo.ai