WARNING: The Spanish version of this document is the original and official version. This translation is automatic and is provided for informational purposes only. In case of discrepancy, the content of the Spanish document shall prevail.
Data Processing Addendum (“DPA”)
Last updated: November 27, 2025
This DPA is entered into by and between:
- The entity or person defined as “Client” under the Terms (“Client”) and,
- Fintesk (meaning the legal entity with which the Client has a contractual relationship according to the Terms, “Fintesk”).
The Client and Fintesk are also referred to as a “Party” and collectively as the “Parties”.
This DPA forms part of and is subject to the Fintesk Terms of Service, available at (“Terms”). This DPA shall take effect upon Client’s acceptance, or other execution, of the Terms and shall continue in accordance with the provisions set out herein.
1. Background
1.1 The Client has agreed to the Terms, according to which Fintesk has agreed to provide certain services to Client (“Services”).
1.2 When providing the Services, Fintesk may collect, gain access to, or otherwise Process Personal Data of individuals (Data Subjects) on behalf of Client. Unless otherwise agreed to between the Parties, Client will be the Data Controller (Responsable del Tratamiento) and Fintesk will be the Data Processor (Encargado del Tratamiento) of such Personal Data.
1.3 This DPA specifies the data protection obligations of the Parties under the Terms. It applies to all activities performed by Fintesk in connection with the Terms in which Fintesk, its staff, or a third party acting on behalf of Fintesk comes into contact with Personal Data as a Data Processor on behalf of the Client.
1.4 The DPA is based on the provisions of Law No. 21,719, on the protection of personal data, and the definitions contained therein.
1.5 If there is a conflict between the terms of the Terms and those of this DPA, the provisions of this DPA will prevail.
2. Definitions
2.1 All capitalized terms used herein and not otherwise defined herein shall have the meaning ascribed to such term in the Terms.
2.2 “Data Controller” (Responsable del Tratamiento) means the natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.
2.3 “Data Processor” (Encargado del Tratamiento) means a natural or legal person, public authority, agency or other body which Processes Personal Data on behalf of the Data Controller.
2.4 “Data Protection Laws” means all applicable worldwide legislation relating to data protection and privacy which applies to the respective Party in the role of Processing Personal Data in question under the Terms, in each case as amended.
2.5 “Data Subject” (Interesado) means the individual to whom Personal Data relates.
2.6 “Instructions” means the written, documented instructions issued by Client to Fintesk, including by using the Services, and directing the same to perform a specific or general action with regard to Personal Data (including, but not limited to, deleting or making available).
2.7 “Personal Data” means any information relating to an identified or identifiable individual (Data Subject) where such information is contained within Client Data and is recognized as personal data under Data Protection Laws.
2.8 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by Fintesk and/or its Sub-Processors. Personal Data Breach will not include unsuccessful attempts or activities that do not compromise the security of Personal Data (pings, port scans, denial of service attacks, etc.).
2.9 “Processing” means any operation or set of operations which is performed on Personal Data, encompassing the collection, recording, organization, storage, adaptation, retrieval, use, disclosure, restriction or erasure.
2.10 “Sub-Processor” (Subencargado) means any Data Processor engaged by Fintesk to assist in fulfilling its obligations with respect to the provision of the Services.
2.11 “Third Country” means any country outside of Chile that does not provide recognized adequate protection.
3. Details of Processing
3.1 Purpose of Processing. Subject to Section 5.1, Fintesk will Process Personal Data only for the purpose of providing and maintaining the Services. Fintesk will follow reasonable Instructions from the Client that do not conflict with this DPA or applicable law.
3.2 Nature of Processing. Fintesk is a cloud-based SaaS CRM tool. Personal Data will be subject to storage and other Processing necessary to provide and maintain the Services and disclosure according to the Terms or law.
3.3 Controller Instructions. The Terms together with the Client’s use of the Services constitute the Client’s complete and final Instructions. Additional Instructions require prior written agreement.
3.4 Categories of Data Subjects. Fintesk has no control over the categories, but they usually include: directors, employees, interns, contractors, job applicants, customers, suppliers, and business contacts of the Client.
3.5 Categories and Nature of Personal Data. These will generally include: name, address, email, phone number, customer history, IP addresses, free-text notes and other data entered by Client. The Parties do not anticipate the Processing of Sensitive Information.
4. Client’s Obligations
4.1 Compliance with Laws. Client will be responsible for complying with all requirements under Data Protection Laws in their use of the Services and in their Instructions to Fintesk. Fintesk has no obligation to assess Client Data to identify specific legal requirements.
4.2 Specific Responsibilities. Client accepts that they will be solely responsible for:
- 4.2.1 The accuracy, quality, and legality of Personal Data.
- 4.2.2 Complying with transparency and lawfulness requirements (notifications and consents, including marketing).
- 4.2.3 Ensuring Client has the right to transfer or provide access to the Personal Data to Fintesk.
- 4.2.4 Ensuring that Instructions comply with applicable laws.
- 4.2.5 Complying with laws applicable to emails or content managed through the Services.
4.3 Client will inform Fintesk without undue delay if Client is not able to comply with its responsibilities.
5. Fintesk’s Obligations
5.1 Scope of Processing. Fintesk commits to Processing Personal Data only based on documented Instructions.
5.2 Confidentiality. Fintesk will ensure that authorized persons have committed themselves to confidentiality.
5.3 Qualified Personnel. Fintesk will use qualified personnel with data protection training.
5.4 Instructions to Personnel. Fintesk will oblige its personnel to Process Personal Data only in accordance with the Terms and Instructions.
5.5 Notification of Violation (Instructions). Fintesk will notify Client if Fintesk is of the opinion that an Instruction is in violation of Data Protection Laws.
5.6 Notification of Personal Data Breach and Cooperation. Fintesk will notify Client without undue delay (with a targeted notification time of no greater than 72 business hours) after becoming aware of a Personal Data Breach and will assist Client in fulfilling its statutory obligations.
5.7 Third Parties. Fintesk will keep confidential and will not make available any Personal Data to any third party except in accordance with the Terms or as required by applicable law.
5.8 Data Subjects’ Requests. Fintesk will support Client by implementing appropriate technical and organizational measures in fulfilling the rights of the Data Subject. If a Data Subject contacts Fintesk directly, Fintesk will instruct the Data Subject to contact the Data Controller.
5.9 Security. Fintesk will assist Client in the fulfillment of its obligations.
5.10 Cooperation with Authorities. Fintesk will cooperate with the relevant supervisory authorities.
5.11 Deletion and Return. Upon termination of Services, Fintesk will delete or return Personal Data according to Instructions. If Client does not give Instructions, Fintesk will delete the data as follows:
- Contents of closed Accounts: ~180 days.
- Contents of closed Free Trial Accounts: ~60 days.
- Backups (copias de seguridad): ~90 days.
5.12 Data Protection Impact Assessment. Fintesk will provide reasonable assistance with data protection impact assessments.
6. Sub-Processors
6.1 General Authorization. Client grants Fintesk a general authorization to engage Sub-Processors.
6.2 Authorized Sub-Processors. Listed at www.pipedrive.com/subprocessors.
6.3 Notification of Changes. Fintesk will notify Client prior to the appointment of any new Sub-Processor via email. Client may object within ten (10) calendar days by sending an email to privacidad@fintesk.com.
6.4 Objection. If Client objects, Fintesk will recommend changes. If it cannot be resolved within 30 days, Client may terminate the affected Services and receive a pro-rata refund.
6.5 Conditions for Engagement. Fintesk will ensure that its agreements with Sub-Processors impose obligations similar to, and in no way less protective than, those set out in this DPA, and will ensure an adequate level of protection for transfers to Third Countries.
6.6 Responsibility. Fintesk shall be fully responsible to Client for any violations of this DPA by the Sub-Processors.
7. Place of Data Processing and Data Transfers
7.1 Places of Processing. Client accepts that Fintesk may access and Process Personal Data on a global basis, including transfers to affiliates and Sub-Processors in their jurisdictions.
7.2 Compliance. Each Party will ensure such transfers are made in compliance with the Data Protection Laws of Chile.
7.3 Transfers subject to the Swiss DPA. For transfers subject to the Swiss DPA, references to the GDPR in the SCCs are to be understood as references to the Swiss DPA and the authority is the Swiss Federal Data Protection and Information Commissioner.
7.4 Transfers from Brazil. If applicable, the Parties will comply with the Brazil Standard Contractual Clauses, incorporated into this DPA. Fintesk is the Importer and Client is the Exporter.
7.5 Transfers within Fintesk. Fintesk has concluded an Intra Group Data Transfer Agreement (IGDTA) and Fintesk Inc. is a registered entity of the EU-U.S. Data Privacy Framework.
8. Technical and Organizational Measures
Fintesk will implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk (in accordance with Law No. 21,719), described in Annex 2.
9. Audits
Fintesk will grant to Client rights of access and information to verify compliance, upon written request. Client may determine compliance via an on-site audit once a year, subject to confidentiality and reimbursement of costs at Fintesk’s then-current professional services rates (see Annex 2 of this DPA).
10. Liability
The Parties’ obligations or breach thereof under this DPA shall be subject to the limitations on liability set forth in the Terms.
11. Miscellaneous
11.1 Governing Law. This DPA is governed by the law indicated in the Terms.
11.2 Changes. Fintesk may make modifications to this DPA to comply with laws, regulatory orders, or new practices. Continued use of the Services constitutes Client’s acceptance.
Annex 2 – Technical and Organizational Measures
Description of the technical and organizational security measures implemented by Fintesk:
1. Pseudonymization and Encryption
- Data at rest: Encrypted with AES-256.
- Data in transit: TLS (HTTPS), with HSTS enforced.
2. Confidentiality, Integrity, and Availability
- Incident Management:
  - Dedicated 24x7 on-call function for immediate response.
  - Formal procedure for security events and post-mortem analysis.
- Resilience:
  - Business continuity and disaster recovery plan.
  - Backups stored off-site and tested.
- Redundancy:
  - Globally redundant and scalable infrastructure (IaaS).
  - High availability in all components.
3. Regular Testing and Evaluation
- Annual vulnerability scans.
- Annual penetration tests performed internally.
4. Identification and Authorization
- Access control (Just-in-Time, least privilege).
- Strong password policy.
- Identity lifecycle management and automatic session expiration.
5. Protection during Transmission
- Encryption of data-in-transit, firewalls (WAF, cloud-native), IPS.
- Monitoring for compromise attempts.
6. Protection during Storage
- Endpoint intrusion detection.
- Physical security in facilities.
- Secrets management (keys).
- Security training for employees.
- Software updates and patches.
- Logical separation of client instances.
7. Physical Security
- AWS facilities protected in accordance with their security protocols (see aws.amazon.com/compliance).
8. Configuration Management
- Continuous automation for deployment.
- Integration testing.
- Process for critical emergency fixes.
9. IT Governance and Security
- Information security and vendor risk management program.
- Security-by-design reviews.
- Email filters and phishing exercises.
- Internal disciplinary actions.
10. Minimization and Retention
- Collection limited to processing purposes.
- Deletion/return of data upon termination of services.
- Retention according to privacy policy.
11. Portability and Erasure
- Self-service features to export or delete Client Data.
12. Data Separation
- Access separation by application and user.
- Database tables normalized and separated by module.
- Interfaces designed for specific purposes.
13. Artificial Intelligence (AI/ML)
- Training for teams on secure use of AI.
- Legal, Privacy, and Security review of AI/ML use cases.