Data Processing Addendum.
How we handle personal data on your behalf. Plain English up front, full terms below.
The short version
- You're the controller, we're the processor. Your audience's data belongs to you. Trellis moves and serves it on your instructions — we never use it for our own purposes.
- Your subprocessors are the platforms you connect. Trellis only sends data to services you've explicitly connected (Airtable, Webflow, etc.), plus Google Cloud, where Trellis runs.
- We never touch payment-card data. Payments on your site are processed by your payment or ticketing platform on their own pages — card details never pass through Trellis.
- Sensitive data stays private by default. Per-user data served through private fields is delivered only to authenticated users — never published to a public CMS.
- Delete means delete. Disconnect a platform or close your account and we remove the associated data from our systems.
Last updated: June 12, 2026
1. Scope & Roles
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Customer") and Pitch Space LLC ("Trellis," "we," "us"). It applies whenever Trellis processes personal data contained in the content, records, form submissions, or audience data you manage through the Service.
For that data, you are the data controller (you decide what is collected and why) and Trellis is your data processor (we process it only to provide the Service, on your documented instructions). Data about your own Trellis account (your email, billing, settings) is covered by our Privacy Policy, where we act as a controller.
2. What We Process, and Why
Depending on which features and connectors you enable, Trellis may process personal data such as: names, email addresses, and contact details in your connected databases; event registration and attendance records; form submissions from your website; and per-user records served through private fields (for example, a supporter's own history shown on their dashboard). We process this data solely to sync, transform, cache, and serve it between the platforms you connect and your website — never for advertising, profiling, training, or any purpose of our own.
3. Your Instructions
Your instructions are given through the product: connecting a platform, mapping fields, enabling a sync, configuring a form, or marking fields private. We process personal data only per those configurations and this DPA. If we believe an instruction violates applicable data protection law, we'll tell you instead of silently complying.
4. Subprocessors
Trellis uses a small set of subprocessors, and the list is largely under your control:
- Infrastructure (always): Google Cloud / Firebase (United States) — hosting, database, authentication, file storage.
- Connected platforms (only the ones you enable): every platform you connect (e.g., Airtable, Webflow, Ticket Tailor, Salesforce, Smartsheet) receives the data you've mapped to it. You contract with these platforms directly; each has its own privacy terms.
We will notify account owners by email before adding a new infrastructure subprocessor. Connecting a new platform yourself is your instruction to share data with it.
5. Security
We maintain technical and organizational safeguards, including:
- Encryption in transit (TLS) for all data movement, and AES-256-GCM encryption at rest for platform credentials and OAuth tokens
- Per-user access rules enforced at the database layer — no customer's data is readable by another customer
- App and domain verification on public endpoints, rate limiting, and server-side-only access to connected platforms (your credentials never reach a browser)
- Private fields served exclusively to authenticated end users via short-lived tokens
6. Payment-Card Data
Trellis never collects, transmits, or stores payment-card or bank account data. Payments connected to your site (donations, tickets, bookings) are processed by the relevant payment or ticketing platform on its own PCI-compliant pages. Trellis only receives non-card transaction metadata (e.g., order totals and status) where you've configured a sync.
7. Assistance with Data Subject Requests
If a person exercises privacy rights (access, correction, deletion) for data we process on your behalf, we'll assist you in fulfilling the request — typically by helping you locate, export, correct, or delete the relevant records across your connected platforms and our caches. Requests that reach us directly will be forwarded to you.
8. Personal Data Breach
If we become aware of a personal data breach affecting data we process for you, we will notify you without undue delay, describe what happened and what data was affected, and cooperate with your notification obligations.
9. International Transfers
Trellis processes data in the United States. Where data protection law requires a transfer mechanism (for example, for EU/UK personal data), the EU Standard Contractual Clauses and the UK Addendum are incorporated into this DPA by reference, with you as data exporter and Trellis as data importer.
10. Deletion & Return
When you disconnect a platform, delete a site, or close your account, we delete the associated personal data from our systems within 30 days, except where retention is required by law. During your subscription you can export your data at any time — it lives in your own connected platforms by design.
11. Audits & Information
We'll make available the information reasonably necessary to demonstrate compliance with this DPA, including our current subprocessor list and security practices. Reasonable written audits are available on request, no more than once per year.
12. Term & Precedence
This DPA applies for as long as we process personal data on your behalf and survives termination until that processing ends. If this DPA conflicts with the Terms of Service regarding personal data processing, this DPA controls.
Contact
Questions about this DPA or our data practices: skye@trelliscms.com.