Last Update: June 1, 2026
This Data Processing Addendum ("DPA") supplements and forms part of the Crunchafi Subscription Agreement or other written or electronic agreement between Crunchafi LLC or its Affiliate Crunchafi Data Extraction, Inc. (as referenced in the applicable Order Form) ("Crunchafi") and the customer identified in the applicable Order Form ("Customer") governing Customer's access to and use of the Crunchafi services (the "Agreement"). This DPA reflects the parties' agreement with respect to the Processing of Customer Personal Data in connection with the Services. Capitalized terms used but not defined herein have the meanings given to them in the Agreement.
In the event of any conflict or inconsistency between this DPA and the Agreement with respect to the Processing of Customer Personal Data, this DPA shall prevail. In the event of any conflict between this DPA and any Standard Contractual Clauses or UK International Data Transfer Addendum executed between the parties, the Standard Contractual Clauses or Addendum (as applicable) shall prevail.
For purposes of this DPA:
"Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including, where applicable: (i) Regulation (EU) 2016/679 (the "EU GDPR"); (ii) the EU GDPR as incorporated into the laws of the United Kingdom by the Data Protection Act 2018 and the European Union (Withdrawal) Act 2018 (the "UK GDPR") (together with the EU GDPR, the "GDPR"); (iii) the Swiss Federal Act on Data Protection of 25 September 2020 and its implementing ordinance (the "Swiss FADP"); and (iv) any other national, state, or local privacy or data protection laws applicable to the Processing of Personal Data under the Agreement, in each case as amended, superseded, or replaced from time to time.
"Controller" has the meaning given in the GDPR, and for the avoidance of doubt includes a "controller" under the Swiss FADP.
"Customer Personal Data" means Personal Data contained within Content that Crunchafi Processes on behalf of Customer in connection with providing the Services, as further described in Annex I.
"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.
"EEA" means the European Economic Area.
"Europe" means, collectively, the EEA, the United Kingdom, and Switzerland.
"Personal Data" has the meaning given in the GDPR, and for the avoidance of doubt includes "personal data" under the Swiss FADP.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data transmitted, stored, or otherwise Processed by Crunchafi or a Sub-processor. A Personal Data Breach does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, including unsuccessful log-in attempts, pings, port scans, denial-of-service attacks, or other network attacks on firewalls or networked systems.
"Processing" (and "Process," "Processes," "Processed") has the meaning given in the GDPR.
"Processor" has the meaning given in the GDPR, and for the avoidance of doubt includes a "processor" under the Swiss FADP.
"Restricted Transfer" means: (i) where the EU GDPR applies, a transfer of Personal Data from the EEA to a country outside of the EEA that is not subject to an adequacy decision by the European Commission; (ii) where the UK GDPR applies, a transfer of Personal Data from the United Kingdom to a country outside the United Kingdom that is not subject to adequacy regulations under the UK GDPR; and (iii) where the Swiss FADP applies, a transfer of Personal Data from Switzerland to a country outside Switzerland that is not deemed adequate by the Swiss Federal Data Protection and Information Commissioner or the Swiss Federal Council.
"SCCs" or "Standard Contractual Clauses" means the standard contractual clauses for the transfer of personal data to third countries approved by the European Commission in Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended, superseded, or replaced from time to time.
"Sub-processor" means any third party (including any Crunchafi affiliate) engaged by Crunchafi to Process Customer Personal Data on behalf of Customer in connection with the Services.
"Supervisory Authority" has the meaning given in the GDPR, and for the avoidance of doubt includes a competent data protection supervisory authority under the Swiss FADP.
"UK IDTA" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner and in force as of 21 March 2022, as amended, superseded, or replaced from time to time.
2.1 Scope. This DPA applies to the Processing of Customer Personal Data by Crunchafi and its Sub-processors in connection with the Services. This DPA does not apply to Personal Data that Crunchafi Processes as a Controller for its own business purposes, which is addressed in the Crunchafi Privacy Notice.
2.2 Roles. With respect to Customer Personal Data, Customer is the Controller and Crunchafi is a Processor. Where Customer itself acts as a processor on behalf of a third-party controller, Crunchafi shall be deemed a sub-processor. Each party shall comply with its respective obligations under the Applicable Data Protection Laws.
2.3 Details of Processing. The subject matter, nature and purpose, duration, types of Personal Data, and categories of Data Subjects are set forth in Annex I to this DPA.
3.1 Customer Instructions. Crunchafi shall Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers of Customer Personal Data to a third country or an international organization, unless required to do otherwise by applicable law. Where Crunchafi is required by law to Process Customer Personal Data otherwise than on Customer's instructions, Crunchafi shall inform Customer of that legal requirement before Processing, unless the law prohibits such disclosure on important grounds of public interest. The Agreement (including this DPA) and Customer's use of the Services in accordance with the Agreement constitute Customer's complete and final instructions to Crunchafi regarding the Processing of Customer Personal Data. Any additional or alternative instructions must be agreed to in writing by the parties.
3.2 Compliance with Laws. Each party shall comply with its respective obligations under the Applicable Data Protection Laws. Customer is responsible for the lawfulness of Customer Personal Data and the means by which Customer acquired it, including ensuring that it has established a valid legal basis for the Processing and has provided all notices and obtained all consents required under the Applicable Data Protection Laws.
3.3 Unlawful Instructions. Crunchafi shall promptly inform Customer if, in Crunchafi's opinion, an instruction from Customer infringes the Applicable Data Protection Laws. Crunchafi shall not be required to comply with such instruction unless and until it is modified to comply with Applicable Data Protection Laws.
3.4 Confidentiality. Crunchafi shall ensure that personnel authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.1 Security Measures. Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Crunchafi shall implement and maintain appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as further described in Annex II to this DPA (the "Security Measures"). Crunchafi may update or modify the Security Measures from time to time, provided that such updates and modifications do not materially degrade the overall security of the Services.
4.2 Customer Security Responsibilities. Customer is responsible for: (i) reviewing the Security Measures and independently determining that they meet Customer's requirements and legal obligations under the Applicable Data Protection Laws; (ii) securing account authentication credentials and protecting systems and devices Customer uses to access the Services; (iii) backing up Customer Personal Data; and (iv) configuring the Services and using features and functionalities made available by Crunchafi to maintain appropriate security for Customer Personal Data.
5.1 Notification. Crunchafi shall notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. Such notice shall, to the extent known and reasonably available to Crunchafi at the time of notification, include: (i) a description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and records concerned; (ii) the likely consequences of the Personal Data Breach; and (iii) the measures taken or proposed to be taken by Crunchafi to address the Personal Data Breach and mitigate its possible adverse effects.
5.2 Cooperation. Crunchafi shall provide Customer with timely information and reasonable assistance to enable Customer to meet its obligations under Articles 33 and 34 of the GDPR (and equivalent provisions of other Applicable Data Protection Laws), including, where required, to notify the relevant Supervisory Authority and affected Data Subjects.
5.3 No Acknowledgment of Fault. Crunchafi's notification of, or response to, a Personal Data Breach under this Section 5 shall not be construed as an acknowledgment by Crunchafi of any fault or liability with respect to the Personal Data Breach.
6.1 General Authorization. Customer provides Crunchafi with general written authorization to engage Sub-processors to Process Customer Personal Data, subject to the requirements of this Section 6. A current list of Sub-processors is set forth in Annex III and is also made available at https://www.crunchafi.com/legal/sub-processors (or such successor URL as Crunchafi may designate).
6.2 Sub-processor Obligations. Crunchafi shall: (i) enter into a written agreement with each Sub-processor imposing data protection obligations that are substantially similar to and no less protective than those set forth in this DPA, to the extent applicable to the nature of the services provided by the Sub-processor; and (ii) remain liable to Customer for the acts and omissions of its Sub-processors in connection with the Processing of Customer Personal Data to the same extent as if Crunchafi had performed such acts or omissions directly.
6.3 Changes to Sub-processors. Crunchafi shall post any addition or replacement of a Sub-processor (including details of the Processing to be performed) to the Sub-processor list referenced in Section 6.1 at least thirty (30) days before the new or replacement Sub-processor begins Processing Customer Personal Data. The current Sub-processor list is maintained at https://www.crunchafi.com/legal/sub-processors. Customer is responsible for periodically consulting the Sub-processor list to monitor for changes. Crunchafi does not provide individualized notice of Sub-processor updates.
6.4 Right to Object. If Customer has a reasonable basis to object to Crunchafi's use of a new Sub-processor on data protection grounds, Customer shall notify Crunchafi in writing within thirty (30) days after the date on which Crunchafi posts the new or replacement Sub-processor to the Sub-processor list at https://www.crunchafi.com/legal/sub-processors. Such notice shall explain the reasonable grounds for the objection. In such event, the parties shall discuss the objection in good faith with a view to achieving a commercially reasonable resolution. If no such resolution can be reached, Crunchafi will, at its sole discretion, either (i) not appoint the objected-to Sub-processor, or (ii) permit Customer to terminate the affected Services in accordance with the termination provisions of the Agreement, with a pro-rata refund of prepaid fees for the terminated portion of the subscription term, as Customer's sole and exclusive remedy.
7.1 Assistance. Taking into account the nature of the Processing, Crunchafi shall provide reasonable assistance to Customer, insofar as this is possible through appropriate technical and organizational measures, to enable Customer to respond to requests from Data Subjects to exercise their rights under the Applicable Data Protection Laws, including rights of access, rectification, erasure, restriction of Processing, data portability, objection, and rights relating to automated decision-making.
7.2 Requests Directed to Crunchafi. If Crunchafi receives a request from a Data Subject to exercise rights under the Applicable Data Protection Laws relating to Customer Personal Data, Crunchafi shall, to the extent legally permitted, promptly notify Customer of the request and shall not respond to the Data Subject directly (other than to acknowledge receipt and to direct the Data Subject to Customer), unless Crunchafi is legally required to do so or Customer instructs otherwise in writing.
7.3 Fees. To the extent legally permitted, Customer shall be responsible for any costs arising from Crunchafi's assistance under this Section 7 that are materially beyond the standard functionality made available in the Services.
Taking into account the nature of the Processing and the information available to Crunchafi, Crunchafi shall provide reasonable assistance to Customer with any data protection impact assessments and prior consultations with Supervisory Authorities that Customer is required to carry out under Articles 35 and 36 of the GDPR (or equivalent provisions of other Applicable Data Protection Laws).
9.1 Restricted Transfers Generally. To the extent that Crunchafi's Processing of Customer Personal Data under this DPA involves a Restricted Transfer, the parties agree that such transfer shall be made subject to the applicable transfer mechanism set forth in this Section 9.
9.2 EU Standard Contractual Clauses. Where the Restricted Transfer is subject to the EU GDPR, the parties hereby enter into the SCCs, which are hereby incorporated into this DPA by reference, with the following elections and completions:
(a) Module Two (controller-to-processor) shall apply where Customer is a Controller of Customer Personal Data and Crunchafi is a Processor. Module Three (processor-to-processor) shall apply where Customer is itself a processor and Crunchafi is a sub-processor.
(b) In Clause 7 (Docking clause), the optional docking clause shall apply.
(c) In Clause 9(a) (Use of sub-processors), Option 2 (general written authorization) shall apply, with the advance posting period for Sub-processor changes being as set forth in Section 6.3 of this DPA.
(d) In Clause 11 (Redress), the optional independent-dispute-resolution language shall not apply.
(e) In Clause 17 (Governing law), the SCCs shall be governed by the law of the Republic of Ireland.
(f) In Clause 18(b) (Choice of forum and jurisdiction), the parties shall submit to the courts of the Republic of Ireland.
(g) Annex I.A (List of parties), Annex I.B (Description of transfer), and Annex III (List of sub-processors) of the SCCs shall be deemed completed with the information set forth in Annexes I and III to this DPA, respectively. Annex II (Technical and organisational measures) of the SCCs shall be deemed completed with the information set forth in Annex II to this DPA.
(h) Annex I.C (Competent supervisory authority) shall be the supervisory authority of the EEA Member State in which the data exporter is established, or, where the data exporter is not established in the EEA, the Irish Data Protection Commission.
9.3 UK International Data Transfer Addendum. Where the Restricted Transfer is subject to the UK GDPR, the parties hereby enter into the UK IDTA, which is incorporated into this DPA by reference, with the SCCs completed in accordance with Section 9.2 and the following elections in respect of Part 1 of the UK IDTA: (i) Table 1 (Parties) shall be completed with the information set forth in Annex I to this DPA; (ii) Table 2 (Selected SCCs, Modules and Selected Clauses) shall be deemed completed with the selections made in Section 9.2 above; (iii) Table 3 (Appendix Information) shall be deemed completed with the information set forth in Annexes I, II, and III to this DPA; and (iv) in Table 4 (Ending this Addendum when the Approved Addendum Changes), neither party may end the UK IDTA on the basis of changes to the Approved Addendum.
9.4 Swiss Transfers. Where the Restricted Transfer is subject to the Swiss FADP, the SCCs shall apply with the following modifications: (i) references to the GDPR shall be deemed to include the Swiss FADP; (ii) the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner with respect to transfers governed by the Swiss FADP; (iii) references to "Member State" shall not be interpreted to exclude Data Subjects in Switzerland from exercising their rights in their place of habitual residence; and (iv) until the entry into force of the revised Swiss FADP on 1 September 2023, references to natural persons shall be deemed to include legal persons with respect to transfers governed by the Swiss FADP.
9.5 Alternative Transfer Mechanism. If at any time any transfer mechanism under this Section 9 is invalidated or if a different transfer mechanism is required by law or Supervisory Authority guidance, Crunchafi may, on notice to Customer, adopt an alternative lawful transfer mechanism (including, without limitation, binding corporate rules or an approved code of conduct) in place of or in addition to the mechanisms set forth above, and the parties shall cooperate in good faith to implement such mechanism.
9.6 Conflict. In the event of any conflict between this DPA and the SCCs or UK IDTA, the SCCs or UK IDTA (as applicable) shall prevail with respect to the Restricted Transfers to which they apply.
10.1 Audit Reports. Crunchafi shall make available to Customer, on written request, summaries of Crunchafi's then-current third-party audit reports and certifications (such as SOC 2 Type II, ISO/IEC 27001, or equivalent) relating to the Services (each, an "Audit Report"). Audit Reports are Crunchafi's Confidential Information.
10.2 Additional Information. Crunchafi shall respond to reasonable written requests from Customer for information necessary to demonstrate compliance with this DPA, provided that Customer shall not exercise this right more than once in any twelve (12) month period, except where required by a Supervisory Authority or where Customer has a reasonable and documented belief of material non-compliance with this DPA by Crunchafi.
10.3 On-site Audits. To the extent the Audit Reports and additional information made available by Crunchafi under Sections 10.1 and 10.2 are insufficient to demonstrate Crunchafi's compliance with this DPA, and only where required by the Applicable Data Protection Laws (including the SCCs), Customer may, on at least thirty (30) days' prior written notice and not more than once in any twelve (12) month period (except as required by a Supervisory Authority), conduct an audit of Crunchafi's facilities and operations relevant to the Processing of Customer Personal Data. Any such audit shall: (i) be conducted during normal business hours and in a manner that does not unreasonably interfere with Crunchafi's business operations; (ii) be subject to Crunchafi's reasonable confidentiality and security requirements; (iii) not include access to other customers' data, Crunchafi personnel data, or Crunchafi's proprietary technical, financial, or commercial information; and (iv) be conducted by Customer or by an independent third-party auditor mutually agreed by the parties (not a competitor of Crunchafi). Customer shall bear its own costs of any such audit, as well as Crunchafi's reasonable costs incurred in connection with the audit, except where the audit reveals a material breach of this DPA by Crunchafi, in which case Crunchafi shall bear its own costs.
11.1 Return or Deletion. Upon termination or expiration of the Agreement, Crunchafi shall, at Customer's election (and to the extent permitted by applicable law), either delete or return to Customer all Customer Personal Data in its possession or control, and delete any existing copies. Customer may export Customer Personal Data using the standard export functionality of the Services at any time prior to termination or during any applicable post-termination access period described in the Agreement.
11.2 Post-termination Retention. Notwithstanding Section 11.1, Crunchafi may retain Customer Personal Data: (i) as required by applicable law; (ii) in encrypted or otherwise secured backup media in accordance with Crunchafi's standard retention and deletion schedule; and (iii) in anonymized or aggregated form that no longer constitutes Personal Data. Any Customer Personal Data retained under clauses (i) or (ii) shall remain subject to the confidentiality and security obligations of this DPA until deletion.
12.1 Definitions. For purposes of this Section 12, "AI Features" has the meaning given in the Agreement, "AI Sub-processor" means a third-party provider of artificial intelligence or machine-learning services engaged by Crunchafi as a Sub-processor in connection with AI Features, and "AI Inputs" and "AI Outputs" mean, respectively, the prompts, queries, and other Content submitted to an AI Feature, and the responses, completions, classifications, extractions, summaries, or other content generated by an AI Feature in response.
12.2 No Training on Customer Personal Data. Crunchafi shall not, and shall contractually require each AI Sub-processor not to, use Customer Personal Data (whether contained in AI Inputs or AI Outputs) to train, fine-tune, retrain, or otherwise improve any general-purpose foundation model or any other AI model that is or will be made available to third parties. Crunchafi shall maintain written agreements with each AI Sub-processor that reflect this restriction and shall make summaries of the relevant contractual provisions available to Customer on reasonable written request, subject to confidentiality obligations.
12.3 Confidentiality of AI Inputs and Outputs. Crunchafi shall treat AI Inputs and AI Outputs that contain Customer Personal Data with the same level of confidentiality and security as other Customer Personal Data Processed under this DPA, and shall require its AI Sub-processors to do the same. AI Inputs and AI Outputs shall not be used by Crunchafi or any AI Sub-processor for any purpose other than: (i) providing the relevant AI Feature to Customer; (ii) maintaining the security and integrity of the Services and detecting fraud, abuse, or misuse; and (iii) complying with applicable law.
12.4 Retention of AI Inputs and Outputs. Crunchafi shall ensure that AI Sub-processors do not retain AI Inputs or AI Outputs containing Customer Personal Data beyond the period reasonably necessary to (i) deliver the AI Feature response to Customer and (ii) comply with the AI Sub-processor's documented abuse-monitoring obligations, which in any event shall not exceed the maximum retention periods set forth in the Sub-processor Schedule referenced in the DPA. Following such retention period, AI Inputs and AI Outputs containing Customer Personal Data shall be deleted by the AI Sub-processor in the ordinary course of its operations.
12.5 No Automated Decision-Making. The AI Features are designed and provided as decision-support tools and are not designed or intended to produce decisions that are based solely on automated Processing and that produce legal effects concerning, or similarly significantly affect, any Data Subject within the meaning of Article 22 of the GDPR (or equivalent provisions of other Applicable Data Protection Laws). Customer shall not configure or use the AI Features in a manner that would constitute solely automated decision-making within the meaning of Article 22 of the GDPR without Crunchafi's prior written consent, and Customer shall be solely responsible for compliance with Article 22 (including for providing notice and a means of human intervention to affected Data Subjects) in connection with any such use.
12.6 AI Sub-processor Access Controls. Crunchafi shall maintain access controls, logging, and monitoring with respect to internal personnel access to AI Inputs and AI Outputs containing Customer Personal Data that are no less protective than the controls applied to other Customer Personal Data, taking into account the heightened sensitivity of prompt and completion data.
12.7 International Transfers. To the extent the engagement of an AI Sub-processor results in a Restricted Transfer, the transfer mechanisms set forth in Section 9 of this DPA shall apply.
12.8 Customer Restrictions on AI Inputs. Customer shall comply with the restrictions on AI Inputs set forth in the Agreement, including the prohibition on submitting special categories of Personal Data and other restricted categories. Crunchafi shall not be liable for any consequences arising from Customer's submission of AI Inputs in violation of those restrictions.
12.9 DPIA Assistance. The assistance provided by Crunchafi under Section 8 of this DPA (Data Protection Impact Assessments and Prior Consultation) extends to data protection impact assessments that Customer is required to conduct in respect of the use of AI Features.
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the exclusions and limitations of liability set forth in the Agreement. Any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA taken together. For the avoidance of doubt, nothing in this DPA is intended to limit the rights of Data Subjects under Clause 12 of the SCCs (Liability) with respect to Restricted Transfers governed by the SCCs, nor is it intended to limit any liability that cannot be limited under Applicable Data Protection Laws.
This DPA shall take effect on the effective date of the Agreement and shall continue in force until the termination or expiration of the Agreement, except that the provisions of this DPA that are intended to survive termination (including, without limitation, Sections 9, 11, and 12, and any Standard Contractual Clauses or UK IDTA entered into pursuant to Section 9) shall survive until all Customer Personal Data has been deleted or returned in accordance with Section 11.
15.1 Updates. Crunchafi may update this DPA from time to time to reflect changes in Applicable Data Protection Laws or Crunchafi's privacy practices, provided that such updates do not materially reduce the protections afforded to Customer Personal Data. The current version of this DPA is maintained at https://www.crunchafi.com/legal/data-processing-addendum. Customer is responsible for periodically reviewing the DPA for updates. Continued use of the Services following the posting of an updated DPA constitutes Customer's acceptance of the updated terms.
15.2 Order of Precedence. In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Customer Personal Data. In the event of any conflict between this DPA and any SCCs or the UK IDTA executed between the parties, the SCCs or UK IDTA (as applicable) shall prevail.
15.3 Governing Law. Except as required by the Applicable Data Protection Laws or expressly provided in this DPA (including Section 9 with respect to the SCCs and UK IDTA), this DPA shall be governed by the governing law and exclusive jurisdiction provisions of the Agreement.
15.4 Severability. If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect.
15.5 No Third-Party Beneficiaries. Except as expressly provided in the SCCs or the UK IDTA, this DPA does not confer any rights or remedies on any person other than the parties.
15.6 Execution. This DPA is executed and made effective automatically through Customer's acceptance of the Agreement. Customer may request a separately signed counterpart of this DPA by contacting Crunchafi at privacy@crunchafi.com, in which case Crunchafi and Customer shall each execute a counterpart signature page and the executed DPA shall be deemed to supersede the online version as between those parties.
Data Exporter: The Customer identified in the applicable Order Form.
Role of the Data Exporter: Controller (or, where Customer is itself a processor, a processor acting on behalf of a third-party controller).
Data Importer: Crunchafi LLC, 790 North Milwaukee Street, Suite 302, Milwaukee, Wisconsin 53202, United States of America.
Contact person: privacy@crunchafi.com.
Role of the Data Importer: Processor (or, where Customer acts as a processor, sub-processor).
Activities relevant to the transfer: Provision of the Services to Customer as described in the Agreement.
| Item | Description |
| --- | --- |
| Categories of Data Subjects | Data Subjects whose Personal Data is included in Content that Customer or its End Users submit to the Services, which may include: (i) Customer's employees, contractors, and authorized users (End Users); (ii) Customer's clients, counterparties, vendors, and their personnel; (iii) tenants and landlords under leases managed through the Services; and (iv) other individuals identified in financial records, lease documents, or other Content uploaded to the Services. |
| Categories of Personal Data | Personal Data contained within Content submitted to the Services, which typically includes: name, business contact information (email, telephone, postal address), job title, employer, account credentials and user IDs, transaction and billing information, lease terms and counterparty identifiers, and other Personal Data that Customer or its End Users choose to upload. Customer controls the categories of Personal Data submitted to the Services. |
| Special Categories of Data | Customer should not submit special categories of Personal Data (as defined in Article 9 of the GDPR) or data relating to criminal convictions and offenses (as defined in Article 10 of the GDPR) to the Services. If, notwithstanding this restriction, Customer submits such data, it is Processed as part of Customer Personal Data under this DPA. |
| Frequency of Transfer | Continuous, for the duration of the Agreement. |
| Nature of Processing | Hosting, storage, backup, logging, indexing, searching, transmission, analysis, and display of Customer Personal Data as required to provide the Services, as well as Processing to detect and prevent fraud, abuse, and security incidents. |
| Purpose of Processing | Provision of the Services to Customer in accordance with the Agreement, including related support, maintenance, and security operations. |
| Duration of Processing | For the term of the Agreement, plus any post-termination retention permitted by Section 11.2 of the DPA. |
| Transfers to Sub-processors | See Annex III. Sub-processors Process Customer Personal Data for the duration of their engagement and subject to the data protection terms required by Section 6 of the DPA. Customer Personal Data Processed in connection with the Services is hosted in the United States, United Kingdom, Netherlands, and Australia. A limited subset comprising billing-contact information and the content of billing-related support tickets is, in addition, accessible to Crunchafi's billing operations Sub-processor in Pakistan, as further described in Annex III. Such Sub-processor does not have access to Customer Content within the Services. |
For Restricted Transfers subject to the EU GDPR, the competent Supervisory Authority shall be the Supervisory Authority of the EEA Member State in which the data exporter is established, or, where the data exporter is not established in the EEA, the Irish Data Protection Commission. For Restricted Transfers subject to the UK GDPR, the competent Supervisory Authority shall be the UK Information Commissioner's Office. For Restricted Transfers subject to the Swiss FADP, the competent Supervisory Authority shall be the Swiss Federal Data Protection and Information Commissioner.
Crunchafi implements and maintains the following technical and organizational measures to ensure the security of Customer Personal Data. These measures are subject to technical progress and development, and Crunchafi may update or modify them provided that such updates do not materially degrade the overall security of the Services.
Logical access to systems Processing Customer Personal Data is restricted to authorized personnel based on the principle of least privilege. Access is granted on a role-based basis, reviewed periodically, and revoked promptly upon termination of employment or change of role. Multi-factor authentication is required for access to production environments and administrative consoles.
Crunchafi requires strong authentication for all user accounts. Administrative and privileged accounts require multi-factor authentication. Authentication credentials are stored using industry-standard hashing algorithms and are never stored in plaintext. Customer-facing authentication supports configurable password complexity requirements and session expiration.
Customer Personal Data is encrypted in transit over public networks using TLS 1.2 or higher with strong cipher suites. Customer Personal Data at rest in production databases and backup media is encrypted using AES-256 or an equivalent industry-standard algorithm. Cryptographic keys are managed using a dedicated key management service with restricted access.
Production environments are segregated from non-production environments. Perimeter controls include firewalls, intrusion detection and prevention systems, and denial-of-service mitigation. Administrative access to production infrastructure is available only through secured, monitored channels.
Customer Personal Data is hosted in data centers operated by reputable infrastructure providers certified under SOC 2, ISO/IEC 27001, or equivalent standards. These facilities maintain physical access controls, environmental controls, fire suppression, and redundant power and cooling.
Crunchafi conducts regular vulnerability scans of production systems and applications, applies security patches in accordance with a documented patch-management policy based on risk, and engages qualified third parties to perform annual penetration testing of the Services.
Crunchafi follows a secure software development lifecycle that includes peer code review, automated static analysis, dependency scanning, and separation of development, staging, and production environments. Changes to production are deployed through controlled change-management processes.
Security-relevant events, including authentication events, administrative actions, and access to Customer Personal Data by Crunchafi personnel, are logged and retained in accordance with Crunchafi's logging policy. Logs are monitored for anomalous activity, and alerts are reviewed by Crunchafi's security team.
Crunchafi maintains a documented incident response plan that defines roles, responsibilities, escalation paths, communication procedures, and post-incident review. The plan is tested at least annually. Crunchafi's incident response team is available 24x7 to respond to security incidents.
Crunchafi maintains business continuity and disaster recovery plans designed to enable restoration of the Services and Customer Personal Data within defined recovery objectives. Backups of Customer Personal Data are taken regularly and tested periodically. The plans are reviewed and updated at least annually.
Crunchafi personnel with access to Customer Personal Data are subject to background screening as permitted by applicable law, are bound by written confidentiality obligations, and receive security and data protection training upon hire and periodically thereafter.
Crunchafi evaluates the security and privacy practices of Sub-processors prior to engagement, imposes contractual data protection obligations substantially similar to and no less protective than those in this DPA, and monitors Sub-processor performance on an ongoing basis.
The Services are operated on a multi-tenant architecture with logical controls designed to prevent Customer Personal Data from being accessible to other customers. Tenant identifiers and access controls are enforced at the application and data layers.
Crunchafi Processes Customer Personal Data only as necessary to provide the Services and as instructed by Customer. Data retention and deletion are governed by Crunchafi's documented retention schedule and by Section 11 of this DPA.
Crunchafi maintains a written information security program owned by a designated security function. The program is reviewed at least annually and is aligned with recognized industry frameworks (such as SOC 2 or ISO/IEC 27001). Crunchafi may make summaries of applicable certifications or attestations available to Customer on request, subject to confidentiality obligations.
The list of Sub-processors authorized to Process Customer Personal Data in connection with the Services as of the Effective Date of this DPA can be found at https://www.crunchafi.com/legal/sub-processors and is updated in accordance with Section 6 of this DPA.