Data Processing Agreement

Last Updated: March 19, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other agreement between CRMown ("Processor," "we," "us") and the customer ("Controller," "you") that governs your use of the CRMown platform ("Agreement").

Self-Hosted Customers: This DPA applies only to the CRMown managed SaaS platform. If you have purchased a perpetual "Own" license and self-host CRMown on your own infrastructure, CRMown does not process any Personal Data on your behalf and this DPA does not apply. You are the sole controller and processor of data on your self-hosted instance.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person that is processed by CRMown on behalf of the Controller in connection with the Agreement.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, use, disclosure, erasure, or destruction.

"Data Protection Laws" means all applicable laws relating to the processing of Personal Data, including the GDPR (EU Regulation 2016/679), UK GDPR, Swiss nFADP, CCPA/CPRA, LGPD, PIPEDA, and the Australian Privacy Act, as applicable.

"Sub-Processor" means any third party engaged by CRMown to process Personal Data on behalf of the Controller.

2. Scope and Roles

The Controller determines the purposes and means of processing Personal Data. CRMown acts as a Processor, processing Personal Data solely on behalf of and in accordance with the Controller's documented instructions.

The categories of Personal Data processed, the categories of data subjects, and the purposes of processing are determined by the Controller's use of the CRMown platform, which may include contact management, communications, pipeline management, invoicing, scheduling, and related CRM functions.

3. Controller Obligations

The Controller shall:

Ensure that it has a lawful basis for processing Personal Data and for instructing CRMown to process Personal Data on its behalf
Provide all necessary notices to, and obtain all necessary consents or authorizations from, data subjects as required by applicable Data Protection Laws
Be responsible for the accuracy, quality, and legality of the Personal Data provided to CRMown
Comply with applicable Data Protection Laws in its use of the CRMown platform
Configure the platform's consent management, data retention, and privacy settings appropriately for its jurisdiction and business requirements

4. Processor Obligations

CRMown shall:

Process Personal Data only in accordance with the Controller's documented instructions, unless required by applicable law
Ensure that persons authorized to process Personal Data are subject to confidentiality obligations
Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see our Security Overview for details)
Assist the Controller in responding to data subject requests (access, rectification, erasure, portability, restriction, objection) to the extent technically feasible
Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations under Data Protection Laws
At the Controller's choice, delete or return all Personal Data upon termination of the Agreement, unless retention is required by applicable law
Make available to the Controller all information necessary to demonstrate compliance with this DPA

5. Sub-Processors

The Controller provides general authorization for CRMown to engage Sub-Processors. A current list of Sub-Processors is maintained at crmown.com/sub-processors.

CRMown shall:

Maintain an up-to-date list of Sub-Processors
Notify the Controller of any intended addition or replacement of Sub-Processors, providing the Controller an opportunity to object
Impose on each Sub-Processor data protection obligations no less protective than those in this DPA
Remain liable for the acts and omissions of its Sub-Processors

If the Controller objects to a new Sub-Processor on reasonable grounds, the parties shall discuss the concern in good faith. If no resolution is reached, the Controller may terminate the affected services.

6. Data Security

CRMown implements and maintains appropriate technical and organizational measures, including:

Encryption of data in transit (TLS 1.2/1.3) and at rest
Bcrypt password hashing with cost factor 12
Role-based access control with field-level permissions
Multi-tenant data isolation at the database query level
Daily encrypted database backups
Rate limiting on all API endpoints
AI action audit logging and approval queues
Automated health monitoring with container-level isolation

7. Personal Data Breach

In the event of a Personal Data breach, CRMown shall:

Notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of the breach
Provide sufficient information to allow the Controller to meet its breach notification obligations under applicable Data Protection Laws
Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
Maintain records of all breaches, including the facts, effects, and remedial actions taken

8. International Data Transfers

CRMown processes data primarily in the United States. Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States or other countries, CRMown relies on Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914), or other legally recognized transfer mechanisms.

The Controller may request execution of SCCs by contacting legal@crmown.com.

9. Data Subject Requests

CRMown provides tools within the platform to assist the Controller in responding to data subject requests, including:

Contact data export functionality
Contact deletion with cascade to related records
Consent management with audit trail
Public preference center for contact self-service
Data retention controls with automated enforcement

If CRMown receives a data subject request directly, CRMown will redirect the data subject to the Controller unless legally prohibited from doing so.

10. Audit Rights

CRMown shall make available to the Controller on request all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct audits, including inspections, on reasonable notice and during normal business hours. CRMown may satisfy audit requests by providing relevant third-party audit reports, certifications, or compliance documentation.

11. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Upon termination, CRMown shall, at the Controller's election, delete or return all Personal Data within 30 days, unless retention is required by applicable law. CRMown shall certify deletion upon request.

12. Governing Law

This DPA shall be governed by the same governing law as the Agreement between the parties, except to the extent that Data Protection Laws require otherwise.

13. Contact

For questions about this DPA or to request execution of Standard Contractual Clauses, contact: legal@crmown.com