This Data Processing Agreement ("DPA") forms part of the Terms of Service between UltCRM and the Customer (as defined below), and governs the processing of personal data by UltCRM on behalf of the Customer in connection with the Services.
1. Introduction and Scope
1.1 Parties
This Data Processing Agreement is entered into between:
Controller (Customer): The entity that has agreed to the Terms of Service and uses the Services to process personal data.
Processor (UltCRM): UltCRM, which processes personal data on behalf of the Controller.
1.2 Scope
This DPA applies to the processing of personal data by UltCRM in its capacity as a data processor on behalf of the Customer (as data controller) in the provision of the Services. This DPA supplements and is incorporated into the Terms of Service.
1.3 Applicability
This DPA applies where:
The Customer is established in the European Economic Area (EEA), United Kingdom, or Switzerland;
The Customer processes personal data of individuals located in the EEA, UK, or Switzerland;
The GDPR, UK GDPR, or Swiss FADP applies to the Customer's processing activities;
Other applicable data protection laws require a data processing agreement.
2. Definitions
For the purposes of this DPA:
"Controller" means the Customer, the entity that determines the purposes and means of processing personal data;
"Processor" means UltCRM, which processes personal data on behalf of the Controller;
"Subprocessor" means any third party engaged by the Processor to process personal data on behalf of the Controller;
"Personal Data" means any information relating to an identified or identifiable natural person;
"Data Subject" means an identified or identifiable natural person whose personal data is processed;
"Processing" means any operation performed on personal data, including collection, storage, use, disclosure, or deletion;
"Personal Data Breach" means a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data;
"Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA, and other relevant legislation;
"GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation);
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers;
"Services" means the UltCRM platform and related services provided under the Terms of Service.
3. Roles and Responsibilities
3.1 Controller Responsibilities
The Controller shall:
Determine the purposes and means of processing personal data;
Ensure a lawful basis exists for all processing activities;
Provide appropriate privacy notices to data subjects;
Obtain necessary consents where required;
Ensure the accuracy of personal data;
Comply with data subject rights requests;
Ensure personal data is not processed in violation of Data Protection Laws;
Provide documented instructions for processing;
Assess and ensure the adequacy of security measures.
3.2 Processor Responsibilities
The Processor shall:
Process personal data only on documented instructions from the Controller;
Ensure persons authorized to process personal data are bound by confidentiality;
Implement appropriate technical and organizational security measures;
Assist the Controller with data subject rights requests;
Assist the Controller with GDPR compliance obligations;
Delete or return personal data upon termination as instructed;
Make available information necessary to demonstrate compliance;
Allow for and contribute to audits conducted by the Controller.
4. Details of Processing
4.1 Subject Matter and Duration
The Processor processes personal data for the duration of the agreement for the purpose of providing the Services as described in the Terms of Service.
4.2 Nature and Purpose of Processing
The Processor processes personal data for the following purposes:
Providing CRM and contact management services;
Enabling communications (email, SMS, voice);
Supporting marketing automation and campaigns;
Managing sales pipelines and opportunities;
Processing form submissions;
Providing analytics and reporting;
Facilitating advertising platform integrations;
Any other purposes as instructed by the Controller.
4.3 Categories of Data Subjects
Personal data processed may relate to the following categories of data subjects:
Controller's customers and prospects;
Controller's leads and contacts;
Controller's employees and contractors;
End users who interact with Controller through the Services;
Any other data subjects whose data is processed through the Services.
4.4 Types of Personal Data
Category: Examples
Identification Data: Name, email address, phone number, postal address, company name, job title
Communication Data: Email content, SMS messages, call recordings, conversation history
Transaction Data: Purchase history, invoices, payment information (processed by payment processors)
Marketing Data: Marketing preferences, campaign interactions, consent records
Technical Data: IP address, browser type, device information, usage data
Custom Data: Any additional data fields created by the Controller
4.5 Special Categories of Data
The Controller shall not submit special categories of personal data (as defined in Article 9 of GDPR) to the Services unless specifically agreed in writing and appropriate safeguards are implemented.
5. Processor Obligations
5.1 Processing Instructions
The Processor shall:
Process personal data only on documented instructions from the Controller;
Inform the Controller if, in its opinion, an instruction infringes Data Protection Laws;
Not process personal data for its own purposes unless permitted by law.
5.2 Confidentiality
The Processor shall ensure that:
All personnel authorized to process personal data are bound by confidentiality obligations;
Access to personal data is limited to authorized personnel on a need-to-know basis;
Personnel receive appropriate data protection training.
5.3 Assistance
The Processor shall assist the Controller with:
Responding to data subject rights requests;
Ensuring compliance with security obligations;
Notifying personal data breaches;
Conducting data protection impact assessments;
Prior consultation with supervisory authorities where required.
6. Subprocessors
6.1 General Authorization
The Controller provides general authorization for the Processor to engage subprocessors for the processing of personal data. The Processor shall:
Maintain a list of current subprocessors;
Notify the Controller of any intended additions or replacements of subprocessors;
Provide the Controller with the opportunity to object to such changes;
Ensure subprocessors are bound by data protection obligations at least as protective as those in this DPA.
6.2 Current Subprocessors
A list of current subprocessors is available upon request and includes:
Subprocessor: Purpose; Location
Amazon Web Services (AWS): Cloud infrastructure and hosting; Various (US, EU)
Twilio: Communications (SMS, Voice, Email); United States
Stripe: Payment processing; United States
Google Cloud Platform: Cloud services, APIs; Various (US, EU)
Cloudflare: CDN and security; Various
6.3 Subprocessor Changes
The Processor shall provide at least 30 days' notice before adding or replacing a subprocessor. If the Controller objects to a subprocessor on reasonable data protection grounds, the parties shall work together in good faith to resolve the objection.
7. Data Subject Rights
7.1 Assistance with Requests
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under Data Protection Laws, including:
Right of Access: Providing copies of personal data;
Right to Rectification: Correcting inaccurate personal data;
Right to Erasure: Deleting personal data;
Right to Restriction: Restricting processing of personal data;
Right to Data Portability: Providing personal data in portable format;
Right to Object: Ceasing certain processing activities;
Rights Related to Automated Decision-Making: Providing information and human intervention.
7.2 Response Process
If the Processor receives a request directly from a data subject:
The Processor shall promptly notify the Controller;
The Processor shall not respond directly unless authorized by the Controller;
The Controller shall be responsible for responding to the request.
8. Security Measures
8.1 Technical and Organizational Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including the measures set out in Section 8.2 below.
8.2 Technical Measures
Encryption: Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256);
Business Continuity: Disaster recovery and business continuity plans;
Vendor Management: Security assessments of subprocessors;
Physical Security: Secure data centers with physical access controls.
9. Data Breach Notification
9.1 Notification to Controller
In the event of a personal data breach, the Processor shall:
Notify the Controller without undue delay upon becoming aware of the breach;
Provide notification within 72 hours where feasible;
Provide information necessary for the Controller to meet its breach notification obligations.
9.2 Breach Information
The notification shall include, to the extent known:
Nature of the breach, including categories and number of data subjects affected;
Name and contact details of the data protection point of contact;
Likely consequences of the breach;
Measures taken or proposed to address the breach;
Measures to mitigate adverse effects.
9.3 Assistance
The Processor shall assist the Controller with:
Investigating the breach;
Fulfilling notification obligations to supervisory authorities;
Communicating with affected data subjects if required;
Implementing measures to address and mitigate the breach.
10. International Data Transfers
10.1 Transfer Mechanisms
Where personal data is transferred outside the EEA, UK, or Switzerland, the Processor shall ensure that appropriate safeguards are in place, including:
Adequacy Decisions: Transfers to countries with adequate data protection;
Standard Contractual Clauses: EU Commission-approved SCCs;
UK International Data Transfer Agreement: For UK transfers;
Supplementary Measures: Additional technical and organizational measures as necessary.
10.2 Standard Contractual Clauses
Where the Controller is subject to GDPR and personal data is transferred to the Processor or subprocessors in the United States, the parties agree to be bound by the Standard Contractual Clauses (Module Two: Controller to Processor) incorporated herein by reference.
10.3 Transfer Impact Assessment
The Processor shall assist the Controller in conducting transfer impact assessments where required and shall implement supplementary measures to address any identified risks.
11. Audits and Assessments
11.1 Audit Rights
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or an auditor mandated by the Controller.
11.2 Audit Process
Audits shall be conducted:
With reasonable advance notice (at least 30 days except in emergencies);
During normal business hours;
No more than once per year unless required by law or following a security incident;
Subject to appropriate confidentiality obligations.
11.3 Certifications and Reports
The Processor may satisfy audit requests by providing:
Relevant certifications (e.g., SOC 2 Type II, ISO 27001);
Third-party audit reports;
Penetration test reports;
Responses to security questionnaires.
12. Termination and Data Return
12.1 Upon Termination
Upon termination of the Services, the Processor shall, at the Controller's choice:
Return all personal data to the Controller in a commonly used, machine-readable format; or
Delete all personal data and certify such deletion.
12.2 Data Retention Period
The Controller shall have thirty (30) days following termination to request return of personal data. After this period, the Processor may delete all personal data unless required by law to retain it.
12.3 Survival
Obligations regarding confidentiality, security, and limitation of liability shall survive termination of this DPA.
13. Liability
13.1 Processor Liability
The Processor shall be liable for damages caused by processing that does not comply with this DPA or applicable Data Protection Laws, unless the Processor demonstrates it is not responsible for the event giving rise to the damage.
13.2 Limitation
Any limitations of liability set forth in the Terms of Service shall apply to this DPA, except to the extent prohibited by applicable law.
13.3 Indemnification
Each party shall indemnify the other for any fines, penalties, or damages arising from the indemnifying party's breach of this DPA or applicable Data Protection Laws.
14. General Provisions
14.1 Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of personal data. In the event of a conflict between this DPA and applicable Data Protection Laws, the applicable laws shall prevail.
14.2 Amendments
UltCRM may update this DPA from time to time to reflect changes in Data Protection Laws or our data processing practices. Material changes will be communicated to the Controller.
14.3 Governing Law
This DPA shall be governed by the laws applicable to the Terms of Service, unless Data Protection Laws require otherwise.
14.4 Severability
If any provision of this DPA is found invalid or unenforceable, the remaining provisions shall continue in full force and effect.
14.5 Entire Agreement
This DPA, together with the Terms of Service and incorporated policies, constitutes the entire agreement between the parties regarding data processing.
Contact Information
For questions about this Data Processing Agreement or to request a signed copy:
UltCRM
Data Protection Contact: dpa@ultcrm.com
Website: https://ultcrm.com
Execution: This DPA is automatically effective and binding upon the Customer's acceptance of the Terms of Service. If you require a separately signed copy for your records, please contact us at dpa@ultcrm.com.