Data Processing Addendum

Last Updated: 8th Feb 2025

This Data Processing Agreement (“DPA”) forms part of the Terms of Use between Sellframe Ltd. (trading as “CRM Inputs”) and the Customer (the “Controller”), where CRM Inputs acts as a Processor of personal data on behalf of the Controller. This DPA ensures compliance with the General Data Protection Regulation (GDPR) (EU 2016/679) and relevant UK GDPR provisions.

1. Definitions

  • Controller: The entity that determines the purposes and means of the processing of personal data.
  • Processor: CRM Inputs, which processes personal data on behalf of the Controller.
  • Sub-processor: A third-party entity engaged by CRM Inputs to process personal data.
  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Data Subject: The individual whose personal data is processed.
  • Processing: Any operation performed on personal data, such as collection, storage, modification, and deletion.
  • SCCs: Standard Contractual Clauses as approved by the European Commission for international data transfers.

2. Scope of Processing

2.1 Categories of Data Processed

CRM Inputs processes the following categories of personal data on behalf of the Controller:

  • Basic Identification Data: Full name, email address, job title, company name.
  • Professional Data: LinkedIn profile URL, company information (including enriched data from Apollo.io and similar providers).
  • Technical Data: Session cookies and authentication data for login management.

CRM Inputs does not process any special categories of personal data (e.g., health, biometric, or sensitive data).

2.2 Nature and Purpose of Processing

CRM Inputs processes personal data solely for the following purposes:

  • Facilitating CRM integrations: Enabling users to add LinkedIn contacts to their CRM.
  • Data enrichment: Using third-party data providers (e.g., Apollo.io, Hunter) to supplement CRM entries.
  • User authentication: Managing login credentials and account security.
  • Marketing communications: Sending transactional and promotional emails based on user opt-in.

CRM Inputs will not process personal data for any purpose other than as documented by the Controller.

3. Sub-processors

3.1 Authorized Sub-processors

The Controller acknowledges that CRM Inputs engages the following Sub-processors:

  • Hosting & Infrastructure: DigitalOcean (USA, UK)
  • Email & Marketing: Mailerlite, Mailersend
  • Payment Processing: Stripe
  • Data Enrichment: Apollo.io, Hunter.io

3.2 New Sub-processors

CRM Inputs may engage new Sub-processors, provided that:

  • The Controller is notified in advance of any changes.
  • The Sub-processor meets the security and data protection standards of this DPA.
  • The Controller may object in writing if the Sub-processor is deemed non-compliant.

4. Data Transfers

CRM Inputs hosts data on DigitalOcean servers in New York, USA, meaning personal data may be transferred outside of the EEA/UK. For such transfers, CRM Inputs relies on:

  • Standard Contractual Clauses (SCCs) in compliance with GDPR.
  • UK Addendum for UK GDPR compliance.
  • Technical and organizational safeguards to ensure data protection.

5. Security Measures

CRM Inputs implements industry-standard security practices, including:

  • Data Transmission: All data is transmitted using HTTPS (TLS 1.2/1.3) encryption.
  • Data Storage:
    • Personal data stored in the PostgreSQL database is encrypted using AES-256.
    • User passwords are hashed with bcrypt, including a salt to prevent brute-force attacks.
  • Access Controls:
    • API keys and authentication tokens are not stored on CRM Inputs servers, only locally on users’ devices.
    • Environment variables are used for storing secrets securely.
    • Restricted access to production data with role-based permissions.
  • Session Security:
    • Secure HTTP-only session cookies used for authentication.
    • Enforced session expiration and token revocation policies.
  • Firewall & Network Security:
    • VPS firewalls restrict unauthorized access based on whitelisted IPs.
    • Regular network security assessments.

6. Data Retention & Deletion

CRM Inputs retains personal data only for as long as necessary to fulfill processing purposes. Standard retention policies include:

  • User account data: Retained as long as the account is active + 6 months after termination.
  • Logging data: Retained for security monitoring (max 90 days).
  • Backups: Retained for disaster recovery (max 30 days, then purged).

Upon termination of the Controller’s use of CRM Inputs, all personal data will be deleted within 30 days, unless required for legal obligations.

7. Assistance with Data Subject Requests

CRM Inputs will assist the Controller in fulfilling GDPR obligations concerning data subjects, including:

  • Access & Rectification: Assisting with access requests within 30 days.
  • Erasure Requests: Deleting personal data upon request unless legally required to retain it.
  • Data Portability: Providing structured, machine-readable exports upon request.

8. Audit Rights & Compliance

To demonstrate compliance, CRM Inputs:

  • Will provide security policies and relevant compliance documentation upon request.
  • Does not allow on-site audits but may provide audit reports if necessary.
  • Will notify the Controller of any data breach within 72 hours.

9. Liability & Indemnification

  • CRM Inputs’ liability for any data protection breach is limited to 12 months’ worth of fees paid by the Controller.
  • CRM Inputs will indemnify the Controller for any GDPR non-compliance caused solely by CRM Inputs.
  • The Controller indemnifies CRM Inputs for any misuse of data caused by the Controller’s instructions or negligence.

10. Term & Termination

This DPA remains in effect for as long as CRM Inputs processes personal data for the Controller. Termination occurs:

  • Upon the Controller’s account closure, subject to a 30-day data deletion period.
  • If CRM Inputs materially breaches GDPR obligations.
  • If the Controller objects to a Sub-processor change and CRM Inputs cannot provide a suitable alternative.

11. Governing Law

This DPA is governed by Scottish law (UK), with exclusive jurisdiction in Scottish courts for disputes.

12. Incorporation by Reference

This DPA is incorporated by reference into CRM Inputs’ Terms of Use. By using CRM Inputs’ Services, the Controller agrees to this DPA.


Contact Information

For any GDPR-related inquiries, please contact:

Sellframe Ltd. (trading as CRM Inputs)
14 Avonside Grove, Hamilton, UK, ML3 7DL
Email: [email protected]