
Data Processing Agreement (DPA)

Last updated: 17 June 2026 · Version 1.0 · GDPR Art. 28

This DPA forms part of the Terms of Service. For negotiated B2B engagements a separately signed agreement may apply.

This Data Processing Agreement (“DPA”) is entered into between the Customer (the “Controller”) and EpicCRM, operated by Web Systems (sole proprietorship, CEIDG, ul. Dąbrowskiego 249/23, 93-231 Łódź, Poland, NIP 7292462454) (the “Processor”), and applies whenever the Processor processes personal data on the Controller’s behalf in connection with the Service. It reflects the requirements of Article 28 of the GDPR (Regulation (EU) 2016/679).

1. Subject matter & roles

The Controller determines the purposes and means of processing the personal data it submits to the Service (“Controller Personal Data”). The Processor processes that data only to provide the Service and only on the Controller’s documented instructions, including those in the Terms of Service and this DPA.

2. Details of processing (Annex 1)

| Item | Description |
|---|---|
| Nature & purpose | Hosting and processing of CRM data to provide the EpicCRM Service (storage, organization, retrieval, transmission). |
| Duration | For the term of the Controller’s subscription, plus the deletion period in section 8. |
| Categories of data subjects | The Controller’s contacts, leads, customers, employees and other persons whose data the Controller chooses to store. |
| Types of personal data | Contact details (name, email, phone), company data, deal/notes/tasks/tickets content, calendar data and any other data the Controller enters. |
| Special categories | Not requested by the Service. The Controller should not store special-category data without a lawful basis and safeguards. |

3. Processor obligations

  • Process Controller Personal Data only on documented instructions, including for transfers, unless required by law (in which case it will inform the Controller unless prohibited).
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational measures (section 6).
  • Respect the conditions for engaging sub-processors (section 4).
  • Assist the Controller, insofar as possible, in responding to data-subject requests.
  • Assist the Controller with security, breach notification and data-protection impact assessments (Art. 32–36).
  • At the Controller’s choice, delete or return the data after the end of the services (section 8).
  • Make available information necessary to demonstrate compliance and allow audits (section 7).

4. Sub-processors

The Controller gives general authorization for the Processor to engage sub-processors to provide the Service. Current sub-processors are listed in the Privacy Policy (section “Recipients & subprocessors”). The Processor imposes data-protection obligations on each sub-processor that are no less protective than this DPA, and remains liable for their performance. The Processor will inform the Controller of intended changes and give the Controller the opportunity to object on reasonable data-protection grounds.

5. Data-subject requests

Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organizational measures (including data export and deletion tools in the Service) in fulfilling the Controller’s obligation to respond to requests to exercise data-subject rights. If a data subject contacts the Processor directly regarding Controller Personal Data, the Processor will refer them to the Controller.

6. Security measures (Annex 2)

  • Encryption of data in transit (TLS/HTTPS) and encryption at rest for sensitive secrets (e.g. calendar tokens via libsodium).
  • Hashed credentials, role-based access control and least-privilege administration.
  • Logical isolation of each Organization’s data (multi-tenant separation at the application layer).
  • Regular backups and the ability to restore availability after an incident.
  • Monitoring, patching and access logging.

7. Audits

The Processor makes available information necessary to demonstrate compliance with Art. 28 and allows for and contributes to audits, including inspections, conducted by the Controller or an auditor it mandates, subject to reasonable notice, confidentiality, and not unreasonably disrupting operations. The Processor may satisfy audit requests by providing relevant documentation or third-party certifications where available.

8. Return & deletion

On termination, the Controller may export its data while the account is active. After termination, the Processor will delete or anonymize Controller Personal Data within the period stated in the Privacy Policy (typically up to 90 days), unless retention is required by law. Backups are purged on a rolling cycle.

9. International transfers

Where processing involves a transfer outside the EEA, it is safeguarded by Standard Contractual Clauses or another lawful mechanism, as described in the Privacy Policy.

10. Breach notification

The Processor notifies the Controller without undue delay after becoming aware of a personal-data breach affecting Controller Personal Data, with information reasonably available to help the Controller meet its own notification obligations under Art. 33–34.

11. Liability & order of precedence

Liability under this DPA is subject to the limitations in the Terms of Service. In case of conflict on data-protection matters, this DPA prevails over the Terms. This DPA is governed by the same law as the Terms.

Questions about data processing or to request a signed copy: [email protected].
