Data Processing Addendum (DPA)

Effective date: 2026-05-28 · DRAFT v4 — counsel review required

> Not legal advice. Working draft. This DPA is designed to be incorporated by reference into the Terms of Service and to satisfy GDPR Article 28, UK GDPR, and similar laws' requirements for data-processing relationships between a controller (you, our customer) and a processor (us, CRMish). > > Once counsel-approved and signed, a copy will be furnished on request to any customer who needs an executed DPA on file.


1. Parties

This Data Processing Addendum ("DPA") is between:

  • JAS Operations LLC dba CRMish ("Processor," "CRMish," "we," "us"), and
  • You ("Controller," "Customer"), the account holder using the CRMish service.

The DPA forms part of, and is governed by, the Terms of Service. Capitalized terms not defined here have the meaning given in the Terms.

2. Scope

This DPA applies whenever Customer's use of the Service results in CRMish processing Personal Data (as defined by the GDPR or, where applicable, comparable laws including the UK GDPR, CCPA/CPRA, LGPD, and PIPEDA) on behalf of Customer.

It does not apply to:

  • Personal data Customer provides about itself or its account holder (we are an independent controller for that data — see the Privacy Policy).
  • Anonymous or aggregated data that no longer identifies any natural person.

3. Definitions

The following terms have their GDPR meaning: Personal Data, Processing, Data Subject, Personal Data Breach, Controller, Processor, Sub-processor, and Special Categories of Personal Data.

Standard Contractual Clauses (SCCs) means the European Commission's Module Two SCCs (Decision 2021/914) for controller-to-processor transfers, as amended.

UK Addendum means the UK Information Commissioner's International Data Transfer Addendum to the SCCs.

4. Roles and responsibilities

| Party | Role | |---|---| | Customer | Controller — determines the purposes and means of Processing of Personal Data submitted to the Service | | CRMish | Processor — Processes Personal Data only on Customer's documented instructions |

5. Documented instructions

Customer's "documented instructions" to CRMish are:

1. The Terms of Service, this DPA, and the Privacy Policy; 2. The configuration of the Service Customer sets up (e.g., what data Customer imports via webhook ingest, who Customer invites to a Pipeline, what Customer asks the AI Coaching feature to process); 3. Any additional written instructions Customer issues to CRMish from time to time.

CRMish will inform Customer if, in CRMish's opinion, an instruction infringes applicable data-protection law.

6. Categories of Personal Data and Data Subjects

CRMish Processes the following Personal Data on Customer's behalf, depending on which features Customer uses:

| Category | Data Subjects | |---|---| | Account-holder data (name, email, password hash, time zone, billing reference, public profile fields) | Customer's account holders and team members | | Contact records (name, email, phone, source, tags, notes) | Customer's prospects and contacts | | Conversation, follow-up, and sale records | Customer's prospects | | Webhook event audit log | Customer's leads ingested via integration | | Push subscription endpoints | Customer's account holders who opt in | | AI Coaching prompts (structured context derived from prospect records) | Customer's prospects | | Coaching-relationship and sprint data | Coach and affiliate account holders |

CRMish does not knowingly Process Special Categories of Personal Data on Customer's behalf. Customer agrees not to upload Special Categories unless agreed in writing.

7. Sub-processors

7.1 Authorization

Customer authorizes CRMish to engage Sub-processors to assist in Processing. The current list is at /legal/sub-processors.

7.2 Obligations on Sub-processors

CRMish will:

  • Bind each Sub-processor by written contract to data-protection obligations no less protective than those in this DPA.
  • Remain liable to Customer for each Sub-processor's compliance.

7.3 Change notification

CRMish will notify Customer at least 30 days before adding or replacing a Sub-processor that Processes Personal Data. Notification is by email to the address on file and by update to /legal/sub-processors.

7.4 Objection

If Customer reasonably objects to a new Sub-processor on data-protection grounds, Customer may notify CRMish in writing within 30 days. CRMish will work in good faith to resolve the objection. If no resolution is reached, Customer may terminate the affected portion of the Service for convenience and receive a pro-rata refund.

8. Security

CRMish maintains the technical and organizational measures described in the Security Overview, which is incorporated by reference.

Highlights:

  • Passwords hashed with bcrypt at cost factor 12.
  • Sessions in encrypted cookies (iron-session) with HTTPOnly + Secure + SameSite=Lax.
  • TLS for data in transit.
  • Encryption-at-rest at the database provider level (Turso).
  • Least-privilege internal access.
  • Standard security headers (CSP, HSTS, X-Frame-Options).
  • Bot protection via Cloudflare Turnstile on auth flows.

CRMish reviews these measures periodically and updates them as appropriate.

9. Personal Data Breach notification

CRMish will notify Customer without undue delay — and in any event within 72 hours of becoming aware — of any confirmed Personal Data Breach affecting Customer's Personal Data, by email to the address on file.

Notification will include, to the extent then known:

  • The nature of the breach.
  • Categories and approximate number of Data Subjects affected.
  • Categories and approximate volume of Personal Data records affected.
  • Likely consequences.
  • Measures taken or proposed to address the breach and to mitigate possible adverse effects.

CRMish will cooperate with Customer's reasonable requests for further information and will document each breach.

10. Data Subject requests

CRMish will, to the extent legally permitted and technically reasonable, assist Customer in responding to Data Subject requests under applicable law (access, rectification, erasure, restriction, portability, objection).

Where a Data Subject contacts CRMish directly about Customer's data, CRMish will redirect them to Customer except where law requires us to act directly.

11. Audits

Customer has the right, no more than once per 12-month period, to audit CRMish's compliance with this DPA. Audits will:

  • Be conducted at Customer's expense.
  • Be conducted by Customer's authorized representative who has signed a reasonable confidentiality agreement with CRMish.
  • Be scheduled with at least 30 days' notice.
  • Not unreasonably interfere with CRMish's business operations.
  • Not require disclosure of information protected by third-party confidentiality obligations or by attorney-client privilege.

In place of an on-site audit, CRMish may provide a current SOC 2 report or equivalent certification, where available, satisfying Customer's audit right.

Audit rights for regulators under applicable law are not limited by this Section.

12. International transfers

Where Customer or its Data Subjects are located in the EEA, UK, or Switzerland, and Personal Data is transferred to a country not deemed adequate by the relevant authority:

  • The SCCs are incorporated into this DPA, with CRMish as the data importer (Module Two: controller to processor).
  • For UK transfers, the UK Addendum applies in addition to the SCCs.
  • For Swiss transfers, the SCCs are amended as necessary under Swiss FDPIC guidance.

Required SCC selections (modules, options, annexes) are described in Schedule A.

13. Deletion or return of Personal Data

Within 30 days after the end of the Service (cancellation, expiration, or termination), CRMish will, at Customer's choice:

  • Delete all Personal Data Processed on Customer's behalf, or
  • Return the Personal Data to Customer in a structured, commonly-used, machine-readable format.

Backups containing the Personal Data will be cycled out within 90 days from the end of the Service.

CRMish may retain Personal Data after the end of the Service to the extent required by law (e.g., billing records for tax purposes), in which case CRMish will continue to apply the protections of this DPA to such data.

14. Confidentiality

Personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations, whether by contract or by law.

15. Liability

Liability under this DPA is subject to the limitations of liability in the Terms of Service §16.

16. Conflict

In the event of conflict between this DPA and the Terms of Service, this DPA controls with respect to Processing of Personal Data on Customer's behalf.

17. Term

This DPA is effective from the start of Customer's use of the Service until the latest of (a) the end of the Service or (b) the date on which CRMish ceases all Processing of Personal Data on Customer's behalf.

18. Contact and execution

For DPA-related correspondence or to request a counter-signed copy: privacy@crmish.io.

For most customers, no signature is required — using the Service constitutes acceptance. Enterprise customers requiring a signed DPA may request one.


Schedule A — SCC selections

| SCC element | Selection | |---|---| | Module | Module Two (controller-to-processor) | | Clause 7 (docking clause) | Applicable | | Clause 9 (sub-processor changes) | Option 2 — General written authorization, 30-day notice | | Clause 11 (independent dispute resolution) | Option not selected | | Clause 17 (governing law) | Law of the Republic of Ireland | | Clause 18 (forum) | Courts of the Republic of Ireland | | Annex I.A — Parties | Customer (Controller) and JAS Operations LLC dba CRMish (Processor) | | Annex I.B — Description of transfer | As described in DPA §6 | | Annex I.C — Competent supervisory authority | Irish Data Protection Commission (DPC), or the supervisory authority designated by Customer's establishment | | Annex II — Technical and organizational measures | As described in Security Overview and DPA §8 | | Annex III — List of sub-processors | As listed at /legal/sub-processors |


Document version: dpa-v1 · Last updated 2026-05-28.