logo logo
Sign In

Data Processing Addendum (DPA)

Last Updated: September 14, 2025

1. Subject Matter & Duration

CRMx processes personal data on behalf of the Customer in connection with the services (heatmaps, session recordings, email analytics, A/B testing, dashboards). Processing continues for as long as the Customer maintains an account, unless otherwise required by law.

2. Roles & Responsibilities

Customer (Controller): Responsible for lawful collection of data, consent, and responding to data subject requests.

CRMx (Processor): Processes personal data only under Customer’s instructions and as required by law.

3. Categories of Data Processed

  • Account data (names, emails, billing info)
  • Analytics data (heatmaps, clicks, scrolls, recordings, email engagement)
  • Technical data (IP, device/browser info, logs)
  • No sensitive special-category data is intentionally collected

4. Data Subject Rights

CRMx will assist the Customer, where possible, in fulfilling obligations to respond to data subject rights requests.

5. Security Measures

  • Encryption in transit and at rest
  • Role-based access controls
  • System monitoring and patching
  • Access restricted to authorised staff

6. Sub-Processors

CRMx uses trusted sub-processors (e.g., hosting providers, payment processors). Customer authorises CRMx to engage sub-processors provided CRMx remains responsible for their performance.

7. International Transfers

CRMx ensures compliance with GDPR/UK DPA when transferring data outside the UK/EU via SCCs, IDTA, or adequacy decisions.

8. Data Breach

CRMx will notify the Customer without undue delay if aware of a personal data breach.

9. Return & Deletion of Data

On termination of services, CRMx will delete or return Customer data, subject to legal retention requirements.

10. Liability & Governing Law

This DPA is governed by the laws of England and Wales. Liability is limited in line with CRMx’s Terms of Service.

Contact: privacy@crmx.uk