Data Processing Addendum

Last Updated: Jan 25, 2026

This Data Processing Addendum, including the schedules to it (“DPA”), forms part of the EspoCRM Cloud Subscriber Agreement (the “Agreement”) between Customer and EspoCRM, Inc., a Delaware corporation (“EspoCRM”). Customer and EspoCRM are also referred to as a “Party” and collectively as the “Parties”.

All capitalized terms used in this DPA but not defined will have the meaning set forth in the Agreement.

This DPA sets out the terms that apply when Personal Data is Processed by EspoCRM under the Agreement. The purpose of this DPA is to ensure such Processing is conducted in accordance with Data Protection Laws and respects the rights of individuals whose Personal Data is Processed under the Agreement.

1. DEFINITIONS

“Personal Data” means any information relating to an identified or identifiable individual where such information is contained within Customer Data and is recognized as personal data, personal information, or personally identifiable information under applicable Data Protection Laws.

“Data Subject” means the identified or identifiable natural person, as defined under Data Protection Laws, who can be identified, directly or indirectly, in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that natural person.

“Subprocessor” means any Data Processor engaged by EspoCRM or its Affiliates to assist in fulfilling its obligations with respect to providing the Subscription Services and Professional Services pursuant to the Agreement or this DPA.

“Process,” “Processes,” “Processed” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

“Data Controller” means a natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the Processing of Personal Data.

“Data Processor” means a natural or legal person, public authority, agency, or other body which Processes Personal Data on behalf of the Data Controller.

“Restricted Data” means personal data that may be categorized as “special categories of data” under Data Protection Laws, including, but not limited to, social security numbers, financial account numbers, credit card information, or health information.

“Restricted Transfer” means: (a) where the GDPR applies, a transfer of personal data from the EEA to a country outside of the EEA which is not subject to an adequacy determination by the European Commission; (b) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not subject to adequacy regulations adopted pursuant to Section 17A of the UK DPA 2018.

“Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise Processed by EspoCRM and/or its Subprocessors in connection with the provision of the Subscription Services. Personal Data Breach will not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks, and other network attacks on firewalls or networked systems.

“EEA” means the European Economic Area, which constitutes the member states of the European Union and Norway, Iceland, and Liechtenstein.

“Data Protection Laws” means all applicable laws, regulations, and other legal or regulatory requirements in any jurisdiction relating to privacy, data protection, security, or the processing of personal data, including without limitation: (a) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (the “CCPA”); (b) the General Data Protection Regulation, Regulation (EU) 2016/679 (“GDPR”); (c) in respect of the United Kingdom, the Data Protection Act 2018 (“UK DPA 2018”) and the GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom’s European Union (Withdrawal) Act 2018 (the “UK GDPR”). For the avoidance of doubt, if EspoCRM’s processing activities involving personal data are not within the scope of the Data Protection Laws, such law is not applicable for purposes of this DPA.

“Standard Contractual Clauses” means (a) where the GDPR applies, the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the European Council (available as of June 2021 at https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj) (the “EU SCCs”); (b) where the UK GDPR applies, the applicable standard data protection clauses adopted pursuant to Article 46(2)(c) or (d) of the UK GDPR including the standard data protection clauses issued by the commissioner under s119A(1) of the UK DPA 2018 as revised from time to time (“UK Addendum”) in each case as completed as described in Schedule 4 (Transfer Mechanisms) of this DPA.

“Privacy Policy” means the terms available at https://www.espocrm.com/privacy-policy/.

2. RELATIONSHIP OF THE PARTIES

2.1 EspoCRM as a processor and service provider. The Parties acknowledge and agree that with regard to Personal Data, Customer is a controller and business, and EspoCRM is a processor and service provider, as defined by Data Protection Laws.

2.2 EspoCRM as a Subprocessor. In circumstances in which Customer may be a processor, Customer appoints EspoCRM as Customer’s subprocessor, which will not change the obligations of either Customer or EspoCRM under this DPA.

3. CUSTOMER’S INSTRUCTIONS TO ESPOCRM

3.1 Purpose Limitation. EspoCRM will Process Personal Data (a) in order to provide the Subscription Services and Professional Services in accordance with the Agreement; (b) in accordance with Customer’s lawful instructions as set forth in Section 3.3; (c) as necessary to comply with Data Protection Laws; and (d) as otherwise agreed in writing. Customer, as the controller, acknowledges that the Subscription Services as provided are not intended for the storage or processing of Restricted Data. At its sole discretion, Customer determines all categories and types of Personal Data it may submit and transfer to EspoCRM through the Subscription Services. Customer is responsible for the secure and appropriate use of the Subscription Services to ensure a level of security appropriate to the risk with respect to the Personal Data and agrees that compliance and security measures as set forth in the Agreement and this DPA are deemed sufficient safeguards for processing of any such Restricted Data that Customer chooses to provide to the Subscription Services.

3.2 No Sale of Personal Information and No Sharing for Targeted Advertising. EspoCRM will not sell (as defined by Data Protection Laws) Personal Data, share Personal Data for purposes of cross-context behavioral advertising, or otherwise Process Personal Data for any purpose other than as set forth in the Agreement, unless obligated to do so under Data Protection Laws. In such case, EspoCRM will inform Customer of that legal requirement before such processing unless legally prohibited from doing so. EspoCRM will not retain, use, or disclose Customer’s Personal Data for any commercial purposes (as defined by Data Protection Laws) other than to provide the Subscription Services and Professional Services. EspoCRM understands its obligations as set forth in this section and will comply with them.

3.3 Lawful Instructions. Customer appoints EspoCRM as a processor (or subprocessor) to Process Personal Data on behalf of, and in accordance with, Customer’s instructions. Customer will not instruct EspoCRM to Process Personal Data in violation of Data Protection Laws. EspoCRM will promptly inform Customer if, in EspoCRM’s opinion, an instruction from Customer infringes Data Protection Laws. The Agreement, including this DPA, along with Customer’s configuration of the Subscription Services (which Customer may be able to modify from time to time), constitutes Customer’s complete and final instructions to EspoCRM regarding the Processing of Personal Data, unless otherwise agreed in writing.

4. DETAILS OF PROCESSING

4.1 The subject matter of Processing of Personal Data by EspoCRM is the performance of the Subscription Services and Professional Services under the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data and categories of Data Subjects Processed under this DPA are set forth in Schedule 1 (Details of the Processing) to this DPA.

4.2 The Parties acknowledge and agree that the Processing of personal information or Personal Data that is subject to the CCPA shall be carried out in accordance with the terms set forth in Schedule 5 (Jurisdiction Specific Requirements – California) to this DPA.

5. CUSTOMER OBLIGATIONS

5.1 Customer has full control over the Personal Data sent for Processing and is responsible for complying with its applicable Data Protection Laws, for assessing whether the use of the Subscription Services meets its compliance and contractual obligations, and for obtaining all rights, authorizations, and consents for the Processing of Personal Data in accordance with this DPA and the instructions, including where applicable approval by Customer’s Data Controllers to use EspoCRM as a Data Processor (or subprocessor).

5.2 In particular, but without prejudice to the generality of the foregoing, Customer acknowledges and agrees that Customer will be solely responsible for:

  • (a) the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data;
  • (b) complying with all necessary transparency and lawfulness requirements under Data Protection Laws for the collection and use of the Personal Data, including providing the necessary notifications and obtaining any necessary consents and authorizations (particularly for use by Customer for marketing purposes);
  • (c) ensuring Customer has the right to transfer, or provide access to, the Personal Data to EspoCRM for Processing in accordance with the Agreement;
  • (d) complying with all applicable Data Protection Laws to any emails or other content created, sent, or managed through the Subscription Services, including those relating to obtaining consents (where required) to send emails, the content of the emails, and its email deployment practices; and
  • (e) properly implementing access and use controls and configuring certain features and functionalities of the Subscription Services that Customer may elect to use and in such manner that Customer deems adequate to maintain appropriate security, protection, deletion, and backup of Personal Data.

5.3 Customer will inform EspoCRM without undue delay if Customer is not able to comply with its responsibilities under Section 5 or applicable Data Protection Laws.

6. ESPOCRM OBLIGATIONS

6.1 EspoCRM commits to Process Personal Data received for the purposes described in this DPA or as otherwise agreed within the scope of Customer’s lawful instructions, except where and to the extent otherwise required by applicable Data Protection Laws to which EspoCRM is subject, in which case EspoCRM shall inform Customer of those legal requirements before such processing, unless that law prohibits such information on important grounds of public interest.

6.2 EspoCRM will notify Customer without undue delay if EspoCRM is of the opinion that an instruction received from Customer is in violation of applicable Data Protection Laws or in violation of contractual duties under this DPA.

6.3 EspoCRM will oblige its personnel to Process Personal Data only in accordance with the Agreement, this DPA and its appendices, and any instructions received from Customer.

6.4 EspoCRM will keep confidential and will not make available any Personal Data received in connection with the Subscription Services to any third party except in accordance with the Agreement or this DPA or as required by applicable Data Protection Laws.

7. SECURITY INCIDENT NOTIFICATION

To the extent required by Data Protection Laws and taking into account the nature of processing and the information available to EspoCRM, EspoCRM will notify Customer via email without undue delay or within the time period required under Data Protection Laws after becoming aware of a Personal Data Breach involving Personal Data for which Customer is the Data Controller, and will assist Customer in fulfilling its statutory obligations under applicable Data Protection Laws. EspoCRM will provide timely and periodic updates to Customer as additional information regarding the Personal Data Breach becomes available. Customer acknowledges that any updates may be based on incomplete information. EspoCRM will not assess the contents of Customer Data for the purpose of determining if such Customer Data is subject to any requirements under Data Protection Laws.

8. PERSONNEL

8.1 Confidentiality. EspoCRM will ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements. EspoCRM shall ensure that such confidentiality obligations survive the termination of the personnel engagement.

8.2 Reliability. EspoCRM will take commercially reasonable steps to ensure the reliability of any EspoCRM personnel engaged in the Processing of Personal Data.

8.3 Limitation of Access. EspoCRM will ensure that EspoCRM’s access to Personal Data is limited to those personnel, including Subprocessors, providing the Subscription Services in accordance with the Agreement. EspoCRM only grants its employees and Subprocessors access to the Personal Data insofar as this is required for the performance of the Agreement and with due observance of the confidentiality provisions.

9. DELETION AND RETURN OF PERSONAL DATA

Upon termination or expiration of the Agreement, EspoCRM shall, upon Customer’s request, and subject to the limitations described in the Agreement, return to Customer (or make available for export in accordance with the Agreement) all Customer Personal Data in EspoCRM’s possession, or securely destroy such Customer Personal Data (excluding any back-up or archival copies which shall be deleted in accordance with EspoCRM’s data retention schedule), except where EspoCRM is required to retain copies under applicable laws, in which case EspoCRM will limit its processing of such Customer Personal Data except to the extent required by applicable laws.

10. SUBPROCESSORS

10.1 Subprocessors Authorization. Customer agrees that EspoCRM may engage Subprocessors to Process Personal Data on behalf of Customer in connection with the obligations of the Subscription Services. Customer authorizes EspoCRM’s engagement of the Subprocessors listed at https://www.espocrm.com/subprocessors/.

10.2 Notification of Changes in Subprocessors. EspoCRM will notify Customer via email if EspoCRM intends to add one or more Subprocessors to that list at least thirty (30) days before the changes take effect. If Customer can reasonably show that the appointment of a new Subprocessor will have a material adverse effect on EspoCRM’s ability to comply with applicable Data Protection Laws, then Customer must promptly notify EspoCRM in writing within fifteen (15) business days thereafter of its reasonable basis for objection to the use of a new Subprocessor. If EspoCRM is unable to assist Customer with its objection regarding the engagement of a Subprocessor within a reasonable period of time which shall not exceed thirty (30) calendar days, Customer may, upon written notice to EspoCRM, terminate the Agreement in accordance with Section 11 of the Agreement. In the event of such termination, EspoCRM will refund Customer on a pro rata basis any amounts paid by such Customer for use of the Subscription Services.

10.3 Conditions for Engaging Subprocessors. EspoCRM may only engage Subprocessors for providing the Subscription Services under the Agreement if EspoCRM (a) provides notice of the Subprocessor’s name and the services to be provided by the Subprocessor prior to engaging or replacing the Subprocessor; and (b) has in place, or enters into prior to engaging the Subprocessor, an agreement with the Subprocessor that imposes obligations that are no less protective than those set forth in this DPA.

10.4 Redaction of Subprocessor Agreements. To the extent required under the Standard Contractual Clauses or applicable Data Protection Laws, EspoCRM may provide Customer with copies of Subprocessor agreements. Customer acknowledges that such agreements may be redacted to remove commercial information or provisions unrelated to data protection. Such copies will be provided only upon Customer’s prior written request.

11. DATA TRANSFERS

11.1 Customer acknowledges and agrees that EspoCRM may access and Process Personal Data on a global basis as necessary to provide the Subscription Services and Professional Services in accordance with the Agreement and, in particular, that Personal Data may be transferred to and Processed by EspoCRM’s Subprocessors in jurisdictions where they have operations. Wherever Personal Data is transferred outside its country of origin, each party will ensure such transfers are made in compliance with the requirements of Data Protection Laws.

11.2 Customer authorizes EspoCRM and its Subprocessors to make international transfers of Customer Personal Data in accordance with this DPA and Data Protection Laws.

12. SECURITY MEASURES

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects, EspoCRM will implement appropriate technical and organizational security measures to ensure a level of security appropriate to the risk, including the measures listed in Schedule 3 (Technical and Organizational Measures) of this DPA.

13. AUDITS

EspoCRM will grant to Customer and its designees during the term of this DPA all requested information and access rights strictly in accordance with EspoCRM’s security policies in order to verify EspoCRM’s compliance with the Agreement and with Data Protection Laws upon written request by Customer. Customer may request an audit by providing at least 30 days’ advance written notice to privacy-concerns@espocrm.com. Customer may determine EspoCRM’s compliance with the agreed technical and organizational measures (see Schedule 3 of this DPA) at EspoCRM’s facilities upon a reasonable request in writing once a year, which is subject to confidentiality. If and to the extent Customer engages third parties to conduct an audit, such third parties must be bound by confidentiality obligations similar to and no less protective than those agreed to under this DPA. Customer shall reimburse EspoCRM for any time expended for any on-site audits at EspoCRM’s then-current professional services rates. Customer is responsible for costs and expenses relating to any audit it requests beyond the audit report. Customer shall promptly notify EspoCRM and provide information about any actual or suspected non-compliance discovered during an audit. Any reports or information derived from any inquiry or audit under this Section 13 shall be considered EspoCRM’s Confidential Information.

14. LIMITATION OF LIABILITY

14.1 Notwithstanding anything contained in this DPA (including the Standard Contractual Clauses if any) to the contrary, Customer’s remedies and EspoCRM’s and its Affiliates’ obligations, with respect to breach of this DPA or a Personal Data Breach directly caused by EspoCRM and the overall liability of EspoCRM arising out of, or in connection with such breach will be subject to the aggregate limitations of liability under Section 16 of the Agreement (the “Liability Cap”). EspoCRM’s total liability for all claims from Customer and all of its users arising out of or related to the Agreement or this DPA will apply in aggregate for all claims under both the Agreement and this DPA.

FOR THE AVOIDANCE OF DOUBT, THE PARTIES INTEND AND AGREE THAT THE OVERALL AGGREGATE LIABILITY OF ESPOCRM AND ITS AFFILIATES ARISING OUT OF, OR IN CONNECTION WITH, ESPOCRM’S BREACH OF THIS DPA SHALL IN NO EVENT EXCEED THE LIABILITY CAP.

14.2 NOTWITHSTANDING ANYTHING TO THE CONTRARY IN THE AGREEMENT, INCLUDING THIS DPA, ESPOCRM AND ITS AFFILIATES WILL NOT BE LIABLE FOR ANY CLAIM MADE BY A DATA SUBJECT ARISING FROM OR RELATED TO ESPOCRM’S OR ANY OF ITS AFFILIATES’ ACTS OR OMISSIONS, TO THE EXTENT THAT ESPOCRM WAS ACTING IN ACCORDANCE WITH CUSTOMER’S OR ITS AUTHORIZED USERS’ INSTRUCTIONS.

14.3 Where EspoCRM has paid compensation, damages, or fines, EspoCRM is entitled to claim back from Customer that part of the compensation, damages, or fines, corresponding to Customer’s part of the responsibility for the compensation, damages, or fines.

15. MISCELLANEOUS

15.1 This DPA is governed by the law indicated as the governing law in the respective provisions of the Agreement.

15.2 Notwithstanding anything else to the contrary in the Agreement, EspoCRM may periodically make modifications to this DPA where necessary to (a) comply with a request or order by a supervisory authority or other government or regulatory entity; (b) as may be required to comply with Data Protection Laws; (c) implement or adhere to new standard contractual clauses, approved codes of conduct or certifications, or other compliance mechanisms, which may be permitted under Data Protection Laws; or (d) reflect any changes in its data processing practices. Unless otherwise specified by EspoCRM, these changes will become effective for Customer upon posting of the modified DPA (see “Last Updated” date above). In any event, continued use of the Services will constitute Customer’s acceptance of the version of this DPA in effect.

15.3 In the event of any conflict or inconsistency between the terms of this DPA and the terms of the Agreement, the terms of this DPA shall prevail solely to the extent that the subject matter concerns the Processing of Personal Data. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail to the extent of such conflict.

15.4 Each Party’s liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations of liability contained in the Agreement.

15.5 If any individual provisions of this DPA are determined to be invalid or unenforceable, the validity and enforceability of the other provisions of this DPA will not be affected.

SCHEDULE 1 – DETAILS OF THE PROCESSING

1. NATURE AND PURPOSE OF PROCESSING

EspoCRM will Process Personal Data as necessary to perform the Subscription Services and Professional Services pursuant to the Agreement, and as further instructed by Customer in its use of the Subscription Services.

2. DURATION OF PROCESSING

For as long as necessary to provide the Subscription Services as described in the Agreement, as legally or contractually required, or upon receipt of Customer’s written request for deletion.

3. CATEGORIES OF DATA SUBJECTS

Customer may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects:

  • Prospects, customers, business partners, and vendors of Customer (who are natural persons);
  • Employees or contact persons of Customer’s prospects, customers, business partners, and vendors;
  • Employees, agents, advisors, freelancers of Customer (who are natural persons);
  • Customer’s Authorized Users of the Subscription Services.

4. SENSITIVE DATA

Sensitive data transferred (if applicable) and the restrictions or safeguards applied to it, which fully take into consideration the nature of the data and the risks involved, such as strict purpose limitation, access restrictions (including access only for staff having followed specialized training), keeping a record of access to the data, restrictions on onward transfers, or additional security measures.

5. TYPE OF PERSONAL DATA

Customer may submit Personal Data to the Subscription Services, the extent of which is determined and controlled by Customer in its sole discretion, and which may include, but is not limited to, the following categories of Personal Data:

  • First and last name;
  • Title;
  • Position;
  • Employer;
  • Contact information (company, street address, email, phone, other contact information);
  • Professional life data;
  • Personal life data;
  • Connection data;
  • Customer history;
  • IP addresses;
  • Log data;
  • Localization data;
  • Other data collected by Customer and entered or uploaded into the Subscription Services, the nature of which is determined solely by Customer.

SCHEDULE 2 – LIST OF PARTIES

Data exporter(s):

Name: Customer (identified in the Agreement)
Address: Customer address as specified in the Agreement or the applicable Order Form
Contact person’s name, position and contact details: Customer contact person as specified in the Agreement
Activities relevant to the data transferred under these Clauses: Activities relevant are described in Schedule 1
Signature and date: Effective Date of the Agreement
Role (controller/processor): Controller and/or processor

Data importer(s):

Name: EspoCRM, Inc.
Address: 2028 E Ben White Blvd #240-6555, Austin, TX 78741, USA
Contact person’s name, position and contact details: Contact form: https://www.espocrm.com/support/; Email: privacy-concerns@espocrm.com
Activities relevant to the data transferred under these Clauses: Activities relevant are described in Schedule 1
Signature and date: Effective Date of the Agreement
Role (controller/processor): Processor

SCHEDULE 3 – TECHNICAL AND ORGANIZATIONAL MEASURES

1. PHYSICAL SECURITY MEASURES

Outsourced processing. EspoCRM hosts the Subscription Services with outsourced cloud infrastructure providers. EspoCRM stores Customer Data in physically secure data centers. Additionally, EspoCRM maintains contractual relationships with vendors in order to provide the Subscription Services in accordance with our DPA. EspoCRM relies on contractual agreements, privacy policies, and vendor compliance programs in order to protect data Processed or stored by these vendors.

Physical and environmental security. EspoCRM hosts its product infrastructure with multi-tenant, outsourced infrastructure providers. The physical and environmental security controls are audited for ISO 27001 compliance, among other certifications.

2. PREVENTING UNAUTHORIZED ACCESS TO THE SERVICE

Authorization. Customer Data is stored in multi-tenant storage systems, accessible to Customers via only application user interfaces and application programming interfaces. Customers are not allowed direct access to the underlying application infrastructure. The authorization model in each of EspoCRM’s Subscription Services is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed through validating the user’s permissions against the attributes associated with each data set.

Application Programming Interface (API) access. Public product APIs may be accessed using an API.

Passwords. Passwords are securely stored using one-way hashing.

Encryption in transit. To protect Customer Data in transit, EspoCRM requires all inbound and outbound data connections to be encrypted using the TLS 1.2 or TLS 1.3 protocol.

Services Access Control. The Subscription Services provide user account management, role-based access control, and integration with OpenID Connect, enterprise identity (LDAP) and access management services, including, but not limited to, multi-factor authentication where feasible. Customers are responsible for configuring such access controls within their instance(s).

3. INTERNAL ACCESS CONTROL

  • Access to all data, including Customer Data, by EspoCRM employees and contractors is protected by strong authentication, authorization, and audit mechanisms. The intent of providing access to a subset of employees and contractors is to provide effective customer support, troubleshoot potential problems, detect and respond to security incidents, and implement data security. Access privileges are based on job requirements, and access to Customer Data is granted on a per-customer, time-limited basis requiring multi-level approvals, and are revoked upon termination of employment or consulting relationships.
  • Strong password policy, device trust controls, and multi-factor authentication where feasible.

4. DATABASE SECURITY

  • Customer Data is stored in a dedicated database – no sharing of data between customers.
  • Data access control rules implement complete isolation between customer databases running on the same cluster; no access is possible from one database to another.

5. RESILIENCE AND BACKUPS

  • All Customer Data is backed up for disaster recovery.
  • Backups are encrypted and stored off-site, available for restoration in the event of data corruption or destruction.

SCHEDULE 4 – TRANSFER MECHANISMS

EspoCRM utilizes several transfer mechanisms governing the international transfer of Personal Data, depending upon the jurisdiction of the Personal Data that is Processed.

1. EU STANDARD CONTRACTUAL CLAUSES

The EU SCCs will apply to Restricted Transfers of Customer Personal Data protected by the GDPR and will be completed as follows:

  • (i) The clauses as set forth in Module Two (controller to processor) will apply only to the extent Customer is a controller and EspoCRM is a processor;
  • (ii) The clauses as set forth in Module Three (processor to processor) will only apply to the extent Customer is a processor and EspoCRM is a subprocessor;
  • (iii) The “data exporter” is Customer, and the exporter’s contact information is set forth in Schedule 2 (List of Parties);
  • (iv) The “data importer” is EspoCRM, and EspoCRM’s contact information is set forth in Schedule 2 (List of Parties);
  • (v) In Clause 7, the optional docking clause will apply;
  • (vi) In Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set forth in Section 10 of this DPA;
  • (vii) In Clause 11, the optional language will not apply;
  • (viii) In Clause 17, Option 1 will apply, and the EU SCCs will be governed by the law of Bulgaria;
  • (ix) In Clause 18(b), disputes will be resolved before the courts of Bulgaria; and
  • (x) Annexes I and II are deemed completed with the relevant information set forth in Schedule 1 (Details of Processing), Schedule 2 (List of Parties), and Schedule 3 (Technical and Organizational Measures).

2. UK INTERNATIONAL DATA TRANSFER ADDENDUM

The UK Addendum will apply to Restricted Transfers of Customer Personal Data protected by the UK GDPR and will be completed as follows:

  • (i) Table 1 will be completed with the relevant information in Schedule 2 (List of Parties);
  • (ii) Table 2 will be completed with the selected modules and clauses of the EU SCCs, as identified in Schedule 4, Section 1;
  • (iii) Table 3 will be completed with the relevant information set forth in Schedule 1 (Details of Processing), Schedule 2 (List of Parties), and Schedule 3 (Technical and Organizational Measures) and Section 10.1 of this DPA; and
  • (iv) Table 4 will be deemed completed by selecting “neither party”.

3. CONFLICT

The Standard Contractual Clauses are subject to this DPA. The rights and obligations afforded by the Standard Contractual Clauses will be exercised in accordance with this DPA, unless stated otherwise. In the event of any conflict or inconsistency between the body of this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses will prevail to the extent of such conflict.

SCHEDULE 5 – JURISDICTION SPECIFIC REQUIREMENTS – CALIFORNIA

1. DEFINITIONS

For the purpose of this Schedule 5, the terms “personal information,” “business”, “consumer”, “service provider,” “business purpose”, “sale,” “cross-context behavioral advertising”, “share”, and “sell” are as defined in Section 1798.140 of the California Consumer Privacy Act.

2. ROLE OF PARTIES

When processing personal information subject to the CCPA under this DPA, the Parties acknowledge and agree that Customer is a business and EspoCRM is a service provider for the purposes of the CCPA.

3. OBLIGATIONS

3.1 The Parties acknowledge and agree that all personal information subject to the CCPA is disclosed to EspoCRM by Customer for one or more business purposes and its use or sharing by Customer with EspoCRM is to perform such business purposes, or as otherwise permitted by the CCPA. For the avoidance of doubt, the transmission of personal information is not for the purposes of cross-context behavioral advertising.

3.2 The Parties acknowledge and agree that the disclosure of personal information by Customer to EspoCRM does not form part of any monetary or other valuable consideration exchanged between the Parties.

3.3 EspoCRM certifies that it will process personal information as a service provider strictly for the purpose of performing the Subscription Services and Professional Services under the Agreement or as otherwise permitted by the CCPA.

3.4 EspoCRM will comply with the obligations applicable to it as a service provider under the CCPA, provide the same level of protection for personal information as required by the CCPA, and notify Customer if EspoCRM determines that it can no longer meet its obligations as a service provider under the CCPA.

3.5 EspoCRM will not:

  • sell personal information;
  • process personal information outside the direct business relationship between the Parties, unless required by applicable law; or
  • combine personal information included in Customer Data with personal information that EspoCRM collects or receives from another source (other than information EspoCRM receives from another source in connection with EspoCRM’s obligations as a service provider under the Agreement).

4. AUDITS

EspoCRM will assist Customer in responding to any consumer requests to exercise their rights under the CCPA, including requests for access, deletion, or opt-out, to the extent applicable. Customer has the right to audit and verify that EspoCRM processes personal information in a manner consistent with Customer’s obligations under the CCPA and in accordance with Section 13 of this DPA. Upon notice, Customer has the right, in accordance with the Agreement (including this DPA) and EspoCRM security policies, to take reasonable and appropriate steps to stop and remediate any non-compliant use of personal information.