The controller-processor contract.
This Data Processing Addendum ("DPA") forms part of the Terms of Service between you (the "Customer") and Cruma Inc. ("Cruma") for the processing of Personal Data subject to the GDPR, the UK GDPR, the Swiss FADP, or the California Consumer Privacy Act / CPRA.
1 · Definitions
Capitalized terms not defined here have the meanings given in the Terms or in applicable Data Protection Laws.
- Customer Personal Data means Personal Data that Cruma processes on behalf of Customer in connection with the Service.
- Data Protection Laws means GDPR (Regulation (EU) 2016/679), UK GDPR + Data Protection Act 2018, Swiss FADP, CCPA / CPRA, and any other applicable data-protection legislation.
- Controller, Processor, Personal Data, Processing, Data Subject, and Personal Data Breach have the meanings given in the GDPR.
- SCCs means the Standard Contractual Clauses adopted by the European Commission on 4 June 2021 (Module 2: Controller-to-Processor).
- UK Addendum means the UK International Data Transfer Addendum issued by the UK ICO, version B1.0.
- Sub-processor means any third party engaged by Cruma to process Customer Personal Data.
2 · Roles & scope
Customer is the Controller and Cruma is the Processor with respect to Customer Personal Data. Cruma will process Customer Personal Data only on documented instructions from Customer (which are given through Customer's use of the Service, its configuration choices, and any further written instructions Customer issues).
3 · Processing details
- Subject matter: Cruma's provision of the Service to Customer.
- Duration: the term of Customer's subscription, plus any period of post-termination retention permitted by §12.
- Nature & purpose: hosting, processing, transmitting, and analyzing Customer Personal Data to operate the Service, including AI-assisted drafting, classification, search, and execution against Customer's connected accounts.
- Categories of Data Subjects: Customer's personnel, prospects, customers, partners, suppliers, and any individuals Customer chooses to include in its workspace.
- Categories of Personal Data: identifiers (name, email, phone), employment information, communications content (email bodies, calendar events Customer shares), behavioral / interaction data (engagement, replies), and any other Personal Data Customer chooses to include.
- Special category data: Customer agrees not to submit Special Category Data (e.g., health, biometric, genetic, political opinions) to the Service except as expressly required by Customer's lawful use case and supported by Customer's own lawful basis. Cruma is not designed for Special Category Data processing.
4 · Cruma's obligations
Cruma will:
- Process Customer Personal Data only on Customer's documented instructions and in accordance with the Terms and this DPA.
- Ensure personnel authorized to process Customer Personal Data are under appropriate confidentiality obligations.
- Implement and maintain the security measures described in §6.
- Assist Customer in responding to Data Subject requests (§10) and in meeting Customer's GDPR Articles 32-36 obligations (security, breach notification, DPIA, prior consultation), taking into account the nature of processing and the information available to Cruma.
- Make available to Customer information reasonably necessary to demonstrate compliance with this DPA (§11).
- Tell Customer immediately if, in Cruma's opinion, an instruction violates Data Protection Laws.
5 · Customer obligations
Customer represents and warrants that:
- It has a valid lawful basis under Data Protection Laws to process Customer Personal Data and to instruct Cruma to do so.
- It has provided all required notices to Data Subjects, including those whose data Customer loads into the workspace (prospects, customer contacts, etc.).
- Its instructions to Cruma comply with Data Protection Laws.
- It will not submit Special Category Data except as permitted in §3.
6 · Security measures
Cruma will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include:
- Encryption. TLS 1.2+ in transit; AES-256 at rest; OAuth tokens encrypted with envelope encryption.
- Access control. Least-privilege service roles; row-level security on every workspace-scoped table at the database layer; multi-factor authentication for production-system access by Cruma personnel.
- Audit logging. Structured logs on cross-workspace operations and break-glass access.
- Vulnerability management. Dependency review on every pull request; published vulnerability disclosure policy at /.well-known/security.txt.
- Operational security. Production access restricted to authorized personnel; no production database access from personal devices.
Cruma will review and update these measures over time. Material changes will not weaken the overall level of security. The current security posture is summarized at /legal/security.
7 · Sub-processors
Customer authorizes Cruma to engage Sub-processors to process Customer Personal Data, provided that Cruma: (a) imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA; and (b) remains liable to Customer for each Sub-processor's performance.
Categories of Sub-processors and named AI-provider Sub-processors are listed at /legal/subprocessors. Active customers may request the current full list (including specific named vendors in each category) by emailing privacy@cruma.ai.
Change notification. Cruma will give Customer at least 30 days' notice (via email to the workspace owner or via posting on /legal/subprocessors) before adding or replacing a Sub-processor. If Customer reasonably objects to a new Sub-processor on data-protection grounds, the parties will discuss commercially reasonable alternatives. If no resolution is reached, Customer may terminate the affected portion of the Service without penalty.
8 · Personal Data Breach notification
Cruma will notify Customer without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting Customer Personal Data. The notice will describe the nature of the breach, categories and approximate number of affected Data Subjects and records, likely consequences, and measures taken or proposed.
9 · International transfers (SCCs)
Cruma is operated from the United States. For transfers of Customer Personal Data from the EEA, the UK, or Switzerland to the United States or other jurisdictions that have not been deemed to provide adequate protection, the parties incorporate the SCCs as follows:
- Module 2 (Controller-to-Processor) applies with Customer as data exporter and Cruma as data importer.
- In Clause 7 (Docking clause): not applicable.
- In Clause 9 (Sub-processors): Option 2 (general written authorization) applies, with the 30-day notice period per §7.
- In Clause 11 (Redress): the optional independent dispute-resolution body does not apply.
- In Clause 17 (Governing law): Ireland.
- In Clause 18 (Forum and jurisdiction): the courts of Ireland.
- Annex I.A: Customer is the data exporter; Cruma Inc., Delaware, USA is the data importer.
- Annex I.B: as described in §3.
- Annex I.C: Customer's competent supervisory authority.
- Annex II: the security measures in §6.
For transfers from the United Kingdom, the parties incorporate the UK Addendum to the SCCs, with the SCCs as the Approved EU SCCs and this DPA as the Approved Addendum.
For transfers from Switzerland, references to "GDPR" in the SCCs are deemed to include the Swiss FADP, and references to the "supervisory authority" include the Swiss Federal Data Protection and Information Commissioner.
10 · Assistance with Data-Subject requests
Cruma will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures (insofar as possible) to respond to Data-Subject requests under Chapter III of the GDPR. To the extent Customer's workspace tools (Settings → Export, Settings → Delete) are not sufficient for the request, Customer may request additional assistance from privacy@cruma.ai.
11 · Audits
Cruma will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA. On reasonable prior written request and no more than once per twelve-month period (unless required by a supervisory authority), Customer may audit Cruma's compliance, either by reviewing third-party audit reports Cruma makes available (e.g., SOC 2 or ISO 27001, once issued) or, if such reports are not sufficient, by conducting a mutually agreed audit through an independent third-party auditor under reasonable confidentiality terms, at Customer's expense.
12 · Return & deletion
On termination of the Service, Cruma will, at Customer's choice and within 30 days, either return all Customer Personal Data to Customer (via Settings → Export or by bulk export on request) or delete it from active production systems. Backup copies age out on the standard 30-day backup cycle. Cruma may retain Customer Personal Data to the extent and for as long as required by applicable law, subject to continued application of this DPA.
13 · Liability
Each party's liability under or in connection with this DPA is subject to the limitation of liability set out in the Terms of Service, applied per the order of precedence in §15. Nothing in this DPA limits or excludes liability that cannot be limited or excluded under Data Protection Laws.
14 · CCPA / CPRA terms
For Customer Personal Data subject to the CCPA / CPRA, Cruma is a "Service Provider" (or, where applicable, a "Contractor"). Cruma will not:
- Sell or share Personal Information.
- Retain, use, or disclose Personal Information for any purpose other than performing the Service or as permitted by the CCPA.
- Retain, use, or disclose Personal Information outside the direct business relationship between Customer and Cruma.
- Combine Personal Information received from Customer with Personal Information from other sources, except as permitted by the CCPA for Service-Provider activities.
Cruma certifies that it understands and will comply with these restrictions.
15 · Order of precedence
If a conflict arises among (a) the SCCs / UK Addendum, (b) this DPA, and (c) the Terms of Service, the order of precedence is (a) → (b) → (c) on data-protection matters and (c) → (b) → (a) on all other matters.
16 · Contact
Cruma Inc. (Delaware)
Data protection / privacy: privacy@cruma.ai
Legal: legal@cruma.ai
Security: security@cruma.ai