
Data Processing Addendum

Last updated: May 5, 2026

This Data Processing Addendum ("DPA") supplements the AutomatticCRM Terms of Service and applies whenever AutomatticCRM ("Processor") processes personal data on behalf of a customer ("Controller"). It reflects the requirements of the EU General Data Protection Regulation ("GDPR") and the UK GDPR.

1. Subject matter, duration, nature, and purpose

AutomatticCRM processes personal data submitted by the Controller for the purpose of providing the AutomatticCRM service for the duration of the Controller's subscription.

2. Categories of data subjects and personal data

Data subjects include the Controller's contacts, customers, leads, employees, and end users. Personal data includes contact identifiers (name, email, phone), business attributes (company, role), interaction history, and any data the Controller voluntarily uploads.

3. Sub-processors

AutomatticCRM uses a limited list of sub-processors (currently: AWS, Stripe, and the AI provider chosen by the Controller). The Controller will be notified at least 30 days before any new sub-processor is added and may object on reasonable grounds.

4. Security measures

AutomatticCRM applies encryption in transit (TLS 1.3) and at rest (AES-256), strict tenant isolation, role-based access control, audit logging, and ongoing monitoring. A full description is available on the Security page.

5. International transfers

AutomatticCRM relies on the EU Standard Contractual Clauses (SCCs) and the UK International Data Transfer Addendum for transfers outside the EEA/UK.

6. Data subject rights

AutomatticCRM provides Controllers the tools to fulfil access, rectification, erasure, restriction, and portability requests directly within the product. Where additional support is needed, AutomatticCRM will assist on commercially reasonable terms.

7. Breach notification

AutomatticCRM will notify the Controller without undue delay (and within 72 hours) of becoming aware of a personal data breach affecting the Controller's data.

8. Audit

Once per year, the Controller may request a SOC 2 report (when available) or other reasonable independent assessment of AutomatticCRM's controls.

9. Termination

On termination, the Controller may export all personal data within 30 days. After that, AutomatticCRM will delete personal data unless retention is required by law.

Contact

To execute a DPA or for data-protection inquiries, email security@automatticcrm.com.