CrispWebs

Legal

Data Processing Agreement

Last updated: 19 May 2026 · Effective: 19 May 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between CrispWebs OÜ, a private limited company registered in Estonia (registry code: XXXXXXXX) (“Processor”), and you, the customer (“Controller”), and governs the processing of personal data by CrispWebs on your behalf.

This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (nFADP/DSG).

1. Definitions

2. Scope & Roles

You (Controller) determine the purposes and means of processing Personal Data collected through your Site (e.g., contact form submissions, lead captures, booking requests).

CrispWebs (Processor) processes that Personal Data strictly on your documented instructions and solely for the purpose of delivering the Service.

3. Categories of Data & Data Subjects

Data SubjectsCategories of Personal DataProcessing Purpose
Site visitors / leadsName, email, phone, message contentContact form delivery, lead capture
Booking customersName, email, phone, appointment detailsBooking management (Studio plan)
Review authorsName, review text (public data)Display on Site

4. Obligations of the Processor

CrispWebs shall:

5. Sub-processors

5.1 Authorisation

The Controller grants general written authorisation for the Processor to engage Sub-processors listed below. The Processor shall inform the Controller of any intended addition or replacement of Sub-processors at least 14 days in advance, giving the Controller the opportunity to object.

5.2 Current Sub-processors

Sub-processorProcessing ActivityLocationTransfer Mechanism
Vercel, Inc.Hosting, serverless computeUSEU SCCs
Supabase, Inc.Database (PostgreSQL)EU (Frankfurt)Adequacy
Cloudflare, Inc.DNS, CDN, domain registrationUS / GlobalEU SCCs
Stripe, Inc.Payment processingUSEU SCCs
Resend (Svix, Inc.)Transactional emailUSEU SCCs
OpenAI, Inc. / Anthropic, PBCAI content generationUSEU SCCs + DPA

5.3 Obligations

The Processor shall impose the same data protection obligations on each Sub-processor via written contract. The Processor remains fully liable to the Controller for the performance of Sub-processors.

6. International Data Transfers

Where Personal Data is transferred to countries without an adequacy decision by the European Commission or the Swiss FDPIC, we implement:

7. Security Measures

The Processor implements the following technical and organisational measures (Art. 32 GDPR):

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

9. Audits

The Controller may audit the Processor’s compliance with this DPA once per calendar year, upon 30 days’ written notice. Audits shall be conducted during normal business hours, at the Controller’s expense, and shall not unreasonably interfere with the Processor’s operations. The Processor may satisfy audit requests by providing:

10. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests by:

11. Data Retention & Deletion

Upon termination of the Service or upon the Controller’s written request:

12. Duration

This DPA remains in effect for the duration of the Controller’s subscription, and continues until all Personal Data has been deleted or returned in accordance with Section 11.

13. Liability

Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA does not limit either party’s liability for breaches of data protection law to the extent such limitation is prohibited by applicable law.

14. Governing Law

This DPA is governed by the laws of the Republic of Estonia. GDPR obligations shall be interpreted in accordance with EU law and guidance from the European Data Protection Board (EDPB). Any disputes shall be resolved in accordance with the Terms of Service (Harju County Court, Tallinn).

15. Contact

For questions or requests regarding this DPA:

CrispWebs OÜ
Data Protection
Tallinn, Estonia
Registry code: XXXXXXXX
Email: privacy@crispwebs.com

Lead supervisory authority: Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate).