Legal
Data Processing Agreement
Last updated: 19 May 2026 · Effective: 19 May 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between CrispWebs OÜ, a private limited company registered in Estonia (registry code: XXXXXXXX) (“Processor”), and you, the customer (“Controller”), and governs the processing of personal data by CrispWebs on your behalf.
This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss Federal Act on Data Protection (nFADP/DSG).
1. Definitions
- “Personal Data” — any information relating to an identified or identifiable natural person processed by the Processor on behalf of the Controller through the Service.
- “Data Subject” — the identified or identifiable natural person to whom Personal Data relates (e.g., visitors to your Site who submit contact forms).
- “Sub-processor” — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- “Processing” — any operation performed on Personal Data (collection, storage, use, transmission, deletion, etc.).
- “SCCs” — the Standard Contractual Clauses adopted by the European Commission for international data transfers.
2. Scope & Roles
You (Controller) determine the purposes and means of processing Personal Data collected through your Site (e.g., contact form submissions, lead captures, booking requests).
CrispWebs (Processor) processes that Personal Data strictly on your documented instructions and solely for the purpose of delivering the Service.
3. Categories of Data & Data Subjects
| Data Subjects | Categories of Personal Data | Processing Purpose |
|---|---|---|
| Site visitors / leads | Name, email, phone, message content | Contact form delivery, lead capture |
| Booking customers | Name, email, phone, appointment details | Booking management (Studio plan) |
| Review authors | Name, review text (public data) | Display on Site |
4. Obligations of the Processor
CrispWebs shall:
- Process Personal Data only on documented instructions from the Controller, unless required by applicable law (in which case we will notify you unless legally prohibited);
- Ensure that persons authorised to process Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see Section 7);
- Assist the Controller in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection);
- Assist the Controller in ensuring compliance with obligations under Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
- At the Controller’s choice, delete or return all Personal Data after the end of the service, unless storage is required by applicable law;
- Make available all information necessary to demonstrate compliance and allow for audits (see Section 9).
5. Sub-processors
5.1 Authorisation
The Controller grants general written authorisation for the Processor to engage Sub-processors listed below. The Processor shall inform the Controller of any intended addition or replacement of Sub-processors at least 14 days in advance, giving the Controller the opportunity to object.
5.2 Current Sub-processors
| Sub-processor | Processing Activity | Location | Transfer Mechanism |
|---|---|---|---|
| Vercel, Inc. | Hosting, serverless compute | US | EU SCCs |
| Supabase, Inc. | Database (PostgreSQL) | EU (Frankfurt) | Adequacy |
| Cloudflare, Inc. | DNS, CDN, domain registration | US / Global | EU SCCs |
| Stripe, Inc. | Payment processing | US | EU SCCs |
| Resend (Svix, Inc.) | Transactional email | US | EU SCCs |
| OpenAI, Inc. / Anthropic, PBC | AI content generation | US | EU SCCs + DPA |
5.3 Obligations
The Processor shall impose the same data protection obligations on each Sub-processor via written contract. The Processor remains fully liable to the Controller for the performance of Sub-processors.
6. International Data Transfers
Where Personal Data is transferred to countries without an adequacy decision by the European Commission or the Swiss FDPIC, we implement:
- Standard Contractual Clauses (Module 2: Controller to Processor, or Module 3: Processor to Sub-processor);
- Transfer Impact Assessments where required;
- Supplementary technical measures: encryption in transit (TLS 1.3), at rest (AES-256), access controls, pseudonymisation where feasible.
7. Security Measures
The Processor implements the following technical and organisational measures (Art. 32 GDPR):
- Encryption: TLS 1.3 in transit, AES-256 at rest;
- Access control: Role-based access, MFA for all internal systems, principle of least privilege;
- Pseudonymisation: Applied where processing purposes allow;
- Resilience: Multi-region hosting, automated backups, disaster recovery;
- Testing: Regular vulnerability assessments and penetration testing;
- Logging: Comprehensive audit logs with 90-day retention;
- Staff training: Annual data protection training for all personnel;
- Incident management: Documented incident response procedures.
8. Data Breach Notification
In the event of a Personal Data breach, the Processor shall:
- Notify the Controller without undue delay, and in any case within 48 hours of becoming aware of the breach;
- Provide all information necessary for the Controller to fulfil its notification obligations under Art. 33/34 GDPR;
- Cooperate with the Controller to investigate and mitigate the breach;
- Document the breach, its effects, and remedial actions taken.
9. Audits
The Controller may audit the Processor’s compliance with this DPA once per calendar year, upon 30 days’ written notice. Audits shall be conducted during normal business hours, at the Controller’s expense, and shall not unreasonably interfere with the Processor’s operations. The Processor may satisfy audit requests by providing:
- SOC 2 Type II report or equivalent certification;
- Results of independent third-party audits or penetration tests;
- Written responses to reasonable audit questionnaires.
10. Data Subject Rights
The Processor shall assist the Controller in responding to Data Subject requests by:
- Providing technical measures to retrieve, correct, or delete Personal Data;
- Forwarding any Data Subject request received directly to the Controller within 48 hours;
- Not responding directly to Data Subjects unless instructed by the Controller.
11. Data Retention & Deletion
Upon termination of the Service or upon the Controller’s written request:
- The Processor shall delete or return all Personal Data within 30 days;
- The Processor shall confirm deletion in writing upon request;
- Data retained for legal compliance (e.g., billing records) shall be clearly separated and access-restricted.
12. Duration
This DPA remains in effect for the duration of the Controller’s subscription, and continues until all Personal Data has been deleted or returned in accordance with Section 11.
13. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the Terms of Service. This DPA does not limit either party’s liability for breaches of data protection law to the extent such limitation is prohibited by applicable law.
14. Governing Law
This DPA is governed by the laws of the Republic of Estonia. GDPR obligations shall be interpreted in accordance with EU law and guidance from the European Data Protection Board (EDPB). Any disputes shall be resolved in accordance with the Terms of Service (Harju County Court, Tallinn).
15. Contact
For questions or requests regarding this DPA:
CrispWebs OÜ
Data Protection
Tallinn, Estonia
Registry code: XXXXXXXX
Email: privacy@crispwebs.com
Lead supervisory authority: Andmekaitse Inspektsioon (Estonian Data Protection Inspectorate).