This Data Processing Agreement ("DPA") supplements the Terms of Service ("Terms") and Privacy Policy for all Customers, and will remain in effect until all Customer Personal Data has been deleted. If there is any conflict or inconsistency between this DPA and the Terms, this DPA will govern.

This DPA reflects our mutual agreement on the terms governing the processing and security of Personal Data in connection with the privacy laws below:
(The United Kingdom ("UK") officially withdrew from the European Union ("EU") and European Economic Area ("EEA") on Jan 1, 2021. The UK has thus adopted a slightly modified version of the GDPR, called the UK-GDPR. For convenience, this DPA uses "EEA" and "GDPR" as umbrella terms that include the UK and its modified UK-GDPR, as there are no fundamental differences in relation to your usage of the Service.)


Data processing

The parties acknowledge and agree that:
  • Under the GDPR and LGPD,
    • Crownpeak is a "Data Processor" of Personal Data, and Customer is a "Data Controller".
    • If Customer is also a Data Processor for its own customers, Customer warrants to Crownpeak that Customer’s instructions and actions with respect to Personal Data, including its appointment of Crownpeak as another Data Processor, have been authorized by the relevant Data Controllers or customers.
  • Under the CCPA,
    • Crownpeak is a "Service Provider", and Customer is a "Business", as these terms relate to Personal Data.
    • If Customer is also a Service Provider for its own customers, Customer warrants to Crownpeak that Customer's instructions and actions with respect to Personal Data, including its appointment of Crownpeak as another Service Provider, have been authorized by the relevant Businesses or customers).
  • Each party will comply with the obligations applicable to it under the laws above with respect to the processing of Personal Data.

By entering into this DPA, Customer instructs Crownpeak to process Personal Data only in accordance with applicable law:
  • to provide the Data Processing and any related technical support;
  • as further specified via Customer’s use of the Service (including in the settings, preferences, and other functionality) and any related technical support;
  • as documented in the Terms of Service, Privacy Policy, and this DPA; and
  • as further documented in any other written instructions given by Customer and acknowledged by Crownpeak as constituting instructions for purposes of this DPA.

Furthermore, as a Service Provider under the CCPA, Crownpeak certifies that it:
  • receives Personal Data from Customer pursuant to a "business purpose";
  • will not "sell" the Personal Data to any third party, as the term "sell" is defined under the CCPA;
  • will retain, use and disclose such Personal Data only for the specific purposes as defined above and by the Customer; and
  • understands its contractual restrictions and shall comply with them.

Crownpeak will comply with Customer instructions (including with regard to data transfers), unless applicable law requires other processing of Personal Data by Crownpeak, in which case Crownpeak will inform Customer as the law allows.

Customer is solely liable for its compliance with the GDPR, LGPD, CCPA, and all other applicable privacy laws, with regards to its use of the Service.


Data deletion

The Service includes tools for Customers to manually delete Personal Data as needed, e.g. per End User request; the Personal Data will be deleted from our systems as soon as reasonably practicable and within a maximum period of 180 days, unless applicable law requires further storage.

Upon deletion of a Customer account, all Personal Data will be deleted from production and backup systems within 1 year.


Data security

Crownpeak maintains reasonable measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access.

Physical access to the data center requires two-factor authentication via keycard and thumbprint. Server racks are further secured within a locked cage. Data center has 24/7 video surveillance and on-site staff. Backend access to servers and data, whether physical, shell, or administrative interfaces, is limited to employees who require it to perform their duties. No contractors or subprocessors are authorized for such access.

If Crownpeak becomes aware of a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer's Personal Data on our servers ("Incident"), we will notify Customer, via Customer's registered email address, of the Incident promptly and without undue delay, and take reasonable steps to minimise harm and secure Customer's data. Our notification of or response to an Incident will not be construed as an acknowledgement of any fault or liability with respect to the Incident.

Customer agrees that they are solely responsible for their use of the Service, including securing the account credentials, systems and devices Customer uses to access the Service. Crownpeak has no obligation to protect Customer's Personal Data that Customer elects to store or transfer outside of Crownpeak systems.


Data rights

EEA and UK residents have the legal right to access, correct, and delete their Personal Data, per the GDPR, with some exceptions. Residents of California and Brazil have similar rights and exceptions, per the CCPA and LGPD, respectively.

If we receive a request from an End User in the EEA, UK, California or Brazil in relation to Personal Data processed for a Customer, we will advise the End User to submit their request to Customer, and Customer will be responsible for responding to such request using the tools we have provided on our Site for handling Personal Data requests.

Customer agrees to use all reasonable measures to verify the identity and location of an End User before sharing or modifying Personal Data. Per GDPR recital 64, "the controller [Customer] should use all reasonable measures to verify the identity of a data subject [End User] who requests access, in particular in the context of online services and online identifiers."


Data transfer

Customer agrees that Personal Data may be transferred to Crownpeak in the United States of America, where it will be stored and processed.

For Customers residing in the EEA and UK, the Standard Contractual Clauses (SCCs) supplement this DPA.




Changes to the DPA

This DPA may be updated from time to time, as documented below. We will notify you via your registered email address and/or a notice on this website prior to any significant changes becoming effective regarding Personal Data. You should periodically review this page for the latest information.

- Sep 27, 2021 - added clauses for Brazil's LGPD; The SCCs have been moved to a separate document.
- Aug 21, 2020 - added EU Standard Contractual Clauses (SCCs), and additional details to the "Data Security" section.
- Jul 1, 2020 - added clauses for the CCPA.