Data Processing Agreement (DPA)
Last updated: March 28, 2026
1. Parties
This Data Processing Agreement ("DPA") is entered into between:
- Data Controller: the Client (as identified in the service agreement), hereinafter the "Controller";
- Data Processor: CrewBitz Srl, with registered office in Italy, hereinafter the "Processor".
This DPA forms an integral part of the service agreement between the Controller and the Processor and is governed by Article 28 of Regulation (EU) 2016/679 ("GDPR").
2. Subject Matter and Duration
The Processor shall process personal data on behalf of the Controller solely for the purpose of providing the Ployer service, as described in the service agreement.
The duration of the processing shall be equal to the duration of the service agreement. Upon termination, the provisions of Section 4 regarding data deletion or return shall apply.
3. Nature and Purpose of Processing
The nature of the processing involves the automation of business tasks through AI-powered digital employees (Ployers). The types of personal data processed and the categories of data subjects depend on the specific Ployer role deployed by the Controller.
Examples by Ployer role:
- HR Ployer: employee names, contact details, CVs, performance data
- Sales Ployer: prospect names, company information, contact details
- Support Ployer: customer names, email addresses, support ticket content
- Marketing Ployer: contact lists, engagement metrics, campaign data
4. Obligations of the Processor
The Processor undertakes to:
- Process data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by Union or Member State law;
- Ensure confidentiality: ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
- Implement security measures in accordance with Article 32 of the GDPR, as detailed in Section 6 of this DPA;
- Assist with data subject requests (DSAR): assist the Controller by appropriate technical and organizational measures for the fulfilment of the Controller's obligation to respond to requests for exercising data subject rights;
- Assist with DPIA and breach notifications: assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor;
- No sub-processing without authorization: not engage another processor without prior specific or general written authorization of the Controller (see Section 5);
- Make available information for audits: make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections (see Section 9);
- Delete or return data: at the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless Union or Member State law requires storage of the personal data.
5. Sub-processors
The Controller provides general written authorization for the Processor to engage the following sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| DeepInfra | AI model inference | USA |
| Anthropic | AI model inference | USA |
| Cloudflare | CDN, DDoS protection, DNS | Global (HQ: USA) |
| Contabo | Server hosting | Germany |
| Zoho | Email services | EU (Netherlands) |
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller a 30-day notice period to object to such changes. If the Controller objects, the Processor shall refrain from engaging the new sub-processor for the processing of the Controller's data, or the Controller may terminate the service agreement.
6. Security Measures (Art. 32)
The Processor implements the following technical and organizational security measures:
- Pseudonymization: personal data is pseudonymized where feasible, separating identifiers from content data;
- Encryption in transit: all data transmissions are encrypted using TLS 1.2 or higher;
- Row-Level Security (RLS): database access is enforced through row-level security policies, ensuring strict tenant isolation;
- Encrypted backups: all backups are encrypted at rest and stored in compliance with data residency requirements;
- Periodic testing: the effectiveness of security measures is tested and evaluated on a regular basis.
7. Data Breach (Art. 33-34)
In the event of a personal data breach, the Processor shall:
- Notify the Controller within 48 hours after becoming aware of the breach;
- Provide the following information:
  - The nature of the breach, including where possible the categories and approximate number of data subjects and records concerned;
  - The likely consequences of the breach;
  - The measures taken or proposed to address the breach, including measures to mitigate its adverse effects;
  - The name and contact details of the Processor's point of contact.
- Assist the Controller in fulfilling its notification obligations towards the supervisory authority (Art. 33) and, where applicable, towards the affected data subjects (Art. 34).
8. Extra-EU Transfers
Personal data may be transferred to sub-processors located outside the European Economic Area (EEA) only where appropriate safeguards are in place, specifically:
- Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to Article 46(2)(c) of the GDPR;
- Any supplementary measures required following a transfer impact assessment.
The Processor ensures that all extra-EU sub-processors listed in Section 5 have entered into SCCs covering the relevant data transfers.
9. Audit
The Controller has the right to conduct audits of the Processor's compliance with this DPA, subject to the following conditions:
- The Controller shall provide at least 30 days' prior written notice;
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations;
- The cost of the audit shall be borne by the Controller, unless the audit reveals a material breach by the Processor;
- The Controller may appoint a qualified third-party auditor, subject to confidentiality obligations.
10. Liability
Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82:
- The Controller is liable for processing that does not comply with the GDPR or with lawful instructions given to the Processor;
- The Processor is liable where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions.
Each party shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.