Data Processing Agreement

This Data Processing Agreement (DPA) governs the processing of personal data by Less Annoying CRM GmbH (Processor) on behalf of the Customer (Controller) in connection with the use of the Less Annoying CRM platform.

The term of the data processing corresponds to the duration of the main agreement (Terms of Service). Upon termination of the main agreement, this DPA also terminates.

Processing includes: storage and management of contact data (leads, customers, companies), managing deals and pipeline records, processing engagement data (activities, calls, emails, meetings), providing CRM analytics and reports, and operating automation workflows.

The purpose of processing is to provide the CRM services agreed in the main contract.

Data subjects: contacts, leads, accounts, and companies managed by the Controller via the CRM platform.

Categories of personal data: email addresses, first and last name, phone numbers, company affiliation, job title, custom fields (defined by the Controller), engagement data (call logs, meeting notes, activity timestamps), technical data (IP addresses, user agent, geolocation at country level), and data source records (import origin, creation timestamp).

Less Annoying CRM agrees to: process personal data only on documented instructions from the Controller, ensure the confidentiality of the data, implement appropriate technical and organizational measures, engage subprocessors only with prior approval, assist the Controller in fulfilling its obligations, and delete or return all data at the end of the processing.

The Processor implements the following TOMs: encryption of all data in transit (TLS 1.3) and at rest (AES‑256), physical access control through ISO 27001‑certified data centres, logical access control with role‑based permissions and 2FA, input control via comprehensive audit logs for all data changes, transfer control through encrypted communication channels, availability control via redundant systems and daily backups, and separation by design through a multi‑tenant architecture with strict data isolation.

Less Annoying CRM uses the following subprocessors:

Amazon Web Services EMEA SARL (Luxembourg) – cloud hosting and data processing. Hetzner Online GmbH (Germany) – backup servers. Stripe Inc. (USA, based on EU standard contractual clauses) – payment processing. Postmark (USA, based on EU standard contractual clauses) – transactional system notifications.

Changes to subprocessors are notified at least 30 days in advance. The Controller has the right to object.

Less Annoying CRM supports the Controller in fulfilling data subject rights through: API endpoints for data export and deletion, dashboard features for one‑click deletion, automated handling of data deletion requests, and notification of any data subject requests received directly by Less Annoying CRM.

Data subject requests received directly by ${n} are forwarded to the Controller without delay.

Less Annoying CRM will notify the Controller of any data breach without undue delay, and in any case within 48 hours of becoming aware of it.

The notification will include: the nature of the breach, the categories of data and approximate number of affected data subjects, likely consequences, and measures taken or proposed to mitigate the impact.

Following termination of the main agreement, the Processor will delete all personal data within 30 days, unless statutory retention obligations require otherwise.

Upon request, the Controller may export the data in JSON or CSV format before deletion.

Deletion includes all systems: live databases, backups, logs, caches, and third‑party systems.

The Controller has the right to verify compliance with this DPA: by requesting current certifications and audit reports (e.g., SOC 2 Type II, available on request), by submitting written inquiries answered within 14 days, and by on‑site audits with reasonable prior notice (at least 30 days) and at the Controller’s own cost.

The Controller bears the costs of on‑site audits. ${n} will provide the necessary resources.

This DPA forms an integral part of the main agreement and becomes effective upon registration. Modifications require written form.

This agreement is governed by German law. The place of jurisdiction is Berlin.

A PDF version of this DPA can be requested at contact@lessannoying-crm.com.