Data Processing Agreement (DPA)
Important context. When you install Crumbless on your own server, you are the data controller for any data the software processes — we don’t see it. Strictly speaking, our role looks more like a software vendor than a processor. However, B2B customers under GDPR scrutiny often need a formal DPA on file. This document fills that gap. It covers (a) the limited personal data we process about you as our customer on the Crumbless Hub, where we are the processor for any data you control, and (b) clarifies the data-controller relationship for the self-hosted product.
This is a template. Replace [BRACKETED] placeholders before publishing or signing. Have a Spanish lawyer or DPO review before relying on this in a formal procurement process. Compliant with GDPR Article 28.
Last updated: 2026-05-07
1. Parties
This Data Processing Agreement (“DPA”) is entered into between:
- The Customer: [CUSTOMER LEGAL NAME], registered office at [CUSTOMER ADDRESS], acting as Data Controller (“Controller”, “you”);
- NEXTGENWEBS, S.L., a Sociedad Limitada registered in Spain with tax ID B97380067 and registered office at Pol. Ind. Fuente del Jarro, Plaza Gerardo Salvador, No. 1, Offices 17–19, 46988 Paterna – Valencia, Spain, acting as Data Processor in the context defined below (“Crumbless”, “we”, “Processor”).
Together, the “Parties”.
This DPA forms part of the Terms of Service (“Principal Agreement”) between the Parties. In case of conflict between this DPA and the Principal Agreement regarding the processing of personal data, this DPA prevails.
2. Scope and clarifications
2.1 What this DPA covers
This DPA governs personal data that we process on behalf of the Customer in connection with our services. Specifically:
- Account data, license data, and Hub usage data — where you are the controller and we are the processor.
2.2 What this DPA does not cover (and why)
This DPA does not cover personal data your visitors generate when they use a website on which you have installed the Crumbless Software, because:
- The Crumbless Software runs on infrastructure under your control, not ours;
- We do not receive, see, or process that data at any point;
- The Software is engineered to avoid generating personal data in the first place (see our Privacy Promise for a technical explanation).
In that context, you are the sole data controller for any data your Crumbless installation processes, with full responsibility for compliance. We are not a processor of that data; we are a software vendor whose product you operate independently. This is the same legal relationship you have with the operating system on your server, your web framework, or any locally installed software.
If your local interpretation of GDPR or your enterprise procurement process requires a formal acknowledgement of this relationship, this DPA serves as that acknowledgement.
3. Subject matter, duration, and nature of processing
| Item | Details |
|---|---|
| Subject matter | Provision of the Crumbless Hub services described in the Principal Agreement |
| Duration | The duration of the Principal Agreement |
| Nature of processing | Storage, retrieval, organisation, transmission, and deletion of personal data necessary to provide the services |
| Purpose | Account management, license issuance and verification, billing, customer support, security |
| Categories of data subjects | Authorised users of the Customer’s account |
| Categories of personal data | Email addresses, names (where provided), country, VAT number (where provided), bcrypt password hashes, TOTP secrets (if 2FA enabled), license keys (hashed), installation identifiers, IP addresses (transient), Lemon Squeezy customer/order/subscription IDs |
| Special categories (Art. 9) | None processed |
| Data of children | None processed |
4. Obligations of the Processor
We will:
4.1 Documented instructions
Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do otherwise by EU or Member State law (in which case we will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest).
The Principal Agreement, this DPA, and the configuration choices made by the Controller in their account constitute the Controller’s documented instructions.
4.2 Confidentiality
Ensure that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security
Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. Our current measures are described in Annex II to this DPA.
4.4 Sub-processors
Engage sub-processors only in accordance with section 5 of this DPA.
4.5 Assist the Controller
Taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as possible, to fulfil the Controller’s obligation to respond to data subject requests under Chapter III GDPR (rights of data subjects).
In practice, this primarily means: (a) providing self-service tools where feasible, and (b) responding to documented Controller requests for data export, correction, or deletion within reasonable timescales.
4.6 Breach notification
Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal data breach affecting the Controller’s personal data. The notification will include the information required under Article 33(3) GDPR to the extent we have it.
4.7 Records of processing
Maintain a record of categories of processing activities carried out on behalf of the Controller, in accordance with Article 30(2) GDPR.
4.8 Cooperation with supervisory authorities
Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, in accordance with section 8 of this DPA.
4.9 Return or deletion
On termination of the Principal Agreement, at the Controller’s choice, delete or return all personal data to the Controller, and delete existing copies, unless EU or Member State law requires storage.
The default is deletion within 90 days of termination, with the exception of data we are legally required to retain (for example, invoicing data under Spanish tax law for 6 years). Such retained data is processed only for the legal purpose that requires it.
5. Sub-processors
5.1 General authorisation
The Controller grants general written authorisation for the engagement of sub-processors, on condition that we:
- Maintain an up-to-date list of sub-processors at crumbless.eu/legal/sub-processors;
- Inform the Controller of intended changes (additions or replacements) at least 30 days in advance, giving the Controller the opportunity to object;
- Impose contractual obligations on each sub-processor that are no less protective than this DPA, in accordance with Article 28(4) GDPR;
- Remain fully liable to the Controller for the performance of the sub-processor’s obligations.
5.2 Right to object
If the Controller objects in good faith to a new sub-processor, the Parties will discuss in good faith for 30 days. If no resolution is reached, the Controller may terminate the Principal Agreement with respect to the affected services with pro-rata refund of any prepaid fees.
5.3 Current sub-processors
Listed in Annex I.
6. International transfers
Where personal data is transferred to a country outside the European Economic Area not covered by an adequacy decision, the Parties rely on the European Commission’s Standard Contractual Clauses (“SCCs”, Implementing Decision (EU) 2021/914) as the lawful transfer mechanism.
By signing this DPA, the Parties are deemed to have signed the SCCs (Module 2: Controller-to-Processor or Module 3: Processor-to-Processor as applicable), with:
- Clause 7 (docking clause): not applicable (bilateral)
- Clause 9 (sub-processors): Option 2 (general authorisation) with a 30-day notice period
- Clause 11 (redress): no independent dispute resolution body
- Clause 17 (governing law): the law of Spain
- Clause 18 (forum and jurisdiction): the courts of Spain
- Annexes: as set out in Annex I and Annex II to this DPA
Where supplementary measures are required by the Schrems II judgment or subsequent guidance, we apply them as described in Annex II.
7. Data subject rights and assistance
We assist the Controller in responding to data subject requests by:
- Providing self-service mechanisms where feasible (account export, account deletion);
- Responding to documented Controller requests within 14 calendar days for routine requests, sooner where the deadline imposed on the Controller by GDPR requires it;
- Not responding directly to data subjects, except to direct them to the Controller, unless the Controller instructs us otherwise or applicable law requires it.
8. Audits
The Controller has the right to verify our compliance with this DPA through:
- Information: written requests for documentation, attestations, or certifications, which we will respond to within 30 days;
- Audit: at the Controller’s reasonable cost, no more than once per 12-month period (except where there is a reasonable suspicion of breach), with at least 30 days’ written notice, conducted by the Controller or an independent auditor mutually approved, subject to confidentiality obligations and during normal business hours, in a manner that does not unreasonably disrupt our operations.
We may satisfy audit requests by providing recent third-party security audit reports, ISO 27001 / SOC 2 certifications (when obtained), or equivalent attestations, where these reasonably address the Controller’s concerns.
9. Liability
Each Party’s liability under this DPA is governed by the liability provisions of the Principal Agreement, except where mandatory law (including GDPR) provides otherwise. Nothing in this DPA limits liabilities that cannot be excluded under applicable law.
10. Term, termination, and order of precedence
This DPA enters into force on the effective date of the Principal Agreement and remains in effect for as long as we process personal data on behalf of the Controller.
In the event of any conflict between this DPA, the Principal Agreement, and the SCCs:
- The SCCs prevail in matters within their scope.
- This DPA prevails over the Principal Agreement in matters concerning the processing of personal data.
- The Principal Agreement governs all other matters.
11. Signature
Signed for and on behalf of the Controller:
Name: ________________________ Title: ________________________ Date: ________________________ Signature: ________________________
Signed for and on behalf of NEXTGENWEBS, S.L.:
Name: [SIGNATORY NAME] Title: [SIGNATORY TITLE] Date: ________________________ Signature: ________________________
Annex I — Sub-processors
| Name | Role | Country | Transfer mechanism |
|---|---|---|---|
| Lemon Squeezy, LLC | Payments and merchant of record | United States | EU SCCs + supplementary measures |
| [HOSTING PROVIDER, e.g. Hetzner Online GmbH] | Server hosting | Germany / Finland (EEA) | Within EEA |
| [CDN PROVIDER, e.g. Bunny.net] | Content delivery | EU | Within EEA |
| [EMAIL PROVIDER, e.g. Postmark] | Transactional email | [LOCATION] | [As applicable] |
| [ERROR TRACKING, e.g. Sentry] | Error monitoring | [LOCATION] | [As applicable] |
The current canonical list is at crumbless.eu/legal/sub-processors.
Annex II — Technical and organisational measures (TOMs)
A. Pseudonymisation and encryption
- TLS 1.2+ for all data in transit, with HSTS preload on customer-facing endpoints;
- Encrypted backups using AES-256;
- Bcrypt for password hashing (cost factor ≥ 12);
- Customer license keys stored as SHA-256 hashes;
- IP addresses processed only at request time and never written to persistent storage on the marketing site or license API beyond a 14-day rolling log retained for security purposes.
B. Confidentiality, integrity, availability, and resilience
- Daily encrypted database backups with 30-day retention; weekly off-site copies;
- Multi-factor authentication mandatory for all administrative access;
- Principle of least privilege applied to staff access;
- Network segmentation between public, application, and data tiers;
- DDoS mitigation at the CDN layer.
C. Restoration of availability
- Documented backup restoration procedure tested at least annually;
- RTO target: 4 hours for the license verification API; 24 hours for customer dashboard;
- RPO target: 24 hours.
D. Process for regular testing
- Quarterly review of dependency security advisories;
- Annual penetration test by an independent third party once revenue and scale justify it;
- Continuous error monitoring with alerting on anomalies;
- Append-only audit logs of administrative actions, retained for 24 months.
E. User identification, authorisation, access management
- Role-based access control;
- All admin access from allowlisted IPs only;
- Automatic session expiry; re-authentication required for sensitive operations.
F. Physical security
- All processing infrastructure resides in EU-based data centres operated by sub-processors with ISO 27001 certification.
G. Awareness, training, and personnel reliability
- Confidentiality obligations in employment / contractor agreements;
- Annual security awareness training for all personnel with access to customer data.
H. Vendor management
- Annual review of sub-processors, including their security posture, certifications, and processing locations;
- DPAs in place with all sub-processors handling personal data.
I. Supplementary measures for international transfers
For transfers to the United States (notably Lemon Squeezy), supplementary measures include:
- Pseudonymisation of personal data where feasible;
- Tracking of any government access requests; commitment to challenge unlawful requests;
- Annual review of the legal landscape and adequacy of supplementary measures.