This Data Processing Agreement (DPA) applies when you use NairoCRM to process personal data of your customers, employees, prospects, or other individuals. It sits alongside our Terms of Service and forms part of your contract with us.
In this DPA: controller means you, the NairoCRM customer; processor means NairoCRM; and data subject means an individual whose data you upload into NairoCRM.
You are the controller of the personal data you upload to NairoCRM. You are responsible for: choosing what data to collect, why you collect it, the legal basis for processing, providing notice to data subjects, and responding to data subject requests.
NairoCRM is the processor. We process the data on your documented instructions, which are typically reflected in your configuration of the service and these documents.
Provision of the NairoCRM service to you under our Terms of Service.
For the term of your subscription, plus the retention period in our Privacy Policy after termination.
Hosting, storage, transmission, backup, analytics, customer support, and other processing necessary to deliver the service.
Whatever you choose to upload. Typically: contact details, deal records, activity history, support tickets, and any free-text notes or attachments you add.
Typically: your customers, prospects, leads, employees, contractors, and other individuals you interact with.
We maintain a written information security program with administrative, technical, and physical safeguards designed to protect personal data. Highlights include encryption in transit and at rest, access controls, audit logging, vulnerability management, secure development practices, and incident response procedures.
Full details are on our Security page.
We use sub-processors to deliver parts of the service: cloud hosting, email delivery, payments, error tracking, and similar. All sub-processors are bound by data protection terms at least as protective as this DPA.
We maintain a current list of sub-processors and will notify you of material changes with reasonable advance notice. You may object to a new sub-processor on reasonable grounds related to data protection; if we cannot accommodate the objection, you may terminate the affected service.
Your data may be transferred across borders to provide the service. When transfers happen out of regions with statutory data protection regimes, we use appropriate safeguards as required by applicable law, such as standard contractual clauses or recognized adequacy mechanisms.
If a data subject contacts us directly about their data in your NairoCRM account, we will, unless legally required to act, refer them to you. If you need help responding to a request (for example to export, correct, or delete a record), our support team can assist.
We notify you without undue delay if we become aware of a personal data breach affecting your data. The notification will include information available to us at the time and will be updated as we learn more.
On reasonable written request and subject to confidentiality, we will provide information you reasonably need to verify our compliance with this DPA. For some customers we may rely on third-party audit reports rather than on-site audits.
At the end of the service, we will delete or return your personal data within a reasonable timeframe, unless we are required by law to retain it. Specifics are in our Privacy Policy.
To the extent of any conflict between this DPA and our Terms of Service, this DPA prevails with respect to personal data processing.
For most customers, accepting our Terms of Service automatically incorporates this DPA. If your procurement or legal team needs a counter-signed copy, contact us through the link below and we will send one within 5 business days.