CRAFTERQ DATA PROCESSING ADDENDUM (DPA)
Last Updated: January 26, 2026
Effective Date: January 1, 2026
This Data Processing Addendum (“DPA”) forms part of the CrafterQ Terms of Service (“Agreement”) between Crafter Software Corporation (“Processor” or “CrafterQ”) and the customer identified in the Agreement (“Controller” or “Customer”).
This DPA applies to the extent CrafterQ processes Personal Data on behalf of Customer in connection with the Service.
1. Definitions
Capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
- “Personal Data” means any information relating to an identified or identifiable individual.
- “Processing” has the meaning given under applicable data protection laws.
- “Applicable Data Protection Laws” means GDPR, UK GDPR, CCPA/CPRA, and other applicable privacy laws.
2. Roles of the Parties
- Customer is the Controller of Personal Data.
- CrafterQ is the Processor, processing Personal Data solely on Customer’s documented instructions, including instructions implicit in the use and configuration of the Service.
3. Scope & Purpose of Processing
3.1 Subject Matter
Processing of Personal Data contained in:
- Customer Content
- User interactions with AI agents
- Account and usage data
3.2 Purpose
CrafterQ processes Personal Data only to:
- Provide, operate, and support the Service
- Generate AI Outputs at Customer’s request
- Ensure security, reliability, and performance
- Comply with legal obligations
3.3 Duration
Processing continues for the term of the Agreement, unless otherwise required by law.
4. Customer Instructions
Customer instructs CrafterQ to process Personal Data by:
- Uploading or connecting Customer Content
- Configuring the Service
- Using AI agents and related features
CrafterQ shall not process Personal Data for any other purpose.
5. Confidentiality
CrafterQ ensures that personnel authorized to process Personal Data:
- Are subject to confidentiality obligations
- Access data only as necessary to perform the Service
6. Security Measures
CrafterQ implements appropriate technical and organizational measures, including:
- Encryption in transit and at rest
- Access controls and role-based permissions
- Logging and monitoring
- Incident response procedures
7. Subprocessors
Customer authorizes CrafterQ to engage third-party subprocessors to support the Service.
CrafterQ shall:
- Maintain a list of subprocessors
- Ensure subprocessors are bound by data protection obligations
- Remain responsible for subprocessors’ performance
8. Data Subject Rights
CrafterQ shall reasonably assist Customer in responding to requests from data subjects, including requests for:
- Access
- Correction
- Deletion
- Restriction
9. Personal Data Breach
CrafterQ shall notify Customer without undue delay upon becoming aware of a Personal Data breach affecting Customer Personal Data and provide reasonable assistance in remediation.
10. Data Deletion & Return
Upon termination of the Agreement:
- Customer may request an export of Personal Data before account deletion
- CrafterQ will delete or anonymize Personal Data thereafter, unless retention is required by law
11. International Transfers
Where Personal Data is transferred outside its originating jurisdiction, CrafterQ shall ensure appropriate safeguards, including:
- Standard Contractual Clauses (where applicable)
- Equivalent legal transfer mechanisms
12. Audits
Upon reasonable written request, CrafterQ shall provide information necessary to demonstrate compliance with this DPA, subject to confidentiality and security restrictions.
13. Limitation of Liability
Liability under this DPA is subject to the limitations set forth in the Agreement.
14. Governing Law
This DPA is governed by the laws specified in the Agreement, except where mandatory data protection laws require otherwise.
