How Piraja processes data on behalf of customers in compliance with GDPR and global privacy regulations.
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Piraja CRM ("Processor", "we", "us") and the customer ("Controller", "you") who uses Piraja CRM services.
This DPA applies where and to the extent that we process Personal Data on your behalf in the course of providing our services. This DPA is designed to ensure compliance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR") and equivalent provisions under applicable data protection laws worldwide.
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person as defined in applicable data protection law.
- Processing: Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
- Data Subject: The identified or identifiable natural person to whom Personal Data relates.
- Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Scope and Purpose of Processing
We process Personal Data solely for the purpose of providing Piraja CRM services to you, including:
- Customer relationship management: Storing and managing contact information, organizations, and individuals.
- Communication: Processing email data for the mailbox integration module (Gmail, Outlook).
- Billing and invoicing: Processing payment and billing information via Stripe.
- Support and ticketing: Managing support tickets and service cases.
- Analytics: Aggregated, anonymized usage analytics to improve the service.
4. Categories of Data Subjects and Personal Data
Data subjects may include:
- Your employees and team members (user accounts)
- Your customers and contacts (CRM records)
- Your business partners and vendors
Categories of Personal Data processed:
- Contact information (name, email, phone number, address)
- Professional information (job title, company, department)
- Communication records (emails, notes, activity logs)
- Financial data (invoices, payment references — card data is processed solely by Stripe)
- Technical data (IP addresses, browser information for authentication)
5. Obligations of the Processor
We shall:
a) Process Personal Data only on your documented instructions, unless required by applicable law.
b) Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
c) Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS/HTTPS) and at rest
- AES-256-GCM encryption for OAuth tokens
- Row Level Security (RLS) on database tables
- Regular security assessments and audits
- Access controls and authentication via Supabase Auth
d) Not engage another processor without your prior general written authorization. We maintain a list of approved sub-processors (see Section 8).
e) Assist you in responding to Data Subject requests (access, rectification, erasure, portability, restriction, and objection).
f) Assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultation.
g) At your choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
h) Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits.
6. Obligations of the Controller
You shall:
a) Ensure that your use of our services and your instructions to us comply with applicable data protection laws.
b) Have obtained all necessary consents and legal bases for the processing of Personal Data shared with us.
c) Notify us promptly of any Data Subject requests that require our assistance.
7. Data Breach Notification
We shall notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include:
- A description of the nature of the breach
- The categories and approximate number of Data Subjects and Personal Data records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach
8. Sub-processors
We use the following sub-processors to deliver our services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase (Supabase Inc.) | Database hosting, authentication, file storage | United States (AWS) |
| Stripe (Stripe Inc.) | Payment processing, billing, invoicing | United States |
| Vercel (Vercel Inc.) | Application hosting, edge network, serverless functions | Global (edge network) |
| Resend (Resend Inc.) | Transactional email delivery | United States |
| OpenAI (OpenAI LLC) | AI-powered features (Aiden assistant) | United States |
| Google (Google LLC) | Gmail integration, Google Calendar, Analytics | United States |
| Microsoft (Microsoft Corp.) | Outlook/Microsoft 365 integration | United States |
We will inform you of any intended changes to sub-processors, giving you reasonable opportunity to object.
9. International Data Transfers
Where Personal Data is transferred outside the European Economic Area (EEA), we ensure that appropriate safeguards are in place, including:
- Standard Contractual Clauses (SCCs) as approved by the European Commission
- Adequacy decisions where applicable
- Supplementary measures as required
Our primary sub-processors maintain their own data transfer mechanisms and certifications.
10. Data Retention and Deletion
- We retain Personal Data only for as long as necessary to provide our services.
- You can configure data retention periods within the application settings.
- Automated data purging runs on configurable schedules.
- Upon termination of services, we will delete your data within 30 days unless required by law to retain it.
- You may request data export at any time through the application.
11. Audit Rights
You have the right to audit our compliance with this DPA. Audits shall be:
- Conducted with reasonable prior notice (at least 30 days)
- Limited to once per year unless a data breach has occurred
- Conducted during normal business hours
- At the Controller's expense
We may satisfy audit requests by providing relevant certifications, audit reports, or other documentation.
12. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
13. Duration and Termination
This DPA shall remain in effect for the duration of our processing of Personal Data on your behalf. It shall automatically terminate when we no longer process Personal Data for you.
Provisions that by their nature should survive termination (including data deletion obligations, confidentiality, and liability) shall survive.
14. Governing Law
This DPA shall be governed by the same law that governs the Terms of Service, without prejudice to mandatory data protection laws that may apply.
15. Contact
For questions about this DPA or to exercise your rights, contact us at:
Email: support@piraja.io