Data Processing Addendum
Last updated: June 20, 2026 · Incorporated into the Terms of Service
1. Roles and scope
This addendum is between you (the "Customer") and Crutan LLC, 228 Faulkner St, Liberty Hill, TX 78642, USA. When you use Crutan to generate pages for your prospects, you are the data controller of the prospect and recipient data you import, and Crutan acts as your data processor. This addendum applies whenever Crutan processes personal data on your behalf under the Terms of Service, and supplements, not replaces, our Privacy Policy. Where Crutan acts as a controller (for example, the crutan.com marketing site), the Privacy Policy governs instead.
2. What we process on your behalf
- Prospect records you import: names, work emails, companies, roles, domains, notes.
- Research artifacts the engine derives from public sources about those companies, including via third-party AI providers (see Subprocessors).
- Engagement events on generated pages: views, clicks, return visits, referrer, and UTM data. IP addresses are stored only as a salted hash, never in raw form.
- Submissions from forms and booking widgets on generated pages (e.g. name, email, meeting requests).
Subject matter: provision of the Service. Duration: the term of the agreement plus the deletion window in section 8. Nature and purpose: hosting, generating, personalizing, and measuring pages. Categories of data subjects: your prospects, recipients, and their colleagues.
3. Our commitments as processor
- Process personal data only on your documented instructions (your workspace configuration and use of product features constitute instructions), unless required by law, in which case we notify you where permitted.
- Ensure personnel with access are bound by confidentiality.
- Implement the technical and organizational measures described in section 5.
- Engage subprocessors only under contracts at least as protective as this addendum (section 6).
- Assist you with data-subject requests, security, breach notification, and impact assessments as reasonably needed.
- Delete or return personal data at contract end (section 8).
- Make available information reasonably necessary to demonstrate compliance.
4. Your commitments as controller
- You have a lawful basis to process and import the prospect data you upload (legitimate-interest assessments for B2B outreach are typically yours to make).
- You will provide any required notices to, and obtain any required consents from, your data subjects.
- You will honor opt-outs and applicable e-marketing laws (CAN-SPAM, CASL, PECR/GDPR, etc.) in campaigns that link to generated pages, see the Acceptable Use Policy.
- You will not import special-category data; the product is not designed for it.
- Your instructions to us will comply with applicable data-protection law.
5. Security measures
- Encryption in transit (TLS 1.2+) and at rest for databases and backups.
- Workspace isolation enforced at the database layer (row-level security), one tenant cannot read another's data.
- Connector secrets and API keys stored encrypted (application-layer cipher).
- Least-privilege internal access; production access limited, logged, and reviewed.
- Signed webhooks (HMAC) for inbound and outbound integrations.
- IP addresses hashed before storage on engagement events.
- Independent infrastructure providers with SOC 2 Type II reports (see Subprocessors).
- See the Security overview for the current control set.
6. Subprocessors
You authorize the subprocessors listed at crutan.com/legal/subprocessors. We will give at least 14 days' notice (via that page and email to workspace owners) before adding a subprocessor that processes customer personal data, during which you may object on reasonable data-protection grounds; if we cannot accommodate a reasonable objection, you may terminate the affected Service.
7. International transfers
Where personal data originating from the EEA, UK, or Switzerland is transferred to a country without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module 2: controller-to-processor), which are incorporated by reference, together with the UK Addendum and Swiss amendments where applicable.
8. Deletion and return
You can export prospect data and engagement events at any time from the product. On termination, we delete customer personal data within 30 days, except minimal records we must retain for legal, billing, or security purposes, which remain protected under this addendum until deleted. Backups roll off within 35 days.
9. Breach notification
We will notify affected workspace owners without undue delay, and in any case within 72 hours of confirming a personal-data breach affecting their data, with the information reasonably available to us at the time and updates as the investigation progresses.
10. Audit
Once per 12-month period, on 30 days' notice, you may audit compliance with this addendum, satisfied first through documentation and our providers' third-party reports, then, where legally required, through a remote review that does not endanger other customers' data.
11. Liability
Each party's liability under this addendum is subject to the limitations of liability in the Terms of Service.
Executing this DPA
This addendum applies automatically to all paid workspaces. If your compliance team requires a countersigned copy, email legal@crutan.com.