Data Processing Agreement

Last updated: January 2025

This Data Processing Agreement ("DPA") forms part of the Master Services Agreement (or other applicable agreement) between CRED, Inc. ("CRED," "Processor," "we," "us," or "our") and the Customer ("Controller," "you," or "your") for the provision of the CRED data intelligence platform and related services (the "Services"). This DPA sets out the terms and conditions under which CRED will process personal data on behalf of the Customer in compliance with applicable data protection legislation, including the European Union General Data Protection Regulation (EU 2016/679) ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act ("CCPA"), and any other applicable data protection laws.

This DPA shall apply to the extent that CRED processes personal data on behalf of the Customer in the course of providing the Services. In the event of any conflict between this DPA and the Master Services Agreement, the terms of this DPA shall prevail with respect to data protection matters.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") that is processed by CRED on behalf of the Customer in connection with the Services. An identifiable natural person is one who can be identified, directly or indirectly, by reference to an identifier such as a name, identification number, location data, online identifier, or one or more factors specific to the physical, physiological, genetic, mental, economic, cultural, or social identity of that person.

"Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Sub-processor" means any third party engaged by CRED to process Personal Data on behalf of the Customer in connection with the Services.

"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the GDPR, the UK GDPR, the CCPA, the Swiss Federal Act on Data Protection, and any other applicable national or regional data protection legislation, as amended from time to time.

2. Processing of Personal Data

CRED shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by European Union or Member State law to which CRED is subject. In such a case, CRED shall inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The subject matter, duration, nature, and purpose of the processing, the types of Personal Data processed, and the categories of Data Subjects are described in Annex 1 to this DPA. CRED shall not process Personal Data for any purpose other than as necessary to provide the Services and as instructed by the Customer. CRED shall not sell Personal Data or use it for purposes of targeted advertising, profiling, or any purpose unrelated to the provision of the Services.

CRED shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. CRED shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as detailed in Section 6 of this DPA.

3. Data Controller and Processor Obligations

Controller Obligations

The Customer, as the Data Controller, is responsible for: (a) ensuring that it has a lawful basis for the processing of Personal Data, including obtaining all necessary consents from Data Subjects where required; (b) providing CRED with documented instructions regarding the processing of Personal Data; (c) ensuring that the Personal Data provided to CRED is accurate, complete, and up to date; and (d) complying with all applicable Data Protection Laws in relation to its use of the Services and the processing of Personal Data.

The Customer shall notify CRED promptly if it becomes aware of any circumstances that may affect CRED's ability to process Personal Data in accordance with this DPA, including any changes to Data Protection Laws that may impact the processing, any Data Subject requests that require CRED's assistance, or any data protection impact assessments that may need to be conducted.

Processor Obligations

CRED, as the Data Processor, shall: (a) process Personal Data only in accordance with the Customer's documented instructions and this DPA; (b) implement appropriate technical and organizational security measures; (c) assist the Customer in responding to Data Subject requests; (d) assist the Customer in ensuring compliance with obligations related to security of processing, notification of data breaches, data protection impact assessments, and prior consultation with supervisory authorities; (e) make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA; and (f) allow for and contribute to audits and inspections conducted by the Customer or the Customer's authorized auditor.

4. Sub-processors

The Customer grants CRED general written authorization to engage Sub-processors for the processing of Personal Data. CRED shall maintain a current list of Sub-processors on its website and shall notify the Customer of any intended changes to Sub-processors at least thirty (30) days in advance by email or through the platform, giving the Customer the opportunity to object to such changes.

If the Customer objects to a new Sub-processor on reasonable grounds related to data protection, the parties shall discuss the Customer's concerns in good faith. If the parties are unable to reach a mutually acceptable resolution, the Customer may terminate the affected Services without penalty by providing written notice within thirty (30) days of the notification of the new Sub-processor.

CRED shall impose on each Sub-processor, by way of a written contract, data protection obligations that are no less protective than those set out in this DPA. CRED shall remain fully liable to the Customer for the performance of each Sub-processor's obligations. CRED's current Sub-processors include cloud infrastructure providers (Amazon Web Services, Google Cloud Platform), analytics services, payment processors, and customer support platforms, as detailed in the Sub-processor list available at credplatform.com/sub-processors.

5. Data Subject Rights

CRED shall assist the Customer in fulfilling its obligations to respond to requests from Data Subjects exercising their rights under applicable Data Protection Laws. These rights include, but are not limited to, the right of access, the right to rectification, the right to erasure ("right to be forgotten"), the right to restriction of processing, the right to data portability, the right to object to processing, and the right not to be subject to automated decision-making, including profiling.

If CRED receives a request directly from a Data Subject regarding Personal Data processed on behalf of the Customer, CRED shall promptly notify the Customer and shall not respond to the request directly unless authorized by the Customer or required by applicable law. CRED shall provide the Customer with commercially reasonable assistance in responding to Data Subject requests, including by providing relevant technical capabilities within the platform for the Customer to access, export, correct, or delete Personal Data.

CRED shall implement and maintain features within the platform that enable the Customer to fulfill Data Subject requests efficiently, including the ability to search for and identify Personal Data associated with a specific Data Subject, export such data in a commonly used and machine-readable format, and delete or anonymize such data upon request.

6. Security Measures

CRED implements and maintains comprehensive technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures are designed to ensure a level of security appropriate to the risk and are regularly reviewed and updated. CRED maintains SOC 2 Type II certification, which is independently audited on an annual basis.

Technical measures include: (a) encryption of Personal Data in transit using TLS 1.2 or higher and at rest using AES-256 encryption; (b) network segmentation and firewall protection; (c) intrusion detection and prevention systems; (d) regular vulnerability assessments and penetration testing conducted by independent third parties; (e) secure software development practices, including code review and automated security testing; and (f) automated backup and disaster recovery procedures with recovery point objectives (RPO) of 1 hour and recovery time objectives (RTO) of 4 hours.

Organizational measures include: (a) role-based access controls with the principle of least privilege; (b) multi-factor authentication for all personnel accessing production systems; (c) mandatory security awareness training for all employees upon hire and annually thereafter; (d) background checks for employees with access to Personal Data; (e) documented information security policies and procedures; (f) a dedicated security team responsible for monitoring, incident response, and compliance; and (g) regular internal and external audits of security controls.

7. International Transfers

CRED may transfer Personal Data to countries outside the European Economic Area (EEA), the United Kingdom, or Switzerland in connection with the provision of the Services. Where such transfers occur, CRED shall ensure that appropriate safeguards are in place in accordance with applicable Data Protection Laws. CRED relies on the Standard Contractual Clauses (SCCs) adopted by the European Commission (Commission Implementing Decision (EU) 2021/914) as the primary transfer mechanism for transfers of Personal Data from the EEA to third countries.

CRED has conducted transfer impact assessments for its primary processing locations and Sub-processors to evaluate the level of data protection in the recipient countries and to identify any supplementary measures that may be necessary. CRED implements supplementary measures, including encryption, pseudonymization, and access controls, to ensure that Personal Data receives a level of protection that is essentially equivalent to that guaranteed under the GDPR.

CRED shall promptly notify the Customer if it becomes aware of any legal requirement or government access request that may affect the protection of Personal Data transferred under this DPA, to the extent permitted by applicable law. CRED shall challenge any such request that it reasonably considers to be unlawful or excessive.

8. Breach Notification

CRED shall notify the Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Personal Data processed on behalf of the Customer. The notification shall include, to the extent available: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the name and contact details of CRED's data protection officer or other contact point where more information can be obtained; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects.

CRED shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of any personal data breach. CRED shall document all personal data breaches, including the facts relating to the breach, its effects, and the remedial actions taken, and shall make this documentation available to the Customer and, upon request, to the relevant supervisory authority.

CRED maintains a documented incident response plan that is tested at least annually through tabletop exercises and simulations. The incident response plan includes procedures for identification, containment, eradication, recovery, and post-incident review of security incidents, with clearly defined roles, responsibilities, and escalation procedures.

9. Audit Rights

CRED shall make available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and shall allow for and contribute to audits, including inspections, conducted by the Customer or a third-party auditor mandated by the Customer. Audits shall be conducted during normal business hours, with reasonable advance notice of at least thirty (30) days, and shall not unreasonably interfere with CRED's business operations.

CRED shall provide the Customer with copies of its most recent SOC 2 Type II audit report and any other relevant third-party certifications or audit reports upon request. To the extent that an audit can be satisfied through the review of such reports and documentation, the Customer agrees to rely on these materials before exercising its right to conduct an on-site audit.

Contact Information

For questions about this Data Processing Agreement, please contact: