
Data Processing Addendum (DPA)

Last updated: 2026-05-10. This DPA is incorporated by reference into the Terms of Service for any Customer that processes personal data of EU/UK/Swiss data subjects through the Service.

1. Definitions

  • Customer ("Controller"): the legal entity that has accepted the Terms of Service and uses the Service.
  • AVP ("Processor"): Crawlmind Inc., the operator of the Service.
  • Personal Data: data relating to an identified or identifiable natural person, as defined in Art. 4(1) GDPR.
  • Sub-processor: any third party engaged by AVP to process Customer Personal Data. Current list at /legal/subprocessors.

2. Subject matter + duration

AVP processes Customer Personal Data only to provide the Service for the duration of the Customer's subscription, plus the retention windows defined in the Privacy Policy.

3. Categories of data + data subjects

  • Data subjects: Customer's end-users of the audited websites (incidental personal data appearing on crawled pages); Customer's own team members who use AVP.
  • Categories: identifiers (email, name, IP address from request logs), organisation membership, audit log entries, content of crawled pages insofar as they contain personal data the Customer has chosen to publish.

4. Customer instructions

AVP processes Personal Data only on documented instructions from the Customer. Use of the Service through its UI/API constitutes documented instructions. AVP will not process Personal Data for its own purposes.

5. Confidentiality

AVP ensures that all personnel authorised to process Personal Data are under written confidentiality obligations.

6. Security measures (Art. 32 GDPR)

AVP implements appropriate technical + organisational measures, including:

  • TLS 1.2+ in transit, automatically provisioned via Let's Encrypt; HSTS enabled.
  • Application-layer AES-256-GCM encryption of SSO client secrets and SAML keys at rest.
  • Argon2id password hashing; public API tokens stored as SHA-256 hashes.
  • Role-based access control (Owner / Admin / Manager / Analyst / Viewer) on every protected endpoint; tenant isolation enforced by organizationId on every query.
  • Outbound webhooks signed with HMAC-SHA256; SSRF guard on every URL the crawler fetches.
  • Structured logging with credential / cookie redaction; an in-app AuditLog records platform-admin actions (impersonation, plan / quota overrides, role changes, etc.).
  • Vulnerability scanning of container images on every release; CycloneDX SBOMs.
  • Daily host-level backups; on-demand pg_dump exports.

What we have not yet shipped: end-user MFA, KMS-backed envelope encryption of the full database, multi-AZ failover, 24x7 on-call rotation, external penetration test, SOC 2 / ISO 27001. We will update this section and notify customers when each is in place. Full breakdown: /legal/security.

7. Sub-processors

AVP uses the sub-processors listed at /legal/subprocessors. Customer authorises the use of these sub-processors. We give Customer at least 30 days' notice before adding a new sub-processor (via email + product changelog) and the Customer can object on legitimate grounds. If we cannot resolve the objection, the Customer may terminate the affected portion of the Service.

8. Data subject rights

AVP will assist the Customer with responding to data subject requests (access, rectification, erasure, portability, objection) by providing the in-product tools described in the Privacy Policy. For requests AVP receives directly, we forward them to the Customer within 5 business days.

9. Personal data breaches

AVP notifies the Customer of any Personal Data breach affecting the Customer's data without undue delay and no later than 72 hours after becoming aware of it. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.

10. International transfers

For transfers of Personal Data outside the EEA / UK / Switzerland to sub-processors, AVP relies on the EU Commission's Standard Contractual Clauses (Module 3, processor-to-processor) and, where applicable, the UK IDTA addendum. A copy is available on request from [email protected].

11. Audit

The Customer can audit AVP's compliance with this DPA once per year, on 30 days' written notice, during business hours, subject to mutually agreed scope and confidentiality. Routine information requests are satisfied by the Customer reviewing AVP's SOC 2 / ISO report (when available) and this DPA.

12. Return + deletion at end of services

Upon termination, AVP deletes Customer Personal Data within 30 days, except where retention is required by law (e.g. invoices for tax purposes) or where backup retention windows make immediate deletion infeasible — in which case data remains encrypted and is deleted on the backup retention schedule.

13. Liability

Liability under this DPA is governed by the Terms of Service.

14. Order of precedence

If there is a conflict between this DPA and the Terms of Service, this DPA prevails for the subject matter it covers.

15. Contact

[email protected]