Effective Date: 24 September 2025
Parties: Crylo Tech Ltd (data processor/controller as specified below) — company registration number [insert number], 128 City Road, London, United Kingdom, EC1V 2NX
Contact for data protection matters: Phone +44 7881 673483 · Email crylotechltd@gmail.com
- Purpose and Scope
1.1 This Data Processing Agreement (the “Agreement”) outlines the terms under which Crylo Tech Ltd (“Crylo Tech,” “Processor,” or “we”) processes personal data on behalf of its customers or business partners acting as data controllers (“Controller”), in connection with the supply of services, software, hosting, support, or other related deliverables as described in the separate Master Agreement between the parties (the “Master Agreement”). This Agreement is an integral part of the Master Agreement.
1.2 If Crylo Tech acts as a data controller in relation to certain data processing activities, those activities are not governed by this Agreement unless explicitly specified. The respective roles of data controller and data processor will be determined in the Master Agreement or within a separate Processing Schedule.
- Definitions
2.1 The following terms shall have the meanings ascribed to them in this Agreement:
Personal Data: Information related to an identified or identifiable individual
Special Category Data: Sensitive data as defined under applicable data protection law
Processing: Any operation or set of operations performed on Personal Data
Data Subject: An individual whose Personal Data is processed
Data Controller: The entity that determines the purposes and means of processing Personal Data
Data Processor: The entity that processes Personal Data on behalf of the Controller
International Transfer: Any transfer of Personal Data to a country outside the jurisdiction in which it was originally collected
Sub-processor: Any third-party Data Processor engaged by the Processor to assist with processing Personal Data on behalf of the Controller
SCCs: Standard Contractual Clauses, as approved by the relevant regulatory authorities, for the transfer of Personal Data to jurisdictions outside the European Economic Area (EEA) or UK
- Roles and Responsibilities
3.1 The Controller is responsible for determining the purposes and means of processing Personal Data. It is also responsible for ensuring that it has a lawful basis for processing the Personal Data and for providing any necessary notices to Data Subjects. The Controller shall only provide the Processor with Personal Data necessary for the performance of the Master Agreement and ensure that the provision of such data is lawful.
3.2 The Processor shall process Personal Data only in accordance with documented instructions from the Controller, including with respect to transfers to third countries or international organizations, unless required to do otherwise by law. If the Processor is compelled by law to process Personal Data outside of the documented instructions of the Controller, the Processor will inform the Controller of the legal requirement (to the extent permitted by law) prior to processing.
- Processing Details and Subject Matter
4.1 Subject Matter: Personal Data submitted to or collected by the Processor in connection with the Services provided under the Master Agreement.
4.2 Duration of Processing: The duration of processing shall align with the term of the Master Agreement and continue as reasonably necessary for termination activities, compliance with legal obligations, or as specified in the Master Agreement.
4.3 Nature and Purpose: Crylo Tech will provide services, host and maintain software, deliver support, handle billing, diagnostics, and perform related activities described in the Master Agreement.
4.4 Categories of Data Subjects: End users, customer employees and contractors, prospective clients, personnel, applicants, and other individuals whose Personal Data is submitted to the Processor by or on behalf of the Controller.
4.5 Categories of Personal Data: Contact and identity data, account and authentication data, transactional and billing data, technical and usage data, customer project data, and other necessary categories required for the performance of the Services.
- Processor Obligations
5.1 The Processor shall implement appropriate technical and organizational measures to ensure a level of security that is appropriate to the risk. This includes access control, authentication, encryption during transit and at rest, logging, monitoring, patch management, vulnerability management, and secure development practices. The Processor will document these measures and provide evidence of compliance to the Controller upon request, subject to confidentiality obligations.
5.2 The Processor shall ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations and have received adequate training regarding data protection.
5.3 The Processor shall assist the Controller, where reasonably necessary, to help the Controller comply with Data Subject rights requests, data breach notifications, Data Protection Impact Assessments, and consultations with supervisory authorities. The Processor’s assistance will be subject to the Controller providing reasonable cooperation and compensating for excessive requests.
5.4 The Processor shall maintain records of processing activities carried out on behalf of the Controller as required by applicable law.
- Sub-processors
6.1 The Controller hereby authorizes the Processor to engage Sub-processors for the provision of services as detailed in the Master Agreement or as otherwise notified to the Controller. The Processor shall provide the Controller with prior written notice of any new Sub-processors and the Controller may object to a new Sub-processor on reasonable grounds related to data protection; failure to object within ten (10) business days will be deemed acceptance.
6.2 The Processor will ensure that Sub-processors are bound by written contracts that impose data protection obligations equivalent to those in this Agreement. The Processor will remain liable for the actions of Sub-processors.
- International Transfers
7.1 International transfers of Personal Data shall only occur where the Controller’s documented instructions permit such transfers and where appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs), adequacy decisions, or other lawful transfer mechanisms. If required, the Processor shall enter into SCCs with the Controller and provide cooperation to implement safeguards.
7.2 Where local law requires the Processor to retain Personal Data within a specific jurisdiction or respond to lawful local requests, the Processor will notify the Controller in advance (where permitted by law) and seek to limit any disclosures, providing notice to the Controller when required by law.
- Security Incidents and Breach Notification
8.1 The Processor shall notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a confirmed data breach involving Personal Data that affects the Controller. The Processor shall provide sufficient details to enable the Controller to meet any regulatory reporting obligations.
8.2 The Processor shall cooperate with the Controller in incident response, investigation, and mitigation, and shall assist in notifying supervisory authorities and Data Subjects where required.
- Data Subject Rights and Cooperation
9.1 The Processor shall, upon the Controller’s request, assist with responding to Data Subject requests for access, rectification, erasure, restriction, portability, or objection, within the statutory timeframes. Where applicable, the Processor may provide the necessary tools or extracts to help the Controller respond directly to Data Subjects, as per the Controller’s instructions.
- Deletion, Return, and Retention of Personal Data
10.1 Upon termination or expiry of the Master Agreement, the Processor shall, at the Controller’s option, either return or securely delete all Personal Data processed on the Controller’s behalf, subject to any legal retention requirements. The Processor will provide certification of deletion upon request.
10.2 The Processor may retain archived backups containing Personal Data only for the minimum necessary period, ensuring that retained data is isolated, access-restricted, and deleted in line with the retention schedule.
- Audit and Inspection
11.1 The Controller may, at its own cost, audit the Processor’s compliance with this Agreement by reviewing independent third-party assessment reports (such as SOC2 Type II) provided by the Processor or, if applicable, conducting on-site audits with reasonable notice. Operational audits will not occur more frequently than once every 12 months unless there is reasonable suspicion of non-compliance.
11.2 Audit access will be subject to operational and security constraints. The Controller agrees not to disrupt the Processor’s business unnecessarily. Any findings from the audit will be remediated within a reasonable timeframe as agreed upon by both parties.
- Liability and Indemnities
12.1 The parties’ liability for breaches of data protection obligations is subject to the terms set forth in the Master Agreement. Nothing in this Agreement limits liability for breaches that cannot be limited by law. Each party agrees to indemnify the other for liabilities arising from its breach of this Agreement and data protection obligations under the Master Agreement.
- Miscellaneous
13.1 This Agreement is governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this Agreement will be subject to the exclusive jurisdiction of the courts of England and Wales unless otherwise agreed in writing.
13.2 This Agreement may be updated by the Processor to reflect legal, regulatory, or operational changes. The Controller will be notified of material changes in advance and may be required to provide consent for such changes.
13.3 In the event of any conflict between this Agreement and the Master Agreement, the Master Agreement will prevail, except to the extent that this Agreement offers greater protection for Personal Data, in which case the Agreement will take precedence.
Contact for DPA Matters and Processor Details
For any inquiries or to exercise rights related to this Agreement, please contact Crylo Tech at crylotechltd@gmail.com or call +44 7881 673483.