When you trust Crawlzo with data, this Data Processing Addendum is the contract that holds us to it. It sets out, in the language regulators and procurement teams expect, exactly how we process personal data on your behalf: our role as processor, the security we maintain, who our subprocessors are, how we handle transfers and breaches, and how you can audit us.
Overview & how to execute
This Data Processing Addendum (“DPA”) forms part of the agreement between Crawlzo (“Crawlzo,” the “Processor”) and the customer (the “Controller” or “you”) for the provision of the Services (the “Agreement”). It governs Crawlzo’s Processing of Personal Data on your behalf and reflects the requirements of the GDPR, the UK GDPR, and applicable U.S. state privacy laws.
In the event of any conflict between this DPA and the rest of the Agreement regarding the Processing of Personal Data, this DPA controls.
Definitions
Capitalized terms not defined here have the meaning given in the Agreement or in applicable Data Protection Law.
- Data Protection Law. All laws applicable to the Processing of Personal Data under the Agreement, including the EU GDPR, the UK GDPR, the Swiss FADP, and U.S. state privacy laws such as the CCPA/CPRA.
- Controller, Processor, Data Subject, Processing. As defined in the GDPR (or their equivalents under other Data Protection Law, including “business” and “service provider” under the CCPA).
- Personal Data. Any Customer Data that constitutes personal data and is Processed by Crawlzo on your behalf under the Agreement.
- Subprocessor. Any third party engaged by Crawlzo to Process Personal Data on your behalf.
- SCCs. The Standard Contractual Clauses approved by the European Commission, together with the UK International Data Transfer Addendum where applicable.
Roles & scope of processing
As between the parties, you are the Controller and Crawlzo is the Processor of Personal Data Processed under the Agreement. Where you act as a processor for a third-party controller, Crawlzo acts as a subprocessor, and you warrant that you have the authority and instructions necessary to engage us.
Crawlzo will Process Personal Data only: (a) to provide the Services and as otherwise necessary to perform the Agreement; (b) in accordance with your documented lawful instructions, including those given through the Services’ configuration and your target specifications; and (c) as required by applicable law, in which case we will inform you unless legally prohibited. We will promptly notify you if, in our opinion, an instruction infringes Data Protection Law.
The subject matter, duration, nature, and purpose of the Processing, and the categories of Data Subjects and Personal Data, are described in Annex A.
Crawlzo’s obligations
Crawlzo will:
- Process Personal Data only on your documented instructions and not for its own purposes;
- ensure that personnel authorized to Process Personal Data are bound by confidentiality;
- implement and maintain the technical and organizational measures in Annex B;
- assist you, taking into account the nature of Processing, in responding to Data Subject requests and in meeting your obligations for security, breach notification, data protection impact assessments, and prior consultation;
- make available information reasonably necessary to demonstrate compliance and submit to audits as described below; and
- at your choice, delete or return Personal Data at the end of the Services and delete existing copies unless retention is required by law.
Consistent with our zero-retention default, Crawlzo does not retain Output containing Personal Data beyond the period necessary to deliver it and any retention window you configure.
Data subject requests
Taking into account the nature of the Processing, Crawlzo will assist you by appropriate technical and organizational measures, insofar as this is possible, to fulfil your obligation to respond to requests by Data Subjects exercising their rights. If a Data Subject contacts Crawlzo directly regarding Personal Data we Process on your behalf, we will, where legally permitted, promptly forward the request to you and not respond directly except to confirm receipt or as you instruct.
Subprocessors
You provide general authorization for Crawlzo to engage Subprocessors to Process Personal Data, subject to this section. Crawlzo will: (a) impose data-protection obligations on each Subprocessor no less protective than those in this DPA; and (b) remain liable for each Subprocessor’s performance.
Our current Subprocessors are listed below. We will give you advance notice of any intended addition or replacement of a Subprocessor and a reasonable period to object on legitimate data-protection grounds. To subscribe to change notifications, email support@crawlzo.com.
| Subprocessor | Purpose | Region |
|---|---|---|
| Cloud infrastructure provider | Compute, storage, and network hosting | EU / US (per residency) |
| Managed database & queue provider | Operational data stores and delivery queues | EU / US (per residency) |
| Payment processor | Billing and payment handling | US / EU |
| Communications & support tooling | Email, ticketing, and customer support | US / EU |
| Observability provider | Logging, metrics, and error monitoring | EU / US |
A current and complete list with legal entity names is provided with the signed DPA on request.
International transfers
Where Processing of Personal Data involves a transfer from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties agree that the SCCs are incorporated into this DPA by reference and apply to that transfer, with Crawlzo as “data importer” and you as “data exporter,” supplemented by the UK Addendum and Swiss amendments as applicable. We implement supplementary measures, including encryption in transit and at rest, access controls, and a policy of challenging unlawful government access requests, to protect transferred data.
For customers requiring data to remain in a region, Crawlzo offers EU and US data residency options that confine Processing and storage accordingly.
Security measures
Crawlzo implements and maintains the technical and organizational measures set out in Annex B to ensure a level of security appropriate to the risk, taking into account the state of the art, costs of implementation, and the nature, scope, context, and purposes of Processing. We review and update these measures over time and will not materially decrease their overall protection during the term.
Personal data breach notification
Crawlzo will notify you without undue delay, and in any event within the timeframe required by Data Protection Law, after becoming aware of a Personal Data breach affecting Personal Data we Process on your behalf. The notification will describe, to the extent known, the nature of the breach, likely consequences, measures taken or proposed, and a contact point for more information. We will cooperate with you and take reasonable steps to mitigate and remediate the breach.
Audit & demonstration of compliance
Crawlzo will make available to you information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an independent auditor you mandate, subject to reasonable confidentiality and security constraints and no more than once per year absent a breach or regulator requirement. Where available, providing our third-party audit reports, certifications, and security documentation satisfies audit requests. To request our trust pack, contact support@crawlzo.com.
CCPA / U.S. state law terms
To the extent the CCPA applies, Crawlzo acts as a service provider and: (a) will not sell or share Personal Data; (b) will not retain, use, or disclose Personal Data for any purpose other than performing the Services or as permitted by the CCPA; (c) will not combine Personal Data with data from other sources except as the CCPA permits; and (d) certifies that it understands and will comply with these restrictions. Similar terms apply under other U.S. state privacy laws where relevant.
Term, deletion & return
This DPA takes effect when the Agreement does and remains in force for as long as Crawlzo Processes Personal Data on your behalf. On termination or expiry, and at your choice, Crawlzo will delete or return all Personal Data and delete existing copies, unless retention is required by law, in which case Crawlzo will protect it and limit further Processing.
Annex A: Details of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Crawlzo web data platform and managed data services. |
| Duration | The term of the Agreement plus any wind-down period. |
| Nature & purpose | Retrieval, structuring, transformation, and delivery of web data per your instructions. |
| Categories of Data Subjects | As determined by your instructions and targets; you are responsible for ensuring a lawful basis. |
| Categories of Personal Data | As determined by your instructions; you agree not to instruct Processing of special-category data without prior written agreement and safeguards. |
| Frequency | Continuous or batch, per your configuration. |
Annex B: Security measures
Crawlzo maintains, at a minimum, the following technical and organizational measures:
- Encryption. TLS 1.3 in transit and AES-256 at rest.
- Access control. Least-privilege, role-based access, unique credentials, and enforced multi-factor authentication for administrative access.
- Network security. Segmentation, firewalls, and restricted ingress/egress.
- Logging & monitoring. Centralized logging, alerting, and anomaly detection.
- Resilience. Redundancy, backups where applicable, and tested recovery procedures.
- Vulnerability management. Patching, dependency scanning, and periodic testing.
- Personnel. Background checks where lawful, confidentiality obligations, and security training.
- Incident response. A documented process for detection, escalation, and notification.
A detailed description is available in our trust pack on request via support@crawlzo.com. See also our Compliance page.