Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”, the controller) and Empire Luxury International Corporation (DBA Neuro Empire) (“NeuroCRM”, the processor) and governs the processing of personal data contained in Customer Content. Where there is a conflict on data-protection matters, this DPA prevails over the Terms.
1. Roles and Scope
For Customer Content, the Customer is the controller (or processor acting for its own customers) and NeuroCRM is the processor (or sub-processor). NeuroCRM processes Customer Content only to provide the Service and on the Customer’s documented instructions, which include the Terms, this DPA, and use of the Service’s features. NeuroCRM acts as an independent controller only for the limited account, billing, and security data described in the Privacy Policy.
2. Details of Processing
Subject matter: provision of the NeuroCRM Service. Duration: the term of the Customer’s subscription plus any wind-down period. Nature and purpose: hosting, storage, and processing operations necessary to provide the Service as configured by the Customer. Categories of data subjects: the Customer’s contacts, leads, customers, staff, and other individuals whose data the Customer enters. Categories of personal data: as determined by the Customer, typically identification and contact data, business records, and communications; the Customer must not enter special-category data unless agreed in writing.
3. Customer Instructions and Compliance
NeuroCRM will process Customer Content only on documented instructions, including for transfers, unless required by applicable law (in which case NeuroCRM will inform the Customer unless prohibited). NeuroCRM will notify the Customer if, in its opinion, an instruction infringes applicable data-protection law. The Customer is responsible for the lawfulness of Customer Content and for having all required notices and consents.
4. Confidentiality of Personnel
NeuroCRM ensures that personnel authorised to process Customer Content are bound by confidentiality obligations and process the data only as instructed.
5. Security Measures
NeuroCRM implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including encryption in transit and of access tokens at rest, logical tenant isolation, access controls and logging, resilience and backup, and regular review. A summary is available on request and in the Privacy Policy.
6. Sub-processors
The Customer grants general authorisation for NeuroCRM to engage sub-processors. A current list is at /legal/subprocessors. NeuroCRM imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains responsible for their performance. NeuroCRM will give at least 30 days’ notice of any new or replacement sub-processor; the Customer may object on reasonable data-protection grounds, and if the parties cannot resolve the objection, the Customer may terminate the affected Service and receive a refund of prepaid unused fees.
7. Data-Subject Requests and Assistance
Taking into account the nature of processing, NeuroCRM will, by appropriate measures and to the extent commercially reasonable, assist the Customer in responding to data-subject requests and in complying with its obligations regarding security, breach notification, data-protection impact assessments, and prior consultation. If NeuroCRM receives a request directly from a data subject, it will forward it to the Customer and not respond except as instructed or required by law.
8. Personal Data Breach Notification
NeuroCRM will notify the Customer without undue delay, and in any event within 24 hours of becoming aware of a confirmed or reasonably suspected personal data breach affecting Customer Content, and will provide available information to help the Customer meet its notification obligations, with updates as the investigation progresses. Such notification is not an acknowledgement of fault or liability. Determining whether to notify regulators or data subjects, and making such notifications, is the Customer’s responsibility as controller; NeuroCRM provides reasonable cooperation.
9. International Transfers
Where processing involves a transfer of personal data out of the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission’s Standard Contractual Clauses (2021/914), Module Two (controller to processor), completed with the information in this DPA, together with the UK International Data Transfer Addendum and the Swiss adaptations as applicable; alternatively NeuroCRM may rely on the EU-US Data Privacy Framework where certified. NeuroCRM applies supplementary measures as appropriate. In a conflict, the SCCs prevail solely to the extent necessary.
10. Russian Data Contour (152-FZ)
For personal data of individuals in the Russian Federation, NeuroCRM maintains a segregated Russian contour with primary recording and storage on servers located in Russia, in accordance with Federal Law No. 152-FZ, and processes such data on the Customer’s instruction under Article 6(3) 152-FZ. This contour and its breach-notification flow (preliminary within 24 hours and results within 72 hours to Roskomnadzor) operate independently of the GDPR chain. See the Personal Data Processing Policy (Russia).
11. Audit
NeuroCRM will make available information necessary to demonstrate compliance with this DPA and allow for audits. To minimise disruption, NeuroCRM may satisfy audit requests by providing current third-party certifications or reports (such as ISO 27001 or SOC 2 Type II) where available. On-site or detailed audits are limited to once per year (except following a breach), require at least 30 days’ notice, a mutually agreed scope, and confidentiality, and are conducted during business hours without unreasonable interference.
12. Return and Deletion
On termination, at the Customer’s choice made within 30 days, NeuroCRM will return Customer Content in a commonly used format or delete it and, on request, certify deletion within a reasonable period, except to the extent retention is required by law. Routine backups are overwritten on the standard rotation cycle.
13. Liability and Precedence
Each party’s liability under this DPA is subject to the limitations and exclusions in the Terms of Service, including the enhanced cap for data-protection breaches. This DPA, including its incorporated SCCs, prevails over conflicting provisions of the Terms on data-protection matters. The DPA is governed by the law and dispute-resolution provisions of the Terms applicable to the Customer.