crusaderbase

Data Processing Agreement

Last updated: 2026-06-29

Reviewed internally for beta use — not reviewed by outside counsel. This is a standard-form processor DPA covering GDPR / UK GDPR / CCPA obligations, offered as-is for our pilot program. We will have it reviewed by counsel before general availability.

This Data Processing Agreement ("DPA") supplements the Terms of Service or other written agreement (the "MSA") between the customer organization ("Customer" or "Controller") and Not Beer Inc. ("CrusaderBase" or "Processor") governing Customer's use of the CrusaderBase platform (the "Service"). It applies to the Processing of Personal Data on Customer's behalf.

1. Definitions

Capitalized terms used but not defined here have the meanings given in the MSA or in applicable Data Protection Laws.

  • "Controller" means the Customer, who determines the purposes and means of Processing of Customer Personal Data.
  • "Processor" means Not Beer Inc., which Processes Customer Personal Data on Controller's behalf under this DPA.
  • "Customer Personal Data" means Personal Data contained in Customer Data that is Processed by Processor under the MSA.
  • "Data Protection Laws" means all laws and regulations applicable to the Processing of Customer Personal Data, including the EU and UK General Data Protection Regulation ("GDPR"), the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and other comparable U.S. state privacy laws.
  • "Personal Data", "Processing", "Data Subject", and "Personal Data Breach" have the meanings given in the GDPR.
  • "Sub-processor" means any third party engaged by Processor to Process Customer Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Decision (EU) 2021/914, including Module Two (controller to processor) and Module Three (processor to processor) as applicable, together with the UK International Data Transfer Addendum where the UK GDPR applies.

2. Scope and roles

The parties acknowledge that with respect to the Processing of Customer Personal Data, Customer is the Controller and Processor acts as a Processor on Customer's behalf. Where Customer is itself a processor for a third-party controller, Customer appoints Processor as a sub-processor and the SCCs Module Three apply where relevant.

3. Details of Processing

  • Subject matter. Provision of the Service to Customer.
  • Duration. The term of the MSA, plus any additional period during which Processor retains Customer Personal Data as permitted by this DPA.
  • Nature and purpose. Hosting, transmission, storage, and Processing of Customer Personal Data to operate AI-agent workflows the Customer has activated, including generating outputs, calling third-party APIs the Customer has authorized, recording usage events, and producing audit traces.
  • Types of Personal Data. Identifiers (name, email, organization), authentication identifiers, message content the Customer or Customer's end-users submit to or generate through the Service, address and contact information included in shipments or correspondence, and metadata about agent activity.
  • Categories of Data Subjects. Customer's personnel, Customer's end-users, and individuals whose information the Customer authorizes to be Processed (for example, creators who message a connected Instagram account, or recipients of approved shipments).

4. Processor obligations

Processor will:

  • Process only on documented instructions. Process Customer Personal Data only on Controller's documented instructions, including those given through the Service's configuration, the MSA, this DPA, and reasonable instructions Controller subsequently provides in writing. Processor will inform Controller if, in Processor's opinion, an instruction infringes Data Protection Laws.
  • Confidentiality. Ensure that personnel authorized to Process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory obligation of confidentiality, and have received appropriate training.
  • Security measures. Implement appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. Current measures include TLS in transit, disk-level encryption at rest through Supabase, role-based access control, Postgres row-level security, secrets management through AWS Secrets Manager, audit logging, and a defined incident-response process. The measures are detailed further in Annex II of the SCCs as populated in the addendum referenced below and will evolve as the Service matures.
  • Sub-processors. Engage Sub-processors only under written terms (including a Sub-processor's standard data-protection terms or DPA) that impose obligations substantially equivalent to those in this DPA. Controller grants general authorization for Processor to engage the Sub-processors listed at /legal/subprocessors. Processor will give Controller at least 30 days' notice before adding or replacing a Sub-processor (by updating the list, sending email to the addresses subscribed to subprocessor updates, or both). Controller may object on reasonable data-protection grounds within that period; if the parties cannot resolve the objection, Controller may terminate the affected portion of the Service for cause and receive a refund of any pre-paid, unused fees attributable to that portion. Processor remains liable for the acts and omissions of its Sub-processors as if performed by Processor.
  • Assistance with Data-Subject requests. Taking into account the nature of the Processing, assist Controller by appropriate technical and organizational measures, insofar as possible, to fulfill Controller's obligation to respond to requests by Data Subjects to exercise their rights. If Processor receives a Data Subject request directly, Processor will promptly forward it to Controller and will not respond except on Controller's instructions or as required by law.
  • Assistance with compliance. Provide reasonable assistance to Controller in ensuring compliance with its obligations under Data Protection Laws regarding security of Processing, breach notification, data-protection impact assessments, and prior consultation with supervisory authorities.
  • Personal Data Breach notification. Notify Controller without undue delay, and in any event within 72 hours after becoming aware, of a Personal Data Breach affecting Customer Personal Data. The notification will describe the nature of the breach (so far as known), the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.
  • Deletion or return. At Controller's choice, delete or return all Customer Personal Data after the end of the provision of services and delete existing copies unless storage is required by law. Standard deletion will be completed within 30 days of a written request, subject to Processor's backup-rotation cycle.

5. Customer obligations

  • Customer represents and warrants that it has all rights, consents, and lawful bases necessary for Processor to Process Customer Personal Data as contemplated by the MSA and this DPA.
  • Customer is responsible for the accuracy, quality, and legality of Customer Personal Data, the means by which Customer acquired Customer Personal Data, and Customer's instructions to Processor.
  • Customer will provide notices to, and obtain consents from, Data Subjects as required by Data Protection Laws, including for the use of AI-generated outputs and for the connection of third-party platforms (such as Instagram or email providers).
  • Customer is responsible for using available controls in the Service (including approval gates and access controls) to protect Customer Personal Data appropriately.

6. Audit rights

Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA. Once available, Processor will share its annual SOC 2 Type II report (or a comparable industry-standard third-party audit report) under NDA on Controller's reasonable request. Until such reports are available, Processor will respond to reasonable written questionnaires.

Where Data Protection Laws require an on-site audit that cannot be satisfied by the materials above, Controller may, at its expense, conduct an audit no more than once per year, on at least 30 days' written notice, during business hours, in a manner that does not disrupt Processor's operations or the security or confidentiality of any other customer's data, and subject to confidentiality. Controller will share audit results with Processor and the parties will discuss in good faith any remediation.

7. International transfers

Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not been deemed to provide an adequate level of protection, the Standard Contractual Clauses are incorporated by reference and form part of this DPA. The parties agree that:

  • Module Two (controller to processor) applies where Customer is a controller and Processor is a processor. Module Three (processor to processor) applies where Customer is itself a processor and Processor acts as its sub-processor.
  • In Clause 7, the docking clause is included.
  • In Clause 9, Option 2 (general written authorization) applies with at least 30 days' notice for changes to Sub-processors.
  • In Clause 11, the optional independent dispute-resolution body language is not included.
  • In Clause 17, the governing law is the law of the Republic of Ireland.
  • In Clause 18, the courts of Ireland are the chosen forum for disputes arising under the SCCs.
  • Annex I (parties, description of transfer, competent supervisory authority) and Annex II (technical and organizational measures) are populated by the corresponding sections of this DPA and the Privacy Policy.
  • For data subject to the UK GDPR, the parties incorporate the UK International Data Transfer Addendum (Version B1.0).

8. Liability

Each party's liability arising out of or related to this DPA (including, where applicable, the Standard Contractual Clauses) is subject to the limitations and exclusions of liability set forth in the MSA. Nothing in this DPA limits a Data Subject's rights against either party as third-party beneficiaries under the Standard Contractual Clauses.

9. Term and termination

This DPA takes effect on the date Customer accepts the MSA or this DPA, whichever is later, and continues until the MSA terminates or expires. Sections that by their nature should survive (including Sections 4(viii) on deletion, 7 on transfers, and 8 on liability) survive termination.

10. Governing law

This DPA is governed by the law of the State of Texas, United States, except that the SCCs are governed by the law specified in those clauses. The dispute-resolution provisions of the MSA apply to disputes under this DPA, except as required by the SCCs.

11. Order of precedence

In case of conflict among (i) the SCCs, (ii) this DPA, and (iii) the MSA, the order of precedence is: SCCs first, then this DPA, then the MSA.

12. Contact

DPA-related notices, including breach notifications and Sub-processor objections, can be sent to dillon@enjoynotbeer.com.