noCRM.io agreement for data processing

Agreement for data processing in accordance with Article 28 General Data Protection Regulation (EU-GDPR) hereinafter referred to as the Contract
between
the subscriber of the Service noCRM.io hereinafter referred to as the Client
and
YOU DONT NEED A CRM (SAS), 102 Rue de Miromesnil 75008 Paris - the Processor - hereinafter referred to as the Supplier

Version 1.1 created October 14th 2020, last updated October 14th 2020.

1. Subject matter and duration of the Order or Contract

(1) Subject matter
The Subject matter of the Order or Contract results from the Service Agreement, which is available at https://www.nocrm.io/tos (hereinafter referred to as the Service Agreement).
You Don’t Need a CRM provides a Service to the Client that allows the Client to manage data on prospects and customers and their interactions with the Client's salespeople. The Service falls in the global category of “Lead management software”.

(2) Duration
The duration of this Contract corresponds to the duration of the Service Agreement and depends on the type of subscription the Client has chosen.

2. Specification of the Order or Contract Details

(1) Nature and Purpose of the intended Processing of Data
Before detailing the Subject Matter with regard to the Nature and Purpose of the services provided by the Supplier, it is important to differentiate between two kinds of data:

  • the personal data of the Client’s users of the Service, hereinafter referred to as Users Data;
  • and the data on the prospects and customers of the Client, hereinafter referred to as Client’s Sales Related Data.

Users Data are stored to ensure the deliverability, quality and security of the Service; they include personal data such as name, email, phone and encrypted passwords. These data are mandatory in order to provide the Service.
Part of the Service is also to measure the performance of the Client's salespeople; as a consequence the Service provides precise reports on the activity and performance of those salespeople in terms of number of calls, emails, meetings, leads created, leads won, etc.
We also store usage logs on our servers and collect anonymous statistics. Usage logs are kept for a limited amount of time, while statistical data are kept much longer. Statistical data are not personal, but please be aware that we use Google Analytics at a Client level of precision, and if the Client has only one user we can clearly know that the data refers only to that user. Statistical data are kept in Google Analytics even after the end of the Contract. Please also check our privacy policy on these subjects.

Client’s Sales Related Data are collected and processed to allow the Client to organize, understand and run its sales activities. They include prospects' and customers' contact data; the history of sales activities; and the tracking of conversations with prospects and customers.

Location of data storage: Even though the Supplier is a French company, most of the data storage and processing occurs in the USA. The transfer, processing and storage of the data fulfil the specific conditions of Article 44 et seq. EU-GDPR by working with companies that are bound by the EU Standard Contractual Clauses (SCC) or that contractually provide at least the same level of data protection. By accepting this Contract the Client authorizes the Supplier to transfer, store and process those data in the USA in accordance with the EU-GDPR regulation.
Data are stored on Amazon AWS servers in East Virginia and are managed with the help of Engine Yard Inc. These suppliers, as well as their physical location in the US, might change in the future, but any new supplier will either be in the EU or will also comply with the EU-GDPR regulation through the Standard Contractual Clauses or an at least equivalent mechanism.
Note 1: For the business card recognition feature we use the services of ABBYY software. ABBYY is a Russian company and the image of the business card might be transferred and processed in Russia. You can find more information about ABBYY software privacy rules here: https://www.abbyy.com/en-gb/privacy/ If you want to be sure that business card related data is not transferred to Russia, please deactivate this feature in the application.
Note 2: Because of the Schrems II ruling, which put an end to the EU-US Privacy Shield, we are still in discussion with PushWoosh, our technical provider of notifications, to see how they can amend their contract to comply with the new ruling. Until then you can disconnect notifications inside the application settings so that their infrastructure is not used to send notifications.
For a complete list of third party service providers used to deliver the service please refer to Annex 2.

(2) Type of Data
The Subject Matter of the processing of personal data generally comprises the following data types/categories: address; e-mail address; telephone number; name and name suffix; communications with prospects or customers. It can in fact contain any data the Client adds to the Service.
It is the Client's responsibility to define and know which kind of data is stored in the Service.

(3) Categories of Data Subjects
The Categories of Data Subjects are generally interested persons; prospects; customers; franchisees…
It is the Client's responsibility to define and know which kind of Data Subjects are recorded in the Service and whether this is lawful or not.
Note: At You Don't Need a CRM, we believe that as long as the Client has obtained data in a lawful and loyal way, the Client may not need the express consent of its prospects to store their data in the Service (Recital 47). Be aware that this is only our interpretation of the EU-GDPR regulation and we take no responsibility for it; ultimately, as mentioned above, it is the Client's responsibility to know what is lawful or not.

3. Technical and Organizational Measures

For information about the technical and organizational security measures taken to protect data, please see Annex 1.

(1) The Supplier has documented in Annex 1 the execution of the necessary technical and organizational measures, specifically with regard to the detailed execution of the contract. The Client accepts those measures, which are the foundation of the contract. Insofar as an inspection/audit by the Client shows the need for amendments, such amendments shall be discussed and eventually implemented by mutual agreement. There is no obligation for the Supplier to reach an agreement with the Client.

(2) The Supplier shall establish the security in accordance with Article 28(3)(c), and Article 32 EU-GDPR in particular in conjunction with Article 5 Paragraph 1, and Paragraph 2 EU-GDPR. The measures to be taken are measures of data security and measures that guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons within the meaning of Article 32(1) EU-GDPR must be taken into account, see Annex 1.

(3) The technical and organizational measures are subject to technical progress and further development. In this respect, it is permissible for the Supplier to implement alternative adequate measures. In so doing, the security level of the defined measures must not be reduced. Substantial changes must be documented.

4. Rectification, restriction, erasure of data and portability

(1) The Supplier may not on its own authority rectify, erase or restrict the processing of data that is being processed on behalf of the Client.

(2) The Client has full access to the data and has the ability to search and erase any record. Every request concerning rectification or erasure of Client's Sales Related Data shall be managed directly by the Client via the user interface of the Service. In the case of a complex rectification or erasure, the Client may request the help of the Supplier, who will check feasibility and propose a quotation for the request. Be aware that data will remain in our backups for up to six months after erasure from our databases.

(3) Data portability of the Client is ensured at two levels:

  • by simple data export inside the application in .csv or .json format;
  • by use of the Supplier's public API for a more complete/complex export of data. In this case it is the Client's responsibility to programmatically call the API to export the data it wants.

5. Quality assurance and other duties of the Supplier

In addition to complying with the rules set out in this Order or Contract, the Supplier shall comply with the statutory requirements referred to in Articles 28 to 33 EU-GDPR; accordingly, the Supplier ensures, in particular, compliance with the following requirements:
d) Confidentiality in accordance with Article 28(3) Sentence 2 lit. b, Articles 29 and 32(4) EU-GDPR. The Supplier entrusts the data processing outlined in this contract only to employees who have been bound to confidentiality and have previously been familiarized with the data protection provisions relevant to their work. The Supplier and any person acting under its authority who has access to personal data shall not process that data except on instructions from the Client, which includes the powers granted in this contract, unless required to do so by law.
e) Implementation of and compliance with all technical and organizational measures necessary for this Order or Contract in accordance with Article 28(3) Sentence 2 lit. c, Article 32 EU-GDPR.
f) The Client and the Supplier shall cooperate, on request, with the supervisory authority in performance of its tasks.
g) The Client shall be informed immediately of any inspections and measures conducted by the supervisory authority, insofar as they relate to this Contract. This also applies insofar as the Supplier is under investigation or is party to an investigation by a competent authority in connection with infringements to any Civil or Criminal Law, or Administrative Rule or Regulation regarding the processing of personal data in connection with the processing of this Order or Contract.
h) Insofar as the Client is subject to an inspection by the supervisory authority, an administrative or summary offence or criminal procedure, a liability claim by a data subject or by a third party or any other claim in connection with the Order or Contract data processing by the Supplier, the Supplier shall make its best efforts to support the Client.
i) The Supplier shall periodically monitor the internal processes and the technical and organizational measures to ensure that processing within its area of responsibility is in accordance with the requirements of applicable data protection law and the protection of the rights of the data subject.
j) Verifiability of the technical and organizational measures conducted by the Client as part of the Client's supervisory powers referred to in item 7 of this contract.

Note: Based on the kind of services that You Don't Need a CRM provides, the Supplier is not required by law to have a data protection officer (DPO). Because of the size of the Supplier's company, if we had a DPO they would need to be an external one, which the Supplier thinks would not be efficient. Data protection is a matter of the highest importance for the Supplier, so the CEO, Sunny Paris, has taken on the effective role of the DPO even though officially the Supplier does not have a DPO (CEOs cannot be DPOs as they would be considered judge and jury). A DPO may be appointed in the future; in this case the Client shall be informed.
c) For any matter concerning privacy, data and security the Supplier can be contacted at dpo@youdontneedacrm.com.

6. Subcontracting

(1) Subcontracting for the purpose of this Agreement is to be understood as meaning services which relate directly to the provision of the principal service. This does not include ancillary services, such as telecommunication services, postal / transport services, maintenance and user support services or the disposal of data carriers, as well as other measures to ensure the confidentiality, availability, integrity and resilience of the hardware and software of data processing equipment. The Supplier shall, however, be obliged to make appropriate and legally binding contractual arrangements and take appropriate inspection measures to ensure the data protection and the data security of the Client's data, even in the case of outsourced ancillary services.
(2) The Supplier may commission subcontractors (additional contract processors) only if they are bound by a contractual agreement in accordance with EU-GDPR. The Supplier will inform the Client of any change in the subcontractor list, but the Client agrees that if it does not agree with a new subcontractor it will have no other choice than closing its account. The current list of subcontractors is given in Annex 2; the Client explicitly agrees to that list.
(3) The support team of the Supplier is partly composed of independent subcontractors living in different countries, including countries outside the EU. All support team members are personally bound by a non-disclosure agreement and are aware of the absolute importance of data privacy. If the Client does not want the support team to be able to access its account, it must set this preference accordingly in its Admin Panel > Account Settings.

7. Supervisory powers of the Client

(1) The Client has the right, after consultation with the Supplier, to carry out inspections or to have them carried out by an auditor to be designated in each individual case. It has the right to satisfy itself of the Supplier's compliance with this agreement in its business operations by means of random checks, which are ordinarily to be announced in good time.
(2) The Supplier shall ensure that the Client is able to verify compliance with the obligations of the Supplier in accordance with Article 28 EU-GDPR. The Supplier undertakes to give the Client the necessary information on request and, in particular, to demonstrate the execution of the technical and organizational measures.
(3) Evidence of such measures, which concern not only the specific Order or Contract, may be provided by

  • Compliance with approved Codes of Conduct pursuant to Article 40 EU-GDPR;
  • Certification according to an approved certification procedure in accordance with Article 42 EU-GDPR;
  • Current auditor's certificates, reports or excerpts from reports provided by independent bodies (e.g. auditor, Data Protection Officer, IT security department, data privacy auditor, quality auditor)
  • A suitable certification by IT security or data protection auditing (e.g. according to BSI-Grundschutz (IT Baseline Protection certification developed by the German Federal Office for Security in Information Technology (BSI)) or ISO/IEC 27001).

(4) The Supplier may claim remuneration for enabling Client inspections. All inspection costs will be at the Client's charge, and the time spent by the Supplier in the inspection process will be billed to the Client at a reasonable rate to be agreed by both parties.

8. Communication in the case of infringements by the Supplier

(1) The Supplier shall assist the Client in complying with the obligations concerning the security of personal data, reporting requirements for data breaches, data protection impact assessments and prior consultations, referred to in Articles 32 to 36 of the EU-GDPR. These include:

  1. Ensuring an appropriate level of protection through technical and organizational measures that take into account the circumstances and purposes of the processing as well as the projected probability and severity of a possible infringement of the law as a result of security vulnerabilities and that enable an immediate detection of relevant infringement events.
  2. The obligation to report a personal data breach immediately to the Client.
  3. The duty to assist the Client with regard to the Client's obligation to provide information to the Data Subject concerned and to immediately provide the Client with all relevant information in this regard.
  4. Supporting the Client with its data protection impact assessment.
  5. Supporting the Client with regard to prior consultation of the supervisory authority.

(2) The Supplier may claim compensation for support services which are not included in the description of the services and which are not attributable to failures on the part of the Supplier.

9. Authority of the Client to issue instructions

(1) The Client shall immediately confirm oral instructions (at the minimum in text form).
(2) The Supplier shall inform the Client immediately if it considers that an instruction violates Data Protection Regulations. The Supplier shall then be entitled to suspend the execution of the relevant instructions until the Client confirms or changes them.

10. Deletion and return of personal data

(1) Copies or duplicates of the data shall never be created without the knowledge of the Client, with the exception of back-up copies as far as they are necessary to ensure orderly data processing, as well as data required to meet regulatory requirements to retain data.

(2) After conclusion of the contracted work, and at the latest 6 months after termination of the Service Agreement, the Supplier shall destroy all documents, processing and utilization results, and data sets related to the contract that have come into its possession via the noCRM service software. The same applies to any and all connected test, waste, redundant and discarded material. The log of the destruction or deletion shall be provided on request as long as it still exists. The Client's data will remain in backups for up to 6 months after their deletion from the Service account. Invoices will not be deleted, nor will statistical information on the account. The name and contact information of the account creator will not be deleted unless the Supplier is requested to do so.

(3) Documentation which is used to demonstrate orderly data processing in accordance with the Order or Contract shall be stored beyond the contract duration by the Supplier in accordance with the respective retention periods.

Annex 1 - Security and data protection

Security and privacy of data are a top priority at You Don’t Need a CRM: we work only with well-known, established providers and have set up rules to ensure a high level of protection and privacy of your data.

Physical storage:

Our servers and your data are hosted on Amazon Web Services (AWS) in the US. Amazon is a world leader and the pioneer in Infrastructure as a Service. They take data security very seriously, both in terms of physical access to the servers and security over the network. Physical access is strictly controlled, and even we have no physical access to the servers. AWS complies with GDPR. You can find more info here: https://aws.amazon.com/compliance/gdpr-center/
Amazon has world-class level dedicated security teams to protect their infrastructure against malicious attacks.

System:

We use Engine Yard Inc. services to provide the Linux stack running on the servers. Engine Yard is a Platform as a Service provider. Using their service allows us to be sure that our application relies on up-to-date components, that security updates are applied as soon as they are published, that only the minimum number of ports are open on our servers and that the firewall is correctly configured. The Engine Yard system administration specialist team is there to help us grow while ensuring your data is safe.

Network communication:

All communications to our servers are encrypted and you can only access your data through a secure SSL connection. The quality of our SSL connection can be checked here: https://www.ssllabs.com/ssltest/analyze.html?d=demo.nocrm.io&latest . Our team uses two-factor authentication to connect to the services mentioned above and, in general, whenever it is possible, including physical tokens to connect to our administration interfaces.

Backup and availability:

Your data are backed up both in real time through a slave database and daily in case of data corruption. Backups are stored in a different datacenter, ensuring that in case of disaster no more than 24 hours of data is lost. Our architecture is built with several front servers in high availability to ensure minimum downtime.

SQL injection – Cross site scripting – Code reviews

Our application is regularly tested by a third-party company against SQL injection and cross-site scripting (XSS). We use a modern web development framework to limit those risks, and our development team is trained on these issues. Code is carefully tested and reviewed before being put into production.

Password and payment card data

We do not store your password, only an encrypted version of it. We will never ask you to give us your password, except on your login page. It is your responsibility to ensure your password and API keys are safe and that you do not give them to anyone. We do not store your payment card details; they are stored by our payment processor, Stripe.

Data access

Each member of the team is bound by a strict non-disclosure agreement. Access to your data by our team is strictly limited and depends on the role of the person in our company. Our support team can connect to your account in order to help you solve problems, but if you want to disable this you can change the option in your Admin Panel > Account settings. Your data is your strict property. You can easily export your leads and your prospecting lists at any time in csv or json format. If you want a more complete export you will need to use our API.

Annex 2 - Data processors outside the EU or potentially processing data outside the EU

Data processors

This includes processors of all the data inside the Service, both on prospects and customers of the Client and on its users of the Service.

Cloud servers:
Amazon Web Services, Inc.
P.O. Box 81226
Seattle, WA 98108-1226

Platform as a Service:
Engine Yard, Inc.
401 Congress Ave
Austin, TX 78701

Software consultancy services:
eBoxr LLC
5462 E 2575 N
Eden, UT 84310

Search engine infrastructure:
ElasticSearch SARL
42 rue Monge
75005 Paris France

Payment processor
Stripe, Inc
185 Berry Street, Suite 550
San Francisco, CA 94107

Business card scanning:
ABBYY USA Software House, Inc.
890 Hillview Court, Suite 300
Milpitas, CA 95035, USA
Important note about ABBYY: ABBYY software is a well-known company in the OCR space, but its parent company is a Russian company. You can find their privacy statement here: https://www.abbyy.com/en-gb/privacy/ It states that data can go to Russia. We use ABBYY only for scanning business cards: we send ABBYY an image and ABBYY sends us back text, and this is the only data exchange in place. If you want to be sure that no data goes to Russia, do not use the mobile app to scan business cards; you can deactivate this feature from the Admin Panel > Account settings.

Notification services:
PushWoosh Inc
1224 M St NW, Suite 101,
Washington, DC 20005, U.S.A.

Error handling:
Sentry - Functional Software, Inc.
132 Hawthorne Street
San Francisco, CA 94107

Client employees’ personal data processors

This includes personal data of Client's users of the service in order for us to communicate with them (email, name, phone, company…).

Mailing system:
Mailjet SAS
13-13 bis, rue de l’Aubrac
75012 Paris

Conferencing tools:
Zoom Video Communications, Inc.
55 Almaden Blvd, Suite 600
San Jose, CA 95113

Customer Support:
Intercom R&D Unlimited Company,
2nd Floor, Stephen Court, 18-21 St. Stephen's Green,
Dublin 2, Republic of Ireland

UX analysis:
Hotjar Ltd, Level 2,
3, Elia Zammit Street,
St Julians STJ 3155, Malta, Europe