Data Processing Agreement (DPA) | ATZ CRM

Last updated: March 11, 2026

Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between ATZ CRM (“Processor”, “we”, “us”) and the customer using ATZ CRM services (“Controller”, “you”). It governs how we process Personal Data on your behalf in connection with the Services and is intended to satisfy the requirements of Article 28 of the GDPR and relevant UK GDPR provisions.

This DPA should be read together with our Terms & Conditions, Privacy Policy, and Data Hosting & Security page. If there is any conflict between this DPA and the main agreement, this DPA will prevail for matters related to data processing.

01. Scope of Contract and Allocation of Responsibilities

  1. You are the Controller of Personal Data and ATZ CRM acts as Processor.
  2. ATZ CRM processes Personal Data solely on your behalf and according to your documented instructions.
  3. Each party is responsible for its respective obligations under Applicable Data Protection Laws.

02. Processing Instructions

  1. Your instructions are set out in this DPA, the Agreement, and your use of the Services.
  2. If you provide new or changed instructions, we will implement them if technically feasible and legally permissible.
  3. At your request, we will correct, delete, or restrict Personal Data.
  4. We will inform you if we believe an instruction violates Applicable Data Protection Laws and will not be required to comply with such instruction until the issue is resolved.

03. Processor Personnel

ATZ CRM ensures that personnel authorized to process Personal Data are bound by confidentiality obligations and receive appropriate data protection and security training.

04. Disclosure to Third Parties; Data Subjects’ Rights

  1. We do not disclose Personal Data to third parties unless required to provide the Services, to comply with law, or with your documented instructions.
  2. If legally required to disclose Personal Data to a public authority, we will, where permitted, provide prior notice to allow you to seek protective measures.
  3. If we receive a data subject request, we will not respond directly unless required by law; we will notify you without undue delay and provide reasonable assistance.

05. Assistance

ATZ CRM will provide reasonable assistance to help you comply with your obligations under Articles 32–36 of the GDPR, including support for security, breach notifications, and data protection impact assessments, taking into account the nature of processing and information available to us.

06. Information Rights and Audit

  1. We will make available information necessary to demonstrate compliance with this DPA.
  2. Upon reasonable request, we will provide relevant summaries of our security audits or certifications, subject to confidentiality obligations.
  3. Where audits are required by law, the parties will agree on the scope, timing, and approach to minimize disruption and protect other customers’ data.

07. Data Incident Management and Notification

  1. We will notify you without undue delay after becoming aware of a Personal Data breach involving the Services.
  2. We will investigate and take reasonable steps to remediate the cause of the incident within our control.
  3. We will provide reasonable assistance to support your obligations to notify authorities and data subjects where required.

08. International Data Transfers

Where Personal Data is transferred outside the EEA or UK, ATZ CRM will ensure appropriate safeguards are in place (such as the EU Standard Contractual Clauses and/or UK International Data Transfer Addendum), as required by Applicable Data Protection Laws.

09. Reference to Standard Contractual Clauses

Where transfers rely on Standard Contractual Clauses, the relevant annexes to those clauses will be interpreted consistently with the information provided in Annex I (Details of Processing) and Annex II (Technical and Organizational Measures) of this DPA.

10. Term and Termination

This DPA becomes effective on the date the Agreement takes effect and remains in place for as long as ATZ CRM processes Personal Data on your behalf.

11. Deletion or Return of Personal Data

Upon termination or expiry of the Services, ATZ CRM will, at your choice, return or delete Personal Data within a reasonable timeframe, unless retention is required by law or for legitimate business purposes (such as billing or dispute resolution).

12. Miscellaneous

  1. This DPA is subject to the limitation of liability terms in the Agreement and the Terms & Conditions.
  2. Notices required under this DPA may be provided by email.
  3. If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in effect.

13. Definitions

Capitalized terms not defined in this DPA have the meanings given in the Agreement. Terms such as “Personal Data”, “Processing”, “Controller”, and “Processor” have the meanings given in the GDPR.

Annex I: Details of Processing

Subject matter: Provision of ATZ CRM software and related services.
Duration: For the term of the Agreement and any applicable retention period.
Nature and purpose: Hosting, storage, organization, access, transmission, analytics, support, and other processing necessary to provide and secure the Services.
Categories of data subjects: Customer users, candidates, contacts, clients, suppliers, and website visitors.
Categories of Personal Data: Contact details, recruiting data, notes, communications, activity logs, and other data submitted by the Controller.
Special categories of data: Not intended. If processed, it is only at the Controller’s instruction and subject to additional safeguards.

Annex II: Technical and Organizational Measures

ATZ CRM applies appropriate measures to protect Personal Data, including:

  • Encryption in transit and at rest where appropriate
  • Role-based access control and least-privilege permissions
  • Multi-factor authentication for administrative access
  • Logging, monitoring, and alerting for security events
  • Regular vulnerability assessments and patching
  • Secure development lifecycle practices
  • Backups and disaster recovery procedures
  • Incident response and breach notification procedures

Annex III: List of Subprocessors

ATZ CRM uses reputable infrastructure and service providers to deliver the Services (for example, cloud hosting and email delivery providers). A current list of Subprocessors is available upon request by contacting support@atzcrm.com.

Contact

For questions about this DPA or to request a signed copy, contact:

ATZ CRM
Email: support@atzcrm.com