Cropsly

Data Processing Agreement

Last updated: March 2026

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the service agreement between Cropsly Solutions Pvt Ltd (“Processor”, “we”, “us”) and the client (“Controller”, “you”) who engages Cropsly for services that involve the processing of personal data.

This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applies to all personal data processed by Cropsly on behalf of the Controller.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • Controller: The client who determines the purposes and means of processing personal data.
  • Processor: Cropsly Solutions Pvt Ltd, which processes personal data on behalf of the Controller.
  • Sub-processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.
  • Data Subject: An identified or identifiable natural person whose personal data is processed.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.

3. Scope & Purpose of Processing

The Processor shall process personal data only to the extent necessary to perform the services agreed upon in the service agreement. The nature, purpose, and duration of processing, the types of personal data, and the categories of data subjects are defined in the service agreement.

The Processor shall not process personal data for any purpose other than as instructed by the Controller, unless required by applicable law.

4. Processor Obligations

The Processor shall:

  • Process personal data only on documented instructions from the Controller, including with regard to transfers to third countries
  • Ensure that persons authorized to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (see Section 6)
  • Assist the Controller in responding to requests from data subjects exercising their rights under GDPR (see Section 8)
  • Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation
  • At the Controller's choice, delete or return all personal data upon termination of services (see Section 10)
  • Make available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR and allow for audits (see Section 11)
  • Immediately inform the Controller if, in the Processor's opinion, an instruction infringes GDPR or other applicable data protection law

5. Sub-processors

The Controller provides general authorization for the Processor to engage sub-processors. The Processor shall:

  • Maintain an up-to-date list of sub-processors on our Security page
  • Notify the Controller of any intended changes to sub-processors at least 30 days in advance
  • Impose the same data protection obligations on sub-processors as set out in this DPA through a written contract
  • Remain fully liable to the Controller for the performance of any sub-processor's obligations

If the Controller objects to a new sub-processor, the parties shall discuss the objection in good faith. If no resolution is reached, the Controller may terminate the affected services.

6. Security Measures

The Processor implements the following technical and organizational measures:

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Infrastructure: Self-hosted Kubernetes on Hetzner Cloud (Germany, EU). No third-party SaaS for primary data storage
  • Access control: Role-based access, multi-factor authentication for all team members, principle of least privilege
  • Backups: Daily encrypted backups with 30-day retention
  • Monitoring: Continuous security monitoring, intrusion detection, and audit logging
  • AI-specific: PII filtering before third-party AI API calls. On-device AI processes data locally only. No client data used for model training without explicit consent
  • Code security: Internal security audits and code reviews on every project

For full details, see our Security & Compliance page.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach. The notification shall include:

  • The nature of the breach, including the categories and approximate number of data subjects and records concerned
  • The name and contact details of the data protection point of contact
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

8. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligations to respond to data subject requests, including requests for:

  • Access to personal data (Article 15)
  • Rectification of inaccurate data (Article 16)
  • Erasure of data (Article 17)
  • Restriction of processing (Article 18)
  • Data portability (Article 20)
  • Objection to processing (Article 21)

The Processor shall promptly forward any data subject request received directly to the Controller and shall not respond to data subjects directly unless instructed by the Controller.

9. International Data Transfers

All primary data is stored and processed within the EU (Hetzner Cloud, Germany). Where data transfers outside the EU/EEA are necessary, the Processor shall ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) as adopted by the European Commission
  • Transfer impact assessments where required
  • Supplementary measures as necessary to ensure equivalent protection

10. Data Return & Deletion

Upon termination of the service agreement, the Processor shall, at the Controller's choice:

  • Return all personal data to the Controller in a commonly used, machine-readable format, or
  • Delete all personal data and certify deletion in writing

Deletion shall be completed within 30 days of termination, unless applicable law requires further storage. Backup copies are purged according to the 30-day backup retention schedule.

11. Audit Rights

The Controller has the right to audit the Processor's compliance with this DPA. The Processor shall:

  • Make available all information necessary to demonstrate compliance with Article 28 GDPR
  • Allow and contribute to audits, including inspections, conducted by the Controller or an independent auditor mandated by the Controller
  • Provide reasonable notice (at least 30 days) for on-site audits unless an urgent data breach investigation is required

12. Duration & Termination

This DPA shall remain in effect for the duration of the service agreement between the parties. The obligations of the Processor regarding data protection shall survive termination to the extent necessary to fulfill its data return and deletion obligations under Section 10.

13. Contact

For questions about this DPA or to exercise your rights:

Email: [email protected]

Company: Cropsly Solutions Pvt Ltd