Data processing agreement
Last updated: [Effective date]
This Data Processing Agreement (“DPA”) forms part of the Terms of service between [Legal Entity Name] (“crewmuster,” “processor”) and the customer (“you,” “controller”) and governs crewmuster’s processing of personal data on your behalf — primarily the personal data of your employees and crew.
1. Roles of the parties
For the personal data you manage in crewmuster about your crew, you are the controller and crewmuster is the processor. You determine the purposes and means of the processing; crewmuster processes that data only to provide the service and on your documented instructions. Where you are yourself a processor for another controller, crewmuster acts as a sub-processor and the same obligations apply.
2. Definitions
“Personal data,” “processing,” “controller,” “processor,” “data subject,” and “personal data breach” have the meanings given in applicable data protection law, including the EU and UK GDPR. “Applicable data protection law” means the privacy and data protection laws that apply to the processing, including the GDPR, UK GDPR, and the CCPA/CPRA where relevant.
3. Scope and instructions
crewmuster will process personal data only: (a) to provide and support the service; (b) on your documented instructions, including those in the Terms, this DPA, and your use of the service; and (c) as required by law (in which case crewmuster will inform you unless legally prohibited). The details of processing are set out in Annex I.
4. Confidentiality
crewmuster ensures that personnel authorized to process personal data are bound by appropriate confidentiality obligations and access it only as needed to perform their duties.
5. Security
crewmuster implements appropriate technical and organizational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the state of the art, the costs, and the risk. Current measures are summarized in Annex II.
6. Sub-processors
You give crewmuster general authorization to engage sub-processors to help provide the service. crewmuster will: (a) impose data protection obligations on each sub-processor that are no less protective than those in this DPA; (b) remain responsible for its sub-processors’ performance; and (c) maintain a current list of sub-processors (Annex III) and give you reasonable notice of intended changes, so you can object on reasonable data-protection grounds.
7. Assisting you (data-subject requests)
Taking into account the nature of the processing, crewmuster will assist you with appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights (access, correction, deletion, portability, restriction, and objection). If crewmuster receives such a request directly, it will refer the data subject to you.
8. Personal data breaches
crewmuster will notify you without undue delay after becoming aware of a personal data breach affecting your personal data, and will provide information reasonably available to help you meet your notification obligations.
9. Data protection impact assessments
crewmuster will provide reasonable assistance with data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to crewmuster.
10. Return and deletion
On termination of the service, crewmuster will, at your choice, delete or return your personal data, and delete existing copies, unless law requires storage. You can also export your data while the service is active. [Specify the post-termination window, e.g., data deleted within [30] days.]
11. Audits
crewmuster will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you appoint, subject to reasonable confidentiality and security conditions and reasonable notice.
12. International transfers
Where crewmuster transfers personal data across borders in a way that requires a transfer mechanism, it will use an appropriate one (for example, the EU standard contractual clauses and the UK addendum), incorporated by reference where applicable.
13. CCPA
To the extent the CCPA/CPRA applies, crewmuster acts as a “service provider.” crewmuster will not sell or share personal data, will not retain, use, or disclose it except to provide the service (or as permitted by the CCPA), and will not combine it with data from other sources except as the CCPA allows.
14. Order of precedence
If this DPA conflicts with the Terms regarding the processing of personal data, this DPA controls.
Annex I — Details of processing
| Subject matter | Provision of crewmuster’s scheduling, availability, and task service. |
|---|---|
| Duration | For the term of the service, plus the return/deletion period in section 10. |
| Nature and purpose | Hosting, storing, and processing personal data to operate scheduling, availability, tasks, and cross-location coverage on the controller’s behalf. |
| Types of personal data | Names, contact details, role/position, location assignment, availability, scheduled shifts, and task activity of the controller’s crew; account administrator details. |
| Categories of data subjects | The controller’s employees, crew, and account administrators. |
| Special categories | None intended. The service is not designed to process special-category data; do not enter it. |
Annex II — Security measures
Current measures include (complete/adjust to your actual practices before publishing):
- encryption of data in transit (TLS) and at rest;
- role-based access controls and least-privilege access for personnel;
- authentication controls for accounts;
- logical separation of customer data;
- regular backups and a documented recovery process;
- vendor and sub-processor due diligence;
- monitoring, logging, and an incident-response process.
Annex III — Sub-processors
The following sub-processors help crewmuster provide the service (confirm and complete this list before publishing):
| Sub-processor | Purpose | Location |
|---|---|---|
| [Hosting provider, e.g. Vercel] | Application hosting | [Region] |
| [CDN/hosting, e.g. Cloudflare] | Website hosting and content delivery | [Region] |
| [Payment processor] | Subscription billing | [Region] |
| [Email/support provider] | Transactional email and support | [Region] |
| [Analytics provider, if any] | Product analytics | [Region] |
Contact
For questions about this DPA, or to send data-protection notices, email hello@crewmuster.com or write to [Company address].