Data Processing Addendum
Version 2026-06-22 · Last updated June 22, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer (“Controller”) and Crossary (operated as a sole trader, “Processor”, “we”) for use of Crossary, and governs our processing of personal data on your behalf. Enterprise customers may require a counter-signed copy or their own paper — contact support@crossary.com.
1. Roles
The Controller determines the purposes and means of processing. We act as Processor, processing personal data only on the Controller’s documented instructions (including via the product’s features) and as described in these terms and the Privacy Policy.
2. Subject matter, duration, nature and purpose
We process personal data to provide Crossary: ingesting uploaded specification artifacts, extracting field inventories, generating and storing mapping suggestions, and producing exports. Processing lasts for the duration of the Controller’s account, unless otherwise required by law.
3. Categories of data and data subjects
Personal data is whatever the Controller includes in account details and uploaded content. Data subjects may include the Controller’s users, team members, and any individuals referenced within uploaded artifacts. The Controller is responsible for ensuring it has a lawful basis to upload such content.
4. Our obligations
- process personal data only on documented instructions;
- ensure personnel with access are bound by confidentiality;
- implement appropriate technical and organizational security measures (see section 7);
- assist the Controller, taking into account the nature of processing, with data-subject requests and with security, breach-notification, and impact-assessment obligations.
5. Subprocessors
The Controller authorizes our use of the subprocessors listed on the Subprocessors page. We impose data-protection obligations on each subprocessor and remain responsible for their performance. We will inform the Controller of intended changes and allow a reasonable opportunity to object on data-protection grounds.
6. Data-subject requests
Where a data subject contacts us directly, we will refer them to the Controller. We will provide reasonable assistance to help the Controller respond to access, rectification, erasure, portability, and objection requests.
7. Security measures
We maintain measures including: passwords hashed with bcrypt; encryption in transit (TLS); EU-hosted storage and database; tenant isolation; authentication rate-limiting; and error monitoring. A fuller description is available on request.
8. Personal data breach
We will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data, and provide information reasonably available to assist the Controller’s own notification obligations.
9. Return and deletion
On termination, or on the Controller’s request, we delete the Controller’s personal data. Account deletion cancels any active subscription and removes workspaces, projects, integrations, uploaded artifacts, and exports, including the underlying stored files, subject to limited retention required by law and routine backup cycling. The Controller can also delete individual integrations or projects in-product at any time, which erases their data and stored files.
10. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and contribute to audits as required by applicable law, subject to reasonable confidentiality and security safeguards.
11. International transfers
Where processing involves transfers outside the European Economic Area, we rely on appropriate safeguards such as the EU Standard Contractual Clauses and/or the EU–US Data Privacy Framework where the recipient is certified.
12. Precedence and governing law
In the event of a conflict between this DPA and the Terms of Service on data-protection matters, this DPA prevails. This DPA is governed by the law of Portugal.