CRMLynk

Data Processing Agreement

Last Updated: May 11, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between CRMLynk, a trade name of Andrew Lee Jenkins LLC, a Virginia limited liability company ("CRMLynk," "Processor," "we," "us," or "our"), and the entity subscribing to CRMLynk's services ("Subscriber," "Controller," "you," or "your").

This DPA applies to the extent that CRMLynk processes Personal Data on your behalf when providing the OAuth token brokering and webhook routing services described in the Agreement. Where a Subscriber acts as a processor on behalf of its own clients, CRMLynk acts as a sub-processor, and references to "Controller" in this DPA shall refer to the relevant controller in the processing chain.

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses (where applicable), the Standard Contractual Clauses shall prevail.

2. Definitions

Capitalized terms not defined in this DPA have the meanings given to them in the Agreement. The following definitions apply to this DPA:

  • "Applicable Data Protection Law" means all data protection and privacy laws applicable to the processing of Personal Data under this DPA, including but not limited to: the EU General Data Protection Regulation 2016/679 ("GDPR"); the UK Data Protection Act 2018 and UK GDPR; the Swiss Federal Act on Data Protection ("FADP"); the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"); the Virginia Consumer Data Protection Act ("VCDPA"); and any other applicable US state privacy laws.
  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data. Under the CCPA/CPRA, this corresponds to a "Business."
  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed. Under the CCPA/CPRA, this corresponds to a "Consumer."
  • "Personal Data" means any information relating to a Data Subject that is processed by CRMLynk in connection with the services. This includes OAuth tokens, user identifiers, webhook payload contents, and any other information that constitutes personal data under Applicable Data Protection Law. Under the CCPA/CPRA, this corresponds to "Personal Information."
  • "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller. Under the CCPA/CPRA, this corresponds to a "Service Provider."
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by CRMLynk.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission in Implementing Decision (EU) 2021/914.
  • "Sub-processor" means any third party engaged by CRMLynk to process Personal Data on behalf of the Subscriber.

3. Scope of Processing

3.1 Roles of the Parties

The Subscriber is the Controller (or Processor acting on behalf of its own controller) of Personal Data. CRMLynk is the Processor (or Sub-processor) and will process Personal Data only as described in this DPA and the Agreement.

3.2 Processing Description

The details of the processing are described in Annex I (Processing Details) attached to this DPA, including: the subject matter and duration of the processing, the nature and purpose of the processing, the types of Personal Data processed, and the categories of Data Subjects.

3.3 Controller Obligations

The Subscriber warrants that:

  • It has a lawful basis under Applicable Data Protection Law for the processing of Personal Data by CRMLynk.
  • It has provided any required notices to, and obtained any required consents or authorizations from, Data Subjects for the processing described in this DPA.
  • Its instructions to CRMLynk comply with all Applicable Data Protection Law.
  • It has assessed the suitability of CRMLynk's technical and organizational measures for the intended processing.

4. CRMLynk's Obligations as Processor

4.1 Documented Instructions

CRMLynk will process Personal Data only in accordance with the Subscriber's documented instructions, as set out in this DPA and the Agreement. CRMLynk will not process Personal Data for any other purpose, including for its own purposes such as marketing, analytics, profiling, advertising, or sale of data. If CRMLynk is required by applicable law to process Personal Data other than as instructed by the Subscriber, CRMLynk will inform the Subscriber of that legal requirement before processing, unless prohibited by law from doing so.

CRMLynk will promptly notify the Subscriber if, in CRMLynk's reasonable opinion, an instruction from the Subscriber infringes Applicable Data Protection Law. CRMLynk will not carry out a processing instruction that it reasonably believes infringes Applicable Data Protection Law, unless the Subscriber confirms the instruction in writing after being notified.

4.2 Confidentiality

CRMLynk will ensure that all personnel authorized to process Personal Data are bound by enforceable confidentiality obligations, whether contractual or statutory. Access to Personal Data is limited to personnel who require it for the performance of the services.

4.3 Security of Processing

CRMLynk will implement and maintain appropriate technical and organizational measures to protect Personal Data against Security Incidents, as described in Annex II (Technical and Organizational Measures). These measures take into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of Data Subjects.

4.4 Data Subject Rights

Taking into account the nature of the processing, CRMLynk will assist the Subscriber by implementing appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Subscriber's obligation to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law (including rights of access, rectification, erasure, restriction, portability, and objection).

If CRMLynk receives a request directly from a Data Subject, CRMLynk will promptly redirect the Data Subject to the Subscriber and notify the Subscriber, unless prohibited by law from doing so.

4.5 Compliance Assistance

Taking into account the nature of the processing and the information available to CRMLynk, CRMLynk will assist the Subscriber in ensuring compliance with its obligations relating to: (a) security of processing; (b) notification of Security Incidents; (c) data protection impact assessments; (d) prior consultation with supervisory authorities, where required; and (e) maintaining records of processing activities carried out on behalf of the Subscriber, as required by Article 30(2) of the GDPR.

4.6 Data Minimization and Purpose Limitation

CRMLynk's processing of Personal Data is limited to what is strictly necessary to provide the services. Specifically:

  • OAuth tokens are exchanged and delivered to the Subscriber via one-time retrieval codes. CRMLynk does not read, parse, or analyze token contents beyond what is technically required for the exchange.
  • Retrieval codes are stored in Cloudflare KV with a five-minute time-to-live and are automatically and irrecoverably deleted upon expiration or first retrieval.
  • Webhook payloads are routed from providers to the Subscriber's deployment in real time. CRMLynk does not store, log, index, or analyze webhook payload contents.
  • CRMLynk does not access end-user content (emails, calendar events, social media posts, messages, or files). CRMLynk handles only the authentication, token exchange, and webhook routing layers.
  • CRMLynk does not create user profiles, aggregate data across Subscribers, or derive insights from processed data.
  • CRMLynk does not combine Personal Data received from one Subscriber with Personal Data from other Subscribers or from any other source.

5. Sub-processors

5.1 General Authorization

The Subscriber provides general written authorization for CRMLynk to engage Sub-processors to assist in providing the services, subject to the requirements of this Section 5. The current list of Sub-processors is set out in Annex III (Sub-processor List).

5.2 Notification of Changes

CRMLynk will notify the Subscriber at least thirty (30) days before adding or replacing any Sub-processor. Notification will be sent to the email address associated with the Subscriber's account. The notification will identify the new Sub-processor, describe the processing it will perform, and specify its location.

5.3 Objection Right

The Subscriber may object to a new or replacement Sub-processor by notifying CRMLynk in writing within fifteen (15) days of receiving the notification described in Section 5.2. The objection must state reasonable grounds relating to data protection. CRMLynk will use commercially reasonable efforts to make available to the Subscriber a change in the services or recommend a commercially reasonable alternative. If CRMLynk is unable to accommodate the objection within thirty (30) days, the Subscriber may terminate the affected services by providing written notice, and CRMLynk will refund any prepaid fees covering the remainder of the subscription term after the termination effective date.

5.4 Sub-processor Obligations

CRMLynk will impose on each Sub-processor, via a written agreement, data protection obligations no less protective than those set out in this DPA. CRMLynk remains fully liable to the Subscriber for the performance of each Sub-processor's obligations.

6. Security Incident Notification

6.1 Notification to Subscriber

CRMLynk will notify the Subscriber without undue delay, and in any event within forty-eight (48) hours, after becoming aware of a Security Incident affecting the Subscriber's Personal Data. For purposes of this Section, CRMLynk is deemed to be "aware" of a Security Incident when CRMLynk has a reasonable degree of certainty that a Security Incident has occurred. CRMLynk will not delay awareness determination through unnecessary investigatory activities beyond initial confirmation. CRMLynk acknowledges that this timeline is intended to provide the Subscriber with sufficient time to meet its own notification obligations under Applicable Data Protection Law.

6.2 Content of Notification

The notification will include, to the extent reasonably available:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and Personal Data records affected.
  • The name and contact details of CRMLynk's point of contact for further information.
  • A description of the likely consequences of the Security Incident.
  • A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its adverse effects.

6.3 Cooperation

CRMLynk will cooperate with the Subscriber and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the Security Incident. CRMLynk will preserve evidence and records related to the Security Incident for a minimum of twelve (12) months following notification, or such longer period as required by applicable law. CRMLynk will provide the Subscriber with updates as new information becomes available.

6.4 No Direct Notification to Data Subjects

CRMLynk will not notify Data Subjects of a Security Incident directly unless instructed by the Subscriber or required by applicable law. Where CRMLynk is legally required to notify Data Subjects directly, CRMLynk will inform the Subscriber in advance and coordinate the notification with the Subscriber to the extent permitted by law.

7. Audit and Compliance

7.1 Information and Documentation

Upon the Subscriber's written request (no more than once per calendar year), CRMLynk will make available information reasonably necessary to demonstrate compliance with this DPA. This may include completed security questionnaires, summaries of technical and organizational measures, and relevant third-party certifications or audit reports (such as the SOC 2 Type II and ISO 27001 certifications maintained by Cloudflare, Inc. for the infrastructure on which CRMLynk operates).

7.2 Third-Party Audit Reports

CRMLynk will provide, under mutual confidentiality obligations, copies of relevant third-party audit reports or certifications covering CRMLynk's processing activities. Where CRMLynk does not independently hold such certifications, CRMLynk will provide the applicable infrastructure provider certifications along with documentation of CRMLynk's own application-level security controls.

7.3 On-site or Remote Audit

If the information provided under Sections 7.1 and 7.2 is insufficient for the Subscriber to verify compliance with this DPA, the Subscriber may conduct or commission an independent audit, subject to the following conditions:

  • The Subscriber must provide at least thirty (30) days' advance written notice.
  • Audits are limited to one per calendar year, unless required by a data protection supervisory authority, the Subscriber's financial or industry regulator, or following a confirmed Security Incident.
  • Audits must be conducted during business hours, with a scope limited to CRMLynk's processing of the Subscriber's Personal Data.
  • The audit must be conducted by the Subscriber or by a qualified, independent third-party auditor bound by confidentiality obligations. CRMLynk may reasonably object to an auditor that is a direct competitor of CRMLynk.
  • The Subscriber bears all costs of the audit, including any reasonable fees charged by CRMLynk for staff time. Such fees will be commercially reasonable and disclosed to the Subscriber before the audit commences.
  • Any findings from the audit are treated as Confidential Information of CRMLynk. This confidentiality obligation does not prevent the Subscriber from disclosing audit findings to its own regulators, supervisory authorities, or legal advisors as required by applicable law.

8. International Data Transfers

8.1 Transfer Mechanisms

CRMLynk is based in the United States. Where Applicable Data Protection Law restricts the transfer of Personal Data to countries outside the European Economic Area ("EEA"), the United Kingdom, or Switzerland, CRMLynk will ensure that appropriate safeguards are in place. These safeguards include:

  • Standard Contractual Clauses: The parties agree to the SCCs (Commission Implementing Decision (EU) 2021/914) as set out in Annex IV, with Module 2 (Controller-to-Processor) applying where the Subscriber is a Controller, and Module 3 (Processor-to-Processor) applying where the Subscriber is itself a Processor. The Subscriber is the "data exporter" and CRMLynk is the "data importer."
  • UK International Data Transfer Addendum: For transfers from the United Kingdom, the UK Addendum to the EU SCCs (as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated by reference and applies in addition to the SCCs.
  • Swiss Addendum: For transfers from Switzerland, the SCCs apply with the modifications necessary to comply with the FADP, including that the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.

8.2 EU-US Data Privacy Framework

To the extent that transfers of Personal Data are covered by a valid adequacy decision (including the EU-US Data Privacy Framework, the UK Extension, or the Swiss-US Data Privacy Framework), such adequacy decision may serve as an additional or alternative transfer mechanism. The SCCs described in Section 8.1 remain in effect as a fallback safeguard in the event that any adequacy decision is invalidated or withdrawn.

8.3 Transfer Impact Assessment

CRMLynk has assessed the laws and practices of the United States applicable to the processing of Personal Data under this DPA. In light of the nature of the processing (short-lived token brokering with ephemeral storage and minimal data retention), the implemented safeguards (encryption in transit and at rest, five-minute TTL on retrieval codes, no persistent storage of end-user data, no human access to tokens in normal operations), and the applicable transfer mechanisms (SCCs, DPF), CRMLynk has determined that the transfer does not undermine the level of protection guaranteed by the GDPR. CRMLynk will cooperate with the Subscriber in conducting its own transfer impact assessment upon request, and will provide information about applicable US law and CRMLynk's supplementary measures as reasonably necessary for the Subscriber's assessment.

8.4 Sub-processor Transfers

Where CRMLynk transfers Personal Data to a Sub-processor located outside the EEA, the United Kingdom, or Switzerland, CRMLynk will ensure that equivalent safeguards (including, where applicable, SCCs Module 3) are in place between CRMLynk and the Sub-processor before any transfer occurs.

9. California and US State Privacy Law Provisions

9.1 CCPA/CPRA Service Provider Commitments

To the extent the CCPA/CPRA applies, CRMLynk is a "Service Provider" as defined in California Civil Code Section 1798.140(ag). CRMLynk certifies that it understands the restrictions in California Civil Code Section 1798.100(d) and will comply with them. Specifically, CRMLynk certifies that it:

  • Will not sell or share (as those terms are defined in the CCPA/CPRA) Personal Information received from the Subscriber.
  • Will not retain, use, or disclose Personal Information for any purpose other than the specific business purposes set forth in this DPA and the Agreement, or as otherwise permitted by the CCPA/CPRA.
  • Will not retain, use, or disclose Personal Information outside of the direct business relationship between CRMLynk and the Subscriber.
  • Will not combine Personal Information received from or on behalf of the Subscriber with Personal Information received from other persons or collected from the Subscriber's end users in a separate capacity, except as expressly permitted by the CCPA/CPRA.
  • Will notify the Subscriber if CRMLynk determines that it can no longer meet its obligations under the CCPA/CPRA.
  • Grants the Subscriber the right to take reasonable and appropriate steps to verify that CRMLynk uses Personal Information consistent with CRMLynk's obligations under the CCPA/CPRA.
  • Grants the Subscriber the right to require CRMLynk to stop and remediate any unauthorized use of Personal Information.
  • Permits the Subscriber to monitor CRMLynk's compliance with this Section 9 through reasonable measures, including periodic questionnaires and spot-checks, in addition to the audit rights in Section 7.
  • Does not collect, use, or process Sensitive Personal Information (as defined in Cal. Civ. Code Section 1798.140(ae)) except to the extent webhook payloads routed through CRMLynk may incidentally contain such information, in which case CRMLynk processes it solely for the purpose of routing and does not retain, analyze, or use it.

9.2 Virginia CDPA and Other State Laws

To the extent the Virginia Consumer Data Protection Act (Va. Code Section 59.1-575 et seq.) or other US state comprehensive privacy laws apply, CRMLynk will:

  • Process Personal Data in accordance with the Subscriber's instructions and only for the purposes identified in this DPA. The processing instructions, nature and purpose of processing, types of data, and duration are set forth in Annex I, which is incorporated into this Section by reference for purposes of compliance with Va. Code Section 59.1-579.
  • Ensure that each person processing Personal Data is subject to a duty of confidentiality, as further described in Section 4.2 of this DPA.
  • At the Subscriber's direction, delete or return all Personal Data at the end of the service provision (subject to Section 10 of this DPA).
  • Upon reasonable request, make available all information necessary to demonstrate compliance with this DPA.
  • Allow and cooperate with reasonable assessments by the Subscriber, or arrange for a qualified and independent assessor to conduct an assessment of CRMLynk's policies and technical and organizational measures using an appropriate and accepted control standard or framework.
  • Engage Sub-processors only pursuant to a written contract that imposes obligations equivalent to those in this DPA.

10. Data Deletion and Return

10.1 During the Term

Due to CRMLynk's architecture, Personal Data is not persistently stored beyond what each service operation requires:

  • OAuth tokens are exchanged and delivered to the Subscriber. CRMLynk does not retain copies of tokens after delivery.
  • Retrieval codes auto-expire within five (5) minutes via Cloudflare KV time-to-live and are automatically deleted.
  • Webhook payloads are routed in real time without storage.

10.2 Upon Termination

Upon termination or expiration of the Agreement, at the Subscriber's election, CRMLynk will either (a) return all Personal Data to the Subscriber in a commonly used, machine-readable format, or (b) delete all Personal Data. In either case, CRMLynk will:

  • Cease all processing of the Subscriber's Personal Data.
  • Delete all Subscriber records from Cloudflare KV (including subscriber registration entries, API key mappings, Stripe customer mappings, and resource mappings) within thirty (30) days of termination, unless the Subscriber has elected return and the data has been transferred, or retention is required by applicable law.
  • Instruct Sub-processors to cease processing and delete the Subscriber's data. CRMLynk will use commercially reasonable efforts to ensure Sub-processor deletion occurs within sixty (60) days of the termination date.
  • Upon written request, provide the Subscriber with written certification that all Personal Data has been deleted or returned.

If the Subscriber does not make an election within thirty (30) days of termination, CRMLynk will delete all Personal Data.

CRMLynk does not maintain independent backups of Cloudflare KV data. To the extent Cloudflare maintains infrastructure-level backups, deletion of KV entries by CRMLynk will be reflected in such backups in accordance with Cloudflare's standard data lifecycle.

10.3 Legal Retention

Where CRMLynk is required by applicable law to retain any Personal Data, CRMLynk will inform the Subscriber (unless prohibited by law), limit the retention to what is legally required, and continue to protect the data in accordance with this DPA for the duration of the retention period.

11. Platform-Specific Data Processing Requirements

11.1 Google API Services

To the extent CRMLynk processes data subject to the Google API Services User Data Policy, CRMLynk's use and transfer of information received from Google APIs adheres to the Google API Services User Data Policy, including the Limited Use requirements. Specifically, CRMLynk:

  • Uses Google user data only to provide the OAuth token brokering service as described in this DPA.
  • Does not transfer Google user data to third parties except as necessary for service delivery (to the Subscriber and to Sub-processors bound by equivalent restrictions), for security purposes, to comply with applicable laws, or as part of a merger, acquisition, or asset sale with prior user consent.
  • Does not use Google user data for serving advertisements, including retargeting, personalized, or interest-based advertising.
  • Does not use Google user data for creditworthiness determinations or lending qualification.
  • Does not allow humans to read Google user data unless the user has provided affirmative consent, it is necessary for security purposes, it is necessary to comply with applicable law, or the data has been aggregated and anonymized in compliance with applicable privacy regulations and is used solely for internal operations in accordance with the Google API Services User Data Policy.

11.2 Meta Platform Data

To the extent CRMLynk processes data subject to the Meta Platform Terms, CRMLynk acknowledges that Meta Platform Data is subject to additional restrictions. CRMLynk:

  • Does not persistently store Meta Platform Data. Routing mappings (such as Page ID to Subscriber deployment URL) are maintained per-Subscriber and do not contain user content.
  • Does not use Meta Platform Data beyond the OAuth token exchange and webhook routing services described in this DPA.
  • Does not use Meta Platform Data for surveillance, and will not provide Meta Platform Data to any entity conducting surveillance.
  • Implements a Meta Data Deletion Request callback endpoint. Upon receiving a data deletion request from Meta, CRMLynk will propagate the request to affected Subscribers and confirm deletion to Meta in accordance with Meta's requirements.
  • Does not retain Meta Platform Data beyond the immediate routing operation. Subscribers are responsible for their own compliance with Meta's data retention limitations, including the 90-day retention limit where applicable.

11.3 Zoom Marketplace

To the extent CRMLynk processes data subject to the Zoom Marketplace Developer Agreement, CRMLynk complies with Zoom's API Terms of Use and data handling requirements, including restrictions on data use, storage, and disclosure.

12. General Provisions

12.1 Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, except that neither party's liability for breaches of this DPA shall be limited to the extent that such limitation would be prohibited by Applicable Data Protection Law. Notwithstanding the dispute resolution provisions in the Agreement, either party may seek injunctive or other equitable relief from any court of competent jurisdiction to prevent unauthorized processing or disclosure of Personal Data.

12.2 Term

This DPA takes effect on the date the Subscriber first subscribes to CRMLynk's services and remains in effect for as long as CRMLynk processes Personal Data on the Subscriber's behalf. Sections 6, 7, 10, and 12 survive termination.

12.3 Amendments

CRMLynk may update this DPA from time to time to reflect changes in Applicable Data Protection Law, our Sub-processor list, or our processing practices. We will notify Subscribers of material changes at least thirty (30) days in advance. Material changes that reduce the Subscriber's rights or CRMLynk's obligations under this DPA require the Subscriber's affirmative written consent. Updates to the Sub-processor list are governed by Section 5 and are not subject to this consent requirement. Non-material administrative or clarifying changes take effect upon posting.

12.4 Governing Law

This DPA is governed by the laws specified in the Agreement, except that the SCCs (Annex IV) are governed by the law of the EU Member State in which the data exporter is established (or, where the data exporter is not established in an EU Member State, the laws of Ireland).

12.5 Data Protection Officer

CRMLynk has not appointed a Data Protection Officer, as its core processing activities (token brokering with ephemeral storage and minimal data retention) do not require one under Article 37 of the GDPR. For data protection inquiries, contact us at the address below.

12.6 Contact

For questions about this DPA or to exercise any rights under it, contact us at:

CRMLynk
Email: [email protected]
Phone: (804) 617-9811
Mail: CRMLynk, Glen Allen, Virginia, United States

Annex I: Processing Details

A. List of Parties

Data Exporter (Controller/Processor): The Subscriber, as identified in the Agreement. Contact: as provided during registration.
Data Importer (Processor/Sub-processor): CRMLynk, a trade name of Andrew Lee Jenkins LLC. Contact: [email protected]

B. Description of Processing

Subject Matter: Managed OAuth token brokering and webhook routing for CRM platform integrations with third-party providers (Google, Microsoft, Meta, Zoom, and others).
Duration: For the term of the Agreement between CRMLynk and the Subscriber, plus any post-termination retention period described in Section 10.
Nature and Purpose of Processing:
  (a) Receiving OAuth authorization codes from third-party providers on behalf of the Subscriber's deployment.
  (b) Exchanging authorization codes for access tokens and refresh tokens via server-to-server calls to providers.
  (c) Storing retrieval codes in Cloudflare KV with a five-minute time-to-live for one-time Subscriber pickup.
  (d) Routing webhook payloads from providers to the Subscriber's registered deployment URL.
  (e) Refreshing expired access tokens on Subscriber request.
  (f) Subscriber account management (API key authentication, deployment registration, billing).
Types of Personal Data: OAuth access tokens and refresh tokens (which may contain or reference user identifiers); authorization codes; webhook payloads (which may contain user identifiers, email addresses, message content, calendar events, social media interactions, or other data depending on the provider and scopes authorized by the end user); Subscriber account information (name, email address, deployment URL, billing data); API keys.
Categories of Data Subjects: End users of the Subscriber's CRM platform who authorize connections to third-party providers (e.g., users who connect their Google, Microsoft, Meta, or Zoom accounts through the Subscriber's application). Subscriber personnel who manage the CRMLynk integration.
Sensitive Data: CRMLynk does not intentionally process special categories of data (Article 9 GDPR). However, webhook payloads routed through CRMLynk may incidentally contain sensitive information depending on the Subscriber's use case and the provider scopes authorized. CRMLynk does not inspect, classify, or store webhook payload contents.
Frequency of Transfer: Continuous, on each OAuth authorization, token refresh, and webhook event.
Retention Period: Retrieval codes: 5 minutes (auto-deleted). Webhook payloads: not retained (routed in real time). Subscriber account data: for the term of the Agreement plus 30 days.

Annex II: Technical and Organizational Measures

CRMLynk implements the following measures to protect Personal Data, taking into account the nature of the processing (OAuth token brokering and webhook routing with minimal data retention):

A. Encryption and Data Protection

  • All data in transit is encrypted via TLS 1.2 or higher, enforced by Cloudflare's edge network.
  • Cloudflare KV storage is encrypted at rest using AES-256.
  • OAuth client secrets and API keys are stored as Cloudflare Worker secrets (encrypted at rest, never exposed in source code or logs).
  • No unencrypted storage of tokens, credentials, or Personal Data at any point in the processing chain.

B. Access Controls

  • Subscriber API calls require a unique, per-subscriber API key (sk_live_...) validated on every request.
  • Administrative endpoints are protected by a separate admin API key.
  • No shared credentials between Subscribers.
  • Principle of least privilege applied to all system and personnel access.
  • No human access to OAuth tokens during normal operations. Token exchange is fully automated.

C. Infrastructure Security

  • CRMLynk runs on Cloudflare Workers (serverless edge computing). CRMLynk operates no servers, virtual machines, or self-managed databases; its only persistent state is Cloudflare KV, used as described in Section D below.
  • Cloudflare provides DDoS protection, Web Application Firewall, and bot management at the network edge.
  • Security patching and infrastructure maintenance are handled by Cloudflare's platform team. CRMLynk does not manage operating systems or server software.
  • Cloudflare maintains SOC 2 Type II, ISO 27001, ISO 27701, and PCI DSS Level 1 certifications for its infrastructure.

D. Data Lifecycle and Minimization

  • Retrieval codes are stored with a five-minute TTL in Cloudflare KV and are deleted on first use or expiration, whichever occurs first.
  • Webhook payloads are forwarded in real time to the Subscriber's deployment and are not stored, logged, cached, or indexed by CRMLynk.
  • CRMLynk does not maintain a persistent database of end-user data. The only persistent storage is Cloudflare KV, used for Subscriber registration records and short-lived retrieval codes.
  • CRMLynk does not write OAuth tokens, webhook payloads, or end-user identifiers to application logs.

E. Incident Detection and Response

  • Cloudflare's monitoring infrastructure provides real-time alerting on anomalous traffic patterns, error rates, and potential security events.
  • CRMLynk maintains an incident response procedure that includes identification, containment, eradication, recovery, and post-incident review.
  • Security Incidents are escalated and communicated in accordance with Section 6 of this DPA.

F. Operational Logging

  • CRMLynk maintains operational logs of API request metadata (subscriber identifier, timestamp, endpoint, HTTP status) for security monitoring and debugging purposes.
  • These logs do not contain token values, webhook payload contents, or end-user identifiers.

G. Organizational Measures

  • Access to production systems is limited to CRMLynk's principal and any contractors engaged under written confidentiality agreements.
  • CRMLynk conducts security reviews of Sub-processors (Nylas, Cloudflare) before engagement and periodically thereafter.
  • Access credentials to production systems are rotated periodically and upon personnel changes.
  • CRMLynk performs periodic security reviews of its Worker code, including dependency analysis and static analysis.

H. Business Continuity

  • CRMLynk operates on Cloudflare's globally distributed edge network, which provides inherent redundancy and failover across multiple data centers and regions.
  • CRMLynk does not maintain a separate disaster recovery site due to the stateless, ephemeral nature of the processing. Cloudflare KV provides built-in replication across Cloudflare's network.
  • Encryption keys for Cloudflare KV and Worker Secrets are managed by Cloudflare's key management infrastructure. CRMLynk does not have direct access to underlying encryption keys.

Annex III: Sub-processor List

The following Sub-processors are authorized as of the date of this DPA. CRMLynk will update this list and notify Subscribers in accordance with Section 5.2.

Sub-processor: Cloudflare, Inc.
Processing Activity: Infrastructure hosting (Workers serverless compute, KV storage, DNS, CDN, DDoS protection). All CRMLynk services run on Cloudflare's global edge network.
Location: United States (global edge network)

Sub-processor: Nylas, Inc.
Processing Activity: Email, calendar, and contacts API integration services. Provides OAuth connectivity and API access for productivity platforms (Gmail, Outlook, Google Calendar, Outlook Calendar, Contacts, IMAP/SMTP, Microsoft Teams) on behalf of Subscribers.
Location: United States

Sub-processor: Stripe, Inc.
Processing Activity: Payment processing and subscription billing. Stripe processes Subscriber payment information and may act as an independent data controller for payment processing. Stripe is listed here for transparency; Stripe's own privacy policy and DPA govern its handling of payment data.
Location: United States

Annex IV: Standard Contractual Clauses

Where the transfer of Personal Data from the EEA, United Kingdom, or Switzerland to CRMLynk requires appropriate safeguards under Applicable Data Protection Law, the parties agree to the following:

A. EU Standard Contractual Clauses

The parties hereby enter into the Standard Contractual Clauses adopted by the European Commission in Implementing Decision (EU) 2021/914 (the "EU SCCs"), which are incorporated by reference into this DPA. The EU SCCs are deemed completed as follows:

  • Module 2 (Controller-to-Processor) applies where the Subscriber is a Controller of the transferred Personal Data.
  • Module 3 (Processor-to-Processor) applies where the Subscriber is itself a Processor acting on behalf of its own controller.
  • Clause 7 (Docking Clause): The optional docking clause is included, allowing additional parties to accede to the SCCs.
  • Clause 9(a) (Sub-processors): Option 2 (General Written Authorization) applies, with a prior notice period of thirty (30) days.
  • Clause 11 (Redress): The optional language permitting complaints to an independent dispute resolution body is not included.
  • Clause 13 (Supervision): The competent supervisory authority is determined in accordance with Clause 13(a), based on the data exporter's establishment. Where the data exporter is not established in an EU Member State, the competent supervisory authority shall be the supervisory authority of the EU Member State in which the data exporter's representative (within the meaning of Article 27(1) GDPR) is established, or, in the absence of such representative, the supervisory authority of the EU Member State in which the relevant Data Subjects are located.
  • Clause 17 (Governing Law): Option 1 applies. The EU SCCs are governed by the law of Ireland.
  • Clause 18(b) (Forum): Disputes are resolved before the courts of Ireland.

Annex I (Processing Details), Annex II (Technical and Organizational Measures), and Annex III (Sub-processor List) of this DPA serve as the corresponding annexes to the EU SCCs.

B. UK International Data Transfer Addendum

For transfers of Personal Data from the United Kingdom, the UK Addendum to the EU SCCs as issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018 (currently version B1.0, in force March 21, 2022, or any successor version published by the ICO) is incorporated by reference. In the event of a conflict between the UK Addendum and the EU SCCs, the UK Addendum shall prevail with respect to UK transfers.

C. Swiss Transfers

For transfers of Personal Data from Switzerland, the EU SCCs apply with the following modifications: references to "Regulation (EU) 2016/679" are interpreted as references to the Swiss FADP; references to specific GDPR articles are interpreted as references to the equivalent provisions of the FADP; the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; and the term "member state" is interpreted to include Switzerland.

© 2026 CRMLynk. All rights reserved.