Live webinar · Mon, Jun 16 · 4:00 PM BST
Loading…
RSVP free

Last updated: 10 June 2026

Data Processing Agreement

This DPA reflects UK GDPR Article 28 and governs BetterCRM's processing of personal data on your behalf when you use the Service.

1. Parties and scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller", "you") and Becreative Marketing Limited (company no. 11620214), trading as BetterCRM, registered at 36 Paine Road, Norwich, NR7 9UN, United Kingdom ("Processor", "BetterCRM"). It applies where BetterCRM processes personal data on your behalf to provide the Service, and reflects Article 28 of the UK GDPR.

2. Definitions

"UK GDPR", "personal data", "processing", "data subject", "personal data breach", "sub-processor", and "supervisory authority" have the meanings in the UK GDPR. "Customer Personal Data" means personal data within Customer Data.

3. Subject matter, duration, nature, purpose

  • Subject matter: provision of the BetterCRM service.
  • Duration: until termination of the Terms and deletion/return of data per section 11.
  • Nature and purpose: hosting, storing, organising, transmitting, displaying, and otherwise processing Customer Personal Data to provide, secure, and support the Service.
  • Categories of data subjects: Controller's customers, leads, community members, employees, contractors, and any other individuals whose data Controller submits.
  • Categories of personal data: contact details, professional information, communications and message content, identifiers, usage and engagement signals, and any other data Controller chooses to submit.

4. Processor obligations

BetterCRM will: (a) process Customer Personal Data only on Controller's documented instructions, including these Terms and the Service configuration; (b) ensure persons authorised to process the data are bound by confidentiality; (c) implement appropriate technical and organisational measures (Annex A); (d) assist Controller, where reasonable, with data-subject requests, DPIAs, and consultations with supervisory authorities; (e) notify Controller without undue delay (and in any event within 72 hours of becoming aware) of any personal data breach affecting Customer Personal Data; (f) make available information necessary to demonstrate compliance and allow for audits per section 8.

5. Controller obligations

Controller warrants that it has a lawful basis to provide Customer Personal Data to BetterCRM, that its instructions comply with applicable law, and that it has provided required notices and obtained required consents from data subjects.

6. Sub-processors

Controller provides general authorisation for BetterCRM to engage sub-processors to provide the Service (e.g., cloud hosting, database, email delivery, analytics, support tooling, AI providers, payments). A current sub-processor list is available on request. BetterCRM will:

  • impose data protection obligations on sub-processors no less protective than this DPA;
  • remain liable for sub-processor performance;
  • give at least 30 days' notice of new or replacement sub-processors via email or in-product notice; Controller may object on reasonable data-protection grounds, in which case the parties will work in good faith to resolve, and Controller may terminate the affected service if no resolution is reached.

7. International transfers

Where Customer Personal Data is transferred outside the UK, BetterCRM relies on the UK International Data Transfer Agreement, the UK Addendum to the EU SCCs, or adequacy regulations, and applies supplementary measures where appropriate.

8. Audits

BetterCRM will provide, on reasonable written request and no more than once per year (or following a personal data breach), summary reports or questionnaires describing its security posture. On-site audits may be conducted by Controller or an independent auditor under NDA, at Controller's cost, with at least 30 days' notice, during business hours, and without unreasonable disruption.

9. Data subject requests

BetterCRM will, taking into account the nature of the processing, provide reasonable assistance via appropriate technical and organisational measures to help Controller respond to data-subject requests. Controller is responsible for responding to such requests.

10. Personal data breach

BetterCRM will notify Controller without undue delay (and in any event within 72 hours of becoming aware), provide available information to help Controller meet its breach-notification obligations, document the facts and remediation, and cooperate in good faith.

11. Return or deletion

On termination, and at Controller's choice, BetterCRM will delete or return Customer Personal Data within 90 days, except where retention is required by law. Backups are overwritten in the ordinary course.

12. Liability

Each party's liability under this DPA is subject to the limitations in the Terms of Service.

13. Conflict and law

If there is a conflict between this DPA and the Terms regarding personal data, this DPA prevails. This DPA is governed by the laws of England and Wales.

Annex A — Technical and organisational measures

  • Encryption in transit (TLS 1.2+) and at rest for primary data stores.
  • Access control: SSO, MFA for privileged access, least-privilege, role-based access.
  • Network security: segmented environments, firewalls, secrets management.
  • Application security: code review, dependency scanning, vulnerability management.
  • Operational security: logging and monitoring, backups, disaster recovery testing.
  • Personnel: background checks where lawful, confidentiality obligations, security training.
  • Vendor management: due diligence and contractual data protection obligations on sub-processors.
  • Incident response: 24/7 on-call, documented runbooks, post-incident reviews.

Annex B — Sub-processors

Current list available on request to hello@bettercrm.app and maintained in-product.

Becreative Marketing Limited (trading as BetterCRM) · Company no. 11620214 · Registered in England & Wales · 36 Paine Road, Norwich, NR7 9UN, United Kingdom · Legal representative: Francisco Opazo · Contact: hello@bettercrm.app.