Data Processing Overview
DeelRx CRM acts as a data processor for your business data, helping you manage customer relationships while maintaining strict compliance with privacy regulations. We process your data only as instructed by you and in accordance with applicable data protection laws.
Data Processing Agreement (DPA)
Our Role as Data Processor
Data Processing Scope
- Process data only as instructed by you (the data controller)
- Implement appropriate technical and organizational measures
- Ensure data security and confidentiality
- Assist with data subject rights requests
Processing Purposes
- Customer relationship management
- Inventory tracking and management
- Financial record keeping and reporting
- Business analytics and insights
Legal Basis
- Contract performance (providing CRM services)
- Legitimate interests (service improvement and security)
- Consent (where explicitly given)
- Legal obligation (compliance requirements)
Your Role as Data Controller
Data Controller Responsibilities
- Determine the purposes and means of processing
- Ensure lawful basis for processing
- Implement appropriate safeguards
- Respond to data subject requests
Your Rights
- Right to access and portability
- Right to rectification and erasure
- Right to restrict processing
- Right to object to processing
Subprocessors and Third-Party Services
Our Trusted Subprocessors
We work with carefully selected subprocessors to provide secure CRM functionality:
Clerk (Authentication Services)
- Purpose: User authentication and account management
- Data Processed: Email addresses, names, authentication tokens
- Location: United States (with EU data processing agreements)
- DPA: Yes, comprehensive data processing agreement in place
- Certifications: SOC 2 Type II, GDPR compliant
Stripe (Payment Processing)
- Purpose: Secure payment processing and subscription management
- Data Processed: Payment information, billing details, transaction history
- Location: United States (with EU data processing agreements)
- DPA: Yes, comprehensive data processing agreement in place
- Certifications: PCI DSS Level 1, SOC 2 Type II
Netlify (Hosting Services)
- Purpose: Website hosting and content delivery
- Data Processed: Website usage data, performance metrics
- Location: United States and EU (with data processing agreements)
- DPA: Yes, comprehensive data processing agreement in place
- Certifications: SOC 2 Type II, ISO 27001
BaseHub (Content Management)
- Purpose: Content management and CMS functionality
- Data Processed: Content data, user preferences
- Location: United States (with EU data processing agreements)
- DPA: Yes, comprehensive data processing agreement in place
- Certifications: GDPR compliant, SOC 2 Type II
PostHog (Analytics Services)
- Purpose: Privacy-focused analytics and product insights
- Data Processed: Anonymized usage patterns, feature adoption
- Location: United States (with EU data processing agreements)
- DPA: Yes, comprehensive data processing agreement in place
- Certifications: GDPR compliant, SOC 2 Type II
Subprocessor Management
Selection Criteria
- Privacy and security certifications
- GDPR and CCPA compliance
- Data processing agreement requirements
- Regular security assessments
Ongoing Monitoring
- Regular compliance audits
- Security assessment reviews
- Performance monitoring
- Incident response coordination
Change Management
- Advance notification of subprocessor changes
- Right to object to new subprocessors
- Termination procedures for non-compliant subprocessors
- Regular subprocessor reviews
Cross-Border Data Transfers
International Data Transfers
Transfer Mechanisms
- Standard Contractual Clauses (SCCs): EU-approved contractual clauses for data transfers
- Adequacy Decisions: Transfers to countries with adequate protection
- Binding Corporate Rules: Internal data protection policies
- Certification Schemes: Privacy Shield successor frameworks
Safeguards and Protections
- Encryption in transit and at rest
- Access controls and monitoring
- Regular security assessments
- Incident response procedures
Your Rights
- Right to information about transfers
- Right to object to transfers
- Right to additional safeguards
- Right to compensation for damages
EU-US Data Transfers
Standard Contractual Clauses
- EU Commission-approved contractual clauses
- Comprehensive data protection requirements
- Regular review and updates
- Binding on all parties
Additional Safeguards
- Technical and organizational measures
- Encryption and access controls
- Regular security assessments
- Incident response procedures
Data Subject Rights Assistance
Your Rights Under GDPR
Right of Access
- Request information about data processing
- Obtain copies of your personal data
- Receive data in machine-readable format
- Information about data sources and recipients
Right to Rectification
- Correct inaccurate personal data
- Complete incomplete personal data
- Update outdated information
- Verify data accuracy
Right to Erasure
- Request deletion of personal data
- Remove data no longer necessary
- Withdraw consent for processing
- Object to unlawful processing
Right to Restrict Processing
- Limit processing of personal data
- Suspend data processing activities
- Preserve data for legal claims
- Verify data accuracy
Right to Data Portability
- Receive data in structured format
- Transfer data to another service
- Direct transmission between controllers
- Maintain data format and structure
Right to Object
- Object to processing based on legitimate interests
- Opt out of direct marketing
- Object to automated decision-making
- Withdraw consent at any time
How to Exercise Your Rights
Contact Us
Identity Verification
Request Processing
Response
Our Assistance Obligations
Technical Assistance
- Provide technical tools for data access
- Assist with data export and portability
- Support data deletion and rectification
- Enable data processing restrictions
Administrative Support
- Process data subject requests
- Maintain audit trails of requests
- Provide request status updates
- Coordinate with subprocessors
Data Security and Breach Response
Security Measures
Technical Safeguards
- AES-256 encryption for data at rest and in transit
- Multi-factor authentication and access controls
- Regular security assessments and penetration testing
- Network security and monitoring systems
Organizational Safeguards
- Privacy and security training for all staff
- Data protection impact assessments
- Regular compliance audits and reviews
- Incident response and breach notification procedures
Breach Notification
Notification Process
- Immediate containment and assessment
- Notification within 72 hours of discovery
- Detailed information about the breach
- Remediation steps and timeline
Assistance Provided
- Technical support for breach response
- Coordination with regulatory authorities
- Customer notification assistance
- Post-incident security improvements
Compliance Monitoring and Audits
Regular Compliance Assessments
Internal Audits
- Annual privacy compliance reviews
- Security assessment reports
- Data processing activity audits
- Subprocessor compliance reviews
External Assessments
- Third-party security audits
- Privacy impact assessments
- Penetration testing reports
- Compliance certification reviews
Audit Rights
Your Audit Rights
- Right to audit our data processing activities
- Access to compliance documentation
- Review of security measures and procedures
- Verification of subprocessor compliance
Audit Process
- Advance notice and scheduling
- Confidentiality and security requirements
- Scope and methodology agreement
- Report sharing and remediation
Data Retention and Deletion
Retention Policies
Data Retention
- Retain data only as long as necessary
- Follow legal and regulatory requirements
- Implement automatic deletion procedures
- Regular data minimization reviews
Data Deletion
- Delete data upon request or account closure
- Secure deletion from all systems and backups
- Verification of complete deletion
- Documentation of deletion process
Contact Information
Data Protection Officer
- Email: [email protected]
- Support Chat: https://deelrxcrm.com/support
Privacy Questions
- Email: [email protected]
- Support Chat: https://deelrxcrm.com/support
Regulatory Authorities
EU Residents: You can contact your local data protection authority or the Irish Data Protection Commission.
California Residents: You can contact the California Attorney General’s Office.
For questions or assistance, please reach our team through the chat at https://deelrxcrm.com/support.