DPA

Data Processing Agreement

This page summarizes Cruxi’s standard processor commitments for customers using the regulatory platform. For a countersigned version or procurement questions, contact privacy@cruxi.ai.

1. Roles

When a customer uses Cruxi to process personal data submitted to the service, the customer acts as controller and Cruxi acts as processor for that customer data.

2. Processing scope

  • Subject matter: delivery and support of the Cruxi regulatory platform.
  • Categories of data: account identifiers, contact data, uploaded workspace content, usage/security logs, and privacy request records.
  • Data subjects: customer personnel, customer users, and individuals whose data is uploaded by the customer.

3. Processor commitments

  • Process customer data only to provide the service and according to documented instructions embodied in the customer agreement and DPA.
  • Bind authorized personnel to confidentiality obligations.
  • Maintain appropriate technical and organizational measures for the live service.
  • Support data-subject requests and deletion/export workflows available in the product.

4. Security measures

  • Encrypted transport for data in transit.
  • Customer-managed Cloud KMS protection on the primary production Google Cloud Storage path used for current uploaded 510(k) documents and generated submission artifacts.
  • Managed infrastructure protections for database and other at-rest layers not separately stated as app-managed encryption.
  • Restricted production access and operational controls.
  • Tracked privacy-request workflows and self-service export/delete controls in the app.

For the current verified control summary, see How Cruxi Protects Your Data.

5. Subprocessors

Cruxi may use subprocessors for hosting, database, AI processing, analytics, identity, and payment operations. Current subprocessors are listed at /pages/legal/subprocessors.html.

6. Assistance and deletion

Cruxi supports customer privacy operations through in-app export, project deletion, account deletion, and formal DSAR workflows. Upon termination, customer data is deleted or returned according to the service configuration, customer instructions, and applicable legal obligations.

7. Contact

Privacy team: privacy@cruxi.ai

Trust and security overview: /data-protection