Data Processing Agreement (DPA)
Last Updated: January 19, 2026
Summary
This standard DPA describes Cruxi’s security and privacy commitments when processing personal data on behalf of a client. For execution (e-sign / countersignature) or questions, contact privacy@cruxi.ai.
1. Parties and Roles
- Customer is the “Controller” (or “Business” under analogous laws) for Customer Personal Data.
- Cruxi is the “Processor” (or “Service Provider” under analogous laws) for Customer Personal Data.
This DPA applies when Cruxi processes personal data on Customer’s behalf in connection with the Cruxi services.
2. Processing Details
2.1 Subject matter
Provision of the Cruxi platform and related support.
2.2 Duration
For the term of the services, plus any retention period described in applicable agreements and Cruxi’s policies.
2.3 Nature and purpose
Processing necessary to provide the services (e.g., hosting, analytics for service reliability, support troubleshooting).
2.4 Categories of data subjects and data
- Data subjects: Customer users, Customer employees/contractors, and other individuals whose data is submitted to the service by Customer.
- Data categories: contact data (e.g., name, email), account identifiers, usage/security logs, and any content uploaded by Customer.
3. Processor Obligations
- Process personal data only on documented instructions from Customer (including this DPA and the Customer agreement).
- Ensure persons authorized to process personal data are bound by confidentiality.
- Implement appropriate technical and organizational measures (see Section 6).
- Notify Customer of personal data breaches without undue delay after becoming aware.
- Assist Customer with data subject requests and regulatory inquiries as described in Section 5.
4. Sub-processors
Cruxi may engage sub-processors (e.g., cloud hosting, email delivery, analytics) to provide the services. Cruxi will ensure sub-processors are subject to contractual obligations substantially similar to this DPA.
For questions about sub-processors, contact privacy@cruxi.ai.
5. Assistance
5.1 Data subject requests
Cruxi will provide reasonable assistance to Customer in fulfilling data subject rights requests (access, deletion, rectification, etc.) to the extent Customer cannot do so independently through the service.
5.2 Security, DPIAs
Upon reasonable request, Cruxi will provide information necessary to demonstrate compliance and support Customer’s DPIA/assessment efforts, subject to confidentiality and security constraints.
6. Security Measures
Controls (high-level)
- Encryption: TLS in transit; encryption at rest where supported by infrastructure.
- Access control: least privilege, restricted production access, audit logging.
- Monitoring: service health and security monitoring, incident response procedures.
- Backups: encrypted backups and controlled restore processes (where applicable).
- Vendor management: contractual controls with sub-processors.
Security controls evolve over time. If you need a security questionnaire or more detailed annex information, contact privacy@cruxi.ai.
7. International Transfers
Where personal data is transferred internationally, Cruxi will rely on valid transfer mechanisms (e.g., Standard Contractual Clauses) as applicable.
8. Deletion / Return
Upon termination of the services, Cruxi will delete or return Customer Personal Data as described in the Customer agreement, subject to legal retention requirements and backup lifecycle constraints.
9. Contact
Privacy contact
Email: privacy@cruxi.ai
Address: Cruxi, Inc., 730 Third Avenue, New York, NY 10017, United States