This Data Processing Addendum ("DPA") forms part of the agreement between Praxxii Global ("Prax CRM", "we", "us", "Processor") and the Customer ("you", "Controller") for use of Prax CRM. It applies whenever we process personal data on your behalf in our capacity as your processor.
This page is the public summary; the signed execution copy (a PDF countersigned by us) is available on request from privacy@praxcrm.com. Enterprise customers may negotiate custom terms.
1. Roles & subject matter
You determine the purposes and means of processing Customer Data. We process it solely on your documented instructions, as set out in the underlying Terms of Service, your configuration of the Service, and any written request you make.
- Subject matter — the personal data you upload to or generate within Prax CRM.
- Duration — for the term of your subscription, plus the 30-day read-only retention window described in our Privacy Policy.
- Nature & purpose — providing the Prax CRM service: storage, retrieval, search, sorting, sending of communications you initiate, generation of reports.
- Categories of data subjects — your employees, customers, leads, vendors, and any other individuals whose data your team chooses to put into a workspace.
- Categories of personal data — name, contact details, employer, role, ID document numbers (if you upload them), salary, attendance, sales records, communications history, and other content as you direct.
2. Processor obligations
We will:
- Process Customer Data only on your documented instructions, including for international transfers, unless required to do so by law (and we'll tell you if we are, unless the law itself prohibits the disclosure).
- Ensure the people authorised to process Customer Data are bound by confidentiality obligations.
- Apply the technical and organisational measures listed in Annex 2 below.
- Assist you, by appropriate technical and organisational measures, with responding to data-subject requests under applicable law.
- Assist you with security obligations, breach notifications, DPIAs and prior consultations with supervisory authorities — at your reasonable request and expense for non-trivial assistance.
- At your choice, delete or return all Customer Data at the end of the term, except where law requires retention.
- Make information reasonably necessary to demonstrate compliance available to you, and allow audits as described in section 7.
3. Controller obligations
You will:
- Collect and provide Customer Data with a valid lawful basis.
- Give privacy notices to your data subjects as required by law.
- Configure the Service in line with the principles of data minimisation and storage limitation — only put into Prax CRM what you need to.
- Manage Authorised User access, MFA, and offboarding.
- Respond to data-subject requests within statutory deadlines, using the self-serve tools we provide.
4. Subprocessors
You authorise us to engage subprocessors to provide the Service. The current list, with each subprocessor's region and purpose, is at /legal/subprocessors.
- We give you at least 30 days' notice before adding or replacing a subprocessor (via in-app banner and email to the billing contact).
- You may object in writing during that window. If we can't accommodate the objection, you may terminate the Order for the affected services and receive a refund of pre-paid, unused fees.
- Each subprocessor is bound by data-protection obligations no less protective than this DPA.
- We remain liable for the acts and omissions of our subprocessors, to the extent we'd be liable for our own.
5. International transfers
Where Customer Data of EU/EEA, UK or Swiss residents is transferred outside those regions, the European Commission's Standard Contractual Clauses (Module 2 controller-to-processor or Module 3 processor-to-processor, as applicable) — together with the UK International Data Transfer Addendum and the Swiss FDPIC's adaptations — are incorporated into this DPA by reference. The clauses prevail over any conflicting provision.
For Indian residents, transfers comply with the Digital Personal Data Protection Act, 2023 and any rules notified thereunder. We do not transfer Indian personal data to countries that the Central Government of India has notified as restricted.
6. Security & breach notification
We apply the technical and organisational measures listed in Annex 2. We'll notify you of confirmed personal-data breaches without undue delay and within 72 hours of our discovery where law requires. The notice will include the nature of the breach, scope, likely consequences, mitigation steps, and a follow-up contact.
7. Audit rights
On reasonable written notice, no more than once per year (and on top of any audit triggered by a confirmed breach affecting your data), you may audit our compliance with this DPA. Audits will be conducted during business hours, at your expense, by an independent third party bound by confidentiality and not a competitor of ours, and will respect the confidentiality and operational continuity of other customers.
Where available, our SOC 2 / ISO 27001 / penetration-test reports will satisfy the audit obligation.
8. Liability
Each side's liability under this DPA is subject to the same caps and exclusions as the underlying Terms of Service. Liability under the Standard Contractual Clauses, where mandatory, prevails.
9. Term & survival
This DPA takes effect on the start of your subscription and ends when all Customer Data has been deleted or returned in line with your instructions or the default 60-day post-termination delete window. Sections that should survive (confidentiality, audit, breach notification for the period the breach relates to) survive accordingly.
Annex 1 — Description of processing
The substantive description is at section 1 above; this annex is its identifier for SCC purposes.
Annex 2 — Technical & organisational measures
We apply the following measures (non-exhaustive):
- Tenant isolation — every list query is scoped by workspaceId (and indexed on it); every mutation re-checks that the target row belongs to the caller's workspace before writing.
- Encryption — TLS 1.2+ in transit; AES-256 at rest. Cryptographic key management is delegated to the underlying cloud provider's KMS.
- Access control — role-based, designation-driven, server-side enforced. MFA (TOTP and WebAuthn passkeys) available on every plan; required for our own engineering access.
- Authentication — Argon2id password hashing (m=64MB, t=3, p=1). Session tokens are stored server-side as hashes only.
- Brute-force protection — per-email and per-IP rate limiting on login, password reset, signup.
- Audit logging — every create / edit / delete written to an immutable, workspace-scoped log.
- Secure SDLC — code review on every change, automated dependency scanning, branch protection on main, signed releases.
- Vulnerability management — public security.txt + PGP key, responsible-disclosure programme.
- Patch & backup — managed-platform OS patching; 90-day rolling encrypted backups; documented restore procedure.
- Incident response — on-call rotation, written runbook, post-incident reviews.
- Personnel — background checks for engineers with production access; written confidentiality agreements; access review at offboarding.
- Data minimisation — card CVVs never stored; PAN reduced to last-four for display; payment data lives in the gateway, not in our DB.
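As an added illustration of the tenant-isolation measure above (example code written for this summary, not Prax CRM's own implementation; the table, column names and sample rows are constructed assumptions), a list query scoped by workspace and a mutation that re-checks the row's workspace in the same statement as the write:

```python
import sqlite3

# Constructed in-memory schema standing in for a CRM "contacts" table.
# Table and column names are assumptions, not Prax CRM's actual schema.
SCHEMA = """
CREATE TABLE contacts (
    id INTEGER PRIMARY KEY,
    workspace_id TEXT NOT NULL,
    name TEXT NOT NULL
);
CREATE INDEX idx_contacts_workspace ON contacts(workspace_id);
"""


def open_db():
    db = sqlite3.connect(":memory:")
    db.executescript(SCHEMA)
    # Constructed sample rows belonging to two different tenants.
    db.executemany("INSERT INTO contacts VALUES (?, ?, ?)",
                   [(1, "ws-a", "Alice"), (2, "ws-b", "Bob")])
    return db


def list_contacts(db, workspace_id):
    # Every list query carries the caller's workspace in the WHERE clause;
    # there is deliberately no code path that lists rows across workspaces.
    return db.execute(
        "SELECT id, name FROM contacts WHERE workspace_id = ? ORDER BY id",
        (workspace_id,)).fetchall()


def rename_contact(db, workspace_id, contact_id, new_name):
    # The mutation re-checks the row's workspace in the same UPDATE as the
    # write, so a caller supplying another tenant's row id changes nothing.
    cur = db.execute(
        "UPDATE contacts SET name = ? WHERE id = ? AND workspace_id = ?",
        (new_name, contact_id, workspace_id))
    db.commit()
    # 1 when the row is in the caller's workspace, 0 otherwise; callers treat
    # 0 as "not found" rather than distinguishing foreign rows from missing ones.
    return cur.rowcount
```

Returning 0 rows for a foreign id (rather than an explicit "belongs to another workspace" error) also avoids confirming that the id exists at all.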
Annex 3 — Subprocessors
See /legal/subprocessors for the live list (region, purpose, contact). Updates publish to that page; admins receive 30 days' notice via email and an in-app banner.
Sign & return
Email privacy@praxcrm.com with your workspace domain to receive a countersign-ready PDF. Custom DPAs (specific Annex 2, custom audit windows, expanded SCCs) are available on Enterprise.