Snap2CRM

The scanner that speaks fluent HubSpot.


Data Processing Agreement (DPA)

This section explains how we handle personal data on your behalf when you use Snap2CRM. We’ve written it to be transparent and easy to follow, so you understand your rights and our responsibilities under data protection laws. If anything is unclear or you need more details, just reach out – we’re happy to help.

1. Preamble / Introduction

This Data Processing Agreement (“DPA”) is entered into by and between the Customer (hereinafter the “Controller”) who uses the Snap2CRM service and

Marlon Kühn
c/o Block Services
Stuttgarter Str. 106
70736 Fellbach
Germany
Email: contact@snap2crm.com

(hereinafter the “Processor”).

This DPA forms an integral part of the Terms of Service or any other applicable service agreement (the “Agreement”) entered into between the Controller and the Processor for the provision of the Snap2CRM application and related services (the “Services”).

The purpose of this DPA is to ensure that the processing of personal data by the Processor on behalf of the Controller complies with the applicable data protection laws, in particular the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

This DPA sets out the rights and obligations of the Controller and the Processor with respect to the processing of personal data in connection with the Services. Both parties agree that this DPA is legally binding upon execution of the Agreement and shall remain in effect for the duration of the processing activities performed by the Processor on behalf of the Controller.

2. Subject Matter and Duration

The subject matter of this DPA is the processing of personal data by the Processor on behalf of the Controller in connection with the provision of the Snap2CRM application and related services.

The processing activities include, but are not limited to: collecting, storing, organizing, structuring, using, transmitting, and deleting personal data as necessary to provide the Services, including functionalities such as contact data extraction from scanned business cards, synchronization with HubSpot, and related customer support and operational features.

The duration of this DPA is determined by the duration of the Agreement between the Controller and the Processor. This DPA shall automatically terminate upon the termination or expiration of the Agreement, unless otherwise required by applicable law or expressly agreed by the parties.

3. Nature and Purpose of Processing

The nature of the processing includes the technical and organizational activities necessary to scan, structure, store, and transmit business contact data using the Snap2CRM application.

The purpose of the processing is to enable users to efficiently extract contact data from scanned business cards and synchronize it with their HubSpot account. This includes transforming unstructured scan input into structured data (e.g., name, email, phone number) and transmitting this data securely to designated systems.

Additionally, the Processor may process certain metadata and usage data for the purpose of app analytics, performance monitoring, bug tracking, and customer support, to maintain and improve the quality, reliability, and security of the Services.

AI-based technologies, including large language models (LLMs) and optical character recognition (OCR) systems, may be used to facilitate text extraction from business card scans. These technologies are used solely as part of the technical data processing required to fulfill the service and do not result in automated decision-making that produces legal or similarly significant effects on the data subjects.

4. Categories of Data Subjects

The processing activities carried out under this DPA relate to the following categories of data subjects:

• Business contacts whose personal data appears on scanned business cards, including but not limited to names, job titles, company names, phone numbers, and email addresses.

• Users of the Snap2CRM app, typically employees or authorized representatives of the Controller, whose data may be processed for the purposes of account management, authentication, and support.

5. Types of Personal Data

The Processor may process the following types of personal data on behalf of the Controller in connection with the Services:

• Contact details extracted from scanned business cards, including name, job title, company name, phone number, and email address.

• Metadata generated during the use of the Snap2CRM app, such as IP addresses, device identifiers, browser user-agent strings, and log data for technical and security purposes.

• User credentials and account-related information, including login identifiers and hashed passwords, necessary for user authentication and access management.

• Free-text entries and notes optionally entered by users in designated fields within the app, such as annotations about contacts.

• Temporarily processed data by integrated third-party AI or OCR services (e.g., for text extraction or enhancement of scans), which may involve the temporary handling of contact-related information solely for the purpose of providing the Services.

6. Rights and Obligations of the Controller

The Controller shall have the following rights and obligations under this DPA and in accordance with applicable data protection laws, including the GDPR:

• The Controller is solely responsible for ensuring that the collection and processing of personal data provided to the Processor for the performance of the Services is carried out in accordance with applicable data protection laws. This includes, but is not limited to, providing appropriate notices to data subjects, obtaining all necessary consents where required, and having a valid legal basis for the processing.

• The Controller is responsible for responding to data subjects’ requests to exercise their rights under the GDPR, including the rights of access, rectification, erasure, restriction of processing, data portability, and objection. Where the Processor receives such a request directly from a data subject and identifies that the request relates to the Controller’s data, the Processor shall forward the request to the Controller without undue delay.

• The Controller must ensure that the personal data it provides to the Processor is accurate, complete, and up to date, and that such data is relevant and limited to what is necessary in relation to the purposes for which it is processed.

• The Controller shall inform the Processor without undue delay if it detects errors or irregularities in the data processing or if it becomes aware of any violations of applicable data protection laws related to the Services.

7. Obligations of the Processor (Snap2CRM)

The Processor shall fulfill the following obligations in accordance with applicable data protection laws and this DPA:

• The Processor shall process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country or an international organization, unless required to do so by applicable law. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless prohibited by law.

• The Processor shall ensure that persons authorized to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

• The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including, where appropriate, measures such as pseudonymization and encryption, the ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems, and procedures for regularly testing, assessing, and evaluating the effectiveness of these measures.

• The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller’s obligation to respond to requests for exercising the data subject’s rights under the GDPR.

• The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (e.g., security of processing, notification of personal data breaches, and data protection impact assessments), taking into account the nature of processing and the information available to the Processor.

• The Processor shall not engage another processor (subprocessor) without prior specific or general written authorization of the Controller. In the case of general written authorization, the Processor shall inform the Controller of any intended changes concerning the addition or replacement of subprocessors, thereby giving the Controller the opportunity to object to such changes. The Processor shall enter into a written agreement with each subprocessor imposing data protection obligations equivalent to those set out in this DPA.

8. Sub-processors

The Controller authorizes the engagement of the following sub-processors by the Processor for the purposes of delivering the Snap2CRM Services:

• HubSpot Inc. – CRM integration and data synchronization
• Google LLC – AI and cloud-based services (e.g., Gemini, Google Cloud)
• Cloudflare, Inc. – Content delivery network and security infrastructure
• Strato AG – Primary hosting provider for the Snap2CRM infrastructure
• Atlassian – Customer support and issue tracking via Jira Service Management
• Stripe Payments Europe – Payment processing services
• Google Analytics (Google LLC) – App usage analytics and performance tracking

The Processor shall ensure that each sub-processor is bound by a written data processing agreement that imposes data protection obligations substantially equivalent to those set out in this DPA. The Processor shall remain fully liable to the Controller for the performance of each sub-processor’s obligations.

The Processor shall inform the Controller in advance of any intended addition or replacement of sub-processors. This notice shall be provided via email or through an in-app notification no less than thirty (30) days prior to the change. During this period, the Controller may object to the proposed change on reasonable data protection grounds. If no objection is raised within the notice period, the sub-processor shall be deemed approved.

9. International Data Transfers

In connection with the provision of the Snap2CRM Services, certain personal data may be transferred to, or otherwise processed in, countries outside the European Economic Area (“EEA”), including to countries that may not provide the same level of data protection as under the GDPR.

Where such transfers occur, the Processor shall ensure that appropriate safeguards are implemented in accordance with Chapter V of the GDPR. In particular, the Processor commits to using the European Commission’s Standard Contractual Clauses (SCCs) or ensuring that an adequacy decision exists for the relevant third country, or that other legally recognized safeguards are in place.

Certain subprocessors, such as Google LLC (e.g., for the provision of Gemini AI-based processing services), may temporarily process technical data outside the EU to facilitate app functionality and performance. This processing is limited to what is necessary for the technical execution of the Services and does not involve permanent storage of personal data in third countries.

The Processor ensures that any international transfer of data is subject to contractual obligations or other legal mechanisms that guarantee an adequate level of protection for the rights and freedoms of data subjects, consistent with applicable EU data protection requirements.

10. Security Measures

The Processor shall implement and maintain appropriate technical and organizational measures (“TOMs”) to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage, as required under Article 32 of the GDPR.

These security measures shall include, but are not limited to:

• Encryption of personal data in transit and at rest, where applicable  
• Role-based access controls and authentication mechanisms to limit data access to authorized personnel only  
• Logging and monitoring of data access and processing activities to detect unauthorized use or anomalies  
• Regular review and update of security policies and procedures, including internal audits and vulnerability assessments  
• Secure development practices and system hardening for software and infrastructure components  
• Data backup procedures and disaster recovery planning to ensure data integrity and availability  

A detailed description of the technical and organizational measures implemented by the Processor is provided in Annex I of this Agreement. The Processor may update such measures from time to time, provided that such updates do not result in a lesser level of security than those set forth herein.

11. Data Subject Rights

The Processor shall assist the Controller, to the extent reasonably possible and in accordance with the nature of the processing, in fulfilling the Controller’s obligation to respond to data subjects’ requests under Articles 15 to 22 of the GDPR. These rights include:

• The right of access (Art. 15)
• The right to rectification (Art. 16)
• The right to erasure (“right to be forgotten”, Art. 17)
• The right to restriction of processing (Art. 18)
• The right to data portability (Art. 20)
• The right to object (Art. 21)
• Rights relating to automated decision-making, including profiling (Art. 22)

Upon receiving such a request directly from a data subject, the Processor shall promptly forward the request to the Controller without undue delay and shall not respond to the data subject unless authorized to do so by the Controller.

The Processor shall provide all necessary assistance to the Controller in a timely manner to enable the Controller to comply with the applicable legal requirements for responding to such requests. The Processor shall support the Controller with appropriate technical and organizational measures, where necessary, and shall cooperate in good faith to address the request within the time limits set forth by the GDPR.

12. Personal Data Breaches

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and, where feasible, no later than 48 hours after becoming aware of the breach. The notification shall include at least the following information, to the extent available at the time:

• A description of the nature of the personal data breach, including, where possible, the categories and approximate number of data subjects and personal data records concerned  
• The name and contact details of the data protection officer or other contact point where more information can be obtained  
• A description of the likely consequences of the personal data breach  
• A description of the measures taken or proposed to be taken by the Processor to address the personal data breach, including, where appropriate, measures to mitigate its possible adverse effects  

The Processor shall cooperate fully with the Controller and provide all necessary information and support to enable the Controller to comply with its obligations under Articles 33 and 34 of the GDPR, including notification to the competent supervisory authority and, where applicable, to the affected data subjects.

Where it is not possible to provide all the required information at the same time, the initial notification shall contain the information available at that time, and further information shall be provided without undue delay as it becomes available.

The Processor shall document all data breaches, including the facts relating to the personal data breach, its effects, and the remedial action taken. Such documentation shall enable the Controller to verify compliance with the GDPR.

13. Audits and Inspections

The Controller has the right to audit and inspect the Processor’s data processing activities to verify compliance with this DPA and applicable data protection laws. Such audits may include on-site inspections of the Processor’s facilities or systems used in connection with the processing of personal data.

The Controller shall provide the Processor with reasonable advance notice of any intended audit or inspection, which shall be no less than thirty (30) days unless required earlier by law or in the case of a data breach. The audit shall be conducted during regular business hours and in a manner that minimizes disruption to the Processor’s operations. The Controller shall ensure that the audit is limited in scope to what is necessary to verify compliance with this DPA and shall not result in access to confidential information unrelated to the processing of personal data under this Agreement.

All information obtained or reviewed during the audit shall be treated as confidential and used solely for the purposes of assessing compliance with the DPA.

In lieu of conducting an on-site audit, the Processor may provide the Controller with existing attestations, certifications, or audit reports issued by independent third-party auditors (such as ISO 27001 certifications or SOC 2 Type II reports), provided that such documents are not older than twelve (12) months and cover the relevant processing activities performed on behalf of the Controller.

The Controller may perform no more than one (1) audit or inspection per calendar year, unless required by a competent data protection authority or due to a significant data protection incident or breach.

14. Deletion or Return of Personal Data

Upon termination or expiration of the Agreement, the Processor shall, at the choice of the Controller, delete or return all personal data processed on behalf of the Controller, unless otherwise required by applicable law to retain such data.

The Controller shall notify the Processor in writing of its choice (deletion or return) within thirty (30) days of the termination of the Agreement. If no instruction is received within this period, the Processor shall proceed with the deletion of all personal data in its possession, unless retention is required by applicable law.

Where the Controller elects to have the data returned, the Processor shall deliver the data in a commonly used, structured, and machine-readable format within thirty (30) days of receiving the Controller’s written request. The Processor may use secure electronic means for data delivery and shall ensure that the data is transferred in a secure and protected manner.

The deletion of data by the Processor shall be carried out in accordance with industry-standard practices to ensure that the data is permanently removed from active systems and backups, unless otherwise required by legal retention obligations.

Upon completion of the deletion or return process, the Processor shall provide written confirmation to the Controller that the requested action has been completed.

15. Liability and Indemnity

Each party shall be liable for the damages it causes by any breach of this DPA in accordance with applicable data protection laws, including Article 82 of the GDPR.

The Processor shall be liable for damage caused by processing only where it has not complied with obligations of the GDPR specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.

Unless otherwise provided in the Agreement, the liability of either party under this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement. Neither party shall be liable for indirect, incidental, or consequential damages, including loss of profits, except in cases of willful misconduct or gross negligence.

The Controller agrees to indemnify and hold harmless the Processor against all claims, actions, third-party claims, losses, damages, and expenses incurred by the Processor arising out of or in connection with any breach of this DPA or applicable data protection laws by the Controller, except to the extent that the Processor is responsible for the breach.

16. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Federal Republic of Germany, without regard to its conflict of law provisions.

The parties agree that the courts of Berlin, Germany, shall have exclusive jurisdiction over any disputes arising out of or in connection with this DPA, subject to any mandatory provisions of applicable data protection law.

Alternatively, the parties may mutually agree to resolve disputes through arbitration in accordance with the rules of the German Institution of Arbitration (DIS), with the seat of arbitration in Berlin and the language of the proceedings being English.

17. Miscellaneous

This DPA may only be amended, modified, or supplemented by a written agreement signed by both parties, unless otherwise required under applicable law. Oral agreements shall have no binding effect unless confirmed in writing.

Should any provision of this DPA be or become invalid or unenforceable, in whole or in part, the validity of the remaining provisions shall not be affected. The invalid or unenforceable provision shall be replaced by a valid and enforceable provision that most closely reflects the parties’ original intent and the economic purpose of the invalid provision.

This DPA, together with the Agreement and its Annexes, constitutes the entire agreement between the parties concerning the processing of personal data and supersedes any prior agreements, understandings, or arrangements between them, whether oral or written, relating to such subject matter.

Annex I: Technical and Organizational Measures (TOMs)

To ensure the security and confidentiality of personal data processed on behalf of the Controller, the Processor has implemented the following technical and organizational measures (TOMs) in accordance with Article 32 of the GDPR:

1. Access Control
  • Access to systems and personal data is restricted based on role-based permissions and the principle of least privilege.  
  • Authentication mechanisms, such as strong password policies and multi-factor authentication (MFA), are enforced for administrative and user accounts.  
  • Logical and physical access to processing systems is logged and regularly reviewed.  
  • Access rights are periodically audited and updated in case of role changes or employee offboarding.

2. Encryption
  • Personal data is encrypted both in transit (e.g., via TLS/HTTPS) and at rest using industry-standard algorithms.  
  • Encryption keys are managed securely, with regular rotation and access limitations.  
  • Endpoints and APIs that transmit personal data are secured using modern cryptographic protocols.

3. Backup, Monitoring, and Failover
  • Regular backups of critical data are performed and stored securely to prevent data loss.  
  • Monitoring tools are in place to detect anomalies, unauthorized access, and potential system failures.  
  • High-availability infrastructure and failover mechanisms are implemented to ensure service continuity and resilience.  
  • Logs are maintained and reviewed to monitor system activity and security events.

4. Staff Training and Awareness
  • Employees and contractors involved in data processing receive regular training on data protection, information security, and privacy principles.  
  • Confidentiality agreements are signed by all personnel with access to personal data.  
  • Security awareness campaigns are conducted to reinforce secure data handling practices.

5. Data Minimization and Privacy by Design
  • Data collection and processing are limited to what is necessary for the defined purposes.  
  • Pseudonymization or anonymization techniques are applied where feasible to reduce privacy risks.  
  • Product development follows a privacy-by-design approach, with security and data protection built into features and infrastructure from the outset.

Annex II: List of Sub-Processors

The following sub-processors are authorized by the Controller for use by the Processor in connection with the Snap2CRM Services. Each sub-processor has entered into a written data processing agreement with the Processor that includes data protection obligations consistent with this DPA.

The Processor will notify the Controller of any intended changes to this list in accordance with the procedure described in Section 8 of this DPA.

| Sub-Processor | Service Description | Location of Processing | Legal Basis for Transfer (if outside EU) |
| --- | --- | --- | --- |
| HubSpot Inc. | CRM integration and data synchronization | USA | Standard Contractual Clauses (SCCs) |
| Google LLC | AI and cloud services (e.g., Gemini, Google Cloud) | USA / Worldwide | Standard Contractual Clauses (SCCs) |
| Cloudflare, Inc. | CDN and security infrastructure | USA / Global Network | Standard Contractual Clauses (SCCs) |
| Strato AG | Primary hosting provider | Germany | N/A (Processing within EU) |
| Atlassian | Customer support (Jira Service Management) | EU / USA | Standard Contractual Clauses (SCCs) |
| Stripe Payments Europe | Payment processing | Ireland / USA | Standard Contractual Clauses (SCCs) |
| Google Analytics | App usage analytics | USA | Standard Contractual Clauses (SCCs) |