Data Processing Agreement

(Click here for a signed Data Processing Agreement. Print it, sign it, scan it, and email it back to us.)

This Data Processing Agreement ("DPA") amends the Terms of Service ("Terms") for business and commercial Customers. If there is any conflict or inconsistency between this DPA and the Terms, this DPA will govern. Subject to the amendments in this DPA, the Terms remain in full force and effect.

This DPA reflects our mutual agreement on the terms governing the processing and security of Personal Data in connection with the General Data Protection Regulation ("GDPR"), effective in all European Economic Area ("EEA") member states as of May 25 2018. This DPA only applies to the extent that the GDPR applies to the processing of Personal Data.


The parties acknowledge and agree that:

  • Croissant is a Data Processor of Personal Data under the GDPR.
  • Customer is a Data Controller or Data Processor, as applicable, of Personal Data under the GDPR. (If Customer is a Data Processor, Customer warrants to Croissant that Customer’s instructions and actions with respect to Personal Data, including its appointment of Croissant as another Data Processor, have been authorised by the relevant Data Controller.)
  • Each party will comply with the obligations applicable to it under the GDPR with respect to the processing of Personal Data.

By entering into this DPA, Customer instructs Croissant to process Personal Data only in accordance with applicable law:

  • to provide the Data Processing and any related technical support;
  • as further specified via Customer’s use of the Data Processor services (including in the settings, preferences, and other functionality) and any related technical support;
  • as documented in the Terms of Service, Privacy Policy, and this DPA; and
  • as further documented in any other written instructions given by Customer and acknowledged by Croissant as constituting instructions for purposes of this DPA.

Croissant will comply with Customer instructions (including with regard to data transfers) unless EEA law to which Croissant is subject requires other processing of Personal Data by Croissant, in which case Croissant will inform Customer (unless that law prohibits Croissant from doing so on important grounds of public interest).


The Service includes tools for Customers to manually delete Personal Data as needed, e.g. per End User request; the Personal Data will be deleted from our systems as soon as reasonably practicable and within a maximum period of 180 days, unless EEA law requires storage.

Upon deletion of a Customer account, all Personal Data will be deleted from production and backup systems within 1 year.


Croissant maintains reasonable measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure or access. Secure (HTTPS) access is forced for Customers so login credentials and Personal Data is secure in transit. Backend access to servers and data, whether physical, shell, or administrative interfaces, is limited to employees who require it to perform their duties. No contractors or subprocessors are authorized for such access.

If Croissant becomes aware of a security breach leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer's Personal Data on our servers ("Incident"), we will notify Customer, via Customer's registered email address, of the Incident promptly and without undue delay, and take reasonable steps to minimise harm and secure Customer's data. Customer is responsible for providing a valid email address and ensuring their email address is current and valid. Our notification of or response to an Incident will not be construed as an acknowledgement of any fault or liability with respect to the Incident.

Customer agrees that they are solely responsible for their use of the Data Processor services, including securing the account credentials, systems and devices Customer uses to access the Processor Services. Croissant has no obligation to protect Customer's Personal Data that Customer elects to store or transfer outside of Croissant systems.


The GDPR gives EEA End Users the legal right to view their Personal Data, update incorrect Personal Data, and request Personal Data to be deleted. If we receive a request from an End User in the EEA in relation to Personal Data processed for a Customer, we will advise the End User to submit their request to Customer, and Customer will be responsible for responding to such request using the tools we have provided on our Site for handling Personal Data requests.

Customer agrees to use all reasonable measures to verify the identity of an End User before sharing or modifying Personal Data. Per GDPR recital 64, "the controller [Customer] should use all reasonable measures to verify the identity of a data subject [End User] who requests access, in particular in the context of online services and online identifiers."


Customer agrees that Personal Data may be transferred to Croissant in the United States of America, where it will be stored and processed. Croissant will provide at least the same level of privacy protection for EEA Personal Data as required under the U.S.-EU and U.S.-Swiss Privacy Shield frameworks.


This DPA is effective as of the date below and may be updated from time to time. We will notify you via your registered email address or a notice on this website prior to any significant changes becoming effective. You should periodically review the DPA online for the latest information.