
Data Processing Agreement

Last updated: May 2026

This Data Processing Agreement (“DPA”) supplements the Crestento Terms of Service and Privacy Policy. It applies where you (the Customer / data Controller) use Crestento (the Processor) to process Personal Data on your behalf and either party is subject to GDPR, UK GDPR, or similar regulations.

1. Subject matter and duration

We act as a Processor of Personal Data on your behalf. Processing continues for the term of your subscription and the data-retention period described in our Privacy Policy.

2. Nature and purpose of processing

We process Personal Data to provide the Crestento service: accepting your input, generating draft reviews, storing drafts and history, exporting them as PDF or Word, and managing your subscription.

3. Categories of data subjects and personal data

Data subjects: the Customer’s employees who are the subject of performance reviews drafted using the service, and the Customer’s authorised users (managers / HR staff).

Categories of personal data: employee names, review periods, manager observations, accomplishments, development goals, and any other content the Customer enters or attaches. We do not require, and we discourage entry of, sensitive categories such as health, religion, political opinions, sexual orientation, or genetic data.

4. Sub-processors

We use the sub-processors listed at /sub-processors. Each sub-processor publishes its own terms of service, privacy policy and, for the larger providers, a Data Processing Addendum that govern its handling of customer data. We select sub-processors whose published data-protection commitments are at least as protective as those described in this DPA, and we update the public list whenever we add or change a sub-processor.

  • We provide notice of new sub-processors via the /sub-processors page before they go live.
  • Sub-processors process Personal Data under their own published terms; Crestento is not responsible for the independent acts or omissions of a sub-processor outside our control. Where required, customers may raise objections to a specific sub-processor via the support address on their billing receipt — we will work with them in good faith on alternatives, though for foundational providers (database, AI, hosting) an alternative may not be operationally feasible.

5. Confidentiality and security

  • We require all personnel with access to Personal Data to be bound by confidentiality obligations.
  • We implement appropriate technical and organisational measures to protect Personal Data — see /security for the current baseline.

6. International transfers

Where Personal Data is transferred outside the EU/UK, we rely on the Standard Contractual Clauses (and the UK Addendum where applicable) with our sub-processors as the legal mechanism.

7. Data subject rights and Customer assistance

Where a data subject contacts us with a request to exercise their rights (access, rectification, erasure, portability), we will promptly forward the request to the Customer and assist the Customer in responding within statutory deadlines.

8. Security incident notification

We will notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer data, including a description of the breach, likely consequences, and measures taken or proposed.

9. Audits

On reasonable written request (no more than once per 12 months unless required by a regulator), we will respond in good faith to a documented Customer security questionnaire and share the publicly-available materials we already maintain about our practices — principally our /security and /privacy pages, our published sub-processor list, and a written response to specific questions. We are a small SaaS and do not currently hold SOC 2 or ISO 27001 certifications; we do not provide on-site or live-system audits. Where a regulator requires more, we will cooperate within what the law actually requires of a processor of our size.

10. Deletion or return on termination

On termination of your subscription, we delete Personal Data within 30 days unless retention is required by law (e.g., billing records). Customers may export their data at any time prior to deletion via the export functions in the application.

11. Liability

Liability under this DPA is governed by the limitations in our Terms of Service.

12. Counter-signed DPA

By default, this published DPA forms the data-processing terms between you and Crestento when you accept our Terms of Service, and no signature is required — using the service is acceptance.

If your procurement process requires a counter-signed document, you have two options:

  • Print and sign this DPA as published and return a copy to the support address on your billing receipt — we will return a counter-signed PDF within five business days, with no substantive changes.
  • Send us your own proposed DPA. We will review it in good faith and tell you whether we can sign it as-is, sign it with minor markups, or — if the obligations go beyond what we can reasonably take on as a small SaaS processor — politely decline and ask you to use the published DPA above. Review turnaround is typically 5–10 business days; we may charge a legal-review fee for materially-customised agreements, quoted in advance.