Data Processing Agreement (DPA)

This page is provided for convenience and may be updated over time.

This DPA is intended for Finland/EU customers.

This Data Processing Agreement ("DPA") is part of the Terms of Service and applies when Lingonberry Island Ltd. (Bus.ID: FI2912630-1, Finland) processes personal data on behalf of the customer as a processor.

Privacy notice URL: Privacy Notice

1. Parties

  • Processor: Lingonberry Island Ltd. (Bus.ID: FI2912630-1, Finland) ("Processor")
  • Customer: The entity that has agreed to the Terms of Service ("Controller")

2. Subject matter and duration

Processor provides the CallersApp CRM service and processes personal data on behalf of Controller for the duration of the service subscription, plus any retention periods described in Section 10.

3. Nature and purpose of processing

Processor processes personal data to provide the CRM service, including user authentication, storage of workspace content, analytics, billing, and support.

4. Categories of data and data subjects

See Annex 1 for details of data categories and data subjects.

5. Controller instructions

Processor will process personal data only on documented instructions from Controller, including this DPA, the Terms of Service, and any additional written instructions agreed by the parties.

6. Confidentiality

Processor ensures that persons authorized to process personal data are bound by confidentiality obligations.

7. Security measures

Processor implements appropriate technical and organizational measures to protect personal data. See Annex 2 for details.

8. Subprocessors

Processor uses subprocessors listed in the Subprocessor List. Processor will:

  • Enter into written agreements with subprocessors that impose equivalent data protection obligations.
  • Remain responsible for subprocessors' performance.
  • Provide notice of material changes to the subprocessor list and allow Controller to object on reasonable grounds.

9. International transfers

Primary service infrastructure is hosted in the EU. Some subprocessors may process data outside the EEA.

Where personal data is transferred outside the EEA, Processor relies on appropriate safeguards such as Standard Contractual Clauses or equivalent transfer mechanisms provided by the relevant subprocessor.

10. Deletion and return

Upon termination or expiration of the service:

  • Controller has 30 days to export workspace data.
  • Processor will delete workspace data within 90 days after access ends, subject to backup retention and legal obligations.

11. Assistance with data subject requests

Processor will provide reasonable assistance to Controller to respond to data subject requests, including access, deletion, rectification, and portability, within the limits of the service and applicable law.

12. Security incidents

Processor will notify Controller without undue delay after becoming aware of a personal data breach and will provide information needed for Controller's notification obligations.

13. Audits

Upon reasonable notice, Controller may audit Processor's compliance with this DPA. Processor may satisfy audit requests through third-party certifications, reports, or summaries where appropriate to protect security and confidentiality.

14. Liability

Liability under this DPA is subject to the limitations set out in the Terms of Service unless otherwise required by applicable law.

Annex 1: Details of processing

A. Categories of data subjects

  • Customer employees, contractors, and authorized users.
  • Customer contacts stored in workspaces.
  • Customer end users or consumers where data is entered by the customer.

B. Categories of personal data

  • Identity data: name, email address, authentication identifiers.
  • Workspace content: contacts, notes, call lists, tags, and related CRM data.
  • Email integration data (if enabled): Gmail account identifiers and message metadata; optional message bodies/snippets depending on settings.
  • AI processing data (if enabled): text inputs such as email content/snippets and metadata that the Controller configures the service to send to an AI provider.
  • Usage data: IP address, device/browser identifiers, telemetry, and logs.
  • Billing data: billing contact info, Stripe customer IDs, subscription status.

C. Processing activities

  • Authentication and access control.
  • Storage, retrieval, and display of workspace content.
  • Optional Gmail sync and email history features.
  • Optional AI-assisted features using an AI provider API (if enabled).
  • Usage analytics, error monitoring, and security logging.
  • Billing and account administration.

Annex 2: Technical and organizational measures (TOMs)

The following measures are implemented or planned for production environments:

  • Access control: Firebase authentication, role-based access, and workspace isolation via tenant claims.
  • Encryption in transit: TLS for all external connections.
  • Encryption at rest: database and storage encryption provided by the hosting provider; Gmail OAuth tokens encrypted at rest in production.
  • Monitoring: Sentry error tracking and Prometheus metrics (if enabled).
  • Audit logging: security-relevant events and administrative actions.
  • Operational security: least-privilege access for staff and change controls for production systems.
© 2026 Lingonberry Island Ltd. · CallersApp