Data Processing Agreement

Last updated: March 15, 2026

This Data Processing Agreement ("DPA") supplements and is incorporated into the Gordon CRM Terms of Service (the "Agreement") between Gordon CRM ("Company", "we", or "us") and the customer agreeing to these terms ("Customer" or "you").

In the event of any conflict or inconsistency between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

1. Definitions

  • "Applicable Law" means all worldwide data protection and privacy laws applicable to the processing of Personal Data under this DPA, including, where applicable, the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK GDPR, and the California Consumer Privacy Act of 2018, as amended ("CCPA").
  • "Controller" means the entity that determines the purposes and means of the processing of Personal Data.
  • "Customer Data" means all data, including Personal Data, that Customer submits, stores, or processes through the Gordon CRM platform.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed by Gordon CRM on behalf of Customer in the course of providing the Services.
  • "Processor" means the entity that processes Personal Data on behalf of the Controller.
  • "Security Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Gordon CRM.
  • "Sub-processor" means any third-party Processor engaged by Gordon CRM to assist in fulfilling its obligations with respect to providing the Services.

2. Roles and Responsibilities

2.1. Parties' Roles: For the purposes of Applicable Law, Customer is the Controller (and/or Business) of the Personal Data, and Gordon CRM is the Processor (and/or Service Provider) processing Personal Data on behalf of Customer.

2.2. Customer's Responsibilities: Customer is solely responsible for the accuracy, quality, and legality of the Personal Data provided to Gordon CRM. Customer warrants that it has established a lawful basis for processing the Personal Data and has provided all necessary notices and obtained all necessary consents required by Applicable Law to permit Gordon CRM to process the Personal Data.

3. Gordon CRM Obligations as Processor

3.1. Processing Instructions: Gordon CRM will process Personal Data strictly in accordance with Customer's documented instructions, which are embodied in the Agreement, this DPA, and Customer's use of the Services. Gordon CRM will not process Personal Data for any other purpose unless required to do so by Applicable Law.

3.2. Confidentiality: Gordon CRM will ensure that all personnel authorized to process Personal Data are subject to strict obligations of confidentiality.

3.3. Security Measures: Gordon CRM will implement and maintain commercially reasonable technical and organizational security measures designed to protect Personal Data against unauthorized access, loss, or destruction.

4. Sub-processors

4.1. General Authorization: Customer grants Gordon CRM general written authorization to engage Sub-processors to assist in providing the Services (e.g., cloud hosting providers).

4.2. Notification of Changes: Gordon CRM will maintain an up-to-date list of its Sub-processors. Gordon CRM will provide Customer with prior notice of any intended changes concerning the addition or replacement of Sub-processors, giving Customer the opportunity to object to such changes on reasonable, data-protection-related grounds.

4.3. Sub-processor Liability: Gordon CRM will impose data protection terms on Sub-processors that provide at least the same level of protection for Personal Data as those in this DPA. Gordon CRM remains liable for any breach of this DPA caused by an act or omission of its Sub-processors.

5. Security Breach Notification

If Gordon CRM becomes aware of a confirmed Security Breach, we will notify Customer without undue delay and, where feasible, within 72 hours. Gordon CRM will provide Customer with information and cooperation reasonably necessary to assist Customer in fulfilling its data breach reporting obligations under Applicable Law. Gordon CRM's notification of a Security Breach will not be construed as an admission of fault or liability.

6. Data Subject Rights

Gordon CRM provides self-service features within the platform that allow Customer to access, correct, delete, or restrict the processing of Personal Data. If Customer cannot address a data subject's request via the platform, Gordon CRM will provide reasonable assistance to Customer, at Customer's expense, to fulfill the request. If a data subject makes a request directly to Gordon CRM, Gordon CRM will promptly redirect the data subject to Customer.

7. International Data Transfers

If the processing of Personal Data involves a transfer of data outside of the European Economic Area (EEA), the UK, or Switzerland to a jurisdiction that has not been deemed to provide an adequate level of data protection, such transfers will be governed by the Standard Contractual Clauses (Module Two: Controller to Processor) adopted by the European Commission, which are hereby incorporated by reference, or another lawful transfer mechanism recognized by Applicable Law (such as the EU-U.S. Data Privacy Framework).

8. Audits and Compliance

Upon Customer's reasonable written request, Gordon CRM will provide Customer with information reasonably necessary to demonstrate compliance with this DPA (such as a summary of our latest third-party security audits or SOC 2 report, provided under strict confidentiality). If Customer requires further verification, Customer may conduct an audit at its own expense, limited to once per calendar year, subject to mutually agreed-upon scope and timing.

9. Return or Deletion of Data

Upon termination or expiration of the Agreement, Gordon CRM will, at Customer's election or upon Customer's execution of the deletion tools within the platform, delete or return all Personal Data to Customer. Gordon CRM may retain Personal Data to the extent required by Applicable Law or within secure, automated backup archives, provided that such data remains protected and isolated from further processing until it is overwritten or deleted in accordance with Gordon CRM's standard retention schedules.

10. CCPA Specific Provisions (California)

To the extent the CCPA applies to the processing of Personal Data under this DPA, Gordon CRM certifies that it acts as a "Service Provider." Gordon CRM will not:

  • Sell or Share the Personal Information.
  • Retain, use, or disclose the Personal Information for any purpose other than for the specific business purpose of performing the Services under the Agreement.
  • Retain, use, or disclose the Personal Information outside of the direct business relationship between Customer and Gordon CRM.

Schedule 1: Details of Processing

Nature and Purpose of Processing:

Gordon CRM provides a Customer Relationship Management (CRM) platform. Personal Data is processed to allow Customer to manage contacts, track sales pipelines, utilize custom data fields, and facilitate communication in accordance with the Services.

Duration of Processing:

The duration of the Agreement and any applicable data retention period post-termination.

Categories of Data Subjects:

Customer's end-users, clients, prospects, employees, contractors, and any other individuals whose data Customer inputs into the platform.

Categories of Personal Data:

Determined entirely by the Customer via standard and custom fields; these categories typically include names, email addresses, phone numbers, job titles, business addresses, IP addresses, and interaction history. Note: Processing of highly sensitive data (e.g., SSNs, PHI) is strictly prohibited under the Acceptable Use Policy.

Data Importer / Processor Contact:

Gordon CRM
Attention: Privacy and Data Protection Officer
Email: [email protected]

Data Exporter / Controller Contact:

The contact information associated with the Workspace Owner's primary billing or administrative account within the Gordon CRM platform. Gordon CRM will direct all legal notices and Security Breach notifications to this email address.

Schedule 2: Technical and Organizational Measures (TOMs)

Description of the technical and organizational security measures implemented by the Data Importer (Gordon CRM) to ensure an appropriate level of security, taking into account the nature, scope, context, and purpose of the processing.

1. Physical Access Controls

Gordon CRM hosts its application and database infrastructure with industry-leading, SOC 2 and ISO 27001 certified cloud infrastructure providers (e.g., AWS, Supabase, Vercel). We do not maintain physical servers. Physical security, environmental controls, and perimeter defense of the data centers are strictly managed by these infrastructure providers.

2. Data Encryption (In Transit and At Rest)

  • In Transit: All Customer Data transmitted between the user's browser/client and Gordon CRM servers, as well as internally between our system components, is encrypted using industry-standard protocols (TLS 1.2 or higher / HTTPS).
  • At Rest: All Customer Data stored within the Gordon CRM primary databases and backup repositories is encrypted at rest using industry-standard encryption algorithms (e.g., AES-256).

3. System Access Controls

Gordon CRM implements strict logical access controls to ensure that only authorized personnel can access the systems processing Customer Data.

  • Authentication: Access to Gordon CRM's administrative environments and cloud infrastructure requires secure authentication, including mandatory Multi-Factor Authentication (MFA) for all Gordon CRM developers and administrators.
  • Principle of Least Privilege: Internal access to Customer Data is restricted to the absolute minimum number of personnel necessary to maintain the Service, provide requested customer support, or resolve technical anomalies.

4. Data Segregation

Gordon CRM is built on a multi-tenant SaaS architecture. We employ strict logical data segregation at the application and database tiers to ensure that Customer Data belonging to one workspace cannot be accessed by, or leak into, another workspace.

5. Availability and Resilience (Backups)

  • Redundancy: The Gordon CRM infrastructure is designed for high availability and fault tolerance, utilizing load balancing and redundant cloud environments.
  • Backups: We perform regular, automated backups of the primary databases to ensure that Customer Data can be rapidly restored in the event of a catastrophic technical failure or data corruption incident.

6. Vulnerability Management and Application Security

  • Patching: We regularly monitor our software dependencies and third-party libraries for known security vulnerabilities and apply patches and updates in a timely manner.
  • Secure Development: Gordon CRM employs secure coding practices and conducts code reviews prior to deploying new features to the production environment to prevent common web vulnerabilities (e.g., SQL injection, Cross-Site Scripting).

7. Incident Response

Gordon CRM maintains internal procedures for responding to security anomalies. In the event of a confirmed Security Breach, Gordon CRM will promptly contain the threat, identify the scope of the compromised data, and notify the affected Customer(s) without undue delay in accordance with this DPA and Applicable Law.