Data Processing Agreement

Effective: March 1, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between EnterSolutions d.o.o. ("Processor") and the customer ("Controller") for the use of EnterCRM services. This DPA is entered into pursuant to Article 28 of the GDPR.

1. Definitions

Controller: The customer who determines the purposes and means of processing personal data through EnterCRM.

Processor: EnterSolutions d.o.o., which processes personal data on behalf of the Controller.

Personal Data: Any information relating to an identified or identifiable natural person processed through the service.

Sub-processor: Any third party engaged by the Processor to process personal data on behalf of the Controller.

2. Scope and Purpose

The Processor shall process personal data only for the purpose of providing the EnterCRM service as described in the main service agreement, including: customer relationship management, event tracking and analytics, customer segmentation and RFM analysis, campaign management and delivery (email, SMS, ads), automation workflow execution, and reporting and analytics.

3. Types of Personal Data

Contact information (name, email, phone, address)

Company and employment information

Behavioral data (page views, clicks, purchases)

Transaction and financial data

Device and technical data (IP, browser, OS)

Communication data (email opens, SMS delivery)

4. Processor Obligations

  • Process personal data only on documented instructions from the Controller
  • Ensure that persons authorized to process data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to data subject requests
  • Notify the Controller without undue delay of any data breach
  • Delete or return all personal data upon termination of the agreement
  • Make available all information necessary to demonstrate compliance

5. Sub-processing

The Controller provides general authorization for the Processor to engage sub-processors. The Processor will maintain an up-to-date list of sub-processors and notify the Controller of any intended changes, providing the Controller an opportunity to object. Sub-processors are bound by equivalent data protection obligations.

6. Security Measures

Encryption at rest (AES-256) and in transit (TLS 1.3)

Role-based access control with least privilege principle

Regular security assessments and penetration testing

Automated backup with point-in-time recovery

Intrusion detection and monitoring systems

Multi-tenant data isolation at database level

Audit logging for all data access and modifications

Incident response procedures and disaster recovery plan

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include: the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed to address the breach.

8. Audit Rights

The Controller has the right to conduct audits, including inspections, to verify the Processor's compliance with this DPA. The Processor shall cooperate with such audits and provide all necessary information and access. Audits shall be conducted with reasonable notice and during normal business hours.

9. Data Return and Deletion

Upon termination of the service agreement, the Processor shall, at the Controller's choice, return all personal data or delete all personal data and certify deletion in writing. Data will be retained for a maximum of 30 days after termination to allow for data export, after which it will be permanently deleted from all systems including backups.

10. Term and Governing Law

This DPA shall remain in effect for the duration of the service agreement and for as long as the Processor processes personal data on behalf of the Controller. This DPA is governed by the laws of the Republic of Croatia. Any disputes shall be resolved by the competent courts in Zagreb, Croatia.

Contact

Email: legal@entersolutions.io

Address: EnterSolutions d.o.o., Zagreb, Croatia