Version 1.0 · In force from 24 April 2026
This Data Processing Agreement (DPA) supplements the CrowAgent Terms of Service between CrowAgent Ltd ("CrowAgent", the processor) and the Customer (the controller) and applies whenever CrowAgent processes personal data on behalf of the Customer. It is entered into under UK GDPR Article 28 and EU GDPR Article 28.
Subject matter: the provision of the CrowAgent platform services (EPC lookups, MEES compliance analysis, PPN 002 Social Value scoring, CSRD applicability checks, billing).
Duration: for the term of the Customer's subscription plus the retention periods set out in our Data Retention Policy.
Nature and purpose: hosting, storage, retrieval, modification, processing, and deletion of Customer personal data to deliver the services.
Data subjects: Customer employees, contractors, and representatives who use the CrowAgent platform under the Customer's account.
Categories: name, work email, job title, company, authentication metadata (password hash, MFA secrets), product usage events, billing and VAT identifiers, IP address, and error telemetry.
Special categories: none. The Customer must not upload special-category data under UK GDPR Article 9 to the platform.
CrowAgent shall:
The Customer provides a general authorisation for CrowAgent to engage sub-processors listed on our Sub-processors page. CrowAgent will inform the Customer of any intended changes via the same page and by email to the billing contact at least 30 days in advance, giving the Customer the opportunity to object on reasonable grounds. Where the Customer objects and the objection cannot be resolved, the Customer may terminate the affected services.
CrowAgent imposes the same data protection obligations on each sub-processor by written contract (SCC-based DPA or equivalent), and remains fully liable to the Customer for the performance of its sub-processors.
CrowAgent shall, taking into account the nature of the processing, assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests to exercise data subject rights. Platform self-service tooling covers access (via account export), rectification (via profile editing), and erasure (via account deletion). For other requests, Customer should email hello@crowagent.ai and we respond within 72 hours.
CrowAgent shall notify the Customer without undue delay and in any event within 48 hours of becoming aware of a personal data breach affecting Customer data. The notification will describe the nature of the breach, categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
Customer personal data is hosted in the UK/EEA as set out on our Data Residency page. Where a sub-processor operates outside the UK/EEA, transfers are governed by the UK International Data Transfer Agreement (IDTA) or EU Standard Contractual Clauses (SCCs), with additional safeguards (encryption in transit and at rest, minimisation, access control) as required.
CrowAgent allows Customer audits once per twelve-month period with 30 days' written notice. Ad-hoc audits may be conducted at Customer cost following a personal data breach affecting the Customer. CrowAgent provides current SOC-2 / ISO 27001 documentation in lieu where the Customer accepts.
Liability under this DPA is subject to the limitations in the Terms of Service. The DPA is governed by the laws of England and Wales, with jurisdiction in the courts of England.
For customers on Starter, Pro, or Portfolio plans this DPA is self-serving: clicking through at checkout accepts this DPA and the referenced sub-processor list. Enterprise customers requiring a counter-signed copy may request one at hello@crowagent.ai.