
Data Processing Addendum

Last updated: June 3, 2026
Effective: June 3, 2026

This Data Processing Addendum ("DPA") sets out how ClientForge Lab, operated by Crystal Palace Metals Inc. ("Processor"), processes personal data on behalf of you, the subscriber ("Controller"), in connection with the ClientForge Lab service. This DPA is standalone — it can be signed separately — and is incorporated into and subject to the Terms of Service ("Agreement").


1. Definitions

In this DPA, the following terms have the meanings set out below. Terms used but not defined here have the meaning given in the Agreement.

| Term | Meaning |
| --- | --- |
| Controller | The Customer (you), who determines the purposes and means of processing personal data of Data Subjects. |
| Processor | Crystal Palace Metals Inc. (d/b/a ClientForge Lab), which processes personal data on behalf of the Controller. |
| Data Subject | The individual whose personal data is being processed — typically the Controller's end customers, leads, or prospects. |
| Personal Data | Any information relating to an identified or identifiable natural person, as defined under applicable Data Protection Laws. |
| Processing | Any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction. |
| Data Protection Laws | All applicable laws and regulations relating to the processing of Personal Data, including (as applicable): the EU General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679); the UK GDPR as incorporated into UK law by the Data Protection Act 2018; the California Consumer Privacy Act (CCPA) as amended by the CPRA; and any other applicable national or state data protection legislation. |
| Sub-Processor | Any third party engaged by the Processor to process Personal Data on behalf of the Controller. |
| Standard Contractual Clauses (SCCs) | The standard data protection clauses adopted by the European Commission for transfers of personal data to third countries (currently Commission Implementing Decision (EU) 2021/914). |
| Supervisory Authority | The competent data protection authority having jurisdiction over the Controller or Processor. |

2. Roles and Instructions

2.1 Controller and Processor

The parties acknowledge that, with respect to the Personal Data described in Section 4:

  • The Controller (you) determines the purposes and means of processing that Personal Data.
  • The Processor (Crystal Palace Metals Inc.) processes that Personal Data only on documented instructions from the Controller, which are set out in this DPA and the Agreement.

2.2 Compliance with Instructions

The Processor will process Personal Data only on documented instructions from the Controller, including as set out in this DPA, unless required to do so by applicable law, in which case the Processor will notify the Controller of that legal requirement before processing, unless the law prohibits such notification on grounds of public interest.

2.3 Controller Obligations

The Controller warrants that: (a) it has a valid legal basis under applicable Data Protection Laws for the processing of Personal Data it directs the Processor to perform; (b) it has obtained all necessary consents and provided all required notices to Data Subjects; and (c) its instructions to the Processor comply with applicable law.


3. Subject Matter and Scope

Subject matter: The provision of the ClientForge Lab Service, including lead capture, customer conversation management, and outreach automation via WhatsApp, email, and (where enabled) SMS.

Duration: The term of the Customer's active subscription to the Service, plus 30 days following termination (the period during which data return and deletion obligations apply — see Section 12).

Nature of processing: Storage, retrieval, transmission, display, analysis, and automated routing of Personal Data as required to operate the Service.


4. Categories of Data and Data Subjects

4.1 Categories of Personal Data

The Personal Data processed under this DPA may include, depending on what the Controller uploads or generates through the Service:

  • Contact information (names, email addresses, phone numbers, business details)
  • Business communication records (message content, conversation histories, notes)
  • Lead and customer records (source, status, interaction history, custom fields)
  • Any other data the Controller chooses to input into the Service

The Processor does not knowingly collect or process special categories of personal data (sensitive data) under this DPA. The Controller must not use the Service to process sensitive personal data (health data, biometric data, racial or ethnic origin, etc.) without first obtaining Processor's written consent and entering into appropriate supplemental terms.

4.2 Categories of Data Subjects

The Data Subjects are the Controller's end customers, leads, and prospects whose contact and communication data the Controller manages through the Service.


5. Processor Obligations

The Processor agrees to:

  1. Process Personal Data only on documented instructions from the Controller (including as set out in this DPA), unless otherwise required by applicable law.
  2. Ensure that personnel authorized to process Personal Data are subject to binding confidentiality obligations.
  3. Implement and maintain the technical and organizational security measures described in Annex C.
  4. Assist the Controller, at the Controller's expense and using appropriate technical and organizational measures, in responding to requests from Data Subjects exercising their rights under applicable Data Protection Laws (see Section 7).
  5. Assist the Controller, at the Controller's expense, in meeting its obligations under Articles 32–36 of the GDPR (security, breach notification, DPIAs, and prior consultation), taking into account the nature of the processing and the information available to the Processor.
  6. Notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of a Personal Data Breach affecting the Controller's Personal Data (see Section 8).
  7. At the Controller's choice, delete or return all Personal Data on termination of the Agreement, in accordance with Section 12.
  8. Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA.

6. Sub-Processors

6.1 Authorization

The Controller provides general written authorization for the Processor to engage Sub-Processors, subject to the conditions in this Section. The current Sub-Processors are listed in Annex A.

6.2 Notice of Changes

The Processor will give the Controller at least 30 days' prior written notice (by email to the Controller's registered address) of any addition or replacement of Sub-Processors. If the Controller has a legitimate, documented objection to a new Sub-Processor on data protection grounds, it must notify the Processor within 15 days of notice. The parties will work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the Agreement on written notice, and the Processor will provide a pro-rated refund of prepaid fees for the remaining subscription period.

6.3 Sub-Processor Obligations

The Processor will impose data protection terms on each Sub-Processor that are no less protective than those in this DPA. The Processor remains liable to the Controller for the acts and omissions of its Sub-Processors to the same extent the Processor would be liable if performing the services directly.


7. Data Subject Rights

When a Controller receives a request from a Data Subject to exercise rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction of processing, data portability, or objection), the Processor will provide reasonable assistance to the Controller in fulfilling that request within 30 days of receiving a written request from the Controller. The Processor will not respond directly to Data Subject requests unless authorized in writing by the Controller or required by law.


8. Personal Data Breach Notification

The Processor will:

  1. Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting the Controller's Personal Data.
  2. Provide the Controller with sufficient information to allow the Controller to meet any breach notification obligations under applicable Data Protection Laws, including: a description of the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
  3. Cooperate with the Controller and take reasonable steps to mitigate the effects of and remediate the breach.

9. International Transfers

9.1 Processing Location

Personal Data processed under this DPA is stored and processed in the United States (Ashburn, Virginia) unless a Sub-Processor listed in Annex A processes it in another jurisdiction as noted there.

9.2 EEA and UK Transfers

Where processing involves a transfer of Personal Data from the EEA or UK to a country that has not received an adequacy decision, the parties agree that the Standard Contractual Clauses (SCCs) as adopted by the European Commission (Module Two: Controller-to-Processor) are hereby incorporated by reference and form part of this DPA. The parties will execute completed SCCs (including Annexes) upon request. For UK transfers, the applicable UK International Data Transfer Addendum (IDTA) applies in addition.


10. Security Measures

The Processor implements and maintains the technical and organizational security measures set out in Annex C. The Processor may update these measures from time to time, provided that the overall level of security is not materially reduced.


11. Audits

11.1 Audit Rights

The Controller may, no more than once per calendar year and upon at least 30 days' prior written notice, request an audit of the Processor's data processing activities and security measures. The Processor may satisfy this obligation by providing: (a) a current independent security audit report (such as SOC 2, ISO 27001, or equivalent) if and when available; or (b) responses to a reasonable written security questionnaire. The Processor does not currently hold SOC 2 certification but plans to pursue one as the business scales.

11.2 Costs

The Controller is responsible for its own costs in conducting any audit. If the Controller engages a third-party auditor, the auditor must sign a confidentiality agreement acceptable to the Processor before accessing any Processor systems or documentation.


12. Data Return and Deletion

On termination or expiry of the Agreement, the Processor will, at the Controller's written election:

  • Return: Provide a machine-readable export of the Controller's Personal Data in a standard format (CSV or JSON) within 30 days of the Controller's request; or
  • Delete: Securely delete or anonymize all Personal Data within 90 days of termination.

After the deletion period, the Processor will, upon request, provide written confirmation of deletion. The Processor may retain Personal Data beyond this period only to the extent required by applicable law, in which case it will notify the Controller and process the retained data only for those legal purposes.


13. Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in Section 12 of the Terms of Service. The Processor's aggregate liability to the Controller under this DPA is back-to-back with the liability cap in the Agreement (i.e., the greater of fees paid in the prior 12 months or $1,000 USD). Nothing in this DPA limits a party's liability to Data Subjects or Supervisory Authorities as required by applicable Data Protection Laws.


14. Term

This DPA is effective as of the date you accept the Agreement and remains in force for the duration of the Agreement. Obligations that by their nature should survive (including Sections 8, 9, 12, and confidentiality obligations) survive termination.


15. Execution

This DPA may be accepted electronically. Signing up for and using the Service constitutes acceptance of this DPA. For customers who require a countersigned DPA, please email privacy@clientforgelab.com to request an executed copy.


Annex A — Sub-Processors

The following Sub-Processors are currently engaged by Crystal Palace Metals Inc. in connection with the provision of the ClientForge Lab Service:

| Sub-Processor | Country | Purpose |
| --- | --- | --- |
| Hetzner Online GmbH | USA (Ashburn, VA) | Cloud hosting and infrastructure for all Service data and application servers |
| Cloudflare, Inc. | USA | Content delivery network (CDN), DDoS protection, and DNS management |
| Stripe, Inc. | USA | Payment processing; Stripe processes cardholder data independently under its own PCI-DSS compliance |
| Resend, Inc. | USA | Transactional email delivery (account notifications, billing emails, system alerts) |
| Google LLC (Google Workspace) | USA | Internal business email and productivity tools used by Crystal Palace Metals Inc. personnel |
| Sentry (Functional Software, Inc.) | USA | Application error monitoring and crash reporting |
| BetterStack, Inc. | USA | Infrastructure logging, uptime monitoring, and incident management |
| UptimeRobot | USA | External uptime and availability monitoring |
| 2Chat (2Chat Inc.) | USA | WhatsApp Business API gateway for customer messaging on behalf of Controller |
| Twilio Inc. | USA | SMS messaging (A2P 10DLC) for customer outreach where enabled by Controller |

This list may be updated from time to time in accordance with Section 6. To receive advance notice of Sub-Processor changes, email privacy@clientforgelab.com to be added to the notification list.


Annex B — Subject Matter Details

| Field | Detail |
| --- | --- |
| Subject matter | Lead capture, customer conversation management, and outreach automation |
| Duration | Term of subscription + 30 days post-termination |
| Nature of processing | Storage, retrieval, transmission, display, automated routing, and analysis |
| Purpose | Providing the ClientForge Lab Service as described in the Agreement |
| Categories of personal data | Contact information; business communication records; lead and customer records; custom fields entered by Controller |
| Categories of data subjects | Controller's end customers, leads, and business prospects |
| Special categories | None (Controller must not process special categories without prior written consent from Processor) |

Annex C — Technical and Organizational Security Measures

Crystal Palace Metals Inc. implements and maintains the following security measures for the processing of Personal Data under this DPA:

C.1 Encryption

  • All data transmitted between end users and the Service is encrypted in transit using TLS 1.2 or higher.
  • Personal Data stored at rest on Service infrastructure is encrypted using industry-standard encryption algorithms (AES-256 or equivalent).
  • Encryption keys are managed with access controls and are rotated periodically.

C.2 Access Controls

  • Access to production systems and Personal Data is restricted to authorized personnel on a least-privilege basis.
  • All accounts with access to production systems require multi-factor authentication (MFA).
  • Access rights are reviewed periodically and revoked promptly upon role change or departure of personnel.

C.3 Audit Logging

  • Access to systems processing Personal Data is logged, and logs are retained for a minimum of 90 days.
  • Logs are monitored for anomalous activity using automated alerting.

C.4 Backups

  • Customer Data is backed up regularly. Backups are encrypted and stored in a geographically separate location within the United States.
  • Backup restoration procedures are tested periodically.

C.5 Incident Response

  • The Processor maintains a documented incident response plan that covers detection, containment, notification, and post-incident review.
  • In the event of a Personal Data Breach, the Processor follows the notification process in Section 8 of this DPA.

C.6 Vendor Management

  • Sub-Processors are assessed for security practices before engagement and are required to maintain appropriate data protection and security measures.

C.7 Physical Security

  • Production servers are hosted in Hetzner's Ashburn, Virginia data center, which maintains physical access controls, CCTV, and 24/7 security.

C.8 Personnel

  • Employees and contractors with access to Personal Data are subject to confidentiality obligations.
  • Personnel receive privacy and security awareness training.

Questions?

For DPA inquiries, to request a countersigned copy, or to submit data subject requests, contact us at privacy@clientforgelab.com.

Crystal Palace Metals Inc. 2 S Biscayne Boulevard, Suite 3200 #2415, Miami, FL 33131

Operated by Crystal Palace Metals, Inc., Florida Corp #P15000014585.