Honeybee CRMLegalBack to Honeybee CRM
Back to Legal

Data Processing Agreement

Effective Date: January 1, 2026
Last Updated: January 23, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Honeybee CRM ("Processor" or "we") and the customer ("Controller" or "you") using Honeybee CRM. This DPA sets forth the terms and conditions for processing Personal Data.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, and other relevant regulations.
  • "Processing" means any operation performed on Personal Data, including collection, storage, modification, transfer, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2. Scope and Purpose of Processing

2.1 Subject Matter

This DPA applies to the processing of Personal Data by Honeybee CRM on behalf of the Controller in connection with the Service.

2.2 Nature and Purpose

The Processor processes Personal Data for the purpose of providing the Honeybee CRM service, including:

  • Storing and organizing customer relationship data
  • Enabling communication tracking and management
  • Providing analytics and reporting features
  • Facilitating integrations with third-party services

2.3 Categories of Data Subjects

  • Controller's customers and prospects
  • Controller's employees and contractors
  • Contact persons at Controller's business partners

2.4 Types of Personal Data

  • Contact information (names, email addresses, phone numbers)
  • Professional information (job titles, company names)
  • Communication records and notes
  • Transaction and interaction history
  • Any other data uploaded by the Controller

2.5 Duration

Processing continues for the duration of the Service agreement plus any retention period required by law or agreed upon termination.

3. Controller Obligations

The Controller represents and warrants that:

  • It has a lawful basis for processing Personal Data through the Service
  • It has provided appropriate notice to Data Subjects and obtained necessary consents
  • Instructions to the Processor comply with applicable Data Protection Laws
  • It will notify the Processor of any restrictions on data use that apply to specific Personal Data

4. Processor Obligations

4.1 Processing Instructions

The Processor shall process Personal Data only on documented instructions from the Controller, including transfers to third countries, unless required by law.

4.2 Confidentiality

The Processor ensures that persons authorized to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

4.3 Security Measures

The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit and at rest
  • Measures to ensure ongoing confidentiality, integrity, availability, and resilience
  • Ability to restore availability and access to Personal Data in a timely manner
  • Regular testing, assessing, and evaluating security effectiveness

4.4 Sub-processors

The Processor may engage Sub-processors subject to the following conditions:

  • The Processor maintains a list of current Sub-processors available upon request
  • The Controller will be notified of any intended changes to Sub-processors at least 30 days in advance
  • The Controller may object to new Sub-processors by notifying the Processor within 14 days
  • Sub-processors are bound by data protection obligations substantially similar to this DPA

4.5 Data Subject Rights

The Processor assists the Controller in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

4.6 Security Incidents

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Security Incident affecting Personal Data. The notification shall include:

  • Description of the nature of the incident
  • Categories and approximate number of Data Subjects affected
  • Likely consequences of the incident
  • Measures taken or proposed to address the incident

4.7 Compliance Assistance

The Processor assists the Controller in ensuring compliance with obligations under Data Protection Laws, including:

  • Security of processing
  • Notification of Security Incidents to authorities and Data Subjects
  • Data protection impact assessments
  • Prior consultation with supervisory authorities

5. Data Transfers

5.1 Transfer Mechanisms

For transfers of Personal Data outside the EEA, UK, or Switzerland, the Processor relies on:

  • Standard Contractual Clauses (SCCs) adopted by the European Commission
  • UK International Data Transfer Agreement or UK Addendum to EU SCCs
  • Swiss-U.S. Data Privacy Framework where applicable

5.2 Additional Safeguards

The Processor implements supplementary measures including:

  • Encryption of data in transit and at rest
  • Access controls and authentication
  • Regular security assessments
  • Policies to handle government access requests in compliance with law

6. Audits

6.1 Audit Rights

The Processor makes available to the Controller all information necessary to demonstrate compliance with this DPA and allows for and contributes to audits.

6.2 Audit Process

  • The Controller shall provide at least 30 days' written notice of an audit
  • Audits shall be conducted during normal business hours
  • The Controller bears the costs of the audit
  • Audit frequency is limited to once per year unless a Security Incident occurs

6.3 Third-Party Certifications

The Processor's hosting providers maintain industry-standard certifications. Information about our security practices is available upon request.

7. Data Deletion and Return

Upon termination of the Service:

  • The Controller may export Personal Data through the Service for 30 days
  • After 30 days, the Processor shall delete all Personal Data unless retention is required by law
  • Upon request, the Processor shall certify in writing that Personal Data has been deleted

8. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service. The Processor shall be liable for damages caused by processing that violates this DPA or Data Protection Laws.

9. Standard Contractual Clauses

Where required for international transfers, the parties agree to be bound by the Standard Contractual Clauses, which are incorporated by reference:

  • EU SCCs (Commission Implementing Decision 2021/914) - Module Two (Controller to Processor)
  • UK International Data Transfer Addendum

The completed SCCs are available upon request at legal@honeybeecrm.io.

10. Changes to this DPA

We may update this DPA to reflect changes in our practices or applicable laws. Material changes will be communicated with at least 30 days' notice. Continued use of the Service constitutes acceptance of the updated DPA.

11. Contact Information

For questions about this DPA:

Honeybee CRM
Email: legal@honeybeecrm.io
Data Protection Officer: dpo@honeybeecrm.io

© 2026 Honeybee CRM. All rights reserved.