Data Processing Agreement
This Data Processing Agreement (“DPA”) is entered into between ChainBreaker Consulting, operating WarMachineCRM (the “Processor”), and the Customer (the “Controller”), and forms part of the Customer Agreement (Terms of Service) governing the Controller's use of the Service.
1. Definitions
- “Personal Data” means any information relating to an identified or identifiable natural person Processed under the Customer Agreement.
- “Processing” means any operation performed on Personal Data, whether or not by automated means.
- “Subprocessor” means any third party engaged by the Processor to Process Personal Data on behalf of the Controller.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- “Applicable Data Protection Law” means all data protection and privacy laws applicable to the Processing, including the EU GDPR, UK GDPR, Swiss FADP, and US state laws including CCPA/CPRA.
2. Roles & Scope
The Customer is the Controller and we are the Processor. We Process Personal Data only on the documented instructions of the Controller, which are: (a) the Customer Agreement, (b) the Service's documented features as configured by the Controller, and (c) any additional written instructions reasonably required to comply with Applicable Data Protection Law.
3. Subject Matter & Duration
- Subject matter: providing the Service to the Controller.
- Duration: from the start of the Customer Agreement until the deletion or return of Personal Data per Section 13.
- Nature & purpose of Processing: executing outbound campaigns, dialer activity, lead enrichment, CRM workflow automation, and related telemetry and support.
4. Categories of Data Subjects & Personal Data
- Data Subjects: the Controller's employees, contractors, and the prospects/contacts the Controller chooses to enter into or process through the Service.
- Categories of Personal Data: business contact details (name, email, phone, LinkedIn URL, company, role), communication content (sequence copy, replies, call transcripts), call metadata (duration, status, timestamp), usage telemetry, and authentication credentials.
5. Subprocessors
The Controller authorizes us to engage Subprocessors to Process Personal Data on its behalf. Our current Subprocessors are listed in the Privacy Policy and may include, without limitation:
- Supabase (database, auth, storage — US)
- GoHighLevel / LeadConnector (CRM, sending, dialer — US)
- Whop (payment processing — US)
- Vercel (application hosting — US)
- Anthropic and/or other LLM providers (sequence copy generation — US)
- Lead enrichment providers (e.g., FindyLead) for lead data fulfillment
Notice and objection. We will provide at least 14 days' notice before engaging a new Subprocessor. The Controller may object on reasonable data-protection grounds during the notice period. If the parties cannot resolve the objection, the Controller may terminate the affected portion of the Service as its sole remedy.
Each Subprocessor is bound by written terms providing data protection obligations no less protective than those in this DPA.
6. Controller Instructions & Confidentiality
We will:
- Process Personal Data only on documented Controller instructions, including with regard to international transfers
- Notify the Controller if, in our opinion, an instruction infringes Applicable Data Protection Law
- Ensure that persons authorized to Process Personal Data are bound by appropriate confidentiality obligations
7. Security Measures
We implement appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit (TLS 1.2+) and at rest
- Role-based access controls and least-privilege principles
- Authenticated and rate-limited APIs
- Application and infrastructure logging and monitoring
- Documented incident response procedures
- Regular review of Subprocessor security practices
- Background checks where commercially reasonable
8. Data Subject Rights
We will assist the Controller, by appropriate technical and organizational measures, in responding to requests from data subjects to exercise their rights under Applicable Data Protection Law (access, correction, deletion, portability, objection, restriction). The Controller is responsible for evaluating the validity of such requests.
9. Personal Data Breach Notification
We will notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include the information reasonably necessary for the Controller to meet its own notification obligations, to the extent known at the time.
10. Audits
Upon reasonable request and no more than once per twelve-month period (unless required by a Supervisory Authority or following a confirmed Personal Data Breach), the Controller may request a written summary of our security and Processing practices. On-site or third-party audits are available subject to reasonable scheduling, scope, confidentiality, and cost-allocation terms agreed in advance.
11. International Transfers
For Personal Data transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate by reference the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor) with us as data importer, together with the UK International Data Transfer Addendum and the Swiss Addendum, as applicable. The optional clauses applicable to the Controller-Processor relationship are deemed selected.
12. Return or Deletion of Personal Data
On termination of the Customer Agreement, we will, at the Controller's choice, return or delete Personal Data within 30 days, except where retention is required by Applicable Data Protection Law. Residual copies in backups will expire under our standard backup retention schedule and will not be Processed for any other purpose.
13. Liability
The liability limits set out in the Customer Agreement apply to claims under this DPA, except where prohibited by Applicable Data Protection Law. Each party is liable for damages it causes by Processing in violation of Applicable Data Protection Law.
14. Order of Precedence
In case of conflict between this DPA and the Customer Agreement regarding the Processing of Personal Data, this DPA prevails.
15. Contact
Data protection / DPA matters: alex@warmachinecrm.com. If you require a countersigned copy for your records, send a request from your business email and reference the Effective Date above.