Data Processing Agreement

By accepting the Terms and Conditions, available at https://www.crono.one/terms/ (respectively, the “Services” and the “Contract”), of which this Data Processing Agreement (“DPA”) is an integral and substantial part, you (the “Company”) get access to the services offered by Crono SaaS Ltd with registered office in 2nd Floor 168 Shoreditch High Street, E1 6RA, London, United Kingdom, Company no. 14261927 (the “Supplier” and, together with the Company, the “Parties”) through its platform (the “Platform”).

Pursuant to Article 28 of Regulation EU 2016/679 dated 27 April 2016 (hereinafter, the “Regulation”)

Whereas:

  1. the Company acts as Data Controller with reference to the personal data processed in order to implement the Contract and indicated more precisely in Annex 1 (hereinafter the “Personal Data”);

  2. Pursuant to Article 28 of the Regulation, the Data Processor is optionally designated by the Data Controller and, if appointed, is identified among subjects who, due to experience, capacity and reliability, provide the appropriate guarantee of full compliance with the applicable provisions on processing, including the safety profile;

  3. The tasks entrusted to the Data Processor must be specified in writing by the Data Controller, and the Data Processor must comply with the instructions given by the Data Controller, who, also through periodic checks, ensures that they are strictly observed;

  4. The Company has found that – and the Supplier guarantees that – the Supplier, by virtue of its experience, capacity, and reliability, can provide sufficient guarantees regarding compliance with the applicable provisions on protection of personal data, including the safety profile, as required by the Applicable Law, as defined below;

  5. It is the intention of the Company, as Data Controller, to appoint the Supplier, who accepts, as an external Data Processor.

Given the above, the Company hereby

Appoints

The Supplier as the Data Processor for the processing of Personal Data to be carried out according to the Contract and in the manner and within the limits specified below.

1. Definitions

In this DPA the terms whose first letter is written in capital letters have the same meaning as defined by the Applicable Law. The following words have the following meanings:

“Applicable Law” the Regulation, as well as any other national personal data protection legislation applicable, already in force or that will enter into force after this DPA comes into force, including the provisions of the competent Supervisory Authority issued in implementation of the abovementioned laws;

“Security Measures” are measures intended to protect personal data from accidental or illegal destruction or loss, alteration, disclosure or unauthorized access, as provided for in art. 32 of the Regulation;

“Sub-supplier” (or “Sub-Processor”), natural or legal persons who carry out their business for the Supplier by dealing with Personal Data belonging to the Company.

2. Obligations of the Parties

2.1 Obligations of the Supplier

2.1.1 Processing purposes

The Supplier, as Data Processor, is committed to:

  1. Processing the Personal Data for the exclusive purpose of executing the Contract, and within the limits set forth therein, while strictly adhering to the instructions given by the Company (directly as well indirectly, by purchasing and/or selecting the services/functionalities provided by the Supplier on the Platform);
  2. Only processing the Personal Data that is strictly required for a correct and full implementation of the Company, or to fulfil legal obligations;
  3. Making sure that its employees and Sub-Suppliers have access and only process the Personal Data that is strictly required for a full and correct implementation of the Contract, or to fulfil legal obligations;
  4. Processing the Personal Data in a lawful manner, according to fairness and in full compliance with the Applicable Law.

2.1.2 Security measures

The Supplier undertakes to correctly implement the Security Measures and any other security measure prescribed by the Applicable Law, taking into account the state of the art and the costs of implementation. 

Also based on new solutions provided by technical and technological progress and, taking into account the nature of the data and the characteristics of the processing, the Supplier undertakes to implement Security Measures to minimize the potential risks of destruction or voluntary or accidental loss of Personal Data, unauthorized access or processing in violation of the law.

2.1.3 Authorized persons

The Supplier agrees to:

  1. Instruct, according to article 29 of the Regulation, those responsible for processing operations (hereinafter “Authorized Persons”), choosing from among its employees who, by experience, capacity, and training, can ensure compliance with Applicable Law;
  2. Give to the Authorized Persons detailed operational instructions in writing regarding the methods for carrying out the processing entrusted to them as well as to strictly monitor the exact fulfilment of the instructions received;
  3. Implement physical, technical and organizational measures to ensure that each Authorized Person may have access only to Personal Data that may be processed based on its authorization profile;
  4. Draft and update a list of Authorized Persons, and annually check the scope of processing allowed.

2.1.4 Rights of the Data Subjects

The Supplier must ensure the effective exercise of the rights recognized by the Applicable Law to the Data Subjects, by undertaking to promptly notify the Company of any request to exercise such rights presented by one of the Data Subjects and to enclose a copy of the request.

The Supplier undertakes to cooperate with the Company to ensure that the requests for exercising the rights abovementioned, including requests for objection to processing, are met within the times and according to the law and, more generally, to ensure full compliance with the Applicable Law. 

2.1.5 Data communication and transfer abroad

The Supplier will not be able to exercise autonomous control over the Personal Data and undertakes to refrain from disseminating or communicating said data to third parties, unless expressly provided for in the Contract or authorized by the Company in writing, and in any case in compliance with the provisions of the information given to the data subjects and any consents they may have given in relation to the different processing purposes. 

The Company recognizes and accepts that any action that implies a processing of Personal Data through the Platform will be performed only under the Company’s instruction and, therefore, in its capacity as Data Controller: as a consequence, the Company should always verify that it has a legitimate legal basis for the processing it intends to undertake on the Personal Data through the Platform’s functionalities.

In the event of transfer of Personal Data outside the territory of the European Economic Area (EEA), the Supplier undertakes to ensure that such transfer takes place in compliance with the guarantees set forth in Chapter V of the Regulation.

2.1.6 Sub-Suppliers

By signing this DPA, the Company grants a general written authorization to the Supplier, pursuant to Article 28(2) of the Regulation, to use Sub-Suppliers whose services are functional to the performance of the Contract.

If the Supplier intends to entrust a Sub-Supplier with all or part of the performance of the Contract, and this is permitted by the Contract, the Supplier shall appoint the Sub-Supplier by an act of appointment substantially equivalent to this DPA.

Upon request by the Company, the Supplier agrees to provide a list of the subjects among whom it will identify one or more Sub-Suppliers and to inform the Company of any additions or substitutions.

In the latter cases, within 7 (seven) days from the communication concerning the list and/or a possible addition or substitution, the Company shall have the right to object to the appointment of one or more of the Sub-Suppliers on the list and/or to the additions or substitutions, with reasons and in writing.

In the event of the Company’s objection to the appointment of a sub-processor, alternatively (i) the Supplier will not entrust said sub-processor or (ii) the Parties, if requested by the Supplier, shall negotiate in good faith a substitution, and if the Parties fail to agree on said substitution within 10 (ten) days, the Supplier shall have the right to terminate the Contract with immediate effect.

2.2 Obligations of the Controller

2.2.1 Principles of the processing

The Company represents and warrants that it has implemented, and continuously maintains, all appropriate and necessary technical and organizational measures in order to ensure the protection of Personal Data and to comply with the requirements and principles set forth in the Applicable Law (including, but not limited to, the principle of “limitation of storage” of Personal Data set forth in Article 5 of the Regulation), undertaking – if necessary – to provide timely instructions to the Supplier, in writing or by way of the functionalities of the Platform.

2.2.2 Methods of collecting Personal Data

The Company represents and warrants that any mode of collection of personal data processed under this DPA:

  1. will take place following the presentation to the data subjects, if requested under Articles 13 or 14 of the Regulation, of a privacy policy that is clear, simple to understand but at the same time complete and compliant with the Regulation, easily usable by the data subjects and that identifies how the information obtained will be collected and used;
  2. offers data subjects the opportunity to remain excluded from such collection and processing of such information; 
  3. provides, when necessary, for obtaining all the consents of the data subjects, to whom the personal information relates, as required by the Regulation.

2.2.3 Legal basis

Given what is stated in the previous Article, in particular, the Company guarantees and expressly declares that it will ensure that: 

  1. those affected by the processing give consent to the Company, where applicable, to the processing of their data through a free, specific, informed and unambiguous manifestation of will, for each purpose referred to in the processing operations covered by this DPA;

  2. data shall be collected in each case pursuant to an appropriate legal basis, as well as in accordance with fairness and lawfulness and for purposes corresponding to those for which they are processed under this DPA.

2.2.4 Use of Generative Artificial Intelligence technologies

The Company expressly authorizes the Supplier to use Generative Artificial Intelligence technologies, offered by Sub-Suppliers indicated in Article 2.1.6 above, for the provision of the Services that expressly require it (and are indicated by the symbol ⟡ in the Platform). 

3. Audit

The Supplier acknowledges that, in compliance with art. 28 of the Regulation, the Company may assess the activities carried out, in order to verify compliance with the organizational, technical and safety measures prescribed by the Applicable Law or issued by the Company as Controller.

The Company will also have the right to access, either directly or through third party auditors (appropriately bound by appropriate confidentiality obligations) not more than once a year, except in cases of extraordinary necessity and urgency, offices, computers and other IT systems/documents of the Supplier and its Sub-Suppliers (where possible, in accordance with agreements with Sub-Suppliers), where this is deemed necessary to verify that the Supplier or its Sub-Supplier acts in compliance with the obligations agreed in virtue of this DPA.

In the event of access to the Supplier’s or Sub-Supplier’s premises by the Company, it will be required to give the Supplier written notice of at least 7 working days and the verification activity shall be carried out without hindering the business of the Supplier and the Supplier’s other customers.

The Company expressly recognizes and accepts that any costs of any verification referred to in this article will be at its sole expense.

Nothing contained in this DPA presupposes Supplier’s consent to disclosure to the Company, as well as Company’s access to: 

  1. internal accounting or financial data of the Supplier; 
  2. Supplier’s trade secrets; 
  3. information which, on the basis of reasonable objections raised by the Supplier, could: (A) compromise the security of the Supplier’s systems or offices; or (B) entail the violation of the obligations of the Supplier as per the Applicable Law or of its obligations regarding security and / or confidentiality towards the Company or third parties; or 
  4. information to which the Company (or any external auditors appointed by the latter) seek to access for reasons beyond the duty of good faith in fulfilling the obligations of the Company as set out in the Applicable Law.

4. Statements and guarantees of the Supplier

4.1 Obligations as Data Processor

The Supplier states and ensures that it is aware of the obligations assumed under the Applicable Law as a result of the appointment as Data Processor, and to have the required experience, skills and professionalism to perform this function.

4.2 Representative established in the EU

The Supplier states that, pursuant to Art. 27 of the Regulation, it has appointed as its Representative in the EU, Shibumi S.r.l., in the designated person of Lapo Curini Galletti, who can be contacted at the following e-mail address: crono@privacyshibumi.it.

4.3 Data Protection Officer (DPO)

The Supplier states that: 

it has not identified the Data Protection Officer (DPO), as it is not subject to the obligation of designation provided for by Article 37 of the Regulation.

5. Fee

Without prejudice to what was established in the Contract, the Supplier will carry out its function as Data Processor without additional payment, unless otherwise agreed with the Company.

6. Duration

This DPA takes effect starting from the validity date of the Contract and will remain in force until the date on which the Contract is terminated, regardless of the cause for termination.

If the Contract is terminated for whatever reason, and, in any case, 3 months after the expiration of the Client’s subscription, the Supplier will delete the Personal Data in its possession, giving written confirmation to the Company without delay, unless the retention of data is required by law. Upon the Company’s request and at its full discretion, the Supplier must alternatively return the Personal Data in its possession to the Company and will delete any copies thereof.

Annex 1

Description of the processing

Data Subjects

The Personal Data processed concern the following categories of data subjects:

prospect

customers

former customers

staff/collaborators

agents

suppliers

candidates

members of corporate bodies

visitors/users of website/app

third parties entering the Company’s offices

web users to whom online advertising is delivered

other: ______________________

Data categories

The Personal Data processed concern the following categories:

main data (name, surname)

contact details (address, e-mail address, telephone number)

Company

browsing data of online users (such as cookie ID, IP address, etc.)

pseudonymized data (such as hashed e-mail addresses, etc.)

data present on social networks (such as nicknames, photographs, etc.)

data related to data subjects’ interactions with an advertising campaign (such as conversions made, etc.)

photos / videos

other: ______________________

as well as all additional categories of data that the Company requests (either orally or in writing, by any means) the Supplier to process on its behalf, even if not strictly related to the Services covered by the Contract.

Special categories of personal data / data related to criminal convictions and offences

The following categories of personal data will be processed

ethnic and racial origin

political opinions

religious or philosophical convictions

union memberships

genetic data

biometric data in order to identify a person in a univocal way

data relating to health conditions or sex life or sexual orientation

personal data relating to crimes, criminal convictions and related security measures

Or

There is no processing of categories of personal data and/or data related to criminal convictions and offences

Nature and purpose of the processing

The processing consists of the performance on behalf of the Controller of the following operations:

collection

registration

organization

structuring

conservation

adaptation or modification

extraction

consultation

use

communication (by transmission, dissemination or making available)

comparison or interconnection

limitation

deletion

destruction
