Data Processing Agreement

Effective date: May 15, 2026 · Last updated: May 23, 2026

This DPA is incorporated by reference into the Erkmo Terms of Service. To execute a signed copy of this DPA, contact legal@erkmo.com.

This Data Processing Agreement (“DPA”) forms part of the agreement between the entity identified in the Erkmo account (“Controller” or “Client”) and Erkmo Inc. (“Processor” or “Erkmo”) for the provision of the Erkmo platform (the “Service”).

1. Definitions

  • Controller means the Client who determines the purposes and means of the processing of personal data through its use of the Service.
  • Processor means Erkmo Inc., which processes personal data on behalf of the Controller.
  • Personal Data means any information relating to an identified or identifiable natural person, as defined in the GDPR or any applicable data-protection legislation.
  • Sub-Processor means a third party engaged by Erkmo to process personal data on behalf of the Controller.
  • Data Subject means the identified or identifiable natural person to whom personal data relates.
  • Processing means any operation performed on personal data, including collection, recording, storage, retrieval, use, disclosure, and erasure.

2. Scope of Processing

Erkmo processes personal data solely to provide the Service as instructed by the Controller. Processing activities include:

  • Analytics: collection and aggregation of website and application usage data, including page views, events, referral sources, and device/browser metadata.
  • Form submissions: storage and management of data submitted through forms built with the Erkmo form builder.
  • CRM: storage of contacts, companies, pipeline records, and associated communications.
  • Email campaigns: processing of email addresses and email content for the purpose of sending transactional and marketing emails on the Controller’s behalf.
  • Company identification: transient use of IP addresses to identify the company or organization associated with a network connection, for B2B analytics purposes. The IP address is not stored alongside the identification result.
  • Customer intelligence: generation of visitor profiles, segmentation, conversion attribution, campaign performance analysis, and visitor journey reconstruction, subject to the consent and privacy controls described in Erkmo’s Privacy Policy.

Categories of data subjects may include the Controller’s website visitors, form respondents, email subscribers, CRM contacts, and end users.

3. Processor Obligations

3.1 Processing Instructions

Erkmo shall process personal data only on documented instructions from the Controller, including with respect to international transfers, unless required to do so by applicable law. If such a legal requirement arises, Erkmo will inform the Controller before processing unless prohibited from doing so by law.

3.2 Confidentiality

Erkmo ensures that all personnel authorized to process personal data are bound by obligations of confidentiality, whether contractual or statutory.

3.3 Security Measures

Erkmo implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures are described in Section 6 of this DPA.

4. Sub-Processors

The Controller authorizes Erkmo to engage Sub-Processors to assist in providing the Service. A current list of Sub-Processors is available at /sub-processors.

4.1 Notice of Changes

Erkmo will provide at least 30 days’ advance notice before adding or replacing a Sub-Processor, by updating the Sub-Processor list and, where possible, notifying the Controller by email.

4.2 Right to Object

The Controller may object to a new Sub-Processor by notifying Erkmo in writing within 30 days of the notice. If the Controller objects and Erkmo cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service without penalty.

4.3 Sub-Processor Agreements

Erkmo imposes data-protection obligations on each Sub-Processor that are no less protective than those in this DPA.

5. Data Breach Notification

In the event of a personal data breach, Erkmo will notify the Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification will include:

  • A description of the nature of the breach.
  • The categories and approximate number of data subjects and records affected.
  • A description of the likely consequences of the breach.
  • The measures taken or proposed to address the breach and mitigate its effects.

6. Security Measures

Erkmo implements the following technical and organizational measures:

  • Encryption at rest: AES-256-GCM encryption for stored data and payment card tokens.
  • Encryption in transit: TLS 1.2 or higher for all data transmitted between clients, the Service, and Sub-Processors.
  • Password hashing: bcrypt with a minimum work factor of 12 for all user passwords.
  • Role-based access control: fine-grained permissions enforced at the application layer, ensuring users can only access data for sites they are authorized to manage.
  • Multi-tenant isolation: all database queries are scoped to the authenticated tenant. Cross-tenant data access is architecturally prevented.
  • Audit logging: administrative and security-related actions are logged and retained.
  • Vulnerability management: regular dependency updates and security patching.

7. Data Subject Requests

Erkmo will assist the Controller in fulfilling data-subject requests (access, rectification, erasure, portability, restriction, and objection) within 10 business days of receiving the Controller’s written request. Where feasible, Erkmo provides self-service tools that allow the Controller to fulfill such requests directly.

8. Data Deletion

Upon termination of the Service agreement, Erkmo will delete all personal data processed on behalf of the Controller within 30 days, unless retention is required by applicable law. The Controller may export its data during the 30-day post-termination period using the Service’s export tools or API.

9. Audit Rights

The Controller (or an independent third-party auditor appointed by the Controller) may audit Erkmo’s compliance with this DPA up to once per year, upon at least 30 days’ prior written notice. Audits shall be conducted during normal business hours, in a manner that minimizes disruption to Erkmo’s operations, and subject to reasonable confidentiality obligations. Erkmo may satisfy audit requests by providing relevant certifications, audit reports (e.g., SOC 2), or written responses to the Controller’s reasonable inquiries.

10. International Transfers

To the extent that Erkmo processes personal data originating from the European Economic Area (EEA), the United Kingdom, or Switzerland in a country that has not received an adequacy decision, the parties agree that such transfers shall be governed by the Standard Contractual Clauses (SCCs) adopted by the European Commission, which are incorporated into this DPA by reference.

Erkmo will implement supplementary measures where necessary to ensure that the level of protection required by applicable data-protection law is maintained.

11. Duration

This DPA shall remain in effect for the duration of the Controller’s use of the Service and shall automatically terminate upon the expiry or termination of the main service agreement, subject to the data-deletion obligations in Section 8.

12. Contact

For questions about this DPA or to execute a signed copy, contact legal@erkmo.com.

Erkmo Inc. · erkmo.com