Last Update: March 31, 2025
This Data Processing Agreement (“DPA”) is part of the BritoCRM Terms and Conditions (“Terms”), available at https://britocrm.com/terms, and governs the processing of personal data by BritoCRM, a service offered under the Brito Marketing brand, based in Miami, Florida, United States (“we”, “BritoCRM”, or the “Processor”), on behalf of you, the Subscriber (“you” or the “Controller”). This DPA becomes effective upon accepting the Terms or using the Services.
Definitions
Personal Data: Any information related to an identified or identifiable individual processed by BritoCRM on behalf of the Controller (e.g., names, emails, phone numbers).
Processing: Any operation performed on Personal Data, such as collection, storage, use, or deletion.
Data Protection Laws: Include, among others, the California Consumer Privacy Act (CCPA), the Federal Law on Personal Data Protection held by Private Parties (Mexico), Law 1581 of 2012 (Colombia), and other applicable laws in the jurisdictions where the Subscriber operates.
Security Incident: Any unauthorized access, loss, disclosure, or alteration of Personal Data.
Purpose and Scope
2.1 Purpose: This DPA sets out the obligations of BritoCRM as the Processor and the Subscriber as the Controller regarding the processing of Personal Data in the context of the Services.
2.2 Scope: It applies to all Personal Data processed by BritoCRM to provide the Services described in the Terms (e.g., customer management, marketing automation).
Obligations of the Controller
3.1 Legal Compliance: As the Controller, you are responsible for:
Ensuring that the processing of Personal Data complies with the applicable Data Protection Laws.
Obtaining all necessary consents, authorizations, and notices from data subjects (e.g., customers, employees).
Determining the purposes and means of processing.
3.2 Instructions: You must provide BritoCRM with documented and lawful instructions for the processing of Personal Data, which will be deemed to be included in the Terms and this DPA, unless otherwise agreed in writing.
Obligations of the Processor
4.1 Authorized Processing: BritoCRM will process the Personal Data solely in accordance with the Controller’s instructions and for the following purposes:
To provide the Services (e.g., storing contact data, sending marketing campaigns).
To improve the Services through anonymous and aggregated analytics, provided that no identifiable Personal Data is reproduced.
To comply with legal obligations.
4.2 Security Measures: We implement appropriate technical and organizational measures to protect Personal Data, including:
Data encryption in transit and at rest.
Daily backups with a recovery objective within 48 hours after a critical failure.
Restricted access controls for authorized personnel only.
4.3 Confidentiality: All of our staff with access to Personal Data are subject to confidentiality obligations.
4.4 Incident Notification: In the event of a Security Incident, we will notify the Controller without undue delay (within a maximum of 72 hours after discovery) via email to the registered address, detailing the incident and measures taken.
Subprocessors
5.1 General Authorization: You authorize BritoCRM to hire subprocessors (e.g., hosting providers, email services) to provide the Services, as long as:
We maintain an updated list of subprocessors at www.britocrm.com/subprocessors.
We impose data protection obligations on subprocessors that are equivalent to those in this DPA.
5.2 Notification: We will inform you of any new subprocessor at least 15 days in advance via email or on our Site. If you object in writing within that period, we will negotiate in good faith; otherwise, you may terminate the Services without penalty.
International Transfers
6.1 Location: Personal Data is primarily stored on servers in the United States.
6.2 Compliance: For transfers outside the Controller’s jurisdiction (e.g., from Mexico or Colombia to the U.S.), we apply safeguards such as standard contractual clauses or technical measures to comply with the Data Protection Laws. You agree to these transfers as necessary for the Services.
Data Subject Rights
7.1 Assistance: BritoCRM will assist the Controller, to the extent reasonably and technically possible, in responding to data subject requests (e.g., access, rectification, deletion), as long as you notify us in writing at support@britocrm.com.
7.2 Costs: If the assistance involves significant efforts, we may charge a reasonable fee.
Audits
8.1 Right: You may audit our compliance with this DPA once a year, with 30 days’ prior notice and during business hours, provided it does not interfere with our operations.
8.2 Costs: You will bear all costs of the audit, unless a material breach attributable to BritoCRM is found.
Deletion and Retention
9.1 Deletion: Upon termination of the Subscription Term or this DPA, we will delete Personal Data within 60 days, unless laws (e.g., U.S. tax laws) require retention.
9.2 Retention: We may retain anonymized or aggregated data for internal analytics.
Liability
10.1 Limit: BritoCRM’s liability for breaches of this DPA is limited to the amounts paid by you in the last 12 months, as per the Terms.
10.2 Exclusion: We will not be liable for breaches resulting from your instructions, failure to obtain consent, or violations of the Data Protection Laws by you.
Term and Termination
11.1 Duration: This DPA will remain in effect as long as the Terms are in effect or BritoCRM processes Personal Data on your behalf.
11.2 Survival: The confidentiality, liability, and deletion clauses will survive termination.
Contact
For inquiries related to this DPA:
BritoCRM
6303 Blue Lagoon Dr Suite 400-2301, Miami, FL 33126
Email: info@britocrm.com
Phone: +1 305-760-4411
Note: Brito Marketing is a reference brand and not an official point of contact.