1. Definitions
“Controller” means the organisation that determines the purposes and means of processing personal data (the Relon CRM subscriber).
“Processor” means Dysruptive Technologies Ltd, which processes personal data on behalf of the Controller.
“Personal Data” has the meaning given in Article 4(1) GDPR.
“Processing” has the meaning given in Article 4(2) GDPR.
2. Roles of the Parties
The Controller determines what personal data is entered into Relon CRM and for what purposes. The Processor processes that data solely on the Controller's documented instructions, as set out in these Terms of Service and this DPA.
The Processor shall not process personal data for its own purposes or disclose it to third parties except as required to provide the service or as required by law.
3. Subject Matter & Duration
The subject matter of processing is the operation of the Relon CRM platform as described in the Terms of Service. Processing commences when the Controller creates an account and continues until the subscription is terminated and data is deleted per the retention policy (30 days post-termination).
4. Nature & Purpose of Processing
Processing is performed to provide the CRM, project management, and analytics features of Relon CRM. Specific processing activities include: storing and retrieving CRM records, generating reports, sending transactional emails, and (for Growth/Scale plans) passing selected data to AI providers for insight generation.
5. Categories of Data & Data Subjects
Categories of personal data processed: names, email addresses, phone numbers, job titles, company information, and any other personal data the Controller inputs into leads, clients, contacts, or projects.
Categories of data subjects: the Controller's customers, leads, contacts, and employees whose data is entered into the platform.
6. Sub-processors
The Controller grants general authorisation for the Processor to engage the following sub-processors, subject to the same data protection obligations as this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon | PostgreSQL database hosting | USA |
| Resend | Transactional email delivery | USA |
| Stripe | Payment processing (USD) | USA |
| Paystack | Payment processing (GHS/NGN/KES/ZAR) | Nigeria / USA |
| Google Cloud Platform | File storage | USA |
| Anthropic | AI features (Growth/Scale only) | USA |
| OpenAI | AI features (Growth/Scale only) | USA |
| Google (Gemini) | AI features (Growth/Scale only) | USA |

The Processor will notify the Controller of any intended addition or replacement of sub-processors with at least 14 days' notice, giving the Controller the opportunity to object.
7. International Data Transfers
Transfers of personal data from the EEA or UK to the USA are made under the Standard Contractual Clauses (SCCs) adopted by the European Commission (2021/914) and the UK Addendum where applicable. The Processor shall ensure all sub-processors in third countries are bound by equivalent transfer mechanisms.
8. Security Measures
The Processor maintains the following technical and organisational measures (TOMs) to protect personal data:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for sensitive credentials at rest
- bcrypt password hashing (cost factor 10)
- httpOnly, Secure, SameSite cookies for session tokens
- Role-based access controls with per-organisation permission scoping
- Account lockout after repeated failed login attempts
- Audit logging of sensitive data access and changes

9. Data Subject Rights Assistance
The Processor will assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability, restriction, objection) within 5 business days of receiving the Controller's request.
Controllers may export their organisation's data at any time from within the platform. For erasure requests that require action beyond the standard platform controls, contact privacy@relon.com.
10. Data Breach Notification
The Processor will notify the Controller without undue delay (and no later than 72 hours after becoming aware) of any personal data breach likely to result in a risk to the rights and freedoms of data subjects.
11. Audit Rights
The Controller may request information necessary to demonstrate compliance with this DPA. The Processor shall make available all information necessary and allow for audits, conducted by the Controller or an auditor appointed by the Controller, subject to reasonable advance notice and confidentiality obligations.
12. Contact & DPO
Data protection enquiries and data subject rights requests: privacy@relon.com · Dysruptive Technologies Ltd, Ghana.