Legal

Data Processing Agreement

Last updated: July 8, 2026

This Data Processing Agreement (the “DPA”) forms part of, and is incorporated by reference into, the Terms of Use between you (“Customer”, “Controller”) and Crumbtrail (“we”, “us”, “Processor”). It applies to our processing of Personal Data on your behalf through the Service, and it takes effect automatically when the Service processes such data. Where it conflicts with the Terms of Use on the subject of data protection, this DPA controls.

Capitalized terms not defined here have the meaning given in the Terms of Use. “Data Protection Laws” means all laws applicable to the processing of Personal Data under this DPA, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended (CCPA/CPRA). “Personal Data”, “controller”, “processor”, “process”, “data subject”, and “personal data breach” have the meanings given in the GDPR; under the CCPA, we act as your “service provider”.

1. Roles and scope

For Customer Data that contains Personal Data relating to your end users, you are the Controller and we are the Processor acting solely on your documented instructions. Your instructions are set out in the Terms of Use, this DPA, and your use and configuration of the Service (including your capture, masking, and retention settings). You are responsible for the accuracy, quality, and lawfulness of the Personal Data and of the means by which you acquired it, and for establishing a lawful basis for the processing.

The subject matter, duration, nature, and purpose of the processing, the types of Personal Data, and the categories of data subjects are described in Annex A. We will process Personal Data only for the purpose of providing and supporting the Service and will not sell it, share it for cross-context behavioral advertising, retain, use, or disclose it for any other purpose, or combine it with data from other sources except as permitted by Data Protection Laws.

2. Processor obligations

We will process Personal Data only on your documented instructions, including with regard to international transfers, unless required to act otherwise by law that applies to us; in that case we will inform you of the legal requirement before processing, unless the law prohibits it. We will promptly inform you if, in our opinion, an instruction infringes Data Protection Laws.

We ensure that personnel authorized to process Personal Data are bound by appropriate confidentiality obligations. We will provide you with reasonable assistance, taking into account the nature of the processing and the information available to us, to help you meet your obligations for security, data-protection impact assessments, prior consultation, and responses to data subjects.

3. Security

We implement and maintain appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorized disclosure or access, as described in Annex B. These include encryption of Personal Data in transit and at rest, sealed authenticated encryption of connector credentials, one-way hashing of API keys and tokens, access controls, and a client-side redaction layer that masks common secrets and personal data on a best-effort basis before capture. You are responsible for configuring capture, masking, and access in a way appropriate to the sensitivity of your data.

4. Sub-processors

You provide general authorization for us to engage sub-processors to help deliver the Service. Our current sub-processors are listed in Annex C and, in more detail, in the Privacy Policy. We impose data-protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give you reasonable prior notice of any new sub-processor (by updating the list and, on request, notifying you), and you may object on reasonable data-protection grounds; if we cannot reasonably address your objection, you may terminate the affected part of the Service.

5. Data subject requests

Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If we receive such a request directly, we will not respond except on your instructions, and will refer the data subject to you, unless legally required to respond.

6. Personal data breach

We will notify you without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a personal data breach affecting Personal Data we process for you, and will provide the information reasonably available to us to help you meet your own notification obligations. Our notification is not an acknowledgement of fault or liability.

7. International transfers

Where we process Personal Data originating from the EEA, UK, or Switzerland in a country that has not received an adequacy decision, the transfer is governed by the applicable Standard Contractual Clauses (and the UK International Data Transfer Addendum where relevant), which are incorporated into this DPA by reference and completed with the details in the Annexes. In the event of a conflict, those clauses prevail over this DPA with respect to the transfer they govern.

8. Return and deletion

On expiry or termination of the Service, or earlier on your instruction, we will delete Personal Data processed on your behalf in accordance with your plan's retention window and our routine purge processes, and will delete existing copies unless applicable law requires us to retain them. Session and evidence data is automatically purged from storage and our database at the end of the applicable retention window.

9. Audit

We will make available information reasonably necessary to demonstrate compliance with this DPA and, on your written request no more than once per year (or following a personal data breach), allow for and contribute to an audit, including through up-to-date third-party reports or questionnaires where available. On-site audits, where warranted, are conducted on reasonable notice, during business hours, subject to confidentiality, and in a manner that does not disrupt our operations.

10. CCPA terms

To the extent the CCPA applies, we act as a service provider and certify that we understand and will comply with these restrictions: we will not sell or share Personal Data, will not retain, use, or disclose it outside the direct business relationship or for any purpose other than the services specified in the Terms, and will not combine it with personal information from other sources except as the CCPA permits.

11. Liability

Each party's liability arising out of or related to this DPA is subject to the exclusions and limitations of liability set out in the Terms of Use, and any reference to the liability of a party means the aggregate liability of that party under the Terms of Use and this DPA together.

Annex A — Details of processing

  • Subject matter and duration: capture and diagnosis of software defects for the duration of the Service and the applicable retention window.
  • Nature and purpose: recording session evidence and assembling fix-ready context to help engineers and, where enabled, AI coding agents diagnose issues.
  • Categories of data subjects: your end users, employees, testers, and other individuals who interact with your applications instrumented with the Service.
  • Types of Personal Data: as determined by your capture and masking configuration — for example identifiers, interaction and network metadata, redacted payloads, console output, environment and feature-flag state, and, where enabled, backend spans and row-level database changes. You are instructed not to capture special-category data or payment card data.

Annex B — Security measures

  • Encryption of Personal Data in transit (TLS) and at rest through our infrastructure providers.
  • Connector credentials sealed with authenticated encryption (AES-256-GCM) and not readable back by us.
  • API keys and CLI tokens stored only as one-way hashes; passwords managed by our identity provider and never stored by us.
  • Client-side redaction layer that masks common secrets and personal data before capture; tenant-scoped access controls; automatic purge of evidence at the end of the retention window.

Annex C — Sub-processors

  • Supabase — authentication and database hosting.
  • Railway — application hosting.
  • Stripe — payment processing and billing.
  • OpenRouter and the AI model providers it routes to — optional AI-assisted diagnosis (redacted, derived metadata only).
  • PostHog — aggregate, tenant-level product metrics.
  • Resend — transactional and product email.

Contact

Questions about this DPA can be sent to privacy@crumbtrail.dev.