Data Processing Addendum (GDPR)
Last Updated: January 21, 2026
This Data Processing Addendum ("DPA") forms part of the Terms and Conditions or other written agreement ("Agreement") between the customer ("Customer" or "Controller") and WicWac Inc., operating as Crisphive ("Crisphive" or "Processor").
This DPA applies where Crisphive processes Personal Data on behalf of the Customer that is subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or other applicable European data protection laws.
1. Parties
- Data Controller: The Customer using the Crisphive Service.
- Data Processor: WicWac Inc. (Operating as Crisphive), Suite 1420, 99 Bank Street, Ottawa, Ontario, K1P 1H4, Canada
2. Definitions
Capitalized terms not defined in this DPA have the meaning given in the GDPR or the Agreement.
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" has the meaning set out in Article 4(2) GDPR.
- "Sub-processor" means any third party engaged by Crisphive to process Personal Data on behalf of the Customer.
- "EEA" means the European Economic Area.
3. Scope and Purpose of Processing
Crisphive processes Personal Data solely for the purpose of providing the Crisphive scheduling and workforce management platform, including:
- Account management
- Scheduling and job coordination
- Notifications and communications
- Platform support and maintenance
- Security and performance monitoring
Processing is limited to what is necessary to deliver the Service.
4. Categories of Data and Data Subjects
4.1 Data Subjects
- Customer employees
- Contractors and field workers
- Authorized users
- End-customers (as uploaded by Customer)
4.2 Categories of Personal Data
- Names, email addresses, phone numbers
- Job assignments, schedules, and locations
- Account credentials (hashed)
- Usage and audit logs
- Support communications
Special categories of data are not intended to be processed unless explicitly agreed in writing.
5. Controller and Processor Responsibilities
5.1 Customer (Controller)
The Customer represents that it has a lawful basis to collect and process Personal Data, has provided all required privacy notices to data subjects, and that its instructions to Crisphive comply with GDPR.
5.2 Crisphive (Processor)
Crisphive shall process Personal Data only on documented instructions from the Customer, ensure that all personnel authorized to process data are subject to confidentiality obligations, implement appropriate technical and organizational security measures, and assist the Customer in fulfilling its obligations under GDPR.
6. Confidentiality
Crisphive ensures that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory.
7. Security Measures (Article 32 GDPR)
Crisphive implements reasonable and appropriate safeguards, including:
- Role-based access controls
- Encryption in transit where applicable
- Secure infrastructure and hosting environments
- Logging and monitoring
- Incident response procedures
Security measures are reviewed periodically and adjusted as needed.
8. Sub-Processors
8.1 Authorization
The Customer provides general authorization for Crisphive to engage Sub-processors.
8.2 Obligations
Crisphive ensures Sub-processors are bound by written agreements, provide GDPR-level protections, and process data only for authorized purposes.
8.3 Sub-Processor List
A current list of Sub-processors may be provided upon request.
9. International Data Transfers
Personal Data may be processed outside the EEA, including in Canada and the United States. Where required, Crisphive relies on Standard Contractual Clauses (SCCs) and other lawful transfer mechanisms under GDPR.
10. Data Subject Rights Assistance
Crisphive will assist the Customer, where reasonably possible, in responding to requests related to:
- Access
- Rectification
- Erasure
- Restriction
- Objection
- Data portability
Crisphive does not respond directly to Data Subject requests unless legally required.
11. Data Breach Notification
Crisphive shall:
- Notify the Customer without undue delay upon becoming aware of a Personal Data Breach
- Provide available information to support compliance with Articles 33 and 34 GDPR
Notification shall include the nature of the breach, likely consequences, and mitigation steps where available.
12. Data Retention and Deletion
Upon termination of the Agreement:
- Crisphive will delete or return Personal Data within a reasonable timeframe
- Data may be retained where legally required
- Backups may persist for a limited period until overwritten
13. Audits and Compliance
Upon reasonable written notice, the Customer may:
- Request documentation demonstrating compliance
- Conduct audits limited to one per year (unless required by law)
Audits must not unreasonably disrupt Crisphive's operations.
14. Liability
Liability under this DPA is subject to the limitations set out in the Agreement, to the maximum extent permitted by applicable law.
15. Governing Law
This DPA is governed by the laws of Ontario, Canada, and applicable EU/UK data protection law where required.
16. Order of Precedence
In the event of conflict:
1. This DPA
2. The Agreement
3. Any other applicable documents
17. Contact for Data Protection Matters
Email: support@crisphive.com
WicWac Inc. (Operating as Crisphive)
Suite 1420, 99 Bank Street
Ottawa, Ontario K1P 1H4
Canada
Schedule 1 — Summary of Processing
| Item | Description |
|---|---|
| Nature of Processing | Hosting, storage, access, transmission |
| Purpose | Scheduling & workforce management |
| Duration | Term of Agreement |
| Data Subjects | Employees, contractors, customers |
| Data Types | Contact, scheduling, usage data |