Data Processing Agreement

GDPR-compliant DPA for enterprise customers processing personal data on JennyERP.

Last updated: May 20, 2026

Need a signed DPA?

For B2B customers with GDPR or equivalent compliance requirements, we provide a Data Processing Agreement signed via DocuSign within 2 business days. No negotiation needed for standard SCC-based DPAs.

Request signed DPA
Download DPA template (coming soon)

1. Roles

Under GDPR, you (the customer) are the Data Controller. We (JennyERP Inc.) act as the Data Processor for the personal data you upload (customer/supplier names, emails, addresses, etc.).

2. Categories of data & data subjects

We process personal data including: names, emails, phone numbers, addresses, and any other personal info you put into customer/supplier records. Data subjects are your end customers, suppliers, and team members.

3. Purpose

We process this data solely to provide the JennyERP Service per our agreement — storage, display, analytics, sharing per your instructions. We don't use your customer data for our own purposes.

4. Sub-processors

We use the following sub-processors:
  • Aliyun (Frankfurt OSS) — image and document storage
  • Stripe — payment processing
  • NetEase Qiye Email — transactional email delivery
We notify you 30 days before adding new sub-processors. You can object to changes.

5. Data location

Primary servers: Frankfurt, Germany (eu-central-1). All EU customer data stays in the EU. Non-EU customers may have data transferred to Frankfurt with SCC-based safeguards.

6. Security measures

TLS 1.2+ encryption in transit, AES-256 at rest, hashed passwords (bcrypt), least-privilege access, annual pen testing, incident response plan. We notify you within 72 hours of any breach affecting your data.

7. Data subject rights

We help you respond to data subject requests (access, deletion, portability) within 30 days. Our tooling lets you self-serve most requests via the dashboard.

8. Audit rights

Enterprise customers (Growth+ plan) can request an annual audit of our security practices. We provide SOC 2 Type II reports (planned for 2027) or equivalent attestations.

9. Term

This DPA is effective for the duration of your subscription. Upon termination, we delete or return all personal data within 90 days (except where retained for legal compliance per Privacy Policy §5).

10. Standard Contractual Clauses

For non-EU customers, our DPA incorporates the European Commission's 2021 Standard Contractual Clauses (SCCs) for international transfers. Available in the signed DPA package.

Contact

Data Protection Officer: contact@jennycrm.com
Legal: contact@jennycrm.com
See also our Privacy Policy and Terms of Service.