Standard Data Processing Agreement entered into between Soor LLC (Processor) and the Customer (Controller). Effective date: May 20, 2026. Read on screen, print, or save as PDF for your records. A counter-signed copy is available on request.
Need a counter-signed PDF?
Email legal@hellogrowthcrm.com with your company name and we will return a counter-signed copy within two business days.
This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written agreement (the "Agreement") between the customer subscribing to HelloGrowthCRM (the "Customer" or "Controller") and Soor LLC and its affiliate Meru Technosoft Pvt. Ltd. (collectively "HelloGrowthCRM" or the "Processor"). It governs the processing of personal data carried out by HelloGrowthCRM on behalf of the Customer in connection with the Service. This DPA is effective as of May 20, 2026.
1. Parties and Scope
The parties to this DPA are:
Processor: Soor LLC, 16192 Coastal Hwy, Lewes, DE 19958, USA, and its affiliate Meru Technosoft Pvt. Ltd. (collectively "HelloGrowthCRM").
Controller: The Customer, being the entity or individual that has entered into the Agreement with HelloGrowthCRM and whose account governs this DPA.
This DPA applies to all personal data processed by the Processor on behalf of the Controller in connection with the provision of the HelloGrowthCRM service, including CRM functionality, communications, AI features, analytics, billing, and integrations as configured by the Controller.
2. Definitions
Personal Data means any information relating to an identified or identifiable natural person ("Data Subject" or "Data Principal") that is processed through the Service by or on behalf of the Controller.
Processing means any operation or set of operations performed on Personal Data, including collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
Controller (or Data Fiduciary under DPDPA) means the Customer, who determines the purposes and means of processing Personal Data.
Processor (or Data Processor under DPDPA) means HelloGrowthCRM, which processes Personal Data on behalf of the Controller.
Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller, as listed in Section 5 of this DPA.
GDPR means the EU General Data Protection Regulation 2016/679, including the UK GDPR and Data Protection Act 2018 where applicable.
DPDPA means the Digital Personal Data Protection Act, 2023 of India and all rules and regulations enacted thereunder.
Applicable Data Protection Laws means the GDPR, DPDPA, CCPA/CPRA, and any other applicable privacy or data-protection law, as relevant to the Controller's jurisdiction and the data being processed.
3. Processor Obligations
HelloGrowthCRM (as Processor) shall:
Process on instructions only: Process Personal Data solely on documented instructions from the Controller, including with respect to transfers to a third country, unless required to do so by applicable law.
Confidentiality: Ensure that all personnel authorised to process Personal Data are subject to appropriate confidentiality obligations and are trained on data protection requirements.
Security: Implement and maintain the technical and organisational measures described in Annex A, including: SOC 2 Type II certification (Soor LLC, audit period 1 February 2025 to 30 June 2025); TLS 1.2+ encryption in transit; AES-256 encryption at rest; role-based access controls; multi-factor authentication for all internal systems; and annual independent penetration testing.
Data subject rights assistance: Assist the Controller, by appropriate technical and organisational means, in responding to Data Subject / Data Principal rights requests within 5 business days of receipt.
Breach notification: Notify the Controller of any confirmed Personal Data Breach affecting Customer Personal Data without undue delay, and in any event within 72 hours after becoming aware, providing the information required under Article 33(3) GDPR and equivalent DPDPA provisions to the extent then known.
Data deletion: Upon termination of the Agreement and on the Controller's instruction, delete all Customer Personal Data within 30 days of termination, unless applicable law requires retention for a longer period (in which case the Processor will continue to apply the protections of this DPA until deletion is permitted).
Audit cooperation: Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits upon 14 days' written notice. The Controller may request a copy of HelloGrowthCRM's most recent SOC 2 Type II report and a completed standard security questionnaire (CAIQ-Lite or similar) once per twelve-month period.
Data Protection Impact Assessments: Assist the Controller with data-protection impact assessments and prior consultations to the extent reasonably required by Applicable Data Protection Laws.
4. Controller Obligations
The Controller (Customer) shall:
Lawful basis: Ensure that there is a valid lawful basis for the processing of Personal Data under Applicable Data Protection Laws, including obtaining any necessary consents from Data Subjects / Data Principals before providing their data to the Processor.
Data accuracy: Ensure that Personal Data provided to the Processor is accurate, up to date, and limited to what is necessary for the purposes described in this DPA.
Instructions: Provide documented processing instructions that comply with Applicable Data Protection Laws and notify the Processor promptly of any changes to those instructions.
Special categories: Not upload special-category, financial, biometric, or health data to the Service unless an explicit written addendum is in place with the Processor.
5. Sub-processors
The Controller provides general authorisation for HelloGrowthCRM to engage the following Sub-processors for the activities described below. HelloGrowthCRM will provide at least 30 days' prior written notice (by email or in-app notification) before adding or replacing any Sub-processor handling Customer Personal Data. The Controller may object on reasonable data-protection grounds within the notice period.
Sub-processor | Purpose / Activity | Location
Supabase / AWS | Database hosting and storage | USA
Cloudflare | CDN, DDoS protection, edge networking | Global
Microsoft Azure / OpenAI | AI features (CRM assistance, summarisation, drafting) | USA
Vercel | Application hosting and deployment | Global
Razorpay | Payment processing | India
HelloGrowthCRM will impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA and will remain liable to the Controller for the performance of each Sub-processor's obligations. The full and up-to-date list of Sub-processors is also available at /subprocessors.
6. International Data Transfers
Where Personal Data is transferred outside the EEA or UK, HelloGrowthCRM relies on the European Commission Standard Contractual Clauses 2021/914 ("SCCs") Modules 2 (Controller-to-Processor) and 3 (Processor-to-Processor) as applicable, together with the UK International Data Transfer Addendum where relevant. The SCCs are incorporated by reference into this DPA; Annex I, II and III of the SCCs are populated by the corresponding Annexes of this DPA.
For transfers from India, HelloGrowthCRM complies with the cross-border data transfer regime under Section 20 of the DPDPA, and transfers Customer Personal Data only to countries or entities that provide adequate protection as notified by the Central Government, or under Standard Contractual Clauses or equivalent safeguards.
7. Data Subject Rights
Data Subjects (and Data Principals under the DPDPA) have the right to:
Access: Obtain confirmation of whether their Personal Data is being processed and a copy of that data.
Rectification: Request correction of inaccurate or incomplete Personal Data.
Erasure: Request deletion of Personal Data no longer necessary for the purposes for which it was collected, subject to legal retention obligations.
Portability: Receive Personal Data in a structured, commonly used, and machine-readable format where technically feasible.
HelloGrowthCRM will acknowledge rights requests within 72 hours of receipt and fulfil confirmed requests within 30 days, or notify the Controller of any extension where permitted by Applicable Data Protection Laws. Requests may be submitted via the self-serve form at /legal/data-rights/request or by emailing legal@hellogrowthcrm.com.
8. Security Measures
HelloGrowthCRM maintains the following technical and organisational security measures:
SOC 2 Type II: Soor LLC is audited under the AICPA SOC 2 Type II framework (audit period 1 February 2025 to 30 June 2025). The current certificate is available at /security.
Encryption: AES-256 encryption at rest; TLS 1.2+ encryption in transit; encrypted backups with key rotation.
Role-based access control (RBAC): Least-privilege access for all HelloGrowthCRM personnel; quarterly access reviews; separation of duties.
Multi-factor authentication (MFA): MFA enforced for all HelloGrowthCRM internal systems and personnel accounts.
Annual penetration testing: Independent third-party penetration test conducted annually; findings remediated in accordance with severity ratings.
Network security: Private VPC, security groups, WAF, and DDoS protection at the edge.
Monitoring: 24/7 telemetry, error tracking, anomaly detection, and audit logging retained for 12 months.
Personnel: Background checks where permitted by law, annual privacy and security training, and NDAs for all personnel with access to Customer Personal Data.
9. Term and Termination
This DPA commences on the effective date of the Agreement and remains in force for the duration of the subscription and any post-termination data retention period. Upon termination or expiry of the Agreement:
The Processor will delete all Customer Personal Data within 30 days of the termination date, unless applicable law requires retention for a longer period.
Upon the Controller's written request, the Processor will provide written confirmation that all Customer Personal Data has been deleted, within 10 business days of the request.
Obligations relating to the protection of Personal Data already processed will survive termination of this DPA for so long as the Processor retains any Customer Personal Data.
10. Governing Law
This DPA is governed by the laws of the State of Delaware, USA, without regard to its conflict of law provisions, except that where Applicable Data Protection Laws require otherwise, the law specified by those laws will apply to the relevant clauses of this DPA.
11. Contact
For questions regarding this DPA, data processing inquiries, or to request a counter-signed copy, contact:
Personnel: Background checks where permitted by law, annual privacy and security training, NDAs.
Incident response: Documented IR plan, on-call rotation, post-incident reviews shared with affected customers.
Resilience: Multi-AZ Postgres, automated failover, RPO 5 minutes or less, RTO 4 hours or less.
Annex B - Sub-Processors
The authorised Sub-processors are listed in Section 5 of this DPA and at /subprocessors. Material additions or replacements will be communicated as set out in Section 5 (30 days' prior written notice).
Annex C - Cross-Border Transfer Information
Data exporter (Controller): The Customer, as identified in the Agreement.
Data importer (Processor): Soor LLC, 16192 Coastal Hwy, Lewes, DE 19958, USA, and Meru Technosoft Pvt. Ltd. (India).
Transfer mechanism (EEA/UK): European Commission Standard Contractual Clauses 2021/914, Modules 2 and 3 as applicable; UK Addendum where relevant.
Transfer mechanism (India): DPDPA Section 20 cross-border transfer regime.
Frequency: Continuous, for the duration of the Agreement.
Categories of data and Data Subjects / Data Principals: As described in this DPA.
Competent supervisory authority: As designated under the Controller's applicable law.
Signature
Acceptance of the Agreement and continued use of the Service constitutes acceptance of this DPA. For a counter-signed copy, contact legal@hellogrowthcrm.com with your company name, billing address, and signatory details. We will return a counter-signed copy within two business days.