Data Processing Agreement (DPA)
Software: MCP Bridge — AI for Bitrix24
Processor: HUB DESPACHOS Y PYMES S.L.
Effective date: 2026-06-05
Version: 1.1
1. Purpose
This Data Processing Agreement (the “DPA”) governs the processing of personal data carried out by HUB DESPACHOS Y PYMES S.L. (“HUB Consultores”, the “Processor”) on behalf of the User’s organization (the “Controller”) when the User uses the MCP Bridge — AI for Bitrix24 application (the “Software”) to access CRM data stored in their Bitrix24 portal.
This DPA forms an integral part of the End-User License Agreement (EULA) accepted by the Controller upon installation of the Software, and complies with Article 28 of the General Data Protection Regulation (GDPR — Regulation (EU) 2016/679).
In the event of conflict between this DPA and the EULA or the Privacy Policy with respect to processing of personal data on behalf of the Controller, this DPA prevails.
2. Definitions
Terms not defined here have the meaning given to them in the GDPR. In particular:
- Controller — the User’s organization operating the Bitrix24 portal.
- Processor — HUB Consultores.
- Sub-processor — any third party engaged by the Processor to process personal data on behalf of the Controller.
- Personal Data — any information relating to an identified or identifiable natural person stored in the Controller’s Bitrix24 portal and accessed through the Software.
3. Subject Matter, Nature and Purpose of Processing
| Aspect | Description |
|---|---|
| Subject matter | Real-time access to the Controller’s CRM data stored in Bitrix24, in response to natural-language requests issued by the Controller via an AI assistant authorized by the Controller. |
| Nature | Forwarding (in transit) of CRM data between Bitrix24 and the AI assistant. No storage at rest by the Processor. |
| Purpose | Enable the Controller’s authorized users to query and manipulate their CRM data through AI assistants supporting the Model Context Protocol (MCP). |
| Duration | For the duration the Software is installed on the Controller’s Bitrix24 portal. |
4. Categories of Data Subjects and Personal Data
Categories of data subjects:
- Employees of the Controller who use the Software
- Leads, contacts, customers, and other natural persons whose data the Controller stores in their Bitrix24 portal
- Any other natural persons referenced in CRM records (suppliers, partners, prospects, etc.)
Categories of personal data processed (in transit only):
- Identification data (name, surname, position, company)
- Contact data (email, phone, address)
- Business data (deals, tasks, comments, attachments, custom fields the Controller has defined in Bitrix24)
- Any other personal data the Controller chooses to store in their Bitrix24 portal and access through the Software
Special categories of data (GDPR Art. 9):
The Software is not designed to process special categories of data (e.g., health, racial origin, religion, sexual orientation). However, if the Controller stores such data in their Bitrix24 portal and queries it through the Software, the data will transit through the Processor’s infrastructure. The Controller is solely responsible for ensuring a valid legal basis under Art. 9 GDPR for such processing.
Recommendation. The Processor recommends that the Controller configure access controls in Bitrix24 (field-level permissions, role restrictions, custom field visibility) to prevent the Software from accessing fields containing special categories of data unless a documented Art. 9 legal basis and the additional safeguards required by Spanish LOPDGDD Art. 9 are in place.
5. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to third countries (GDPR Art. 28(3)(a)). The Controller’s instructions are defined as: the API requests issued by authorized users via the AI assistant of their choice. Any other processing requires additional written instructions.
- Ensure that persons authorized to process personal data have committed to confidentiality or are under appropriate statutory obligations of confidentiality (Art. 28(3)(b)).
- Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32). Specific measures are described in Section 12 of the Privacy Policy and include: encryption in transit (TLS 1.2+), application-level encryption at rest of OAuth tokens and the mcp_token using the Fernet symmetric scheme (cryptography library) with the TOKEN_ENCRYPTION_KEY held outside the database; SHA-256 hashing for token lookup indices and the revoked-tokens blacklist; disk-level encryption at the infrastructure layer; strict access control; OAuth scope minimization; audit logging; rate limiting; and intrusion detection.
- Respect the conditions for engaging sub-processors as set out in Section 7 of this DPA (Art. 28(2) and (4)).
- Assist the Controller, taking into account the nature of the processing, by appropriate technical and organizational measures, in fulfilling its obligation to respond to requests from data subjects exercising their GDPR rights (Art. 28(3)(e)).
- Assist the Controller in ensuring compliance with obligations under Articles 32-36 (security, breach notification, DPIAs, consultation with the supervisory authority) (Art. 28(3)(f)).
- At the choice of the Controller, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage (Art. 28(3)(g)). In practice, since the Processor does not store CRM data at rest, no deletion is required upon termination — the Controller’s data resides only in their Bitrix24 portal at all times.
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, at the Controller’s expense and during normal business hours, with at least 30 days’ prior written notice (Art. 28(3)(h)).
6. Personal Data Breach Notification
The Processor shall notify the Controller without undue delay and in any event within 48 hours of becoming aware of a personal data breach involving personal data processed on behalf of the Controller. This window is deliberately shorter than the 72-hour period the Controller has under GDPR Art. 33(1) toward its competent supervisory authority, so that the Controller retains sufficient time to assess the breach and, where required, notify the supervisory authority and affected data subjects. Where the Processor becomes aware of a confirmed high-risk breach, it will notify the Controller as soon as reasonably possible — and without waiting for the 48-hour limit — to enable the Controller to meet its obligations to data subjects under Art. 34.
The notification shall include, to the extent possible:
- The nature of the breach, including the categories and approximate number of data subjects and records concerned;
- The likely consequences of the breach;
- The measures taken or proposed to address the breach and mitigate adverse effects.
The Processor shall cooperate with the Controller in fulfilling the Controller’s own notification obligations under Art. 33-34 GDPR.
7. Sub-processors
7.1 General authorization
The Controller hereby grants the Processor general authorization to engage sub-processors, subject to the conditions set out in this Section 7.
7.2 Current sub-processors
The current list of sub-processors is:
| Sub-processor | Role | Location | Safeguards for any non-EEA transfer |
|---|---|---|---|
| Bitrix24 (the SaaS provider chosen by the Controller) | Source of CRM data; not a sub-processor of the Processor per se but the controller-side SaaS the Software accesses on instruction | As per the Controller’s Bitrix24 plan | Direct contractual relationship between Controller and Bitrix24 |
| AI assistant authorized by the Controller (Claude.ai, ChatGPT, etc.) | Recipient of CRM responses; processes the User’s natural-language request and returns the answer | Determined by the assistant chosen by the Controller (typically United States) | The Controller authorizes a specific assistant. For the assistants most commonly used with the Software (e.g., Anthropic / Claude and OpenAI / ChatGPT), the transfer mechanism publicly documented by the provider for EU personal data is, as of the effective date of this DPA, the European Commission Standard Contractual Clauses (Decision 2021/914). Where a provider additionally self-certifies under the EU-US Data Privacy Framework, that certification may also be relied upon — the Controller should verify the provider’s current status on the official DPF list (dataprivacyframework.gov) before relying on it. The Controller is responsible for verifying the applicable safeguard before authorizing an assistant. |
| Functional Software GmbH (Sentry) | Error monitoring. Server-side PII scrubbing (send_default_pii=False + custom before_send filter for CRM-shaped local variables). No CRM data and no Authorization headers transmitted. | Sentry EU region — Frankfurt, Germany (ingest.de.sentry.io) | Parent company access (Functional Software, Inc., USA) governed by Sentry’s standard DPA, EU-US Data Privacy Framework certification (self-certified by Functional Software, Inc.; verifiable on the official DPF list at dataprivacyframework.gov), and Standard Contractual Clauses (2021) as a fallback |
| Hetzner Online GmbH (cloud hosting) | Infrastructure: virtual servers, block storage, network | Nuremberg, Germany (EU) | None required — processing remains within the European Union |
7.3 Changes to sub-processors
The Processor shall notify the Controller at least 30 days in advance of any intended addition or replacement of sub-processors that will process the Controller’s personal data. Notification will be sent through the Software’s “What’s new” panel and via email where available.
The Controller may object to the change in writing within 30 days of notification, stating reasonable grounds. If the parties cannot reach an agreement, the Controller may terminate the relevant processing arrangement by uninstalling the Software.
7.4 Obligations of sub-processors
When engaging a sub-processor, the Processor shall impose on it the same data protection obligations as set out in this DPA by way of a written contract (Art. 28(4)). In particular:
- Sentry (Functional Software, Inc. / Functional Software GmbH): the Processor has accepted Sentry’s Data Processing Addendum via Sentry’s Legal & Compliance dashboard. The Sentry DPA relies on the EU-US Data Privacy Framework certification — self-certified by Functional Software, Inc. and verifiable on the official DPF list at dataprivacyframework.gov — and Standard Contractual Clauses (2021).
- Hetzner Online GmbH: sub-processor under Hetzner’s standard Auftragsverarbeitungsvertrag (AVV) framework. Hetzner is a German company subject to GDPR; the data centers used by the Software are located in the European Union.
Copies of the executed sub-processor agreements are available to the Controller upon written request to the Processor’s contact address.
8. International Data Transfers
8.1 Architecture and roles
The Software is designed so that the Processor’s own infrastructure (application servers, database, error monitoring) remains within the European Economic Area (EEA). Specifically:
- Application servers and database: Hetzner, Nuremberg, Germany (EU).
- Error monitoring: Sentry EU region — Frankfurt, Germany.
No CRM data is stored at rest by the Processor at any location.
8.2 Onward transfer to the Controller’s chosen AI assistant
The principal transfer of personal data outside the EEA that may occur in connection with the Software is the onward transfer of CRM data from the Processor to the AI assistant the Controller has authorized (e.g., Claude.ai, ChatGPT, or other MCP-compatible assistants), which may be located in the United States or elsewhere.
This onward transfer takes place on documented instructions from the Controller (GDPR Art. 28(3)(a)). The instruction is materialised in the act of the Controller authorising a specific AI assistant via the Software’s OAuth flow. The Processor does not select the destination of the transfer; it forwards the data in transit to the assistant chosen by the Controller.
The Controller is the party responsible, under GDPR Chapter V, for ensuring that an appropriate transfer mechanism is in place between itself (as data exporter) and the AI assistant (as data importer) before authorising that assistant. The Processor supports the Controller in this assessment by maintaining the sub-processor list in Section 7.2 with the safeguards documented therein.
8.3 Available safeguards for the AI-assistant transfer
For the onward transfer to a US-based (or other non-EEA) AI assistant, the Controller should rely on the following mechanisms, in order of applicability:
-
European Commission Standard Contractual Clauses (Decision 2021/914) (“SCCs (2021)”) concluded between the data exporter (the Controller, or the Bitrix24 instance acting on its behalf) and the assistant’s provider as data importer, supplemented by a transfer impact assessment where required. As of the effective date of this DPA, this is the mechanism publicly documented by both Anthropic (Claude) and OpenAI (ChatGPT) for EU personal data transfers.
-
EU-US Data Privacy Framework (DPF) certification of the receiving party, where — and only where — the provider has self-certified and remains on the active DPF list. The Controller must verify the provider’s current certification status at the official list (https://www.dataprivacyframework.gov) before relying on this mechanism, as certifications can be added, withdrawn, or invalidated over time.
The Processor does not warrant the certification status or the validity of any provider’s transfer mechanism; it surfaces the information in Section 7.2 to assist the Controller’s own Chapter V assessment.
8.4 Derogations under Art. 49
The Processor does not rely on the derogations of GDPR Art. 49 (including Art. 49(1)(a) “explicit consent”) as a routine safeguard for the onward transfer described in Section 8.2. As stated by the European Data Protection Board in its Guidelines 2/2018, the Art. 49 derogations are exceptional and not appropriate for transfers that are massive, repetitive or systematic in nature. The transfers carried out by the Software in normal use fall within those categories and must therefore be supported by SCCs (2021), DPF certification (where applicable), or another appropriate mechanism under GDPR Chapter V.
9. Audits and Inspections
The Controller may, at its own expense and with at least 30 days’ prior written notice, conduct an audit (including inspections of the Processor’s facilities) to verify compliance with this DPA. Audits shall be carried out during normal business hours and in a manner that does not interfere with the Processor’s business operations.
Such audits shall not occur more than once per 12-month period unless triggered by (i) a documented, material compliance concern notified to the Processor in writing, or (ii) a request from a competent supervisory authority addressed to the Controller in respect of the processing carried out by the Processor on the Controller’s behalf.
The Processor may satisfy audit requests by providing existing third-party audit reports (e.g., ISO 27001, SOC 2) when available, together with a written summary of the technical and organisational measures actually implemented at the time of the request.
10. Liability
Each party’s liability under this DPA is subject to the limitations of liability set out in the EULA, except where mandatory law (in particular GDPR Art. 82) provides otherwise. Each party shall be liable for damage caused by processing which infringes the GDPR only where it has not complied with obligations specifically directed to it or where it has acted outside or contrary to the lawful instructions of the Controller.
11. Duration and Termination
This DPA is effective for the duration the Controller has the Software installed on their Bitrix24 portal. It automatically terminates upon uninstallation of the Software.
Upon termination:
- All OAuth tokens and routing data held by the Processor (as Controller for those records — see Privacy Policy Section 3.1) are deleted within 24 hours.
- No CRM data deletion is required, as the Processor never stores CRM data at rest (Section 5(7) above).
12. Governing Law
This DPA is governed by Spanish law and shall be construed in accordance with the EULA. Disputes are subject to the same jurisdiction clauses as the EULA (Section 12 of the EULA).
13. Contact
For any matter related to this DPA, contact:
- Email: [email protected] (subject line: “MCP Bridge — DPA”)
- Address: HUB DESPACHOS Y PYMES S.L., Avenida Benito Pérez Armas, 2 - PTL 2,6 B, Santa Cruz de Tenerife, Spain
- Phone: +34 822 684 008
14. Modifications to this DPA
The Processor may update this DPA from time to time to reflect changes in applicable data protection law, EDPB or supervisory authority guidance, sub-processor changes, or material modifications to the technical and organisational measures. Material modifications will be notified to the Controller at least 30 days before they take effect, through the Software’s “What’s new” panel and, where available, by email to the contact registered in the Bitrix24 portal.
The Controller may object to any material modification in writing, within the 30-day notice period, stating reasonable grounds. If the parties cannot reach an agreement, the Controller may terminate the relevant processing arrangement by uninstalling the Software, which will trigger the deletion timetable described in Section 11.
Non-material changes (typographical corrections, clarifications that do not affect the rights or obligations of the Controller or data subjects, updates to contact details) take effect upon publication of the revised DPA at the URL where this document is hosted.
Last updated: 2026-06-05
Version: 1.1
Changelog
v1.1 (2026-06-05) — GDPR hardening review:
- §4 — Added explicit recommendation to the Controller to apply access controls in Bitrix24 to prevent the Software from accessing fields containing special categories of data without a documented Art. 9 legal basis.
- §5(3) — Surfaced application-level Fernet encryption of OAuth tokens and mcp_token, SHA-256 hashing for lookups and the revoked-tokens blacklist. Disk-level encryption clarified as a complementary measure at the infrastructure layer.
- §6 — Personal data breach notification window kept at 48 hours, deliberately tighter than the Controller’s GDPR Art. 33(1) 72-hour deadline so that the Controller retains its full notification runway. Rationale added inline.
- §7.2 — Sub-processor table expanded with: explicit data-centre location (Hetzner Nuremberg, Germany — EU); explicit Sentry EU region (Frankfurt — ingest.de.sentry.io); per-row safeguards for any non-EEA transfer; clarification of the role of Bitrix24 vs the AI assistant. For Anthropic (Claude) and OpenAI (ChatGPT) the primary transfer mechanism is identified as Standard Contractual Clauses (2021); the EU-US Data Privacy Framework is treated as a conditional safeguard subject to the Controller verifying the provider’s current certification status at dataprivacyframework.gov.
- §7.4 — Added explicit references to the executed Sentry DPA (via Sentry’s Legal & Compliance dashboard) and to the Hetzner AVV framework. Copies available upon written request.
- §8 — International transfers section rewritten following EDPB Guidelines 2/2018: SCCs (2021) are now identified as the primary safeguard for the onward transfer to the AI assistant, and the EU-US Data Privacy Framework as a conditional safeguard requiring Controller verification on the official DPF list. Art. 49(1)(a) “explicit consent” removed as a routine safeguard; the Processor relies on documented Controller instructions instead.
- §9 — Audit cadence capped at once per 12-month period, with exceptions for documented compliance concerns or supervisory authority requests.
- §14 (new) — Modifications clause: 30-day advance notice for material changes, with a Controller right to object and terminate by uninstalling the Software.
v1.0 (2026-05-21) — Initial publication.