Data Processing Agreement (DPA)
Annex to the service contract between Customer and pibiCo Compañía de Inteligencia de Negocio y Control SL for compliance with Regulation (EU) 2016/679 (GDPR).
1. Parties
- Data Controller ("Customer"): the entity or organization that has contracted the Service.
- Data Processor: pibiCo Compañía de Inteligencia de Negocio y Control SL, VAT ES B52567831, Avenida de La Costa 35-6T, 33201 Gijón, Asturias, Spain.
2. Subject matter
The Processor will process personal data on behalf of the Controller only to provide the contracted services (Ideas CRM) per documented instructions of the Controller.
3. Data processed
- Name
- Organization
4. Categories of data subjects
- Employees, collaborators and members of the Customer
- End-clients of the Customer whose data is managed within the Service
5. Processor obligations
The Processor undertakes to:
- Process data only per Controller's documented instructions
- Ensure that personnel authorized to process the data are bound by confidentiality
- Apply appropriate technical and organizational measures (encryption at rest and in transit, access control, audit logs, backups)
- Assist the Controller in handling data subject rights
- Notify security breaches without undue delay, and in any case within 72 hours
- Delete or return data at end of service
- Allow reasonable audits by the Controller or independent auditor
6. Sub-processors
The Processor does not use external sub-processors to provide the Service. Any future addition will be notified 30 days in advance.
7. International transfers
Where sub-processors are located outside the EEA, transfers are made under Standard Contractual Clauses (SCC) approved by the European Commission or Adequacy Decisions.
8. Security measures
The Processor applies, among other measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Passwordless authentication (WebAuthn passkeys) and MFA
- Role-based access control (RBAC)
- Immutable audit logs
- Encrypted backups with recovery plan
- Regular security testing and dependency review
9. Security breach
In case of breach affecting Controller's personal data, the Processor will notify the Controller without undue delay, within 72 hours of becoming aware, including:
- Nature of the breach
- Categories and approximate number of affected data subjects
- Measures taken or proposed
- Processor contact point to coordinate response
10. Audit rights
The Controller may request documentary evidence of compliance (audit reports, certifications, technical descriptions) up to once a year or after any relevant breach. On-site audits require prior agreement and are performed during business hours without interrupting the Service.
11. Term and termination
This DPA enters into force upon Service subscription and remains in force while the Customer maintains an active account. Upon termination, the Processor will delete or return personal data per the Controller's documented instructions, except where legal retention obligations apply (billing data: 6 years).
12. Liability
Each party is liable for its own GDPR breaches. Processor liability is limited per the Service Terms.
Last updated: 2026-05-10 · Version 1.0.0