Our security overview, GDPR-aligned Data Processing Agreement, and subprocessor list for customers using CommitControl.
CommitControl is designed with a security-first architecture appropriate for enterprise CRM and commercial operations environments. Core controls include tenant-isolated architecture, role-based access controls, least privilege principles, encrypted transport using TLS 1.2+, MFA for administrative access, audit logging, infrastructure monitoring, backup and recovery procedures, secure OAuth integration handling, vulnerability management, incident response procedures, and secure software development lifecycle practices.
CommitControl continuously evaluates and improves its operational security posture.
This Data Processing Agreement ("DPA") forms part of the principal agreement between ZEUS GLOBAL, trading as CommitControl.com ("Processor"), and the CommitControl customer ("Controller"). This DPA governs the processing of Company Personal Data by CommitControl in connection with the provision of the Service. CommitControl acts as a Processor on behalf of the Customer, and the Customer acts as the Controller.
The Services include operation of the CommitControl.com platform, CRM integrations, user management, authentication, subscription management, billing support, analytics and reporting, customer support, notifications, operational telemetry, backups, and related support services.
CommitControl may process names, email addresses, telephone numbers, job titles, CRM contact records, sales opportunity data, usage and telemetry data, IP addresses, authentication metadata, support communications, uploaded customer business data, cookies, and identifiers.
Processing purposes include account provisioning, platform operation, CRM integration support, billing and subscription management, analytics and reporting, customer support, fraud prevention, security monitoring, legal compliance, and product improvement.
CommitControl shall process personal data only on documented instructions from the Customer, as required by the principal agreement, or as required by applicable law. If CommitControl believes an instruction violates applicable data protection law, CommitControl shall promptly notify the Customer.
CommitControl may engage approved subprocessors. CommitControl shall maintain a current subprocessor list, provide notice of material changes, impose equivalent data protection obligations, and remain responsible for subprocessor compliance. Customers may reasonably object to new subprocessors on data protection grounds.
Where you enable an optional messaging integration, data you direct CommitControl to send (such as a Weekly Risk Briefing) is shared with that platform: Slack (US/EU) or Microsoft Teams (global). These integrations are optional, enabled by you, and can be disconnected at any time.
CommitControl shall implement appropriate technical and organisational measures under Article 32 GDPR, including encryption in transit, encryption at rest where appropriate, role-based access controls, least privilege access, MFA for administrative access, audit logging, vulnerability management, security monitoring, backup and recovery procedures, incident response capabilities, and secure development practices.
CommitControl shall notify the Customer without undue delay and no later than 48 hours after becoming aware of a Personal Data Breach affecting Customer Personal Data. Notifications shall include the nature of the breach, categories of data affected, approximate impact, mitigation measures, remediation steps, and contact details for follow-up.
CommitControl shall not transfer personal data outside the EEA without appropriate safeguards. Where applicable, safeguards may include EU Standard Contractual Clauses, adequacy decisions, and contractual protections.
Upon termination of the Services, the Customer may request return of data. CommitControl shall securely delete or return Customer Personal Data within 30 days unless otherwise required by law. CommitControl may retain limited archived data where legally required.
CommitControl shall provide reasonable information necessary to demonstrate compliance. Customers may review security documentation, rely on third-party audit reports, or request reasonable audits subject to confidentiality obligations.
CommitControl shall provide reasonable assistance with access requests, deletion requests, portability requests, objection requests, and regulatory obligations.
Liability under this DPA shall align with the principal agreement except where prohibited by law. Nothing limits liability for fraud, willful misconduct, or unlawful exclusion of GDPR obligations.
This DPA is governed by the laws of Ireland. The Irish courts shall have exclusive jurisdiction.
ZEUS GLOBAL, trading as CommitControl.com. Email: legal@commitcontrol.com.