Data Processing Addendum

How we process the personal data you and your End Users put into Crumb Cloud, as your processor. Last updated June 21, 2026.

How to use this DPA. This Addendum forms part of the Terms of Service between you ("Customer", "Controller") and Localhost Labs LLC ("Crumb", "Processor") for Crumb Cloud. It applies automatically when you use the Service to process personal data subject to GDPR, UK GDPR, or similar laws. If your organization needs a countersigned copy, email [email protected].

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms. "Data Protection Laws" means all laws applicable to the processing of personal data under this Addendum, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act as amended (CCPA/CPRA). "Controller", "Processor", "Data Subject", "Personal Data", and "Processing" have the meanings given in the Data Protection Laws. "Customer Personal Data" means Personal Data within Customer Content that we process on your behalf.

2. Roles & scope

For Customer Personal Data, you are the Controller and we are the Processor (or, where you are yourself a processor for your End Users, we are your sub-processor). Each party will comply with its obligations under the Data Protection Laws. This Addendum applies to our processing of Customer Personal Data for as long as we hold it.

3. Our processing obligations

We will:

  • process Customer Personal Data only on your documented instructions (which include the Terms, this Addendum, your configuration of the Service, and your use of its features), unless required by law (in which case we'll tell you, if permitted);
  • ensure personnel authorized to process Customer Personal Data are bound by confidentiality;
  • implement the technical and organizational security measures described in Section 7;
  • respect the conditions in Section 5 for engaging sub-processors;
  • assist you, taking into account the nature of the processing, in responding to Data Subject requests (Section 6) and in meeting your obligations around security, breach notification, and data-protection impact assessments (Articles 32–36 GDPR);
  • at your choice, delete or return Customer Personal Data at the end of the Service (Section 9); and
  • make available the information reasonably necessary to demonstrate compliance with this Addendum (Section 8).

4. Details of processing (Annex)

  • Subject matter: provision of the Crumb Cloud feedback-loop Service.
  • Duration: the term of your subscription, plus any post-termination export/deletion window.
  • Nature & purpose: hosting, storing, routing, triaging, and notifying on product feedback; tying feedback to accounts and revenue; delivering email; and, where enabled, optional AI features and session replay.
  • Categories of Data Subjects: your team members and your End Users (the customers who submit feedback).
  • Categories of Personal Data: names, email addresses, workspace/account records, the content of feedback submissions, page/app/session context attached at capture, usage and device metadata (including IP address), and — only if you enable Session Record — a masked replay of an End User's session.
  • Special categories: none are requested or required. You should not submit special-category data through the Service.

5. Sub-processors

You grant general authorization for us to engage sub-processors to provide the Service. Our current sub-processors are listed at crumb.localhostlabs.net/subprocessors. We impose data-protection obligations on each sub-processor that are no less protective than those in this Addendum, and we remain responsible for their performance. We will give you a way to receive notice of a new or replacement sub-processor before it begins processing, with a reasonable window to object on legitimate data-protection grounds; if we can't resolve a reasonable objection, you may terminate the affected part of the Service.

6. Data Subject requests

The Service gives you controls to access, correct, export, and delete Customer Personal Data yourself. If we receive a request directly from one of your Data Subjects, we will not respond except on your instruction or as legally required, and will instead refer them to you. Taking into account the nature of the processing, we will assist you in fulfilling your obligation to respond to Data Subject rights requests.

7. Security

We maintain technical and organizational measures appropriate to the risk, including: encryption of data in transit (TLS); encryption at rest for sensitive credentials such as integration tokens; access controls and least-privilege practices for personnel; network isolation (the application is reached through a secured tunnel with no open inbound ports); and logging and monitoring. We review these measures and may update them, provided the level of protection is not materially reduced.

8. Audit

We will make available information reasonably necessary to demonstrate compliance with this Addendum and, on reasonable prior request and no more than once per year (unless required by a supervisory authority), allow for and contribute to audits conducted by you or an independent auditor bound by confidentiality, subject to reasonable safeguards for our other customers' data and our infrastructure.

9. Return & deletion

On termination or expiry of the Service, you may export Customer Personal Data for a reasonable period. After that window, we will delete or anonymize Customer Personal Data within our systems, except where retention is required by law, and removal from routine backups occurs on our standard backup cycle.

10. International transfers

We are based in the United States and may process Customer Personal Data in the US and in regions where our sub-processors operate. Where Data Protection Laws require a transfer mechanism for cross-border transfers of Customer Personal Data, the parties agree that the applicable Standard Contractual Clauses (and the UK Addendum, where relevant) are incorporated into this Addendum by reference, with you as data exporter and us as data importer, completed by the details in Section 4.

11. California (CCPA/CPRA)

Where the CCPA applies, we act as a "service provider" for Customer Personal Data. We will not sell or share it, will not retain, use, or disclose it for any purpose other than providing the Service (or as otherwise permitted by the CCPA), and will not combine it with data from other sources except as the CCPA allows. We certify we understand and will comply with these restrictions.

12. Breach notification

We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and will provide the information reasonably available to help you meet your own notification obligations.

13. General

This Addendum is governed by the same law and dispute-resolution terms as the Terms. If any conflict arises between this Addendum and the Terms regarding the processing of Customer Personal Data, this Addendum controls. To the extent required, the Standard Contractual Clauses prevail over both for the conflicts they address. Questions: [email protected].