Template — not legal advice. This document is a starting template. Review it with qualified counsel before relying on it.
Super Sweet CRM

Data Processing Addendum

Last updated: June 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between you (the “Customer” / data controller) and Super Sweet CRM (the “Processor”) and governs the processing of personal data by the Service on the Customer's behalf.

1. Roles of the parties

The Customer is the controller of the personal data contained in Customer Data. Super Sweet CRM acts as a processor, processing personal data only on the Customer's documented instructions, including as set out in the Terms and this DPA.

2. Scope and nature of processing

  • Subject matter: provision of the CRM Service integrating with GoHighLevel.
  • Categories of data subjects: the Customer's contacts, leads, and the Customer's own users.
  • Categories of personal data: names, contact details, messages, appointment and pipeline data, and related metadata.
  • Duration: for the term of the Customer's use of the Service, subject to the deletion terms below.

3. Processor obligations

  • process personal data only on the Customer's documented instructions;
  • ensure personnel are bound by confidentiality;
  • implement appropriate technical and organizational security measures;
  • assist the Customer with data-subject requests and security obligations;
  • make available information needed to demonstrate compliance.

4. Security measures

Super Sweet CRM maintains measures including encryption in transit, row-level tenant isolation, least-privilege access controls, rate limiting, audit logging of privileged actions, and error monitoring.

5. Sub-processors

The Customer authorizes Super Sweet CRM to engage the sub-processors listed in our Privacy Policy (currently Supabase, Stripe, Resend, GoHighLevel, and Ollama). Super Sweet CRM will impose data-protection obligations on sub-processors and remains responsible for their performance. We will give notice of new sub-processors so the Customer may object.

6. International transfers

Where personal data is transferred across borders, the parties will rely on a lawful transfer mechanism as required by applicable law.

7. Personal data breach

Super Sweet CRM will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably necessary to enable the Customer to meet its own notification obligations.

8. Deletion and return of data

On termination, or on the Customer's request, Super Sweet CRM will delete Customer Data from the Service. The Customer may export its data before deletion. Because GoHighLevel is the system of record, the underlying CRM data remains under the Customer's control there. Cached copies are purged on workspace deletion.

9. Audits

Super Sweet CRM will make available information reasonably necessary to demonstrate compliance and will contribute to audits as required by applicable law, subject to reasonable confidentiality and security safeguards.

10. Contact

Data-protection inquiries? Email support@sweetcrm.app.