Data Processing Addendum
DRAFT — Under Legal Review
This Data Processing Addendum ("DPA") is entered into between Granite Logic, LLC ("Processor", "Crafted Call") and the Customer ("Controller") who has accepted the Terms of Service.
Note: This document is being finalized with legal counsel. For a legally binding countersigned copy, contact legal@craftedcall.com.
Definitions
"Customer Personal Data" means personal data processed by Crafted Call on behalf of the Customer under the Terms of Service.
"GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
"Processing" has the meaning given in the GDPR.
"Data Subject" means the individual to whom Customer Personal Data relates.
"Sub-processor" means any third party engaged by Crafted Call to process Customer Personal Data.
Scope and Purpose of Processing
Crafted Call processes Customer Personal Data solely for the purpose of providing the Service as described in the Terms of Service. The nature of processing includes: storage, retrieval, display, transmission, and deletion of data.
Duration of processing: for the term of the Customer's subscription, plus any statutory retention period.
Categories of Personal Data
Crafted Call may process the following categories of Customer Personal Data on behalf of the Customer:
- Artist identity data: names, email addresses, biographical information
- Submission content: artwork files, artist statements, portfolio materials
- Communication records: jury feedback, organizational messages
- Transaction data: submission fees, event ticket purchases
Crafted Call does not process special categories of personal data (as defined in GDPR Art. 9) on behalf of Customers unless explicitly agreed.
Categories of Data Subjects
- Artists and applicants who submit to the Customer's calls for artists
- Organization members (staff, jurors, volunteers) managed by the Customer
- Event registrants and attendees
Retention
Crafted Call retains Customer Personal Data for the duration of the Customer's subscription. Upon termination, data is deleted within 90 days unless the Customer requests earlier deletion or a legal hold applies.
Security Measures
Crafted Call implements the following technical and organizational security measures to protect Customer Personal Data:
- Encryption at rest: AES-256 via AWS RDS and S3 SSE-S3
- Encryption in transit: TLS 1.3 enforced at the load balancer; HSTS preload enabled
- Access control: Organization-scoped role-based access plus PostgreSQL row-level security
- Authentication: AWS Cognito with optional MFA (TOTP)
- Audit logging: Immutable audit trail with 90-day customer-visible retention
- Backups: RDS automated backups with 7-day retention and point-in-time recovery
Full details at craftedcall.com/security.
Subprocessors
Crafted Call engages the following sub-processors, all of which are bound by data processing agreements consistent with this DPA:
| Sub-processor | Purpose | Region |
|---|---|---|
| Amazon Web Services | Compute, storage, database, email, authentication | us-east-1 |
| Stripe | Payment processing and artist payouts | US / EU |
| Anthropic | Frida AI assistant (no PII in prompts by design) | US |
| New Relic | Application monitoring (no personal data in traces) | US |
| GitHub | Source code and container registry (no customer data) | US |
Full sub-processor list: craftedcall.com/legal/subprocessors
Crafted Call provides 30 days' advance notice before engaging a new sub-processor that processes Customer Personal Data.
International Transfers
Customer Personal Data is stored in AWS us-east-1 (United States). Transfers of personal data from the EEA to the United States are conducted pursuant to the Standard Contractual Clauses (SCCs) adopted by the European Commission (Decision 2021/914). Copies of applicable SCCs are available on request.
Data Subject Rights
Crafted Call will assist the Customer in responding to Data Subject requests under GDPR Arts. 15–20 (access, rectification, erasure, portability, restriction, objection). Customers may manage data subject requests via their organization settings or by contacting support@craftedcall.com.
Data export and erasure workflows are available at craftedcall.com/settings/privacy.
Personal Data Breach Notification
Crafted Call will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a personal data breach affecting Customer Personal Data, consistent with GDPR Art. 33. The notification will include: the nature of the breach, categories and approximate number of affected data subjects, likely consequences, and measures taken or proposed.
Customer is responsible for notifying relevant supervisory authorities as required by applicable law.
Audit Rights
Upon written request (30 days' advance notice), Crafted Call will make available to the Customer all information necessary to demonstrate compliance with this DPA. The Customer may conduct an audit no more than once per calendar year; audits will be subject to a confidentiality agreement and will not unreasonably disrupt Crafted Call operations.
Liability and Indemnification
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. Where required by applicable law (GDPR Art. 82), each party shall be liable for damages caused by processing that infringes this DPA or applicable data protection law.
Termination
This DPA terminates automatically upon termination of the Customer's Terms of Service agreement. Sections 6 (Retention), 11 (Breach Notification), 12 (Audit Rights), and 13 (Liability) survive termination.
Return and Deletion of Personal Data
Upon termination of the Terms of Service or at the Customer's written request, Crafted Call will return or delete Customer Personal Data within 90 days. Crafted Call may retain anonymized or aggregated data that does not identify individuals.
Signatures
This DPA is accepted by the Customer upon acceptance of the Terms of Service. For a countersigned paper copy, contact legal@craftedcall.com.
Processor: Granite Logic, LLC
By: ___________________________
Title: ___________________________
Date: ___________________________
Controller (Customer):
Organization: ___________________________
By: ___________________________
Title: ___________________________
Date: ___________________________
This is version 1.0 of the Data Processing Addendum, effective April 16, 2026.
Questions? Contact legal@craftedcall.com.