OmniCRM Data Processing Addendum (DPA)

Effective Date: 19 May 2026
Last Updated: 01 May 2026

This Data Processing Addendum forms part of the agreement between: OmniCRM UK Ltd (“Processor”) and the Customer (“Controller”) and governs the processing of personal data under UK GDPR.

1. DEFINITIONS

Terms used in this Addendum have the meanings given in the UK GDPR. The UK supervisory authority is the Information Commissioner's Office.

2. ROLES OF THE PARTIES

Customer: Data Controller

OmniCRM: Data Processor

OmniCRM processes personal data only according to the Controller’s instructions.

3. SUBJECT MATTER OF PROCESSING

Processing relates to the provision of CRM software and related support services.

4. DURATION OF PROCESSING

Processing continues for the duration of the customer subscription.

Upon termination: Customers have 30 days to export data after this period data may be permanently deleted.

5. CATEGORIES OF PERSONAL DATA

Data may include:

Contact information

Communications records

CRM notes

Marketing records

Appointment data

Uploaded documents

6. SPECIAL CATEGORY DATA

Customers may choose to store sensitive information including:

Medical records

Health information

Treatment records

Legal case notes

Sensitive personal information

OmniCRM processes and/or stores such information solely on behalf of the Controller.

7. SECURITY MEASURES

OmniCRM implements security measures including:

Encryption
AES-256 encryption at rest
TLS 1.2 or TLS 1.3 encryption in transit

Access Control
Role-based access permissions

Authentication
Multi-Factor Authentication required for OmniCRM internal staff and customer staff accounts

Data Isolation
Multi-tenant architecture isolating customer environments

Audit Logs
System logs recording user actions

Backups
Infrastructure redundancy and automated backups through Amazon Web Services

8. ACCESS TO DATA

Customer data may be accessed by authorised OmniCRM staff only where necessary for:

Support

System maintenance

Managed service assistance

All OmniCRM staff are bound by strict confidentiality obligations.

9. SUB-PROCESSORS

OmniCRM uses a variety of infrastructure or communications providers. These providers process data under contractual safeguards.

Customers may also connect additional sub-processors through platform integrations at their discretion. To access our active list of known sub-processors read our full sub-processor list.

10. INTERNATIONAL DATA TRANSFERS

Data may be transferred to the United States due to infrastructure hosting. Transfers are protected through recognised safeguards including frameworks associated with the EU-US Data Privacy Framework and standard contractual mechanisms.

11. DATA BREACH NOTIFICATION

OmniCRM will notify the Controller of a confirmed personal data breach within 48 hours of discovery.

The Controller remains responsible for determining whether regulatory notification is required.

12. DATA SUBJECT RIGHTS

OmniCRM will assist the Controller in responding to requests including:

Access requests

Deletion requests

Correction requests

Where technically feasible.

13. DATA EXPORT

Customers may export their data in CSV format using platform tools.

14. DELETION OF DATA

Following termination and expiration of the 30-day export window:

Customer data will be permanently deleted from active systems.

15. AUDITS

Controllers may request reasonable information demonstrating compliance with this Addendum.

16. GOVERNING LAW

This Addendum is governed by the laws of England and Wales.

OmniCRM affordable email marketing tool for small businesses

Unlock the true potential of your business with Omni. Your partner in growth and scalability. Designed to adapt to your evolving needs.

[email protected]

About

Careers

Earn with Omni

© 2026 Omni CRM - All Rights Reserved.

Website design by South Coast Design