Data Processing Agreement — CronusAI
1. Parties and Definitions
Business: The organization that subscribes to CronusAI services and determines the purposes and means of processing personal information, acting as a "Business" under the California Consumer Privacy Act as amended (CCPA §1798.140(c)).
Service Provider: SOFTBLITZ PESQUISA DESENVOLVIMENTO E CONSULTORIA DE SOFTWARE DO BRASIL LTDA - ME, operating the CronusAI platform at Av. Paulista 1471, Conj. 1110, Bela Vista, São Paulo – SP, CEP 01311-927, Brazil. The Service Provider processes personal information on behalf of the Business pursuant to a written contract that prohibits the Service Provider from: (1) selling or sharing personal information; (2) retaining, using, or disclosing the information outside the direct business relationship; (3) combining the information with other data except as permitted by CCPA §1798.140(ag)(1)–(3).
Consumer: A natural person who is a California resident, as defined in CCPA §1798.140(g), or a resident of another jurisdiction with analogous rights (e.g., Virginia CDPA, Colorado CPA, Connecticut CTDPA).
Personal Information: Information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a particular consumer or household, as defined in CCPA §1798.140(v).
2. Purpose of Processing
This Data Processing Agreement governs the processing of personal information by the Service Provider on behalf of the Business in connection with CronusAI, an HR SaaS platform within the OrbittAI ecosystem providing time tracking, payroll, employment contracts, employee management, and AI analytics.
The Service Provider processes personal information solely for the permitted purposes set out in the Business's service agreement and in accordance with documented instructions. The Service Provider acts exclusively as a Service Provider under CCPA §1798.140(ag) and does not use personal information for its own commercial purposes outside the performance of the services.
3. Categories of Personal Information (per CCPA)
The Service Provider processes the following categories of personal information, as referenced in CCPA §1798.140(v)(1):
| CCPA Category | Description | Examples |
|---|---|---|
| Identifiers | Names, email addresses, IP addresses, device identifiers | Name, email, phone, avatar |
| Personal Information (§1798.80(e)) | Commercial information, employment-related data | Job title, salary, hire date, address |
| Internet/electronic activity | Browsing history, interaction data | Logs, session data, platform usage |
| Geolocation data | Physical location | Coordinates from digital signatures |
| Professional/employment information | Employment history, performance data | Contracts, evaluations, time records |
| Financial information | Bank and payment data | Bank account, payment history, receipts |
| Inferences | Derived data, analytics | Productivity metrics, AI insights |
The Service Provider does not determine the purposes of processing and processes data strictly within the scope authorized by the Business. No "sale" or "sharing" of personal information occurs in the performance of the services under CCPA §1798.140(ah) and (z).
4. Data Subjects
Data subjects whose personal information is processed include: employees and contractors of the Business; company administrators and users with company_admin or system_admin roles; and any other natural persons whose data the Business instructs to be processed through CronusAI. The Business is responsible for informing data subjects of the processing and their rights under applicable law.
5. Security Measures (NIST Framework)
The Service Provider implements reasonable security measures aligned with industry standards and the NIST Cybersecurity Framework (Identify, Protect, Detect, Respond, Recover) to protect personal information against unauthorized access, destruction, loss, alteration, or disclosure. Such measures include: (a) AES-256 encryption for data at rest and TLS 1.3 for data in transit; (b) role-based access control (RBAC) with roles system_admin, company_admin, and employee; (c) JWT-based authentication and bcrypt hashing for credentials; (d) audit logging of sensitive operations; (e) robust password policies; (f) encrypted backups and periodic recovery testing; (g) logical segregation of data between customers (multi-tenancy). Security measures are reviewed and updated periodically.
6. Subprocessors
The Service Provider may engage subprocessors to perform specific processing activities. Subprocessors are bound by written agreements requiring equivalent obligations regarding security and compliance with applicable privacy laws. Current subprocessors include: cloud infrastructure providers (e.g., Fly.io, Cloudflare R2), email service (Resend), AI provider (OpenAI), and database hosting (PostgreSQL). The Business will be informed of significant additions or changes to subprocessors and may object on reasonable grounds. An updated subprocessor list is available upon request.
7. Cross-Border Transfers
When processing involves cross-border transfers of personal information (e.g., from the United States to Brazil or other jurisdictions), the Service Provider will implement appropriate safeguards such as Standard Contractual Clauses (SCCs), transfer impact assessments, and supplementary measures where required. The Business will be informed of transfers that affect its data, and applicable agreements will be made available for review.
8. Breach Notification (State Laws)
In the event of a security incident involving unauthorized access to, acquisition of, or disclosure of personal information, the Service Provider will notify the Business without unreasonable delay. Notification will include the nature and scope of the incident, the categories of data affected, steps taken or proposed to address the incident, and recommendations for the Business.
The Service Provider will cooperate with the Business to meet breach notification obligations under state laws, including but not limited to: California Civil Code §1798.82; New York SHIELD Act (NY Gen Bus L §899-aa); Texas Business and Commerce Code §521.053; and other applicable state breach notification statutes. Timelines for notification to regulators and affected individuals vary by state (e.g., California: without unreasonable delay; some states specify maximum periods). The Business remains responsible for determining whether notification to regulators or consumers is required; the Service Provider will provide information reasonably necessary to support such determinations.
9. Audit Rights
The Business may request information and documentation from the Service Provider to demonstrate compliance with this Agreement and applicable privacy laws. Upon reasonable notice (minimum 30 days) and during business hours, the Service Provider will allow audits by the Business or its designated auditors, subject to confidentiality agreements and a reasonable limitation on frequency (no more than once per year, unless required by law or following a significant incident). As an alternative to an on-site audit, the Service Provider may provide an independent audit report (e.g., SOC 2 Type II) or certification when available.
10. Assistance with Data Subject Requests
The Service Provider will assist the Business in fulfilling requests exercised by consumers under CCPA §1798.100 (right to know), §1798.105 (right to delete), §1798.106 (right to correct), §1798.110 (right to limit), and §1798.111 (right to opt out of sale/sharing). Assistance includes: confirming whether personal information is processed; providing access; correcting inaccuracies; deleting data; restricting use of sensitive personal information; and facilitating opt-out of sale or sharing. Support will be provided in a timely manner consistent with statutory response deadlines (e.g., 45 days under CCPA, extendable as permitted).
The Business will respond directly to consumers; the Service Provider will provide technical and operational support, including export, correction, and deletion capabilities for data under its control.
11. Return or Deletion of Data
Upon termination of the services or upon the Business's request, the Service Provider will delete or return all personal information processed on behalf of the Business, except where retention is required by law or regulation. Deletion will be performed in a secure and irreversible manner to the extent technically feasible; copies and backups will be deleted where permitted by law. The Business may request export of data in a structured format prior to deletion.
The return or deletion will be completed within 30 days of termination or of the request, unless applicable law requires a different timeline.
12. Confidentiality
The Service Provider will keep confidential all personal information and confidential information of the Business to which it has access in connection with the services. Employees and subcontractors with access to such information are bound by equivalent confidentiality obligations. The obligation survives termination of this Agreement.
13. Liability Allocation
To the extent permitted by applicable law, each party will be liable for its own breaches of this Agreement and applicable privacy laws. The Service Provider's aggregate liability arising from or related to this Agreement will be subject to the limitations and exclusions set forth in the main service agreement between the parties. The parties will cooperate in good faith to address any regulatory inquiries or claims related to the processing.
14. Term and Termination
This Agreement is effective upon acceptance of the CronusAI Terms of Service or execution of a service contract that incorporates it, and continues for the duration of the services. Upon termination of the main agreement, provisions regarding confidentiality, return/deletion of data, liability, and audit will survive as necessary to fulfill post-termination obligations. Material changes to this Agreement will be communicated at least 30 days in advance; the Business may terminate services before changes take effect if it does not agree.
Contact for privacy and data processing matters:
Email: dpo@orbittai.com