Data Processing Agreement
of Dinamic5
This agreement governs the processing of personal data by Dinamic5 on behalf of its customers, in compliance with GDPR Article 28.
Last updated: April 2026
1. Introduction
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Dinamic5 (“Processor”) and the customer (“Controller”) for the provision of the CRM Service.
This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”) and applicable Israeli privacy law.
Note: This DPA is provided in English. The English version shall govern in case of any discrepancy with translations.
2. Definitions
- “Personal Data”, “Processing”, “Data Subject”, “Controller”, “Processor”, “Sub-processor” — as defined in GDPR Article 4.
- “Service” means the Dinamic5 CRM platform.
- “CRM Data” means all personal data entered into the Service by the Controller.
3. Subject Matter, Duration, and Scope
- Subject matter: Processing of personal data as part of providing the CRM Service.
- Duration: For the term of the service agreement between the parties.
- Nature and purpose: Cloud-based CRM hosting, data storage, communication features (WhatsApp, telephony, email), workflow automation.
- Types of personal data: Contact details (name, email, phone, address), business records, communication content (messages, call recordings), documents, financial information (quotes, invoices).
- Categories of data subjects: Controller’s customers, leads, contacts, employees, and business partners.
4. Obligations of the Processor (Art. 28(3)(a)–(h))
(a) Process personal data only on documented instructions from the Controller, including regarding international data transfers. The Processor shall inform the Controller if, in its opinion, an instruction infringes GDPR or other applicable data protection law.
(b) Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Take all measures required pursuant to Article 32 of the GDPR (security of processing), including:
- Encryption of data in transit (TLS 1.3 / AES-256)
- Isolated per-tenant databases (full database-level separation)
- Automatic daily backups
- Role-based access control (RBAC)
- Comprehensive audit logging (tracking all record changes)
- Dedicated servers hosted in Germany (EU)
(d) Respect the conditions for engaging sub-processors as set out in Section 6 below.
(e) Assist the Controller, taking into account the nature of processing, by appropriate technical and organizational measures, in responding to requests from data subjects exercising their rights under GDPR Chapter III.
(f) Assist the Controller in ensuring compliance with Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor. This includes assistance with:
- Security of processing
- Data breach notification
- Data protection impact assessments
- Prior consultation with supervisory authorities
(g) At the Controller’s choice, delete or return all personal data to the Controller after the end of the provision of services, and delete existing copies unless applicable law requires storage. See Section 8 for specific timelines.
(h) Make available to the Controller all information necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
5. Obligations of the Controller
The Controller warrants that it has a lawful basis for processing personal data entered into the Service.
The Controller is responsible for the accuracy, quality, and legality of personal data provided to the Processor.
The Controller shall ensure that data subjects have been properly informed about the processing in accordance with Articles 13 and 14 of the GDPR.
6. Sub-Processors
The Controller grants the Processor a general written authorization to engage sub-processors.
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller an opportunity to object within 30 days.
If the Controller objects, the parties shall discuss in good faith. If no resolution is reached, the Controller may terminate the affected services.
The Processor shall impose the same data protection obligations on sub-processors by way of contract.
If a sub-processor fails to fulfill its data protection obligations, the Processor shall remain fully liable to the Controller.
Current sub-processors are listed below and are available upon request at privacy@dinamic5.com:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Contabo GmbH | Server infrastructure and hosting | Germany (EU) |
| Cloudflare, Inc. | DNS, SSL, email routing | United States |
| Resend, Inc. | Transactional email delivery | United States |
| Paycall (CallIndex Ltd.) | Cloud PBX, call routing and recording (Israeli tenants) | Israel |
| Plivo, Inc. | Cloud PBX, call routing (international tenants) | United States |
| Sumit | Payment processing (Israeli tenants, ILS) | Israel |
| Paddle Ltd. | Payment processing (international, USD) | United Kingdom |
| PayPal Holdings, Inc. | Payment processing (global fallback) | United States |
| Meta Platforms, Inc. | Facebook Lead Ads integration (inbound data only) | United States |
7. International Data Transfers
- The Service is hosted in Germany (EU).
- Data transfers to Israel are covered by EU adequacy decision 2011/61/EU.
- Data transfers to sub-processors in the United States are subject to Standard Contractual Clauses (SCCs) or the EU-US Data Privacy Framework, as applicable.
- Data transfers to the United Kingdom are covered by the EU adequacy decision for the UK.
8. Data Deletion and Return
Upon termination of the Service, the Processor shall:
- Delete all CRM Data (database and files) within 30 days of account closure.
- Purge all backup copies within 90 days.
Account registration data (name, email) may be retained for up to 12 months for legal and audit purposes.
Payment records are retained as required by applicable tax law (up to 7 years).
The Controller may export their data before account closure using the Service’s built-in export features.
9. Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Controller’s data.
Notification shall include:
- The nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences
- Measures taken or proposed
The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
10. Audit Rights
The Controller or its authorized auditor may audit the Processor’s compliance with this DPA.
Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and no more than once per year unless a data breach has occurred.
The Processor may charge reasonable costs for audit support beyond standard scope.
11. Liability
Liability under this DPA is subject to the limitations set out in the Terms of Service.
Each party shall be liable for damages caused by processing that violates this DPA or applicable data protection law.
12. Term and Termination
This DPA shall remain in effect for the duration of the Service agreement.
Obligations regarding data protection survive termination for as long as the Processor processes personal data on behalf of the Controller.
13. Governing Law
This DPA shall be governed by the laws of the State of Israel. The exclusive jurisdiction shall be the competent courts in the Tel Aviv district.
14. Contact
For questions about this DPA:
- Email: privacy@dinamic5.com
- WhatsApp: Click here
Questions About Data Processing? Talk to Us
Our team is available to answer any question about data processing and privacy.
Contact Us