← Back to home

Data Processing Agreement

Last updated: May 14, 2026

This document reflects current PassCryp practices and is reviewed regularly. For binding requests (signed DPA, SCCs), email legal@passcryp.com.

This Data Processing Agreement ("DPA") forms part of your agreement with PassCryp and reflects the parties' obligations under GDPR Article 28 and similar laws (UK GDPR, Swiss FADP, CCPA/CPRA where applicable). For a counter-signed PDF, email legal@passcryp.com.

1. Roles of the parties

For account data (email, display name, plan, billing identifiers, audit and login events), PassCryp acts as an independent data controller. For your vault content (item titles, ciphertext, IVs, tags), PassCryp acts as a data processor on your behalf — the content is encrypted on your device with a key derived from your master password, and we cannot decrypt it.

2. Subject matter, duration and purpose

PassCryp processes personal data only as needed to provide the service: authentication, encrypted storage and synchronisation, billing, security monitoring, and customer support. Processing continues for the duration of your subscription, plus the retention windows described in our Privacy Policy.

3. Sub-processors

Our current sub-processors and their locations are listed on the sub-processors page. We commit to giving at least 30 days' advance notice of any change so you can object. If you object, you may terminate the affected service.

4. Technical and organisational measures

Zero-knowledge end-to-end encryption (Argon2id key derivation, AES-256-GCM with per-item IVs), TLS 1.3 in transit, encrypted backups, role-based access controls, hardware-key MFA for staff, immutable audit logging, quarterly access reviews, and breach notification within 72 hours.

5. International data transfers

Where personal data is transferred outside the EEA, UK or Switzerland, we rely on the European Commission's Standard Contractual Clauses (2021/914), the UK Addendum, and equivalent Swiss safeguards, together with the supplementary measures described in our Security page.

6. Data subject rights and assistance

We will assist you in responding to data subject access, rectification, erasure, restriction, portability and objection requests. Most can be fulfilled directly in-app via Settings → Privacy & Data; for anything else, email privacy@passcryp.com and we will respond within 30 days.

7. Return and deletion

On termination, you may export your data from Settings at any time. We delete account and vault data within 30 days of confirmed account closure unless retention is required by law (for example, billing records under tax law).

8. Contact

Data Processing Agreement requests: legal@passcryp.com. Privacy questions: privacy@passcryp.com. Security disclosures: security@passcryp.com.