Data Protection Terms
The standing data-protection terms that apply where a CrewCreate engagement (Statement of Work or equivalent) incorporates them by reference. UK GDPR / DPA 2018 Article 28 compliant. Multi-cloud — covers AWS, Google Cloud, Microsoft Azure and any other cloud platform used in delivery.
Version 1.0
Introduction
These are CrewCreate's standing Data Protection Terms ("DP Terms"). They govern the parties' obligations regarding the Processing of Personal Data where a Statement of Work, Order Form, or other engagement document between Crew Create Ltd ("CrewCreate", "we", "our") and a client ("Client", "you") expressly incorporates them by reference.
These DP Terms are drafted to be incorporated, not to stand alone. If you're reviewing them outside the context of a Statement of Work that incorporates them, they don't bind anyone — they're a public reference for how we handle Personal Data when engaged.
CrewCreate is a UK Ltd (Crew Create Ltd, company no. 16770038, registered at 20 Grange Road, Winchester, Hampshire SO23 9RT). Our processing operations are based in the United Kingdom, and we work across multiple cloud platforms — Amazon Web Services, Google Cloud Platform, Microsoft Azure, and others — typically delivering inside the client's or end-client's own cloud account.
Where these terms conflict with the Statement of Work that incorporates them, the Statement of Work prevails. Where the Statement of Work is silent, these DP Terms apply. The version of these DP Terms applicable to an engagement is the version in force at the date the Statement of Work is issued; subsequent amendments published here do not change the terms of an engagement that has already been issued, unless the parties agree otherwise in writing.
1. Roles
Where CrewCreate Processes Personal Data in performing services under a Statement of Work that incorporates these DP Terms:
1.1 CrewCreate acts as a processor of the Personal Data where the Client is itself the Controller, or as a sub-processor where the Client engages CrewCreate downstream of a controller / processor relationship the Client holds with a third party (typically an end client).
1.2 In either case, CrewCreate Processes Personal Data only on the documented instructions of the Client, which (where the Client is not the Controller) reflect the lawful instructions of the Controller.
1.3 The Client warrants that it has the lawful authority and an appropriate written agreement with any upstream Controller to engage CrewCreate in the capacity described in §1.1 and to give CrewCreate the instructions set out in the Statement of Work.
2. CrewCreate's standing Sub-processors
CrewCreate uses the following standing sub-processors to perform its services. Pre-authorisation of these sub-processors is conferred by the Client when the Client signs a Statement of Work that incorporates these DP Terms.
2.1 Cloud platforms
Where the engagement is delivered into a cloud account (the Client's, an end client's, or a CrewCreate-operated test environment), CrewCreate may use the following cloud platforms as sub-processors as the engagement requires:
- Amazon Web Services (Amazon Web Services EMEA SARL / Amazon Web Services, Inc.)
- Google Cloud Platform (Google Cloud EMEA Limited / Google LLC)
- Microsoft Azure (Microsoft Ireland Operations Limited / Microsoft Corporation)
- Anthropic (Anthropic UK Ltd / Anthropic PBC) — for direct Claude API usage during delivery, where the Statement of Work permits
Where delivery takes place inside an account the Client (or end client) controls, the cloud-platform vendor is already an established sub-processor or processor by virtue of the Client's existing cloud customer agreement; CrewCreate operates within that account boundary and does not bring the cloud-platform vendor into the chain as an additional CrewCreate sub-processor.
2.2 AI / language-model providers
Where the engagement uses generative-AI capabilities, CrewCreate may invoke one or more of the following model providers, only where the Statement of Work names the provider in scope or authorises generative-AI usage generally:
- Anthropic Claude — via Anthropic's API (Anthropic PBC), or via Claude hosted in AWS Bedrock, Google Cloud Vertex AI, or Microsoft Azure AI
- OpenAI — via OpenAI's API (OpenAI, LLC), or via Microsoft Azure OpenAI Service, where the engagement requires it (typically for comparative evaluation against a Client's existing baseline)
- AWS Bedrock-hosted models (Amazon-managed and third-party foundation models hosted by AWS)
- Google Cloud Vertex AI-hosted models
- Microsoft Azure AI Service-hosted models
The specific model providers and models in scope for an engagement are confirmed in the Statement of Work.
2.3 CrewCreate operational tools
The following are operational tools CrewCreate uses to run its business. They may incidentally Process Personal Data relating to an engagement (for example, a Client point-of-contact's email address may pass through CrewCreate's email system in the course of engagement correspondence). They are not used for Processing Client Personal Data outside that incidental scope, and Client data is not copied into them.
- Google Workspace (Google Cloud EMEA Limited) — email, calendar, shared documents
- GitHub (GitHub, Inc., a subsidiary of Microsoft Corporation) — source-code version control for engagement code, where applicable
- Claude Code (Anthropic PBC) — agentic developer assistant used by CrewCreate personnel during engagement delivery (code authoring, documentation, scripted analysis); invokes the Anthropic Claude API per §2.2, with training-data retention opted out
2.4 Engagement-specific sub-processors
Any sub-processor that is not named above and is required for a specific engagement is named in the Statement of Work for that engagement. The Client's signature on the Statement of Work constitutes authorisation of those engagement-specific sub-processors.
2.5 Adding a new sub-processor
Where CrewCreate proposes to engage an additional sub-processor not covered by §§2.1–2.4, we will give the Client written notice before the new sub-processor begins Processing. If the Client reasonably objects on data-protection grounds, the parties will discuss in good faith. If no acceptable resolution is reached, the Client may terminate the affected services on written notice, with CrewCreate entitled to invoice for hours consumed to the date of termination.
CrewCreate remains liable to the Client for the acts and omissions of its sub-processors in respect of their Processing of Personal Data on the Client's behalf.
3. Documented instructions
CrewCreate Processes Personal Data only on the documented instructions of the Client, including with regard to transfers outside the United Kingdom or the European Economic Area.
The Statement of Work (including any details-of-Processing table in it) is the Client's initial documented instruction. Further instructions during the engagement are to be given in writing (email is sufficient).
CrewCreate will not implement an instruction it reasonably believes would result in a breach of UK GDPR or DPA 2018, and will promptly notify the Client where it forms that view.
4. Confidentiality
CrewCreate ensures that personnel authorised to Process Personal Data are bound by enforceable obligations of confidentiality (whether contractual, professional, or statutory), and restricts access to Personal Data to those personnel who require such access for the performance of the engagement.
5. Security measures
CrewCreate implements appropriate technical and organisational measures to protect Personal Data against unauthorised or unlawful Processing and against accidental loss, destruction, damage, alteration, or disclosure, taking into account the state of the art, the cost of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects.
The measures applied to a typical engagement include, at minimum:
- Multi-factor authentication on accounts with access to Personal Data
- Encryption in transit (TLS 1.2 or higher) and at rest (AES-256 or cloud-provider-managed equivalent) for stored Personal Data
- Access logging and audit trails for systems Processing Personal Data
- Role-based access control with least-privilege defaults
- Segregation of any Personal Data from CrewCreate's general working environment (use of Client-provided cloud accounts where possible)
- A documented procedure for security-incident response and notification
- Periodic review of authorised personnel and rotation of secrets
Where the services are delivered into the Client's or end-client's cloud account, CrewCreate relies on the Client's account-level controls and Processes Personal Data only within the account boundary defined by the Client. CrewCreate does not export Personal Data to its own environment except as expressly required for the engagement and authorised in writing, or as permitted under the Local Processing exception below.
Local Processing exception. Where, exceptionally, the Services require temporary local Processing of Personal Data on CrewCreate-operated equipment outside the Client's cloud account boundary — for example, schema inspection of a delivered extract, or offline debugging of a transformation that cannot run in the Client's environment — such Processing is permitted only where: (i) the equipment is encrypted at rest under industry-standard full-disk encryption (Apple FileVault, BitLocker, LUKS or equivalent); (ii) the Personal Data is confined to a named local scratch location that is excluded from automatic synchronisation or backup services (including, where applicable, iCloud Drive, Time Machine, OneDrive and Google Drive); (iii) the Personal Data is securely purged within seventy-two (72) hours of the operational need ending, with overwrite of the underlying storage where the platform supports it; and (iv) the occurrence is recorded in CrewCreate's engagement notes as a documented exception, with timestamp, scope, and purge confirmation. Local Processing under this paragraph does not constitute a transfer of Personal Data outside the United Kingdom or the EEA for the purposes of §10, provided CrewCreate's equipment is located within the United Kingdom; where CrewCreate's equipment is temporarily located outside the United Kingdom, §10 applies in addition to this paragraph.
6. Data Subject rights
Taking into account the nature of the Processing, CrewCreate will provide reasonable assistance to the Client (or, via the Client, to the Controller) in fulfilling the obligation to respond to requests from Data Subjects exercising rights under UK GDPR or DPA 2018 (access, rectification, erasure, restriction, portability, objection, automated decision-making).
CrewCreate will not respond directly to any Data Subject request unless instructed in writing by the Client.
Assistance under this section is included in the engagement fee up to a reasonable threshold (typically up to two requests per engagement). Material additional effort is chargeable at CrewCreate's then-current rate via change order.
7. Personal Data Breach notification
CrewCreate notifies the Client without undue delay, and in any event within seventy-two (72) hours of becoming aware, of any Personal Data Breach affecting Personal Data Processed under the engagement. The notification will include, to the extent then known:
- The nature of the breach
- The categories and approximate number of Data Subjects and records affected
- The likely consequences
- The measures taken or proposed to address the breach and to mitigate its effects
CrewCreate will provide the Client with such reasonable further assistance as the Client requires to comply with its (or the Controller's) obligations under Articles 32–36 of UK GDPR (security, breach notification to the supervisory authority and Data Subjects, Data Protection Impact Assessments, prior consultation with the supervisory authority).
8. Records and audit
CrewCreate maintains a written record of Processing activities carried out on behalf of the Client in accordance with Article 30(2) UK GDPR.
CrewCreate makes available to the Client all information reasonably necessary to demonstrate compliance with these DP Terms on written request, with up to ten (10) business days for response on routine requests.
The Client may, on not less than thirty (30) days' prior written notice and not more than once in any twelve-month period (except following a confirmed Personal Data Breach affecting the engagement), audit CrewCreate's compliance with these DP Terms. Audits will be carried out during normal business hours, will not unreasonably disrupt CrewCreate's operations, and will be at the Client's cost (including reimbursement of CrewCreate's reasonable time at CrewCreate's then-current rate). CrewCreate's compliance with relevant industry certifications, where applicable, may be relied on in lieu of a physical audit at CrewCreate's reasonable election.
9. Return or deletion of Personal Data
On termination or expiry of the engagement, CrewCreate will, at the Client's election (notified within thirty (30) days of termination), either return all Personal Data to the Client or securely delete it, including from any backups except where retention is required by applicable law. CrewCreate will certify completion of return or deletion in writing within fourteen (14) days of the Client's election.
Where backups are subject to a scheduled overwrite cycle, CrewCreate may retain Personal Data in those backups for the standard retention period provided it is encrypted at rest and not further Processed.
CrewCreate may retain Personal Data after termination only to the extent required by applicable law (for example, tax records), and only for the period strictly required.
10. International transfers
CrewCreate's personnel and primary operations are based in the United Kingdom. CrewCreate does not transfer Personal Data outside the United Kingdom or the EEA except:
- Into the Client's or end-client's cloud account (AWS, Google Cloud, Microsoft Azure, or otherwise), in which case the transfer is governed by the Client's or end-client's existing cloud customer agreement and its associated data-transfer addendum; or
- With the Client's prior written authorisation and on the basis of an appropriate transfer mechanism (an Adequacy Decision, the UK International Data Transfer Agreement, the UK Addendum to the EU Standard Contractual Clauses, or equivalent).
Engagements that use generative-AI providers based outside the United Kingdom (Anthropic, OpenAI, and Google / Microsoft / Amazon model APIs) may, by virtue of the model provider's region availability, route Personal Data through facilities in the United States or other jurisdictions. Where this applies, it is identified in the Statement of Work and is subject to the model provider's own data-transfer commitments, which CrewCreate relies on as the basis for the transfer.
11. Costs of assistance
Reasonable assistance provided by CrewCreate under §6 (Data Subject rights) and §7 (Personal Data Breach notification) is included in the engagement fee. Material additional effort triggered by Data Subject requests, security investigations, or Controller / supervisory-authority requests is chargeable at CrewCreate's then-current rate via written change order, except where the additional effort arises from a breach of these DP Terms by CrewCreate.
12. Liability
Each party's liability arising out of or in connection with these DP Terms is capped at 100% of the total fees payable under the relevant Statement of Work, in addition to and not as part of any general liability cap in the Statement of Work.
The cap above does not apply to:
- Either party's liability for fines imposed directly on it by a supervisory authority
- Either party's liability for fraud, fraudulent misrepresentation, or wilful default
- Either party's liability that cannot be limited by law (including liability for death or personal injury caused by negligence)
Each party indemnifies the other against losses arising from the indemnifying party's breach of these DP Terms, subject to the cap above.
The Statement of Work may specify a different liability framework for a given engagement, in which case the Statement of Work prevails per the precedence rule in the Introduction.
13. Survival
§4 (Confidentiality), §8 (Records and audit), §9 (Return or deletion), §10 (International transfers), §12 (Liability) and this §13 (Survival) survive termination of the engagement.
14. Definitions
For the purposes of these DP Terms:
- Controller, Processor, Personal Data, Processing, Personal Data Breach, and Data Subject bear the meanings given in UK GDPR
- UK GDPR means Regulation (EU) 2016/679 as retained, amended, and supplemented in UK law under the Data Protection Act 2018 and the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419)
- DPA 2018 means the Data Protection Act 2018
- Sub-processor means a third party engaged by CrewCreate to Process Personal Data on the Client's behalf
15. Version history
| Version | Effective | Summary |
|---|---|---|
| 1.0 | 2026-05-29 | Initial publication |
Permalinks to earlier versions are made available alongside the current version where any have been superseded.
16. Contact
For data-protection questions, contact: Daren Howell, Director — daren.howell@crewcreate.co.uk.
Where you are a Data Subject and wish to exercise your rights in respect of Personal Data that CrewCreate Processes under an engagement, please contact the Client (the data controller) in the first instance.
Last updated: 29 May 2026