Compliance
Cragfall is committed to protecting personal information and meeting applicable privacy laws and industry best practices. Below we summarize how we design our product and operations to address key regulatory requirements including the GDPR (EU), CCPA/CPRA (California), PIPEDA (Canada) and Quebec’s Law 25.
Our approach
- Privacy by design: We embed data minimization, purpose limitation and privacy controls into product design and release processes.
- Security controls: Data is protected with industry-standard encryption in transit (TLS) and at rest, role-based access controls, multi-factor authentication for admin access, and regular vulnerability scanning and patching.
- Accountability & governance: We maintain records of processing activities, conduct risk assessments, and require Data Processing Agreements with subprocessors.
- Incident response: We operate a documented incident response program to detect, investigate and notify affected parties and regulators as required.
- Data subject rights: We provide mechanisms to access, correct, restrict, export and delete personal data where required by law.
How we address specific laws
GDPR (EU)
For individuals in the European Economic Area we follow GDPR principles: lawful basis for processing, transparency, data minimization, purpose limitation, and strong security measures. Where applicable we support:
- Documentation of lawful bases and Data Processing Agreements with subprocessors.
- Support for data subject requests (access, rectification, erasure, portability, objection).
- Data protection by design and by default for new features.
- Technical and organizational measures to maintain confidentiality, integrity and availability.
CCPA / CPRA (California)
For California residents subject to CCPA/CPRA, we provide the rights and notices required by the law, including the ability to:
- Request disclosure of categories of personal information collected and purposes of use.
- Request deletion of personal information (subject to permitted exceptions).
- Opt-out of sales or sharing where applicable; we do not sell personal data for behavioral advertising.
- Exercise these rights without being discriminated against for doing so.
PIPEDA (Canada)
Under Canada’s PIPEDA principles we implement accountability, consent, limited collection and retention, openness, and safeguards. Our practices include:
- Clear privacy notices describing the purposes for which personal information is collected.
- Reasonable safeguards appropriate to the sensitivity of the information (technical and organizational).
- Processes for individuals to access and correct their personal information.
Quebec Law 25
Quebec’s Law 25 modernizes provincial privacy obligations and expands individual rights. To align with those requirements we:
- Implement governance measures, including assigning privacy responsibilities and keeping processing records.
- Provide required notices and support for access, correction and deletion requests.
- Perform privacy impact assessments for higher-risk processing and maintain appropriate safeguards for sensitive data.
Operational controls & commitments
- Data processing agreements: We sign DPA contracts with customers and subprocessors to codify obligations and security expectations.
- Subprocessors: We maintain a list of subprocessors and require them to meet our security and privacy standards.
- Data residency & transfers: Where required, we support contractual protections (e.g., SCCs) and technical controls for cross-border transfers.
- Secure secrets management: We encrypt API keys, integration tokens, and other sensitive secrets at rest and restrict access using role-based controls and auditing.
- Retention & deletion: We retain personal data only as long as necessary and provide deletion tools and APIs for customers.
- Employee training: We provide regular privacy and security training for staff with access to production data.
How to exercise your rights or request information
If you are a user or resident looking to exercise privacy rights, request records, or get a copy of our Data Processing Agreement, please contact our privacy team at privacy@cragfall.com. For urgent security concerns or to report an incident, email security@cragfall.com.
Resources
- GDPR overview (gdpr.eu)
- CCPA information (California Attorney General)
- PIPEDA (Office of the Privacy Commissioner of Canada)
- Quebec Law 25 summary (OneTrust)
This page provides a high-level summary of Cragfall’s privacy approach and is not legal advice. For details about how we process specific categories of data, please see our full Privacy Policy or contact our privacy team.