List CRM - Privacy & Data Protection Framework

1.1 Introduction

List CRM is a customizable CRM application within the List One platform, designed to enable organizations to manage customer data, workflows, and business processes securely.

This Privacy Policy explains how data is collected, processed, stored, and protected when using List CRM.

1.2 Platform Architecture & Identity

List CRM operates under List One Identity, a centralized identity and access management system that enables:

• Organization registration
• Application subscriptions (CRM, HRMS, Drive, etc.)
• User provisioning and authentication

1.3 Nature of the Service (Important Legal Positioning)

List CRM is a fully customizable system, where organizations control:

• Modules, fields, and layouts
• Workflows and automation rules
• Permissions, roles, and sharing rules
• Data structure and enrichment

👉 Therefore:

• List CRM = Data Processor
• Customer (Company) = Data Controller

1.4 Types of Data Processed

A. Identity & Access Data

• Login credentials
• User roles

B. Business Data (Customer-Controlled)

• Leads, contacts, accounts
• Property or transactional data
• Activities, communications
• Attachments and documents

C. Customization Data

• Custom modules and fields
• Aqary scripts and automation logic
• Workflows, assignment rules
• Dashboards and widgets

D. System Data

• Logs, IP addresses
• Device and browser metadata
• Usage analytics

1.5 Legal Basis for Processing

We process data based on:

• Contractual necessity (service delivery)
• Legitimate interest (security, improvement)
• Legal obligations
• Customer instructions (as Data Processor)

1.6 Data Protection Principles

We adhere to:

• Data minimization
• Purpose limitation
• Accuracy
• Integrity and confidentiality

1.7 Security Measures

• Encryption (TLS + AES-256)
• Role-Based Access Control (RBAC)
• Audit logs & monitoring
• Multi-factor authentication (optional)
• Secure APIs and sandboxed scripting

1.8 Data Retention

• Controlled by the customer
• Retained during active subscription
• Secure deletion upon request or termination

1.9 Sub processors

We may use sub processors for:

• Cloud hosting
• Email delivery
• Analytics

All sub processors are bound by strict data protection obligations.

2.1 Parties

This DPA is between:

• Customer (Data Controller)
• List CRM / List One (Data Processor)

2.2 Scope of Processing

Includes:

• Storage
• Organization
• Structuring
• Automation (workflows, scripts)
• Retrieval and analysis

2.3 Instructions

List CRM processes data only based on customer configuration, including:

• Modules and schemas
• Automation rules
• Access permissions

2.4 Confidentiality

All personnel are bound by strict confidentiality obligations.

2.5 Security Measures

We implement:

• Logical access controls
• Encryption
• Monitoring and logging
• Incident detection and response

2.6 Data Breach Notification

• Notification within 72 hours of confirmed breach
• Includes impact, mitigation, and actions taken

2.7 Data Subject Requests

• Supported via platform tools
• Customer remains responsible for responding

2.8 Data Return & Deletion

Upon termination:

• Data export available
• Secure deletion within defined retention period

3.1 What Are Cookies

Cookies are small data files stored on your device to improve user experience and system functionality.

3.2 Types of Cookies We Use

Essential Cookies

• Authentication (List One Identity)
• Session management
• Security

Functional Cookies

• User preferences
• UI customization

Analytics Cookies

• Usage insights
• Performance monitoring

3.3 Third-Party Cookies

May include:

• Analytics providers
• Embedded integrations

3.4 Managing Cookies

Users can:

• Disable cookies via browser settings
• Clear stored cookies

Note: Disabling essential cookies may affect functionality.

4.1 Security Governance

List CRM follows a structured Information Security Management approach:

• Defined policies and procedures
• Risk-based controls
• Continuous monitoring

4.2 Access Control

• Role-Based Access Control (RBAC)
• Least privilege principle
• Multi-level permission structure
• Group-based access management

4.3 Data Security

• Encryption at rest and in transit
• Logical data isolation per organization
• Backup and recovery mechanisms

4.4 Application Security

• Secure SDLC practices
• Input validation (especially for scripts & custom fields)
• API security controls
• Regular vulnerability assessments

4.5 Operational Security

• Logging and monitoring
• Incident response procedures
• Change management

4.6 Business Continuity

• Disaster recovery planning
• High availability infrastructure
• Data backup strategies

4.7 Customer Responsibilities

Customers are responsible for:

• Proper configuration of permissions
• Lawful data collection
• Secure use of custom scripts and automations
• Compliance with applicable regulations