
Crisp EU GDPR compliance status

Learn how Crisp handles GDPR compliance, data processing, privacy rights, and related security practices.


The European Union's General Data Protection Regulation (GDPR) is a regulation that aims to harmonise the data privacy laws of the EU Member States. This article describes the GDPR compliance status of Crisp.




If your company needs to ensure it is GDPR-compliant, it also needs to ensure its providers (i.e. Crisp) are GDPR-compliant. Crisp is GDPR-compliant, and strictly enforces the regulation so as to protect any user data we process and store. The list of our own providers (i.e. our data processors) is available, and kept up to date, in our Data Processing Agreement (DPA).


Looking for a Data Processing Agreement? Read where to find your DPA.



Crisp and GDPR (in 12 points)


Crisp holds itself to a high standard of data protection. Read our privacy policy for a full and comprehensive statement on how we process personal data in our organisation. However, for us GDPR compliance doesn't stop there. In this article we explain what else we do to protect and secure your data. If we have not answered your questions via our privacy statement or any of our GDPR compliance articles, please contact us or have a chat with us.


Also, please note that all of Crisp's data processors have been checked and are GDPR-compliant (Cloudflare, DigitalOcean, Stripe). See the DPA we provide for the full list of our providers.

Crisp is a French Company 🇫🇷. All Crisp data is held on servers hosted in the 🇪🇺 European Union. Our Messaging data is stored in 🇳🇱 The Netherlands and our Plugin data is stored in 🇩🇪 Germany. Servers are hosted by DigitalOcean (with a subsidiary in the EU subject to EU law).


We use relay servers outside the EU to reduce latency for users connecting from terminals far from our EU servers. Those servers do not store any data except connection logs (IP address, date of connection, user agent and source website). They are hosted in 🇺🇸 the United States of America, 🇬🇧 the United Kingdom and 🇸🇬 Singapore. We do not plan to store data outside the EU in the future.

Our products also rely on two services that are separate from the core platform but owned, developed and operated by Crisp: Mirage, for our AI features (e.g. LiveTranslate, MagicReply, etc.), and Enrich, for our data enrichment features (e.g. automatic user avatars).


We chose to build these services ourselves, to protect the privacy of your end-users, instead of relying on services operated by other companies. This keeps the number of our external data processors to a bare minimum.


Certain aspects of Crisp's GDPR compliance are subject to French national law, as Crisp is incorporated in France. Thus, we have to comply with French data protection law as well as with the EU GDPR. Crisp applies both the GDPR and French law to its users worldwide.


1. Awareness


All employees responsible for software development and infrastructure maintenance at Crisp IM SAS, a French limited company (the company that owns Crisp), are fully aware of the GDPR requirements.


Also, code reviews are performed by our Security Officers before any code is deployed to the platform. This acts as a second, human safety check: it ensures that vulnerabilities and bad practices are not introduced by, e.g., a temporary third-party contractor or a Crisp employee, even when that person is aware of the GDPR requirements.


You can check more about how we manage Crisp security internally on this article: How is security managed on Crisp services?


2. Information Crisp holds


Read our privacy policy for a more comprehensive list of all the personal data we process.


Crisp stores data on 2 kinds of parties:

  • Our customers (i.e. the operators using the Crisp Dashboard to reply to their users)
  • Our customers' end-users (i.e. the users of our customers)


Crisp does not sell, or resell, any kind of user data, whether on our customers or on their end-users. The data is not used for advertising (for either party) or analytics (for end-users). Our business model is based solely on paid subscriptions (i.e. the user is not the product).


Information held on our users


Crisp collects account information for each user (we refer to them as customers in this article), including:

  • Profile information → first name, last name, and profile picture.
  • User payment details and invoicing information → company address, country, and billing details; credit card numbers are stored by Stripe.


Crisp collects system logs including IP addresses, user agents and times of connection. They are used solely for debugging and lawful purposes, and are retained for a maximum of 1 year. This log retention policy is subject to French law (i.e. if the French judiciary serves us a search warrant, we must respond and provide up to 1 year of logs containing the requested information).




Information held on customers' end-users


End-user information may include:

  • End-user email address → when provided by the end-user, thus with their consent
  • End-user phone number → when provided by the end-user, thus with their consent
  • End-user message exchanges
  • End-user last activity date and time
  • End-user profile information → resolved from public data shared by the end-user on the Internet; see the notice below


Crisp resolves end-user identity information (first and last name, avatar, company) from external APIs. Those external APIs source this data from public information that the end-user consented to share on a third-party service (e.g. on social networks such as LinkedIn or X). This end-user identity information is stored on Crisp services for as long as the Crisp customer wishes to keep it in their Crisp CRM database. The service used to discover such information is Enrich, a service owned and operated by Crisp.


The information held on our users' end-users is solely the responsibility of our users (i.e. the individual websites using Crisp). It is the responsibility of our users to manage the data they hold in their own Crisp Inbox and CRM, i.e. to remove sensitive data if someone happens to share it with them (e.g. Social Security Numbers, etc.). It is our responsibility to secure access to this data (i.e. only the website's operators can access it, and they have the ability to rectify and delete it).


3. Communicating privacy information


**For all Crisp customers and users we communicate our privacy terms via our Privacy information, to be found directly in the footer of our main website, as well as via a link in your account.** As explained in our terms and privacy statement, it is the responsibility of our customers to inform their end-users of our privacy terms, for example when using the Crisp chatbox or our CRM tools.


4. Individuals' rights


Crisp respects all data subject rights requests. As explained in our privacy statement, we answer requests from our customers directly. Requests from a customer's end-users are referred back to that customer, since for that data Crisp is merely the data processor: we send the individual a notice acknowledging their request and explaining that, as the data processor, we are not the right party to answer it; we then forward the request to their data controller (our customer) and assist them to the best of our abilities.


5. Individual rights requests


Crisp has set out to reply to all access requests (positively, negatively, or when we must forward the request) within 1 week (the legal limit under the GDPR is 1 month). We offer this free of charge to all our customers (on both paid and free plans).


6. Lawful basis for processing personal data


Crisp only processes personal data where we have a legal ground for doing so. We describe these grounds in detail in the privacy policy. We do not use data for any other purpose, and we do not set any cookies on our main website, except when someone engages with us via the customer service chatbox.


As a customer, you are responsible for the legal basis on which you collect your own users' data. Crisp allows its customers to submit user data in an automated way, via a frontend JavaScript API and a backend REST API, for instance to attach an email, avatar or name to a chatbox session when the chatbox user is already logged in to the customer's website. Any such data must have been provided by the end-user with their consent, because once the customer has implemented these API calls in their source code, the data is propagated to Crisp automatically.
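The following is an added example, not code from this help page or from the Crisp SDK documentation, of the consent-gated client-side identification described above. The `["set", "user:…"]` and `["do", "session:reset"]` commands are the public Crisp JavaScript SDK commands; the `user` record, the `consent` map and the way consent is recorded are constructed assumptions for this example. Fields the end-user has not explicitly consented to share are dropped rather than forwarded by default, so nothing reaches Crisp that the customer cannot justify a legal basis for. The consent-withdrawal path resets the chatbox session, which stops further propagation but does not delete what is already stored in the customer's Inbox or CRM; that remains the operator's responsibility, as noted in point 2.

```javascript
// Added example (not Crisp's own code): forward end-user identity to the Crisp
// chatbox only for fields the end-user has consented to share.
// "set"/"user:*" and "do"/"session:reset" are public Crisp JS SDK commands; the
// user record and the consent map are constructed assumptions for this example.

// In a browser the Crisp client script consumes commands from window.$crisp.
// When run outside a browser (e.g. under Node for testing) we fall back to a
// local array so the gating logic can still be exercised.
const $crisp = (typeof window !== "undefined" && window.$crisp) || [];

// Identity fields we are willing to forward, and the SDK command for each.
// Anything not listed here (e.g. a social security number) is never forwarded.
const FIELD_COMMANDS = {
  email: "user:email",
  phone: "user:phone",
  nickname: "user:nickname",
  avatar: "user:avatar",
};

// Build the SDK commands for a user, keeping only fields that are present and
// for which consent[field] === true. An absent or false entry means no consent,
// so the field is dropped: the safe default is to forward nothing.
function buildIdentityCommands(user, consent) {
  const commands = [];
  for (const [field, command] of Object.entries(FIELD_COMMANDS)) {
    const value = user[field];
    if (value === undefined || value === null || value === "") continue;
    if (consent[field] !== true) continue;
    commands.push(["set", command, [String(value)]]);
  }
  return commands;
}

// Push the permitted commands to the chatbox; returns how many were forwarded.
function identifyChatboxUser(user, consent) {
  const commands = buildIdentityCommands(user, consent);
  for (const command of commands) $crisp.push(command);
  return commands.length;
}

// On consent withdrawal, start a fresh chatbox session so nothing further is
// attached to the identified visitor. This does not erase what is already in
// the customer's Inbox/CRM; the operator must delete that server-side.
function withdrawChatboxIdentity() {
  const command = ["do", "session:reset"];
  $crisp.push(command);
  return command;
}

// Constructed sample input: a logged-in user who consented to share only
// their email and display name with support, and explicitly refused phone.
const sampleUser = {
  email: "ada@example.com",
  phone: "+33 1 23 45 67 89",
  nickname: "Ada",
  avatar: "https://example.com/avatars/ada.png",
};
const sampleConsent = { email: true, nickname: true, phone: false };

if (typeof window === "undefined") {
  // Expected: only the user:email and user:nickname commands.
  console.log(buildIdentityCommands(sampleUser, sampleConsent));
}
```

Keep the allow-list (`FIELD_COMMANDS`) and the consent map separate: the allow-list is the customer's data-minimisation decision about what may ever leave the site, while the consent map is the individual end-user's choice, and a field must pass both before it is pushed.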


Crisp also provides expanded privacy settings that defer the initialization of a user session until the user has directly interacted with the chatbox, to help organisations with stricter data privacy policies remain compliant. More information is available in this section of our Data Privacy article.


7. Security & Features


Crisp implements security throughout all of its features, prior to integration with any tool or software. 


See the following for an overview of the GDPR compliance of each feature:



8. Children


Crisp does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we have not identified it as relevant to verify the age of users signing up for our services.


Children might still be able to use the Crisp chatbox from the website or apps of a Crisp customer. To this extent, the Crisp customer is responsible for ensuring that their own users and activities comply with the regulations on children's data.


9. Data breaches


Our team closely monitors for any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface of our systems and services. In 2 years, Crisp has had 0 major security issues and only a few minor ones, which we fixed the same day they were reported (none of them would have allowed a compromise or a data breach).


Security researchers and users can submit a security report to an encrypted email address (security@crisp.chat), as explained on our Security Practices docs page; we process such reports the same day. We also pay bounties for valid security flaws reported to us, and have already paid such bounties to independent security researchers who reached out to us and disclosed minor security flaws responsibly (i.e. the report was GPG/PGP-encrypted and not publicly disclosed before a fix was issued).


Here are a few measures we took to reduce any attack surface:

  • Aggressive use of firewalls and network isolation in our infrastructure
  • No access to our server systems is allowed from the public Internet; trusted administrators from the Crisp team must connect via a trusted VPN network
  • We monitor for security flaws in every library used by our running backends, and patch them as soon as an update is issued
  • Use of two-factor authentication (2FA) on all our sensitive accounts (e.g. hosting provider, etc.)
  • Isolation of data stores and sensitive backends on separate servers
  • All platform backups are GPG/PGP-encrypted and stored privately, retained for a maximum of 1 week

The points listed above help reduce the probability of a major data breach occurring. You can read more on how Crisp manages security there.


**Crisp will notify its users of any data breach causing a high risk to the rights and freedoms of individuals, within 24 hours after discovering the breach and mitigating the security flaw. If the breach must be reported under the data protection laws applicable in your country, we will assist you to the best of our abilities.**


10. Privacy by Default and by Design


Whenever Crisp develops a new system, security comes first when designing its architecture. Our first goal is to protect the integrity of the new production system, and our second goal is to protect the user data stored and used by that system. We examine the system through a Data Protection Impact Assessment (DPIA) for any risk of unauthorized access, modification or loss of data, and implement mitigation measures to ensure Privacy by Default and Privacy by Design.


Crisp developers are well trained in software and network security, which has helped us build secure-by-design software over time.


11. Data Protection Officer


Crisp has designated a Data Protection Officer for GDPR-related matters.


DPO information:


12. International


Crisp may, via its users, process data from individuals across all EU member states. Crisp's main establishment is in France, so its supervisory authority is the French data protection authority (CNIL). Crisp is operated by Crisp IM SAS, a French limited company, identified as:



Crisp company information:


Updated on: 04/05/2026
