What's Crisp EU GDPR compliance status?
The European Union General Data Protection Regulation (GDPR) is a regulation that aims at unifying EU member state data privacy regulations into a single regulation, enforced on the EU single market. This article describes the GDPR compliance status of Crisp.
Crisp and GDPR (in 12 points)
The GDPR regulation can be reduced to 12 important points. For each point, we explain how Crisp handles its compliance. If we did not answer your questions in this article, you can still contact us and drop us a chat or email.
Also, please note that all Crisp data processor providers have been checked to be all GDPR-compliant (Cloudflare, DigitalOcean, Stripe). See the DPA we provide for a full list of our providers.
Crisp is a French Company ๐ซ๐ท. All Crisp data is held on servers hosted in the ๐ช๐บ European Union. Our Messaging data is stored in ๐ณ๐ฑ The Netherlands and our Plugin data is stored in ๐ฉ๐ช Germany. Servers are hosted by DigitalOcean (with a subsidiary in the EU subject to EU law).
We use relay servers outside EU to reduce latency for users connecting for terminals far from our EU servers. Those servers do not store any data except connection logs (IP address, date of connection, user-agent and source website). Those relay servers are hosted in ๐บ๐ธ The United States of America, United Kingdom ๐ฌ๐ง and ๐ธ๐ฌ Singapore. We do not plan to store data outside the EU in the future.
Our products rely on other third-party services, owned, developed and operated by Crisp. Namely, Mirage for our AI features (eg. LiveTranslate, MagicReply, etc.), and Enrich for our data enrichment features (eg. automatic user avatars). We made the choice to build our own third-party services to protect the privacy of your end-users, instead of relying on services operated by other companies. This reduces the spread of our external data processors to a bare minimum.
1. Awareness
All employees responsible of software development & infrastructure maintenance of Crisp IM SAS, a French limited company (the owner company for Crisp) are fully aware of the GDPR requirements.
Also, code reviews are performed by the Data Protection Officers (as listed in this article), before any code deployment to the platform. This ensures security breaches and bad practices are not implemented by eg. a third party temporary contractor or a Crisp employee, even if aware of GDPR requirements (this plays as a double human safety check).
You can check more about how we manage Crisp security internally on this article: How is security managed on Crisp services?
2. Information we hold
Crisp stores data on 2 kinds of parties:
- Our customers (ie. the operators using the Crisp Dashboard replying to their users)
- Our customers end-users (ie. the users of our customers)
2.1. Information held on our users
Crisp collects account information for each user (we refer to them as customers in this article), including:
- User first and last name, and profile picture
- User payment details (includes invoicing information, eg. company address and country โ the credit card number is stored by Stripe)
2.2. Information held on our users' end-users
Information held on our users' end-users include:
- End-user email address (if provided by end-user, thus involving a consent)
- End-user phone number (if provided by end-user, thus involving a consent)
- End-user message exchanges
- End-user last activity date and time
- End-user profile information (resolved from public data shared by end-user on the Internet, see notice below)
3. Communicating privacy information
Crisp customers and users privacy terms are clearly communicated in our Privacy information.
Crisp customers end-users privacy terms are the sole responsibility of Crisp customers. They should be announced on Crisp customers website.
4. Individualsโ rights
Crisp customers rights regarding to GDPR are considered and enforced, including:
- Right to be informed: we clearly inform our users about the use that will be made of their data
- Right of access: our users can access all their data, without restriction, from the Crisp apps
- Right of rectification: it's as simple as contacting us, we'll process all your rectification queries
- Right of erasure: it's as simple as contacting us, we'll process all your erasure queries
- Right to restrict processing: we don't process the data of our customers (and our customers end-users)
- Right to data portability: our users may contact us anytime if they wish to get an export of their data (this may take time, however, as the data is fragmented amongst multiple isolated data-stores)
- Right to object: we handle all requests on this matter from our users and users' end-users ( contact us)
- Right not to be subject to automated decision-making including profiling: we don't do that (and never will)
5. Subject access requests
Crisp replies to all access requests (positively or negatively) under 1 week (the legal limit from GDPR is 1 month).
We offer this free of charge for our customers (paid and free).
6. Lawful basis for processing personal data
Crisp stores user data involving a consent (ie. a conversation both parties entered by will, and exchanged eg. emails).
It is the Crisp customers responsibility to ensure user data is lawfully collected in the event they use our CRM feature. For instance, if the emails that get collected from the Crisp chatbox gets re-used for marketing campaign purposes either on Crisp or an external system, the Crisp customer has to ask for user consent upon collecting this email.
7. Consent
Consent is provided by our users explicitly when proceeding an action or task (eg. when they provide user data).
Crisp allows its customers to submit user data in an automated way, via a frontend JavaScript API and backend REST API, for instance assigning an email or avatar or name to a chatbox session, when the chatbox user is already identified to their customer website account. This data must have been provided by the customer user in a consented way, as it will get propagated to Crisp in an automatic way (if the customer implemented such API in their source code).
Crisp also provides expanded privacy settings aimed at deferring the initialization of a user session until they've directly interacted with the chatbox, to help entities with stricter data privacy policies to be in compliance. More information is available in this section of our Data Privacy article.
8. Children
Crisp does not offer online services to children, due to the nature of the service provided (business-to-business). Thus, we did not identified it as relevant to control the age of users signing up for services.
Children might still be able to use the Crisp chatbox services, from the website or apps of a Crisp customer. To this extent, the Crisp customer is responsible for checking against their own users and activities regarding children regulations.
9. Data breaches
Our team closely monitors any unauthorized system access, and has put in place multiple preventive measures to reduce the attack surface on our systems and services. In 2 years, Crisp has had 0 major security issues, with only a few minor ones, which we fixed the same day they were reported (those would not have allowed a hack or data breach).
Security researchers and users can submit a security report to an encrypted email address (security@crisp.chat) as explained on our Security Practices docs page, for which we process reports in the same day. We also distribute bounties for valid security flaws that are reported to us. We already distributed such bounties to independent security researchers who reached to us and disclosed minor security flaws in a responsible way (ie. report was GPG/PGP-encrypted and not publicly disclosed before a fix was issued).
Here are a few measures we took to reduce any attack surface:
- Aggressive use of firewalls and network isolation in our infrastructure
- No access to our server systems is allowed from the public Internet, trusted administrators from the Crisp team need to connect via a trusted VPN network
- We monitor any security flaw in any library we may use in our running backends, and patch them as soon as an update is issued
- Use of 2-Factor-Authentication on all our sensitive accounts (eg. hosting provider, etc.)
- Isolate data stores and sensitive backends on different servers
- All platform backups are GPG/PGP-encrypted and stored privately, retained for a maximum of 1 week
The points listed above help reduce the probability of a major data breach occurring. You can read more on how Crisp manages security there.
10. Data Protection by Design and Data Protection Impact Assessments
Whenever Crisp develops a new system, security comes as a first when designing the architecture of such a system. Our first goal is to protect the integrity of the new production system, and second goal to protect the user data that's being stored and used by that system.
11. Data Protection Officers
Crisp designated a Data Protection Officer, as required by GDPR:
Valerian Saliou
- Role: Co-founder & CTO
- Email: dpo@crisp.chat
- Location: Crisp offices in France (see "International" below)
12. International
Crisp may, via its users, processes data from individuals from all over EU member states.
Crisp main establishment is France, thus its supervisory authority is based in France.
Crisp is operated by Crisp IM SAS, a French limited company, identified as:
- ID / SIREN: 833085806
- Address: 2 Boulevard de Launay, 44100 Nantes, France
- Email: corp@crisp.chat
- Phone: +33240031187โฌ
Updated on: 29/06/2025
Thank you!