About this DPA

This Data Processing Agreement ("DPA") explains how Spydomo processes personal data on behalf of our customers when they use our services.

By using Spydomo and agreeing to our Terms of Service, you are also agreeing to this DPA. You do not need to sign a separate document. We provide the same privacy protections and data processing commitments to all customers.

If your organization requires a signed copy of this DPA, please contact us at info@spydomo.com and we will provide a countersigned version.

1. Definitions

Terms such as Personal Data, Processing, Controller, Processor, Data Subject and Supervisory Authority have the meanings given in applicable data protection laws (including the GDPR and UK GDPR). Applicable Data Protection Laws means all laws relating to data protection and privacy that apply to the Processing under this DPA. A Subprocessor is a third party engaged by Spydomo to Process Personal Data on behalf of the customer.

2. Subject Matter and Duration

This DPA applies where Spydomo processes Personal Data on behalf of the customer in connection with the Spydomo service (the “Services”). The Processing will continue for the term of the Main Agreement between the customer and Spydomo and until all Personal Data is deleted or returned in accordance with this DPA.

3. Nature and Purpose of Processing

Spydomo provides a competitive intelligence and insights platform for software companies. Spydomo Processes Personal Data as necessary to:

  • Provide, operate, and support the Services
  • Maintain security, monitor performance, and prevent abuse
  • Provide customer support and handle requests from the customer
  • Improve and develop the Services, in accordance with Applicable Data Protection Laws

4. Types of Personal Data and Data Subjects

Personal Data Processed under this DPA may include:

  • Business contact details (e.g., name, email address, company, job title)
  • Account and login information for users of the Services
  • Usage data and technical data related to use of the Services
  • Text or other content submitted to the Services by or on behalf of the customer, which may incidentally include Personal Data depending on how the customer uses Spydomo

Categories of Data Subjects may include the customer’s employees, contractors, and contacts, and other individuals whose data is included in content provided or connected by the customer.

5. Roles of the Parties

For Personal Data covered by this DPA:

  • The customer is the Controller of the Personal Data.
  • Spydomo is the Processor processing Personal Data on behalf of the customer.

Nothing in this DPA prevents Spydomo from acting as an independent Controller for certain data, for example data about its own customers and marketing activities, as described in Spydomo’s Privacy Policy.

6. Spydomo’s Obligations as Processor

Spydomo shall:

  • Process Personal Data only on documented instructions from the customer, including with respect to transfers, unless required to do so by law. In such a case, Spydomo will inform the customer unless the law prohibits this.
  • Ensure that persons authorized to Process Personal Data are bound by appropriate confidentiality obligations.
  • Implement appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
  • Notify the customer without undue delay after becoming aware of a Personal Data breach affecting Personal Data Processed on behalf of the customer, and provide information reasonably available to assist the customer in meeting its obligations.
  • Taking into account the nature of the Processing, assist the customer by appropriate technical and organizational measures, where possible, in responding to Data Subject requests to exercise their rights under Applicable Data Protection Laws.
  • Where required by law, assist the customer with data protection impact assessments and consultations with supervisory authorities in relation to the Services.
  • Upon termination of the Main Agreement, delete or return Personal Data to the customer, at the customer’s choice, unless retention is required by law. Aggregated or anonymized data that no longer constitutes Personal Data may be retained by Spydomo.

7. Subprocessors

We work with a small number of subprocessors to help us deliver Spydomo. For each subprocessor, we assess their security and privacy practices and enter into a data processing agreement that includes appropriate data protection safeguards (such as the controller–processor Standard Contractual Clauses where required).

Any such subprocessors are permitted to process personal data only as necessary to provide the services Spydomo has engaged them to deliver, and they are prohibited from using the data for any other purpose.

We may update our list of subprocessors from time to time as we evolve our infrastructure. Where required by applicable law or by our agreements with you, we will notify you of material changes (for example via email, in-app notifications, or by updating our website). If you have a legitimate objection to a new subprocessor, you may notify us and, if we cannot reasonably address your objection, you may terminate the affected services in accordance with the Main Agreement.

| Subprocessor | Purpose | Data categories | Location / region |
|---|---|---|---|
| Microsoft Azure | Hosting infrastructure, databases, backups | Account data, usage data, logs, content processed by Spydomo | Data centers in regions selected by Spydomo (e.g., Canada, US, EU) |
| Stripe | Payment processing and subscription billing | Billing contact details, limited payment details, subscription metadata | EU/US (see Stripe's data protection documentation) |
| Clerk | Authentication and user identity management | Login identifiers, email addresses, authentication logs | EU/US (see Clerk's data protection documentation) |
| Postmark | Transactional email delivery | Email addresses, message content for notifications and account-related emails | US (with appropriate safeguards such as SCCs, per Postmark documentation) |
| Plausible Analytics | Privacy-focused website analytics | Aggregated usage data, approximate location (no cookies, no personal profiles) | EU (servers hosted in the EU) |
| OpenAI | AI-powered text analysis and summarization within Spydomo | Text content submitted for analysis, which may include public reviews or user feedback | Data centers operated by OpenAI (see OpenAI's data protection documentation) |
| Bright Data | Data collection infrastructure for publicly available web content | Public web content related to companies and tools; may incidentally include usernames or display names contained in that content | Various, depending on Bright Data infrastructure (see Bright Data's documentation) |

8. International Transfers

Where the Processing of Personal Data involves transfers outside the EEA or UK to a country not deemed to provide an adequate level of protection, Spydomo shall ensure that such transfers are made in compliance with Applicable Data Protection Laws, for example by implementing appropriate safeguards such as the EU Standard Contractual Clauses and, where applicable, the UK International Data Transfer Addendum.

9. Audits

Spydomo shall make available to the customer information reasonably necessary to demonstrate compliance with this DPA and, where required by law, allow for and contribute to audits, including inspections, by the customer or an auditor mandated by the customer.

Any audit shall be subject to reasonable prior notice, occur no more than once in any 12-month period (unless required by a supervisory authority or in response to a confirmed incident), be conducted during normal business hours, and not unreasonably disrupt Spydomo’s business. The customer shall bear its own costs and any third-party costs of such audit.

10. Customer Obligations

The customer is responsible for ensuring that it has a valid legal basis for Processing Personal Data and for providing such data to Spydomo in connection with the Services, for providing any required notices to Data Subjects, and for obtaining any required consents. The customer agrees that it will not submit special categories of personal data to the Services unless the parties have explicitly agreed otherwise in writing.

11. Miscellaneous

In the event of any conflict between this DPA and the Main Agreement, this DPA shall prevail with respect to the Processing of Personal Data. This DPA shall be governed by the same law and jurisdiction as the Main Agreement, unless otherwise required by Applicable Data Protection Laws.