Data Processing Agreement

1.1. This DPA reflects the Parties' agreement on the processing of Personal Data / Personal Information in accordance with:

• The EU/EEA General Data Protection Regulation (Regulation (EU) 2016/679) ("GDPR"),
• The South African Protection of Personal Information Act, 4 of 2013 ("POPIA"), and
• Where applicable, the UK GDPR.

1.2. This DPA supplements the Agreement. If there is any conflict between this DPA and the Agreement or Privacy Policy about data protection, this DPA prevails.

For this DPA:

• "Personal Data" / "Personal Information" means any information relating to an identified or identifiable natural person, as defined in GDPR and POPIA.
• "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means.
• "Controller" / "Responsible Party" means Customer.
• "Processor" / "Operator" means Spock.
• "Sub-processor" means any third party engaged by Spock to process Personal Data on behalf of Customer.
• "Applicable Data Protection Law" means GDPR, POPIA, and any other data-protection laws that apply to Customer's use of the Service.
• "SCCs" means the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), as amended or replaced.
• "Service" means the AI assistant/workspace services described in the Agreement.

3.1. Customer is the Controller / Responsible Party. Customer determines the purposes and means of processing the Personal Data it submits to the Service.

3.2. Spock is the Processor / Operator. Spock processes Personal Data only on documented instructions from Customer and in accordance with this DPA.

3.3. Spock is also an independent Controller for certain data (account, billing, logs, communications) as described in the Privacy Policy. That controller-level processing is not covered by this DPA.

4.1. Customer instructs Spock to process Personal Data for the purpose of providing the Service as described in the Agreement, including to:

• Receive and store Customer Content in the EU (Germany) on DigitalOcean and Hetzner;
• Transmit Customer Content to the AI inference Sub-processors in the United States (currently OpenAI, Google/Gemini, Anthropic/Claude, and Groq) to generate outputs;
• Send transactional emails via Resend;
• Provide in-app support via Crisp;
• Process payments via Stripe;
• Perform security, logging, support, and billing operations.

4.2. Always-US inference. Customer acknowledges and expressly instructs Spock that all AI inference will be performed by US-based Sub-processors listed in Annex B. Customer acknowledges that each US sub-processor is bound by a GDPR-grade DPA/SCCs which Spock has accepted; this constitutes a 'binding agreement' affording adequate protection under POPIA s72(1)(b).

4.3. Spock will notify Customer if it is unable to follow an instruction due to Applicable Data Protection Law.

4.4. If Customer gives additional instructions that go beyond the Service description, Spock may charge reasonable fees or, if unlawful, refuse them.

5.1. Spock shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.2. Spock shall ensure such persons process Personal Data only on Customer's instructions.

POPIA Operator Duties. Spock warrants that it will establish and maintain the security measures referred to in POPIA ss.19 and 21, and shall notify the Responsible Party immediately where there are reasonable grounds to believe personal information has been accessed or acquired by any unauthorised person.

6.1. Spock shall implement and maintain appropriate technical and organisational measures ("TOMs") to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data. These measures are described in Annex C.

6.2. In determining the appropriate level of security, Spock shall take into account the state of the art, costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to data subjects.

6.3. Spock shall ensure data is stored in the EU (Germany) on DigitalOcean and Hetzner, and that transfers to US Sub-processors are protected by the SCCs and POPIA-compliant binding agreements.

7.1. Authorised Sub-processors. Customer gives general written authorisation for Spock to engage the Sub-processors listed in Annex B to this DPA.

7.2. Same protections. Spock shall enter into an express or implied contract with each Sub-processor that imposes data-protection obligations, including the security measures referred to in POPIA s.19, no less protective than those in this DPA, including confidentiality, security, cooperation, and deletion/return.

7.3. Notice of changes. Spock will give Customer at least 15 days' advance notice of the addition or replacement of a Sub-processor (by emailing Customer).

7.4. Right to object. If Customer has reasonable data-protection grounds to object to a new Sub-processor, Customer shall notify Spock within the notice period. Spock will discuss the concern in good faith and may (i) offer a reasonable alternative, (ii) take corrective steps, or (iii) allow Customer to terminate the affected part of the Service.

7.5. Liability. Spock remains fully liable to Customer for the performance of its Sub-processors.

8.1. EU storage; US inference. Spock stores Customer Personal Data in the EU (Germany) and transfers relevant Personal Data to Sub-processors in the United States to provide AI inference, email, and payment services.

8.2. GDPR safeguards. For transfers to the US, Spock shall ensure there is an appropriate transfer mechanism in place, including SCCs 2021/914 (typically Module 3: processor → processor), as made available by the respective Sub-processors, and supplementary measures consistent with EDPB Recommendations 01/2020 (minimisation, access controls, logging).

8.3. POPIA s72. Customer acknowledges and expressly instructs Spock that all AI inference will be performed by US-based Sub-processors listed in Annex B. Customer acknowledges that each US sub-processor is bound by a GDPR-grade DPA/SCCs which Spock has accepted; together with the juristic person protections in section 8.5, this constitutes a 'binding agreement' affording adequate protection under POPIA s72(1)(b).

8.4. TIAs. Spock shall conduct and maintain Transfer Impact Assessments (TIAs) for US Sub-processors and will make a summary of such assessments publicly available at https://spock.chat/trust and the full TIA available to Customer within 14 business days, and upon reasonable request, subject to confidentiality.

8.5. Transfer Impact Assessment Details.

8.6. POPIA Juristic Person Protection.

9.1. Taking into account the nature of the processing, Spock shall assist Customer, by appropriate technical and organisational measures, in fulfilling Customer's obligations to respond to requests from data subjects to exercise their rights under GDPR and POPIA (access, rectification, erasure, restriction, objection, portability, complaints).

9.2. If Spock receives a request directly from a data subject and the request identifies Customer, Spock will forward the request to Customer and not respond to it directly, unless legally required.

9.3. Spock may charge reasonable costs if responding to such requests becomes burdensome.

10.1. Spock shall notify Customer without undue delay and as soon as reasonably possible, but not later than 72 hours after becoming aware of a Personal Data breach affecting Customer Personal Data.

10.2. Such notification shall at least:

• Describe the nature of the breach, including, where possible, categories and approximate number of data subjects and data records concerned;
• Describe the likely consequences;
• Describe the measures taken or proposed to address the breach.

10.3. Spock will cooperate with Customer to enable Customer to meet any breach-notification obligations under GDPR and POPIA, including notifications to the Information Regulator (South Africa) or EU supervisory authorities.

11.1. Where Customer is required to carry out a DPIA (for example, because Customer is using LLMs for high-risk processing), Spock shall provide reasonable assistance and available documentation about its processing operations, Sub-processors, and security. This includes assistance for processing that involves Automated Decision Making (ADM) where required by GDPR Art. 22 or POPIA s.71.

11.2. Spock shall provide information about its AI processing pattern (EU storage → US inference; no-training settings enabled where available; short retention at model vendors) to support Customer's DPIA.

12.1. During the term, Spock will process and store Personal Data as required to provide the Service.

12.2. On termination or expiry of the Agreement or on Customer's written request, Spock shall, at Customer's choice:

• Return to Customer all Personal Data in a structured, commonly used, and machine-readable format (where technically feasible), and
• Delete or irreversibly anonymise all remaining Personal Data in its systems, except where retention is required by law or for legitimate business purposes (e.g. backups, audit logs).

12.3. For clarity:

• Application/account/workspace data: retained as per the Privacy Policy (typically 12 months) to allow export/support.
• Inference/model-call data at US Sub-processors: retained only as needed for service integrity and abuse detection, typically 7–30 days, subject to the sub-processor's own enterprise/API retention, as published in the Trust Center (https://spock.chat/trust).

13.1. Spock shall make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law. Spock may satisfy this obligation by providing a recent (less than 12 months old) third-party audit report (e.g., SOC 2 Type II, ISO 27001).

13.2. Where such information is insufficient, Customer may, no more than once per year, and on 30 days' prior written notice, conduct (or appoint an independent third party to conduct) an audit of Spock's data-processing facilities and procedures. The audit shall be limited to: (i) inspecting facilities in the EU (Germany), (ii) reviewing evidence of the No-Training Warranty, and (iii) verifying data deletion and retention controls.

13.3. Audits shall be conducted during business hours, in a manner that does not disrupt Spock's operations, and subject to appropriate confidentiality.

13.4. Where Sub-processors offer independent audit reports (e.g. SOC 2, ISO 27001), Spock may satisfy audit requests by providing those reports.

14.1. Warranty Against Training. Spock unconditionally warrants and represents that no Personal Data processed under this DPA shall be used, directly or indirectly, by Spock or any Sub-processor to train, fine-tune, or otherwise develop any artificial intelligence model, tool, or product.

14.2. Verification of No-Training Warranty. Spock warrants it (a) monitors Sub-processor terms quarterly, (b) maintains confirmations of no-training commitments for the enterprise/API channels used, and (c) will provide this verification evidence to Customer upon reasonable request.

14.3. If Spock or a Sub-processor breaches the No-Training Warranty, the breach shall be material and Spock shall, at Customer's election, provide a full refund of the last 12 months' fees, service credits, and a full right to terminate immediately.

14.4. Where such a Sub-processor later changes its position, Spock will:

• Notify Customer,
• Provide available privacy controls or a reasonable alternative, or
• Cease using that Sub-processor for Customer's data.

14.5. Notwithstanding s14.1, Customer acknowledges that Sub-processors may process technical metadata (e.g., API keys, timestamps, usage volume) for billing, security, and abuse prevention, provided such processing does not constitute 'training' or 'improving' the underlying AI model. This administrative processing of technical metadata remains subject to the cross-border transfer safeguards outlined in Section 8 of this DPA and shall not be conducted in a manner that enables the re-identification or reconstruction of Customer Content.

15.1. Each Party's liability under this DPA is subject to the limitations of liability set out in the Agreement, except where such limitation is not permitted by Applicable Data Protection Law.

15.2. Nothing in this DPA limits either Party's liability for breach of its data-protection obligations where such liability cannot be excluded under GDPR or POPIA.

16.1. This DPA shall be governed by and construed in accordance with the laws of the Republic of South Africa. Notwithstanding the foregoing, for processing activities that are subject to the EU General Data Protection Regulation (GDPR), the terms of the Standard Contractual Clauses (SCCs) incorporated in Annex D shall be governed by the laws of the Republic of Ireland.

16.2. The Parties submit to the jurisdiction of the South African courts for disputes arising out of this DPA.

In case of conflict between:

1. The SCCs (Annex D),
2. This DPA,
3. The Agreement, the order above shall apply, with SCCs taking precedence where required by law.