Version: 1.6
Dated: 6 June 2025
This Data Processing Agreement ("DPA") details the terms and conditions governing the processing of personal data by SpotDev Services Ltd ("SpotDev") on behalf of its clients (each referred to as the "Client"). This DPA is designed to ensure that all processing of personal data carried out by SpotDev is in accordance with applicable data protection laws and the Client’s instructions.
SpotDev provides HubSpot consultancy, training, and technical implementation services. In the course of delivering these services, SpotDev may access and process certain personal data that is stored within the Client’s own HubSpot instance (or other platforms provided by the Client). Such access is strictly for the purposes defined by the Client’s instructions and the terms of this DPA.
SpotDev’s personnel may access Client Personal Data that is stored and managed within the Client’s own systems, such as their HubSpot platform. SpotDev does not export, store, or process this personal data using SpotDev’s own internal technology stack. Instead, SpotDev’s involvement is limited to actions taken within the Client’s systems, as instructed and authorised by the Client.
Client Personal Data may include information relating to individuals such as customers, leads, employees, or contractors of the Client’s organisation. Such data might typically encompass names, email addresses, telephone numbers, or other similar contact details stored within the Client’s systems.
The duration of SpotDev’s processing activities is limited to the period during which SpotDev has been granted access by the Client to the Client’s systems, and/or for the duration of any service engagement agreed upon between SpotDev and the Client. Once the engagement ends or access is revoked, SpotDev will cease to process Client Personal Data.
SpotDev’s data protection officer is the Chief Executive. This individual monitors internal compliance with data protection laws and acts as the primary contact point for any queries related to data processing and protection.
The Client acts as a data controller or a data processor on behalf of a third-party controller, and SpotDev acts as a data processor or sub-processor respectively in relation to the Client Personal Data.
The Client is responsible for ensuring that personal data it instructs SpotDev to process is collected and processed in accordance with applicable data protection laws. The Client shall ensure it has all necessary consents, notices, and permissions in place to allow SpotDev to access personal data within the Client’s systems.
Each Party shall maintain records which indicate how that Party processes personal data under its responsibility. These records will contain at least the minimum information required by the Data Protection Laws and each Party shall make that information available to any DP Regulator on request.
To the extent that the Supplier processes Client Personal Data on behalf of the Client, SpotDev shall:
Where SpotDev is relying on applicable laws as the basis for processing Client Processor Data under clause 3.2.1 above, SpotDev shall use reasonable efforts to notify the Client of this before performing the processing required by the applicable laws unless those applicable laws prohibit SpotDev from so notifying the Client.
For clarity, when providing services to the Client, SpotDev operates primarily within the Client’s systems and does not use its own internal platforms to store or process Client Personal Data. Exceptions to this are highlighted in the list below with an asterisk.
However, SpotDev uses a set of tools and services ("Sub-Processors") for its internal business operations. These Sub-Processors may include, but are not limited to:
The above systems and providers are generally used by SpotDev for managing internal operations such as project management, finance, communication, and support. SpotDev does not transfer or store Client Personal Data in these systems without explicit written agreement. If, in exceptional circumstances, certain metadata or limited client-related information (e.g., Client contact details) is stored for account management purposes, it will be in accordance with this DPA and applicable data protection laws.
Any addition or replacement of these Sub-Processors that may affect the processing of Client Personal Data (if ever required) shall be notified in advance to the Client, giving the Client an opportunity to object where legally required and justified by data protection laws.
SpotDev and its contractors may access the Client’s systems and data from:
Because SpotDev personnel, including contractors, may be physically located outside the UK, the Client Personal Data is effectively accessed across borders. However, such access occurs within the Client’s own systems and is subject to the Client’s infrastructure, controls, and any applicable safeguards the Client has in place.
SpotDev does not export, store, or otherwise transfer Client Personal Data into its own infrastructure without explicit written authorisation/instruction from the Client.
Where required by applicable data protection laws, the Client and SpotDev shall work together in good faith to put in place appropriate safeguards for any international access to personal data (such as relevant standard contractual clauses), ensuring that any cross-border access meets the standards set out under applicable laws.
For any remote access to Client Personal Data by SpotDev personnel located in South Africa, the parties agree that such access constitutes a restricted transfer for the purposes of the UK GDPR.
The UK International Data Transfer Addendum (IDTA) to the EU Commission’s Standard Contractual Clauses (Controller–Processor, Module 2, 4 June 2021) is hereby incorporated into this DPA by reference and governs each such transfer.
No separate signature to this DPA is required. When the Client signs any SpotDev proposal or scope of work, the Client is deemed to have executed this DPA (and the incorporated IDTA) for the transfers described above.
SpotDev shall maintain records of its processing activities to the extent required by data protection laws. Upon written request, and where relevant to the services provided, SpotDev shall make available such information as is reasonably necessary to demonstrate compliance with its obligations under this DPA, subject to confidentiality and commercial sensitivity considerations.
Upon termination of the service engagement or at the Client’s written request, SpotDev will cease accessing Client Personal Data. As SpotDev does not store Client Personal Data within its own systems, there is no retention of such data by SpotDev. If any incidental copies exist (e.g., in emails or Microsoft 365), SpotDev shall delete them (to the extent technically feasible) or return them to the Client as instructed, unless required by law to retain such information.
Each party is responsible for its own costs and expenses incurred in performing its obligations under this DPA, unless otherwise agreed in writing.
Provisions that by their nature should survive termination of any service engagement, including confidentiality and data protection obligations, shall remain in effect.
The parties are independent entities. Nothing in this DPA creates a partnership, joint venture, agency, or employment relationship between the parties.
This DPA does not confer any rights upon any person other than the parties to it.
No rights or obligations under this DPA may be assigned or transferred without the prior written consent of the other party, except where expressly permitted by this DPA or applicable law.
If any provision of this DPA is found to be invalid, illegal, or unenforceable, the remainder of the DPA shall remain in full force and effect. The parties agree to work together in good faith to amend the DPA to reflect the original intent, where legally possible.
No delay or omission by either party in exercising any right under this DPA shall operate as a waiver of that right, nor shall any single or partial exercise of any right preclude further exercise of that right or any other right.
Any notices related to this DPA shall be provided in writing and sent to the designated contact person(s) of each party, as agreed separately. Notices sent by post shall be deemed delivered three business days after dispatch. Notices sent by email shall be deemed delivered on the same business day, unless sent after normal working hours, in which case delivery is deemed the next business day.
This DPA may be made available electronically or in multiple versions. The current version maintained by SpotDev shall be considered authoritative unless the parties agree otherwise in writing.
This DPA shall be governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales for any disputes arising out of or in connection with this DPA.