Data Processing Agreement

Version: 1.4
Dated: 1 December 2024

Introduction

This Data Processing Agreement ("DPA") details the terms and conditions governing the processing of personal data by SpotDev Services Ltd ("SpotDev") on behalf of its clients (each referred to as the "Client"). This DPA is designed to ensure that all processing of personal data carried out by SpotDev is in accordance with applicable data protection laws and the Client’s instructions.

Purpose

SpotDev provides HubSpot consultancy, training, and technical implementation services. In the course of delivering these services, SpotDev may access and process certain personal data that is stored within the Client’s own HubSpot instance (or other platforms provided by the Client). Such access is strictly for the purposes defined by the Client’s instructions and the terms of this DPA.

Scope and Nature of Processing

SpotDev’s personnel may access Client Personal Data that is stored and managed within the Client’s own systems, such as their HubSpot platform. SpotDev does not export, store, or process this personal data using SpotDev’s own internal technology stack. Instead, SpotDev’s involvement is limited to actions taken within the Client’s systems, as instructed and authorised by the Client.

Client Personal Data may include information relating to individuals such as customers, leads, employees, or contractors of the Client’s organisation. Such data might typically encompass names, email addresses, telephone numbers, or other similar contact details stored within the Client’s systems.

Duration of Processing

The duration of SpotDev’s processing activities is limited to the period during which SpotDev has been granted access by the Client to the Client’s systems, and/or for the duration of any service engagement agreed upon between SpotDev and the Client. Once the engagement ends or access is revoked, SpotDev will cease to process Client Personal Data.

Data Protection Officers

SpotDev’s data protection officer is the Chief Executive. This individual monitors internal compliance with data protection laws and acts as the primary contact point for any queries related to data processing and protection.

Roles and Responsibilities

The Client acts as a data controller or a data processor on behalf of a third-party controller, and SpotDev acts as a data processor or sub-processor respectively in relation to the Client Personal Data.

Client Obligations

The Client is responsible for ensuring that personal data it instructs SpotDev to process is collected and processed in accordance with applicable data protection laws. The Client shall ensure it has all necessary consents, notices, and permissions in place to allow SpotDev to access personal data within the Client’s systems.

SpotDev Obligations

  • SpotDev shall process Client Personal Data only on the Client’s documented instructions and solely for the purposes agreed with the Client.
  • SpotDev shall implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Client Personal Data and against accidental loss, destruction, or damage.
  • SpotDev shall maintain confidentiality and ensure that any authorised personnel accessing Client Personal Data are subject to confidentiality obligations.
  • SpotDev will assist the Client, where possible and at the Client’s cost, in responding to data subject requests and in demonstrating compliance with applicable data protection laws.
  • In the event of a personal data breach relating to Client Personal Data accessed by SpotDev, SpotDev shall promptly notify the Client and provide relevant information to enable the Client to meet any obligations under data protection laws.

Records and Processing

Each Party shall maintain records which indicate how that Party processes personal data under its responsibility. These records will contain at least the minimum information required by the Data Protection Laws and each Party shall make that information available to any DP Regulator on request.

To the extent that the Supplier processes Client Personal Data on behalf of the Client, SpotDev shall:

  • process that Client Personal Data only on the documented instructions of the Client, which shall include processing the Client Personal Data to the extent necessary for the Purpose, unless SpotDev is otherwise required by applicable laws. SpotDev shall notify the Client if its instructions infringe Data Protection Laws or other applicable laws;
  • implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Client Personal Data and against accidental loss or destruction of, or damage to, Client Personal Data, including as appropriate:
    • the pseudonymisation and encryption of Client Personal Data;
    • the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;
    • the ability to restore the availability and access to Client Personal Data in a timely manner in the event of a physical or technical incident; and
    • a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;
  • maintain the confidentiality of the Client Personal Data, not disclose the Client Personal Data to any third party other than as authorised to do so under this Agreement and ensure that any personnel engaged and authorised by SpotDev to process Client Personal Data have committed themselves to obligations of confidentiality;
  • assist the Client in responding to any request from a data subject and in ensuring the Client's compliance with its obligations under applicable Data Protection Laws. This process shall be provided (at the Client's cost) and shall include:
    • recording and referring all requests and communications received from data subjects or any DP Regulator to the Client which relate to any Client Personal Data promptly (and in any event within five days of receipt); and
    • not responding to any such requests without the Client's express written approval and strictly in accordance with the Client's instructions unless and to the extent required by applicable law.
    • promptly (and in any event within 24 hours):
      • notify the Client if it (or any of the Sub-Processors or SpotDev personnel) becomes aware of any actual occurrence of any Personal Data Breach in respect of any Client Personal Data; and
      • provide all information as the Client reasonably requires to report the circumstances to a DP Regulator and to notify affected data subjects under Data Protection Laws.

Where SpotDev is relying on applicable laws as the basis for processing Client Processor Data under clause 3.2.1 above, SpotDev shall use reasonable efforts to notify the Client of this before performing the processing required by the applicable laws unless those applicable laws prohibit SpotDev from so notifying the Client.

Sub-Processors

For clarity, when providing services to the Client, SpotDev operates primarily within the Client’s systems and does not use its own internal platforms to store or process Client Personal Data.

However, SpotDev uses a set of tools and services ("Sub-Processors") for its internal business operations. These Sub-Processors may include, but are not limited to:

  • HubSpot
  • Microsoft 365
  • ClickUp
  • OpenAI
  • Anthropic
  • Zapier
  • Pipedream
  • Aircall
  • CircleLoop
  • Neverbounce
  • Operating
  • QuickBooks Online
  • Stripe
  • Supered.

The above systems and providers are generally used by SpotDev for managing internal operations such as project management, finance, communication, and support. SpotDev does not transfer or store Client Personal Data in these systems without explicit written agreement. If, in exceptional circumstances, certain metadata or limited client-related information (e.g., Client contact details) is stored for account management purposes, it will be in accordance with this DPA and applicable data protection laws.

Any addition or replacement of these Sub-Processors that may affect the processing of Client Personal Data (if ever required) shall be notified in advance to the Client, giving the Client an opportunity to object where legally required and justified by data protection laws.

International Transfers

SpotDev and its contractors may access the Client’s systems and data from:

  • United Kingdom
  • European Union
  • South Africa.

Because SpotDev personnel, including contractors, may be physically located outside the UK, the Client Personal Data is effectively accessed across borders. However, such access occurs within the Client’s own systems and is subject to the Client’s infrastructure, controls, and any applicable safeguards the Client has in place.

SpotDev does not export, store, or otherwise transfer Client Personal Data into its own infrastructure without explicit written authorisation/instruction from the Client.

Where required by applicable data protection laws, the Client and SpotDev shall work together in good faith to put in place appropriate safeguards for any international access to personal data (such as relevant standard contractual clauses), ensuring that any cross-border access meets the standards set out under applicable laws.

Records and Audit

SpotDev shall maintain records of its processing activities to the extent required by data protection laws. Upon written request, and where relevant to the services provided, SpotDev shall make available such information as is reasonably necessary to demonstrate compliance with its obligations under this DPA, subject to confidentiality and commercial sensitivity considerations.

Deletion or Return of Personal Data

Upon termination of the service engagement or at the Client’s written request, SpotDev will cease accessing Client Personal Data. As SpotDev does not store Client Personal Data within its own systems, there is no retention of such data by SpotDev. If any incidental copies exist (e.g., in emails or Microsoft 365), SpotDev shall delete them (to the extent technically feasible) or return them to the Client as instructed, unless required by law to retain such information.

Costs

Each party is responsible for its own costs and expenses incurred in performing its obligations under this DPA, unless otherwise agreed in writing.

Surviving Provisions

Provisions that by their nature should survive termination of any service engagement, including confidentiality and data protection obligations, shall remain in effect.

Relationship of the Parties

The parties are independent entities. Nothing in this DPA creates a partnership, joint venture, agency, or employment relationship between the parties.

Rights of Third Parties

This DPA does not confer any rights upon any person other than the parties to it.

Assignment

No rights or obligations under this DPA may be assigned or transferred without the prior written consent of the other party, except where expressly permitted by this DPA or applicable law.

Severability

If any provision of this DPA is found to be invalid, illegal, or unenforceable, the remainder of the DPA shall remain in full force and effect. The parties agree to work together in good faith to amend the DPA to reflect the original intent, where legally possible.

Waiver

No delay or omission by either party in exercising any right under this DPA shall operate as a waiver of that right, nor shall any single or partial exercise of any right preclude further exercise of that right or any other right.

Notices

Any notices related to this DPA shall be provided in writing and sent to the designated contact person(s) of each party, as agreed separately. Notices sent by post shall be deemed delivered three business days after dispatch. Notices sent by email shall be deemed delivered on the same business day, unless sent after normal working hours, in which case delivery is deemed the next business day.

Counterparts

This DPA may be made available electronically or in multiple versions. The current version maintained by SpotDev shall be considered authoritative unless the parties agree otherwise in writing.

Governing Law and Jurisdiction

This DPA shall be governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of the courts of England and Wales for any disputes arising out of or in connection with this DPA.