Spinative — Data Processing Agreement (DPA)
Effective date: 2026-05-10 Last updated: 2026-05-10
This Data Processing Agreement (the "DPA") forms part of the Terms of Service between Ediciones Candel SL ("Spinative", "we", "Processor") and the customer accepting these Terms ("Customer", "Controller"). It governs the processing of Personal Data by Spinative on behalf of the Customer in connection with the use of the Spinative platform.
This DPA reflects the parties' agreement on the processing of Personal Data within the scope of GDPR Articles 28-29.
1. Definitions
Capitalised terms used but not defined here have the meaning given to them in the GDPR (Regulation (EU) 2016/679) or the Spinative Terms of Service.
- Personal Data — any information relating to an identified or identifiable natural person processed by Spinative on behalf of the Customer in the course of providing the Platform.
- Data Subject — the natural person to whom Personal Data relates (typically the Customer's employees, contractors, or collaborators).
- Sub-processor — a third party engaged by Spinative to process Personal Data on its behalf, listed at sub-processors.md.
2. Subject matter, duration, nature, purpose, types of data
| Element | Detail |
|---|---|
| Subject matter | Provision of the Spinative platform |
| Duration | Term of the underlying Terms of Service |
| Nature & purpose | Hosting, storage, transmission, organisation, retrieval, use, structuring of Personal Data to deliver the Platform |
| Types of Personal Data | Identification data (name, email), professional data (job title, studio), authentication data, communications metadata (logs), payment metadata (handled directly by Stripe) |
| Categories of Data Subject | Customer's employees, contractors, members of customer's studio, project collaborators, recipients of share links |
Spinative does not process special categories of personal data (GDPR Article 9) or data relating to criminal convictions in the ordinary course of providing the Platform. The Customer must not upload special-category data without first informing Spinative and agreeing in writing on additional safeguards.
3. Processor obligations
Spinative shall:
1. Process Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country — unless required to do so by EU or Member-State law (in which case Spinative will inform the Customer before processing, where permitted by that law).
2. Ensure that personnel authorised to process Personal Data are bound by confidentiality.
3. Implement and maintain the technical and organisational measures set out in Annex II below.
4. Engage Sub-processors only on the conditions of section 4 below.
5. Assist the Customer, taking into account the nature of processing, in fulfilling the Customer's obligation to respond to Data Subject rights requests under Articles 15-22 GDPR.
6. Assist the Customer in ensuring compliance with Articles 32-36 GDPR (security, breach notification, impact assessment, prior consultation), taking into account the nature of processing and information available to Spinative.
7. At the Customer's choice, delete or return all Personal Data to the Customer at the end of the provision of services, and delete existing copies, unless EU or Member-State law requires storage.
8. Make available to the Customer all information necessary to demonstrate compliance with Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to the conditions in section 7.
4. Sub-processors
The Customer authorises Spinative to engage the Sub-processors listed at sub-processors.md (incorporated by reference). The Customer also provides general written authorisation to engage additional Sub-processors, subject to:
- Spinative giving the Customer at least 30 days' prior notice of any new Sub-processor (by email and via the publication of an updated sub-processors.md).
- The Customer's right to object to such addition for a documented reason within that notice period. If the Customer reasonably objects and Spinative cannot satisfy the objection, the Customer may terminate the relevant subscription without penalty (pro-rata refund of pre-paid fees for the remaining term).
- Spinative imposing on each Sub-processor data-protection obligations no less protective than those set out in this DPA, by way of a written contract.
- Spinative remaining fully liable to the Customer for the performance of each Sub-processor's obligations.
5. International transfers
Where Personal Data is transferred outside the EEA, the parties shall rely on the European Commission's Standard Contractual Clauses (implementing Decision (EU) 2021/914), the relevant module of which is incorporated by reference into this DPA. The Customer acts as data exporter and Spinative as data importer.
6. Security and breach notification
Spinative shall implement the technical and organisational measures described in Annex II. In the event of a Personal Data Breach affecting Customer Personal Data, Spinative shall:
- Notify the Customer without undue delay (and in any case within 72 hours) of becoming aware of the breach
- Provide the information required by Article 33(3) GDPR to the extent then known
- Reasonably cooperate with the Customer's mitigation and notification obligations
7. Audit
Once per calendar year (or more frequently if required by a competent supervisory authority or after a Personal Data Breach), the Customer or its mandated auditor may conduct an audit to verify Spinative's compliance with this DPA. The audit:
- Must be requested at least 30 days in advance in writing
- Must respect the confidentiality of Spinative's other customers
- Must be carried out during normal business hours
- Is at the Customer's expense, unless the audit reveals a material breach by Spinative
In lieu of an on-site audit, Spinative may at its option provide a recent SOC 2 / ISO 27001 audit report or equivalent attestation.
8. Liability
Each party's liability arising out of or in connection with this DPA is governed by the limitation-of-liability provisions of the Terms of Service, except where Spanish or EU mandatory law provides otherwise. The aggregate liability of either party under this DPA is included within (and does not increase) the cap in the Terms of Service.
9. Order of precedence
In case of conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of Personal Data. The Standard Contractual Clauses prevail over this DPA where they conflict.
10. Term and termination
This DPA takes effect on the Effective Date and continues for the term of the Terms of Service. The deletion / return obligation in section 3.7 survives termination.
Annex I — description of processing
(Reproduced from section 2 above.)
| Element | Detail |
|---|---|
| Subject matter | Provision of the Spinative platform |
| Duration | Term of the underlying Terms of Service |
| Nature & purpose | Hosting, storage, transmission, organisation, retrieval, use, structuring of Personal Data to deliver the Platform |
| Types of Personal Data | Identification data, professional data, authentication data, communications metadata |
| Data Subject categories | Customer's personnel, collaborators, share-link recipients |
Annex II — technical and organisational measures
Spinative implements the following measures:
Confidentiality
- TLS 1.2+ for data in transit; HSTS enforced on spinative.com
- Encryption at rest for all stored data (Supabase managed encryption); backups encrypted
- Role-based access control with least-privilege defaults
- Multi-factor authentication for production system access
- Internal access to production data limited to a small number of designated personnel, all bound by confidentiality
Integrity
- Versioned database migrations
- Automatic snapshots and point-in-time recovery
- Code review required on all production-bound merges
Availability
- Multi-region failover at the CDN / edge layer (Vercel)
- Daily database backups retained for 30 days; longer retention for paid plans where indicated
- Monitoring and alerting on uptime, latency, error rate
Resilience and testing
- Regular dependency-vulnerability scanning
- Automated security advisors on the database and infrastructure
- Periodic restoration drills
Sub-processor management
- Written DPA in place with each Sub-processor
- Annual review of each Sub-processor's compliance posture
Breach response
- Documented incident-response process
- Notification to Customer within 72 hours of becoming aware of a breach affecting their Personal Data
- Post-incident review with corrective actions tracked to closure
Signature
This DPA does not require signature for it to take effect — it is binding upon Customer's acceptance of the Spinative Terms of Service. A countersigned copy can be provided on request to hello@spinative.com for customers whose internal process requires it.
For and on behalf of Ediciones Candel SL:
| Field | Value |
|---|---|
| Name | _____________________ |
| Title | _____________________ |
| Date | _____________________ |
| Signature | _____________________ |
