This Data Processing Agreement (“DPA”) forms part of the agreement between Spun App Ltd (“Processor”) and the customer entity that has subscribed to Spun (“Controller” or “Customer”). It applies whenever Spun processes personal data on the Customer’s behalf as part of providing the Service. If you need this DPA signed separately for your procurement process, email privacy@spun.bot.
1. Definitions
“Data Protection Laws” means the UK GDPR, the Data Protection Act 2018, the EU General Data Protection Regulation (Regulation (EU) 2016/679), and any other applicable data protection or privacy laws.
“Personal Data”, “Controller”, “Processor”, “Data Subject”, and “Processing” have the meanings given in the UK GDPR.
“Customer Personal Data” means personal data that Spun processes on behalf of the Customer under the main agreement (including these Terms of Service).
“Sub-processor” means any processor engaged by Spun to process Customer Personal Data.
2. Subject matter and details of processing
The details of processing carried out by Spun under this DPA are:
- Subject matter — provision of the Spun AI growth platform.
- Duration — the term of the main agreement, plus any period during which Spun retains Customer Personal Data as described in the Privacy Policy.
- Nature and purpose — hosting, transmitting, and transforming customer content to generate marketing outputs, execute campaigns on connected platforms, and report on performance.
- Types of personal data — contact details, account identifiers, authentication data, usage data, IP addresses, content submitted by users (prompts, briefs, uploaded assets), and campaign metadata. The Customer may choose to include additional categories in the content it submits.
- Categories of Data Subject — the Customer’s authorised users, employees, and, depending on the content submitted, the Customer’s own customers, prospects, and contacts.
3. Obligations of Spun as Processor
Spun shall:
- Process Customer Personal Data only on the Customer’s documented instructions, including those set out in the main agreement and this DPA, unless required to do otherwise by applicable law (in which case Spun shall notify the Customer before processing, unless that law prohibits notification);
- Ensure that personnel authorised to process Customer Personal Data are bound by confidentiality obligations;
- Implement appropriate technical and organisational measures as set out in Annex A;
- Assist the Customer in responding to requests from Data Subjects exercising their rights under Data Protection Laws, taking into account the nature of processing;
- Assist the Customer in ensuring compliance with its obligations under Articles 32 to 36 UK GDPR (security, breach notification, DPIAs, prior consultation);
- At the Customer’s choice, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies unless retention is required by law;
- Make available to the Customer all information necessary to demonstrate compliance with the obligations in Article 28 UK GDPR, and allow for and contribute to audits conducted by the Customer or an auditor it mandates (see Section 8).
4. Sub-processors
The Customer provides a general authorisation for Spun to engage sub-processors to process Customer Personal Data, subject to the following:
- Spun maintains a current list of sub-processors at spun.bot/subprocessors;
- Spun shall impose data protection obligations on each sub-processor that are no less protective than those in this DPA;
- Spun shall give the Customer at least 14 days’ notice before appointing a new sub-processor by updating the sub-processor page and, where the Customer has subscribed to updates, by email. The Customer may object on reasonable data protection grounds within that period, and the parties shall work together in good faith to resolve the objection; if it cannot be resolved, the Customer may terminate the affected portion of the service;
- Spun remains fully liable for the acts and omissions of its sub-processors.
5. International transfers
Where Spun (or a sub-processor) transfers Customer Personal Data outside the UK or the EEA, such transfers shall be subject to appropriate safeguards in accordance with Data Protection Laws, including the UK International Data Transfer Addendum (IDTA), the EU Standard Contractual Clauses (Module 3 or Module 4 as applicable), or another lawful transfer mechanism. By accepting this DPA, the Customer authorises Spun to enter into such transfer mechanisms on its behalf with its sub-processors.
6. Security
Spun implements and maintains appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. Current measures are described in Annex A.
7. Personal data breaches
Spun shall notify the Customer without undue delay and in any event within 72 hours after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include the information required under Article 33(3) UK GDPR to the extent known. Spun will cooperate with the Customer and take reasonable steps to mitigate and remediate the breach.
8. Audits
Spun shall make available to the Customer, on written request, information reasonably necessary to demonstrate compliance with this DPA, including summaries of independent audits where available. Where a Customer reasonably requires additional audit activity, the parties shall agree the scope, timing, and costs in advance. Audits shall be conducted during business hours, with at least 30 days’ notice, subject to confidentiality, and shall not unreasonably interfere with Spun’s operations.
9. Data subject requests
Spun shall, taking into account the nature of processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to Data Subject requests. Where a request is sent directly to Spun, Spun shall promptly forward it to the Customer and shall not respond directly unless required to do so by law.
10. Return and deletion
On termination or expiry of the main agreement, Spun shall, at the Customer’s choice, delete or return all Customer Personal Data within 30 days, and delete existing copies unless UK or EU law requires further storage.
11. Liability
Each party’s liability under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the main agreement.
12. Conflict
In the event of any conflict between this DPA and the main agreement, this DPA prevails with regard to the processing of Customer Personal Data.
Annex A — Technical and organisational measures
Spun implements the following measures, reviewed on an ongoing basis:
- Encryption — TLS 1.2+ in transit; encryption at rest for databases and backups.
- Access control — role-based access, least-privilege principles, multi-factor authentication for administrative access, and audit logging.
- Authentication — customer authentication handled by Clerk, including support for SSO and MFA.
- Network security — managed cloud infrastructure, DDoS protection, and web application firewall at the edge.
- Secure development — code review, dependency scanning, and secret scanning in the CI/CD pipeline.
- Backups — regular encrypted backups with defined retention and recovery testing.
- Incident response — documented process with defined roles and notification timelines.
- Personnel — confidentiality obligations, data-protection training, and background-appropriate access controls.
- Vendor management — due diligence on sub-processors and contractual data-protection obligations no less protective than this DPA.
Annex B — Sub-processors
The current list of sub-processors is published at spun.bot/subprocessors and is incorporated into this DPA by reference.