Data Processing Agreement

Last updated: November 4, 2024

This Data Processing Agreement (“DPA”) is incorporated by reference into Terms and Conditions, Master Services Agreement, or any other written agreement (the “Services Agreement”) between Customer and Spacelift, Inc. (“Spacelift”) for the purchase of services from Spacelift (as defined below) to reflect the parties’ agreement concerning the Processing of Personal Data.

This DPA does not apply if Customer and Spacelift have executed a separate Data Protection Addendum or Data Protection Agreement.

1. DEFINITIONS

1.1. “Applicable Data Protection Laws” means all data protection and privacy laws applicable to the respective party in its role in the Processing of Personal Data under the Services Agreement, as amended, suspended or replaced from time to time, including but not limited to: (a) Regulation (EU) 2016/679 (the “EU GDPR”); (b) the EU GDPR as saved into UK law by virtue of Section 3 of the UK’s European Union Act 2018 and the UK Data Protection Act 2018 (“UK GDPR”); (c) Swiss Federal Act on Data Protection of 19 June 1992 and its corresponding ordinances (“FADP”); (d) Canadian Personal Information Protection and Electronic Documents Act (“PIPEDA”) and (e) California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”).

1.2. “Authorized Person” means any person who is required to access or otherwise Process Customer Personal Data on Spacelift’s behalf to enable Spacelift to perform its obligations under the Services Agreement and this DPA, including but not limited to Spacelift’s staff, officers, partners, and Subprocessors.

1.3. “Customer” means a) the party to the Services Agreement subscribing to Services provided by Spacelift and b) said party’s affiliates. In respect of any obligation(s) which are required to be performed by Customer, Customer will ensure that Customer, or as applicable, its affiliates will perform such obligation(s).

1.4. “Data Subject” means the identified or identifiable natural person who is the subject of Customer Personal Data.

1.5. “Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and/or governed by Applicable Data Protection Laws.

1.6. “Personal Data Breach” means any breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed by Spacelift and/or its Subprocessors in connection with the provision of the Services.

1.7. “Processing” means any operation or set of operations that is performed on Personal Data or sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.

1.8. “Services” means the services provided by Spacelift to Customer under the Services Agreement.

1.9. “Services Agreement” means the agreement between Spacelift and Customer for the provision of the Services, consisting of Terms and Conditions, Master Services Agreement, or any other written agreement.

1.10. “Subprocessor” means any authorized third party that Processes Personal Data to assist Spacelift in fulfilling its obligations under the Services Agreement and this DPA.

1.11. “Trust Center” means Spacelift’s website at trust.spacelift.io providing insight into Spacelift’s information security posture, listing Subprocessors and Security Measures (as defined in Clause 4.2.).

1.12. Other. Capitalized terms, or any other terms, used in this DPA that are not defined in this Section 1 (Definitions) will have the meaning given to them elsewhere in this DPA and/or the Services Agreement and/or in Applicable Data Protection Laws unless otherwise specified.

2. PERSONAL DATA PROCESSING

2.1. Roles. The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer acts as a Controller or Processor (as applicable) and Spacelift acts as a Processor or sub-processor (as applicable). Where Customer is itself a Processor of Personal Data, acting on behalf of a Controller, Customer will serve as the sole point of contact for Spacelift and Spacelift will not interact directly with (including to seek any authorizations directly from) any such Controller, other than through the regular provision of the Services to the extent required under the Services Agreement.

2.2. Scope. The subject matter of Processing of Personal Data by Spacelift, the duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects Processed under this DPA, are further specified in Annex 1 to this DPA - Subject Matter & Details of Processing. Spacelift may make reasonable amendments to Annex 1 from time to time as Spacelift reasonably considers necessary to meet the requirements of Applicable Data Protection Laws.

2.3. Instructions. Spacelift will Process Customer Personal Data solely under and following Customer’s documented instructions and to provide the Services and as otherwise necessary to (a) perform its obligations or exercise its rights under the Services Agreement and (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Services Agreement (“Permitted Purpose”). For the Permitted Purpose, Customer’s instructions include (i) instructions as set out in the Services Agreement and/or this DPA; and (ii) any additional reasonable instructions provided by Customer where such instructions are consistent with the terms of the Services Agreement and/or Applicable Data Protection Laws. Spacelift will promptly inform Customer if, in Spacelift’s opinion, any instruction infringes Applicable Data Protection Laws.

2.4. Compliance with Law. The parties will comply with their obligations under Applicable Data Protection Laws concerning the Processing of Customer Personal Data. Each party will promptly notify the other party if it is unable to comply with its obligations under Applicable Data Protection Laws and/or the terms of the Services Agreement (including this DPA) as they relate to or govern the Processing of Customer Personal Data for any reason. In the event of any such non-compliance, and without prejudice to any other right or remedy available to the other party under the Services Agreement, such notifying party will take all reasonable and appropriate steps to remediate any non-compliance.

2.5. Cooperation and Assistance. Upon each party’s request, the other party will provide the requesting party with reasonable cooperation and assistance needed to fulfill its obligations under Applicable Data Protection Laws.

3. SUBPROCESSORS

3.1. Authorization. Customer specifically authorizes Spacelift to use its Subprocessors as listed in Spacelift’s Trust Center, and generally authorizes Spacelift to engage any new Subprocessors to Process Customer Personal Data.

3.2. Obligations. While using Subprocessors, Spacelift:

  • 3.2.1. will enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this DPA; and

  • 3.2.2. remains liable for compliance with the obligations of this DPA and for any acts or omissions of the Subprocessor that cause Spacelift to breach any of its obligations under this DPA.

3.3. New Subprocessors. When any new Subprocessor is engaged, Spacelift will notify Customer of the engagement, which notice may be given via email and/or by updating the Subprocessor list available at Trust Center (Customer can subscribe to receive notifications about changes in the Trust Center). Spacelift will give such notice at least fifteen (15) days before the new Subprocessor Processes any Customer Personal Data, except that if Spacelift reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity or availability of Customer Personal Data or avoid material disruption to the Services, Spacelift will give such notice as soon as reasonably practicable.

3.4. Objections. Customer may object to an engagement of a new Subprocessor by informing Spacelift in writing within ten (10) days of receipt of the aforementioned notice by Customer, provided such objection is in writing and based on reasonable grounds relating to data protection. Should Customer express in writing its objection to Spacelift's appointment of a new Subprocessor on valid data protection grounds, the parties will engage in a good-faith discussion to address and resolve these concerns. Customer acknowledges that certain Subprocessors are essential to providing the Services and that objecting to the use of a Subprocessor may prevent Spacelift from offering the Services to Customer. If the parties are unable to reach a mutually agreeable resolution within a reasonable period of time, which will not exceed thirty (30) days, Customer may discontinue the use of the affected Services by providing written notice to Spacelift and Spacelift will refund a prorated amount of any prepaid fees. Except for the prorated refund, such discontinuation will not relieve Customer of any fees owed to Spacelift under the Services Agreement.

4. SECURITY

4.1. Personnel. Spacelift will take reasonable steps to ensure the reliability of any Authorized Persons who may have access to Customer Personal Data, ensuring in each case that access is strictly limited to those individuals who need to know and/or access the relevant Customer Personal Data, as necessary for Permitted Purpose. Spacelift will ensure that Authorized Persons are informed of the confidential nature of Customer Personal Data and that they receive appropriate training regarding their responsibilities. Spacelift will impose appropriate contractual obligations on Authorized Persons, including relevant obligations regarding confidentiality, data protection, and data security.

4.2. Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing, as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, Spacelift will maintain and implement appropriate technical and organizational measures for protection of the security, confidentiality and integrity of Customer Personal Data, as presented in Spacelift’s Trust Center (the “Security Measures”). Customer acknowledges that the Security Measures may be updated from time to time to reflect process improvements or changing practices, but the modifications will not materially decrease Spacelift’s obligations as compared to those reflected in such terms as of the Effective Date of the Services Agreement and will be proportionate to the identified risks.

4.3. Customer Responsibility. Customer must thoroughly review the information provided by Spacelift regarding data security. It is Customer's responsibility to independently assess whether the Services comply with its requirements and legal obligations under Applicable Data Protection Laws. Customer acknowledges that, notwithstanding Spacelift's obligations outlined in this DPA, Customer is solely accountable for utilizing the Services. This includes (a) ensuring the Services are appropriately used to maintain a level of security appropriate to the risk associated with Customer Personal Data; (b) safeguarding the authentication credentials, systems, and devices used to access the Services; (c) securing Customer's systems and devices used in conjunction with the Services and (d) configuring, setting up, and operating the Services to align with Customer’s security and operational needs.

4.4. Personal Data Breach. Upon becoming aware of a confirmed Personal Data Breach, Spacelift will notify Customer without undue delay about details of such Personal Data Breach, unless prohibited by Applicable Data Protection Laws, provided that (i) in case of SaaS Services - Customer indicated Customer’s contact data in Spacelift’s SaaS solution under the following address: https://.app.spacelift.io/settings/security (being the domain name chosen by Customer to access Services) or (ii) in case of any other Services - Customer provided Spacelift with contact details regarding Personal Data Breaches. A delay in giving such notice requested by law enforcement and/or in light of Spacelift’s legitimate needs to investigate or remediate the matter before providing notice will not constitute an undue delay. Such notices will describe, to the extent possible, details of the Personal Data Breach. Without prejudice to Spacelift’s obligations under this Clause 4.4., Customer is solely responsible for complying with Personal Data Breach notification laws applicable to Customer and fulfilling any third party notification obligations related to any Personal Data Breaches. Spacelift’s notification of or response to a Personal Data Breach under this Clause 4.4 will not be construed as an acknowledgement of any fault or liability with respect to the Personal Data Breach.

5. AUDIT RIGHTS

The parties recognize that Customer must be able to evaluate Spacelift's adherence to its obligations under Applicable Data Protection Laws and this DPA, specifically given Spacelift is acting as a Processor or subprocessor. At Customer's request, Spacelift will present information concerning its compliance with the obligations outlined in this DPA to Customer and/or an independent third-party auditor appointed by Customer, including completion of audit questionnaires, provision of security policies and summaries of assessments of compliance with any industry standards (such as SOC II report), and/or penetration testing. Spacelift assures Customer that (a) any information provided in response to such requests is accurate to the best of Spacelift's knowledge and (b) the individual supplying this information is authorized to do so and possesses knowledge about Spacelift's information Security Measures.

6. DATA SUBJECT RIGHTS

Upon Customer’s request, Spacelift will provide Customer with such assistance as it may reasonably require to comply with its obligations under Applicable Data Protection Laws to respond to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws in cases where Customer cannot reasonably fulfill such requests independently. If Spacelift receives a request from a Data Subject in relation to their Personal Data, Spacelift will advise the Data Subject to submit their request to Customer, and Customer will be responsible for handling any such request.

7. DATA PRIVACY IMPACT ASSESSMENT

Upon Customer’s request, Spacelift will provide Customer with reasonable cooperation needed to fulfill Customer’s obligation under the Applicable Data Protection Laws to carry out a data protection impact assessment or handle prior consultation with the applicable data protection authority related to Customer’s use of the Services, to the extent Customer does not otherwise have access to the relevant information, and to the extent such information is available to Spacelift.

8. DELETION OF DATA

Spacelift will delete all copies of Customer Personal Data in its possession or control upon the termination or expiry of the Services Agreement, according to its data retention scheme. Notwithstanding the foregoing, Customer acknowledges that Spacelift may retain Customer Personal Data if required by Applicable Data Protection Laws, and such data will remain subject to the requirements of this DPA.

9. LIABILITY

Unless specifically agreed otherwise in the Services Agreement, each party’s liability arising out of or related to this DPA and its Annexes, whether in contract, tort or under any other theory of liability, is subject to any “Limitation of Liability” section of the Services Agreement, and any reference in such section to the liability of a party means the aggregate liability of that party under the Services Agreement and the DPA together, subject to any exclusions in accordance with Applicable Data Protection Laws and provisions of the Services Agreement.

10. INTERNATIONAL PROVISIONS

10.1. Processing Activities. Customer acknowledges that Spacelift Processes Customer Personal Data primarily in Europe and the United States. Customer authorizes Spacelift and its Sub-processors to make international data transfers of Customer Personal Data in accordance with this DPA so long as Applicable Privacy Laws for such transfers are respected.

10.2. Jurisdiction-Specific Annexes. To the extent that Spacelift Processes Customer Personal Data originating from and protected by Applicable Data Protection Laws in one of the jurisdictions listed in Annex 2 (Jurisdiction Specific Terms), then the terms specified therein with respect to the applicable jurisdiction(s) will apply in addition to the terms of this DPA. In the event of a conflict between the Services Agreement or this DPA and an Annex, the Annex applicable to Customer Personal Data from the relevant jurisdiction will control with respect to Customer Personal Data from that relevant jurisdiction, and solely with regard to the portion of the provision in conflict.

11. MISCELLANEOUS

11.1. Services Agreement. This DPA forms part of the Services Agreement and except as expressly set forth in this DPA, the Services Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Services Agreement, this DPA will govern.

11.2. Applicable Data Protection Laws Changes. In the event of changes to Applicable Data Protection Laws, including, but not limited to, the amendment, revision or introduction of new laws, regulations, or other legally binding requirements to which either party is subject, the parties agree to revisit the terms of this DPA, and negotiate any appropriate or necessary updates in good faith, including the addition, amendment, or replacement of any Annexes.

11.3. Termination. This DPA will automatically terminate upon expiration or termination of the Services Agreement. However, for the avoidance of doubt, the provisions of the DPA will in all cases continue to apply for as long as Spacelift Processes Customer Personal Data on behalf of Customer.

11.4. Governing Law and Jurisdiction. Except for the provisions of the Standard Contractual Clauses included in the Annex 2 - Jurisdiction Specific Terms, if applicable:

  • 11.4.1. the parties to this DPA hereby agree to abide by the jurisdiction specified in the Services Agreement for the resolution of any disputes or claims arising under this DPA. This includes disputes related to its existence, validity, termination, or the consequences of its nullity.

  • 11.4.2. the laws governing this DPA and all non-contractual or other obligations arising from or in connection with it are determined by the country or territory designated for this purpose in the Services Agreement.

11.5. Severability. If any provision of this DPA is deemed unlawful or unenforceable, such provision will be stricken from this DPA to the extent of such illegality or unenforceability, and the remainder will remain in full force and effect.

11.6. Annexes. For the avoidance of doubt, each reference to the DPA means this DPA including its Annexes (including the Standard Contractual Clauses, if the Standard Contractual Clauses have been entered into in accordance with the Services Agreement or this DPA), consisting in:

  • 11.6.1. Annex 1: SUBJECT MATTER AND DETAILS OF PROCESSING

  • 11.6.2. Annex 2: JURISDICTION SPECIFIC TERMS

ANNEX 1: SUBJECT MATTER AND DETAILS OF PROCESSING

1. LIST OF PARTIES

| | Customer | Spacelift |
|---|---|---|
| Name: | Customer as identified in the Services Agreement | Spacelift, Inc. |
| Address: | As listed by Customer in the website purchase portal or as identified on the Services Agreement | 541 Jefferson Ave. Suite 100, Redwood City CA 94063, USA |
| Contact Person: | As listed by Customer in the website purchase portal or as identified on the Services Agreement | privacy@spacelift.io |
| Role: | Included in Clause 2.1 of the DPA | Included in Clause 2.1 of the DPA |
| Signatures: | By entering into the Services Agreement, Data Exporter is deemed to have signed the DPA, including its Annexes | By entering into the Services Agreement, Data Importer is deemed to have signed the DPA, including its Annexes |

2. DESCRIPTION OF PROCESSING AND TRANSFER, IF APPLICABLE

| Description | Details |
|---|---|
| Categories of data subjects whose personal data is processed / transferred: | Users of the software provided by Spacelift, in particular staff including volunteers, agents, temporary and casual workers |
| Categories of personal data processed / transferred: | Name, logins, and e-mail addresses, data concerning Services usage |
| Are sensitive data processed / transferred? | No |
| The frequency of processing / transfer: | Continuous, as required for the provision of Services under the Services Agreement. |
| Nature and purpose of processing / transfer: | Spacelift will process Personal Data as necessary to provide the Services under the Services Agreement. |
| The period for which the personal data will be retained: | Specified in the Services Agreement (duration of the Services Agreement). |
| For transfers to (sub-) processors - the subject matter, nature, and duration of the processing: | Where Spacelift engages Subprocessors it will do so in compliance with the terms of the DPA. The subject matter, nature, and duration of the Processing activities carried out by the Subprocessor will not exceed the subject matter, nature and duration of the Processing activities as described in the DPA. |

ANNEX 2: JURISDICTION SPECIFIC TERMS

1. EUROPEAN ECONOMIC AREA (EEA) AND UNITED KINGDOM (UK)

1.1. Definitions.

  • 1.1.1. The definition of “Applicable Data Protection Laws” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”) and the EU GDPR as saved into UK law by virtue of Section 3 of the UK’s European Union Act 2018 and the UK Data Protection Act 2018 (“UK GDPR”).

  • 1.1.2. "Restricted Transfer" means (i) where the EU GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; and (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018.

  • 1.1.3. “Standard Contractual Clauses” means (i) where the EU GDPR applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, the United Kingdom International Data Transfer Addendum to the European Commission’s Standard Contractual Clauses for international data transfers version B1.0 issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act of 2018 and entering into force on 21 March 2022, as updated, amended, or replaced from time to time ("UK IDTA").

1.2. SCCs. The parties agree that when the transfer of Personal Data from Customer to Spacelift is a Restricted Transfer, it will be subject to the appropriate Standard Contractual Clauses, being EU SCCs or UK IDTA, which are incorporated herein by reference.

1.3. EU SCCs. In relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply as follows:

  • 1.3.1. Module Two will apply to the extent that Customer is a controller of the Personal Data, and Module Three will apply to the extent that Customer is a processor of the Personal Data on behalf of a third-party controller;

  • 1.3.2. For both Modules Two and Three, Customer is the Data Exporter and Spacelift is the Data Importer.

  • 1.3.3. In Clause 7, the optional docking clause will apply;

  • 1.3.4. In Clause 9, Option 2 (General Authorization) will apply, and the period for prior notice of Sub-processor changes will be as set out in Clause 3.3. of this DPA;

  • 1.3.5. In Clause 11, the optional language will not apply;

  • 1.3.6. In Clause 17, Option 1 will apply, and the EU SCCs will be governed by Polish law;

  • 1.3.7. In Clause 18(b), disputes will be resolved before the courts of Poland;

  • 1.3.8. Annex I of the EU SCCs will be deemed complete with (as to Part A and Part B) information set out in Annex 1 to this DPA and (as to Part C) with the Polish supervisory authority;

  • 1.3.9. Annex II of the EU SCCs will be deemed completed with the information set out in the Trust Center;

  • 1.3.10. Annex III of the EU SCCs will be deemed completed with the information set out in the Trust Center.

1.4. UK IDTA. In relation to Controller Personal Data that is protected by the UK GDPR, the UK IDTA will apply completed as follows:

  • 1.4.1. The EU SCCs, completed as set out above in Clause 1.3 of this Annex will also apply to transfers of such Personal Data, subject to Sub-clause 1.4.2 below;

  • 1.4.2. Tables 1 to 3 of the UK Addendum will be deemed completed with relevant information from the EU SCCs, completed as set out above, and the options "either party" will be deemed checked in Table 4. The start date of the UK IDTA (as set out in Table 4) will be the Services Agreement Effective Date.

  • 1.4.3. The parties confirmed that they adopt the following wording of the Part II of the UK IDTA: Mandatory Clauses of the Approved Addendum, being the template Addendum B.1.0 issued by the ICO and laid before Parliament in accordance with section 119A of the Data Protection Act 2018 on 2 February 2022, as it is revised under Section 18 of those Mandatory Clauses.

1.5. GDPR Penalties. Notwithstanding anything to the contrary in this DPA or in the Services Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR or UK GDPR fines issued or levied against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR or UK GDPR.

2. SWITZERLAND

2.1. The definition of “Applicable Data Protection Laws” includes the Federal Act on Data Protection of 19 June 1992 (the “FADP”).

2.2. With respect to Personal Data transferred from Switzerland for which Swiss law (and not the law in any European Economic Area jurisdiction) governs the international nature of the transfer, (i) references to the GDPR in Clause 4 of the EU SCCs are, to the extent legally required, amended to refer to the FADP or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner; and (ii) as so amended and updated by Clause 1.3 above, the EU SCCs are incorporated herein by reference and will apply, form a part of this DPA, and take precedence over the rest of this DPA to the extent of conflict.

3. CALIFORNIA

3.1. The definition of “Applicable Data Protection Laws” includes the California Consumer Privacy Act, as amended by the California Privacy Rights Act (“CCPA”).

3.2. The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings given in the CCPA.

3.3. With respect to Customer Personal Data, Spacelift is a service provider under the CCPA.

3.4. Spacelift will not (a) sell Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using, or disclosing Customer Personal Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose Customer Personal Data outside of the direct business relationship between Spacelift and Customer.

3.5. The parties acknowledge and agree that the Processing of Customer Personal Data authorized by Customer’s instructions described in the DPA is integral to and encompassed by Spacelift’s provision of the Services and the direct business relationship between the parties.

3.6. Notwithstanding anything in the Services Agreement or any written agreement entered in connection therewith, the parties acknowledge and agree that Spacelift’s access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Services Agreement.

3.7. Spacelift agrees that it will provide Customer with reasonable assistance and cooperate with Customer’s obligations under CCPA to ensure that Spacelift is: (a) Processing Personal Data in a manner consistent with Spacelift’s obligations and (b) stopping and remediating any unauthorized use of Personal Data.