Legal · DPA

Data Processing Agreement

Last updated: May 29, 2026

This DPA forms part of the Sparqbox Terms of Service. By accepting the Terms, you accept this DPA. A counter-signed copy is available on request: support@sparqbox.com.

1. Status and acceptance

This Data Processing Agreement ("DPA") forms part of and is incorporated by reference into the Sparqbox Terms of Service at sparqbox.com/legal. Accepting the Terms constitutes acceptance of this DPA. A counter-signed PDF is available on request to support@sparqbox.com.

2. Definitions

Terms used in this DPA have the meanings given in the GDPR (Regulation (EU) 2016/679). "Customer", "you", and "your" mean the organisation that has agreed to the Sparqbox Terms. "Sparqbox", "we", and "our" mean SupplyUp acting as operator of the Sparqbox service.

3. Roles and scope of processing

Customer is the controller and Sparqbox is the processor of Customer Personal Data. Sparqbox processes Customer Personal Data only to provide the Sparqbox service in accordance with the Terms, this DPA, and Customer's documented instructions (which include configuring the workspace and using the product interfaces).

4. Subject matter, duration, nature, purpose, data and data subjects

  • Subject matter: provision of the Sparqbox structured-idea-evaluation service.
  • Duration: the term of the Terms plus any post-termination periods required to return or delete data.
  • Nature and purpose: hosting, storage, access, transmission, computation, and AI-assisted scoring on Customer Personal Data so Customer can use the Sparqbox features.
  • Categories of data subjects: workspace users (employees, contractors, and admins authorised by Customer).
  • Categories of Personal Data: name, email, workspace role, activity and access logs, submitted idea content, scoring, comments, authentication metadata, and related technical logs.

5. Processor obligations

  • Process Customer Personal Data only on Customer's documented instructions, including those given through the product.
  • Ensure persons authorised to process Customer Personal Data are bound by confidentiality.
  • Implement and maintain the technical and organisational measures set out in Annex A.
  • Engage sub-processors only in accordance with Section 7.
  • Assist Customer with data subject requests as set out in Section 8.
  • Assist Customer with the security obligations of Articles 32-36 GDPR, taking into account the nature of processing and the information available.
  • Make available to Customer the information necessary to demonstrate compliance with this DPA and allow for audits as set out in Section 10.
  • On termination, delete or return Customer Personal Data as set out in Section 12.

6. Customer obligations

  • Maintain a valid legal basis under the GDPR for the personal data Customer instructs Sparqbox to process.
  • Provide all required privacy notices to data subjects (employees and other workspace users).
  • Give only lawful instructions for the processing of Personal Data.
  • Not upload special category data (Article 9 GDPR) into the Sparqbox service without prior written agreement covering additional safeguards.

7. Sub-processors

Customer authorises Sparqbox to engage the sub-processors listed at sparqbox.com/subprocessors. That list is incorporated into this DPA as Annex B.

Sparqbox will notify workspace admins by email at least 30 days before adding a new sub-processor that processes Customer Personal Data. Customer may object on reasonable data-protection grounds within 15 days of notice. If the parties cannot resolve the objection, Customer may terminate the affected service with a pro-rated refund of pre-paid fees for the unused remainder of the term, as Customer's sole and exclusive remedy.

Sparqbox imposes data-protection obligations on each sub-processor that are no less protective than those of this DPA, and remains liable to Customer for sub-processor performance.

8. Data subject requests

Sparqbox will, taking into account the nature of the processing, assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer's obligations to respond to data-subject requests. If Sparqbox receives a request directly from a data subject relating to Customer Personal Data, Sparqbox will forward it to Customer within 5 business days and will not respond to the request itself except on Customer instructions or where required by law.

9. Security and breach notification

Sparqbox maintains the technical and organisational measures described in Annex A. Current operational detail is published at sparqbox.com/security.

Sparqbox will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, providing: the nature of the breach, the categories and approximate number of data subjects and records concerned, likely consequences, and the measures taken or proposed to address it and mitigate possible adverse effects.

10. Audits

Sparqbox demonstrates compliance with this DPA by:

  • Publishing the security documentation at sparqbox.com/security.
  • Responding to standard security questionnaires (CAIQ Lite, SIG Lite, or equivalent) within 15 business days.

On-site audits are limited to once per calendar year, at Customer's expense, on 30 days' prior written notice, during business hours, and subject to confidentiality. Regulators with statutory rights of access are not limited by this paragraph.

11. International transfers

Where the provision of the Sparqbox service involves the transfer of Customer Personal Data from the EEA to a country outside the EEA, the transfer is conducted to a sub-processor listed in Annex B. The transfer relies on:

  • The EU-US Data Privacy Framework where the recipient is certified; or
  • The Standard Contractual Clauses for the transfer of personal data to third countries adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including Module 3 (processor to processor) where applicable. The SCCs are incorporated into this DPA by reference and apply between Sparqbox (as data exporter) and the relevant sub-processor (as data importer).

12. Return or deletion of data

On termination of the Terms, Customer may export workspace data for 30 days via the product. After the export window:

  • Customer Personal Data is deleted from production systems within 30 days; and
  • From encrypted backups within 90 days,

except where applicable law requires longer retention (including Dutch tax law for invoicing data, 7 years), in which case the data is retained for the legally required period and for the legal purpose only.

13. Liability

Each party's liability under or in connection with this DPA is subject to the exclusions and limitations of liability in the Terms.

14. Governing law

This DPA is governed by the laws of the Netherlands, consistent with the Terms.

Annex A — Technical and Organisational Measures

  • Encryption. TLS 1.2+ in transit; AES-256 at rest on database and object storage; encrypted secrets in environment variables.
  • Tenant isolation. Defence-in-depth across three layers: signed JWT with tenant identifier; application-derived tenant scope ignoring client-supplied ids; row-level security on every business table.
  • Access control. Production access limited to named individuals; logged; MFA enforced on all internal accounts; credentials rotated on schedule and after personnel change.
  • Authentication. Strong password rules, brute-force protection, SSO (SAML/OIDC) on Scale tier, short-lived sessions with revocable refresh tokens.
  • Backups and continuity. Daily encrypted backups, 30-day retention, 7-day point-in-time recovery, cross-region copies, tested recovery procedures.
  • Vulnerability management. Dependency scanning, mandatory code review, high-severity patches within 7 days, annual independent penetration test planned Q4 2026.
  • Logging and monitoring. Centralised logs, anomaly alerts, immutable audit log for sensitive actions.
  • Incident response. Documented process, 24-hour triage, customer notification without undue delay, 72-hour authority notification per Article 33 where required, post-incident review.
  • Personnel. Confidentiality obligations and security training for everyone with access to Customer Personal Data.

Current operational detail and any updates are published at sparqbox.com/security.

Annex B — Sub-processors

The current list of sub-processors, including purpose, data category, location, and transfer mechanism, is published at sparqbox.com/subprocessors and is incorporated into this DPA by reference. Workspace admins are notified by email at least 30 days before a new sub-processor handling Customer Personal Data is added.