Data Processing Agreement
Effective Date: [Date]
Last Updated: [Date]
This Data Processing Agreement ("DPA") forms part of the Creator Agreement ("Principal Agreement") between Spinhub Limited ("Processor," "Spinhub," "we," "us") and the Creator ("Controller," "you") using Spinhub's services.
Table of Contents
Annexes
- Annex I: Processing Details
- Annex II: Technical and Organizational Measures
- Annex III: Authorized Sub-Processors
1. Definitions
1.1 GDPR Terms
Terms used in this DPA have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR"):
- "Personal Data" - Any information relating to an identified or identifiable natural person
- "Processing" - Any operation performed on personal data
- "Controller" - Entity determining purposes and means of processing
- "Processor" - Entity processing personal data on behalf of the controller
- "Data Subject" - Individual whose personal data is processed
- "Supervisory Authority" - Independent public authority supervising data protection
1.2 Agreement-Specific Terms
- "Supporter Data" - Personal data of your supporters/subscribers
- "Platform Services" - Spinhub's creator platform and related services
- "Security Incident" - Breach of security leading to personal data compromise
- "Sub-Processor" - Third party engaged by Spinhub to process personal data
2. Scope and Application
2.1 Relationship of the Parties
For Supporter Data:
- You are the Controller - You determine why and how supporter data is processed
- We are the Processor - We process supporter data on your behalf
- Limited to Platform Services - Only data processed through Spinhub
For Your Data:
- We may be Controller for your account data
- See our Privacy Policy for details
- This DPA covers only processor activities
2.2 Applicability
This DPA applies when:
- You use Spinhub to interact with supporters
- We process supporter personal data for you
- GDPR or similar laws require a DPA
- Either party is in the EU/EEA
2.3 Precedence
In case of conflict:
- Mandatory law prevails
- This DPA prevails over Principal Agreement
- Principal Agreement prevails over other terms
3. Processing Details
3.1 Nature and Purpose
Nature of Processing:
- Hosting supporter accounts
- Facilitating creator-supporter interactions
- Processing payments and subscriptions
- Delivering content to supporters
- Providing analytics and insights
Purpose of Processing:
- Enable your creator services
- Manage supporter relationships
- Process financial transactions
- Provide platform features
- Ensure service security
3.2 Categories of Data
Supporter Personal Data:
- Account information (name, email, username)
- Payment data (processed by payment providers)
- Interaction data (messages, comments)
- Preference data (subscription choices)
- Technical data (IP address, device info)
Special Categories:
- Not intentionally processed
- Age verification data (21+ requirement)
- Immediately deleted after verification
3.3 Data Subjects
- Your supporters/subscribers
- Prospective supporters
- Former supporters
- Message recipients
- Content viewers
3.4 Duration
Processing continues for the duration of:
- Creator Agreement term
- Plus wind-down period
- Legal retention requirements
- Until deletion completed
4. Processor Obligations
4.1 General Obligations
Spinhub shall:
- Process personal data only on documented instructions
- Ensure confidentiality of personnel
- Implement appropriate security measures
- Engage sub-processors only as permitted
- Assist with data subject requests
- Delete or return data after termination
- Demonstrate compliance with obligations
4.2 Instructions for Processing
Documented Instructions:
- This DPA and Principal Agreement
- Your use of platform features
- Written instructions via official channels
- Legal requirements
Unlawful Instructions:
- We'll notify you of legal conflicts
- Won't follow unlawful instructions
- May suspend processing if required
- Document all concerns
4.3 Personnel
Confidentiality:
- All personnel sign confidentiality agreements
- Access limited to necessary staff
- Regular training provided
- Violations result in disciplinary action
Reliability:
- Background checks conducted
- Security awareness training
- Regular performance reviews
- Access immediately revoked upon termination
4.4 Cooperation
We will reasonably assist with:
- Data protection impact assessments
- Prior consultation with authorities
- Demonstrating compliance
- Responding to supervisory authorities
- Reasonable additional measures
5. Controller Obligations
5.1 Lawful Basis
You warrant and represent:
- You have lawful basis for processing
- Processing instructions are lawful
- You've provided required notices
- You've obtained necessary consents
- You comply with applicable laws
5.2 Instructions
You shall:
- Provide clear, lawful instructions
- Not require illegal processing
- Update instructions as needed
- Use platform features appropriately
- Document special requirements
5.3 Compliance
You are responsible for:
- Your privacy policy accuracy
- Supporter consent management
- Responding to supporter requests
- Regulatory compliance
- Record keeping obligations
6. Security Measures
6.1 Technical Measures
Encryption
- Data encrypted in transit (TLS 1.3)
- Data encrypted at rest (AES-256)
- Key management procedures
- Certificate management
- Regular security updates
Access Controls
- Role-based access control
- Multi-factor authentication
- Privileged access management
- Regular access reviews
- Audit logging
Infrastructure
- Firewalls and intrusion detection
- DDoS protection
- Vulnerability scanning
- Penetration testing
- Security monitoring
6.2 Organizational Measures
Policies and Procedures:
- Information security policy
- Incident response procedures
- Business continuity planning
- Change management
- Risk assessments
Physical Security:
- Data center security (ISO 27001)
- Access restrictions
- Environmental controls
- Secure disposal procedures
- Asset management
6.3 Ongoing Improvement
- Regular security reviews
- Industry best practices adoption
- Threat intelligence monitoring
- Security awareness programs
- Continuous improvement process
7. Sub-Processors
7.1 Authorized Use
General Authorization:
- You authorize sub-processors listed in Annex III
- We may engage additional sub-processors
- 30 days' notice for new sub-processors
- You may object with reasonable grounds
- Current list at: spinhub.com/sub-processors
7.2 Sub-Processor Requirements
All sub-processors must:
- Sign data protection agreements
- Provide equivalent protections
- Be located in adequate jurisdictions
- Undergo security assessments
- Maintain appropriate certifications
7.3 Liability
- We remain liable for sub-processors
- Same obligations imposed
- Regular monitoring conducted
- Immediate action for violations
- Right to audit maintained
7.4 Objection Process
If you object to a sub-processor:
- Submit written objection within 30 days
- Provide specific concerns
- We'll address or provide alternatives
- If unresolved, termination rights apply
8. Data Subject Rights
8.1 Assistance Obligation
We will assist you in responding to:
- Access requests
- Rectification requests
- Erasure requests
- Restriction requests
- Portability requests
- Objection rights
- Automated decision-making rights
8.2 Process
When we receive requests:
- Forward to you immediately
- Do not respond directly (unless authorized)
- Provide necessary data/tools
- Document all actions
- Complete within agreed timeframes
Tools Provided:
- Supporter data export
- Bulk data operations
- Deletion tools
- Access logs
- Audit trails
8.3 Timeframes
- Forward requests: Within 2 business days
- Provide data: Within 5 business days
- Complex requests: Agree timeline
- Urgent matters: 24 hours
- Legal requirements: As mandated
9. Personal Data Breach
9.1 Notification
Breach Detection:
If we detect a breach affecting supporter data:
- Investigate immediately
- Notify you without undue delay
- Maximum 24 hours from awareness
- Provide all required information
- Regular updates until resolved
9.2 Information Provided
Breach notifications will include:
- Nature of the breach
- Categories and numbers affected
- Likely consequences
- Measures taken/proposed
- Contact point for information
- Cross-border implications
9.3 Cooperation
We will:
- Assist with authority notifications
- Help with data subject notifications
- Provide evidence for investigations
- Implement additional measures
- Document all actions taken
9.4 Records
We maintain records of:
- All security incidents
- Investigation findings
- Remediation actions
- Notification timelines
- Lessons learned
10. International Data Transfers
10.1 Transfer Mechanisms
For transfers outside EU/EEA:
- Standard Contractual Clauses (SCCs)
- Adequacy decisions where applicable
- Your explicit consent where required
- Derogations under Article 49 GDPR
10.2 Standard Contractual Clauses
Module Two (Controller to Processor):
- Incorporated by reference
- Latest EU Commission version
- Ireland as competent authority
- Option 2 for Clause 9 (general authorization)
10.3 Additional Safeguards
Beyond SCCs:
- Encryption for all transfers
- Access controls
- Transfer impact assessments
- Regular review of necessity
- Minimization principles
10.4 Your Rights
You may:
- Request transfer information
- Obtain copies of safeguards
- Object to specific transfers
- Require additional protections
- Terminate for transfer violations
11. Audit and Inspection
11.1 Audit Rights
You have the right to:
- Verify our compliance
- Conduct audits or inspections
- Appoint third-party auditors
- Review security measures
- Access compliance documentation
11.2 Audit Process
Requirements:
- 30 days' written notice
- Reasonable scope defined
- During business hours
- Maximum once per year
- Qualified auditors only
Our Cooperation:
- Provide requested information
- Grant facility access (if needed)
- Make personnel available
- Demonstrate compliance
- Implement agreed improvements
11.3 Audit Costs
- You bear your audit costs
- We bear our cooperation costs
- Shared costs for findings requiring remediation
- Excessive audits may incur fees
- Emergency audits at our cost if caused by our fault
11.4 Alternatives
Instead of audits, you may:
- Accept our certifications (ISO 27001)
- Review our audit reports
- Rely on third-party assessments
- Use questionnaires
- Participate in group audits
12. Return and Deletion
12.1 Upon Termination
At your choice, we will:
- Return all personal data
- Delete all personal data
- Combination of both
- Certify completion
12.2 Return Process
If return requested:
- Export in standard format
- Secure transfer method
- Complete within 30 days
- Verify successful transfer
- Delete after confirmation
12.3 Deletion Process
If deletion requested:
- Delete from production systems immediately
- Delete from backups within 90 days
- Overwrite/destroy securely
- Provide deletion certificate
- Document deletion method
12.4 Exceptions
We may retain data if required by:
- EU or member state law
- Legal proceedings
- Regulatory requirements
- Legitimate interests (limited)
- Technical limitations (explained)
13. Liability and Indemnification
13.1 Liability Caps
Our liability is limited to:
- Direct damages only
- The greater of:
  - €500,000
  - Total fees paid in the preceding 12 months
- Excludes consequential damages
- Subject to applicable law
13.2 Indemnification
You indemnify us for:
- Your unlawful instructions
- Your breach of obligations
- Claims from your supporters
- Regulatory fines from your actions
- Third-party claims from your processing
We indemnify you for:
- Our breach of DPA obligations
- Unauthorized processing
- Security failures within our control
- Sub-processor violations
- Our negligence or willful misconduct
13.3 Mitigation
Both parties shall:
- Mitigate damages promptly
- Cooperate in defense
- Not admit liability without consent
- Provide timely notice
- Preserve relevant evidence
14. Term and Termination
14.1 Duration
This DPA:
- Begins on Principal Agreement date
- Continues during Agreement term
- Survives for transition period
- Some obligations survive termination
14.2 Termination Rights
Either party may terminate if:
- Material breach not cured (30 days)
- Legal prohibition on processing
- Regulatory order
- Principal Agreement terminates
- Insolvency/bankruptcy
14.3 Effect of Termination
Upon termination:
- Processing ceases (except as required)
- Data returned/deleted
- Certifications provided
- Cooperation continues for investigations
- Confidentiality maintained
14.4 Survival
These sections survive:
- Confidentiality
- Audit assistance for past processing
- Liability and indemnification
- Data retention (if legally required)
- Governing law
15. General Provisions
15.1 Confidentiality
Both parties shall:
- Keep terms confidential
- Protect each other's information
- Use only for intended purposes
- Disclose only as required by law
- Return/destroy upon termination
15.2 Amendments
- Changes require written agreement
- Updates for legal compliance
- Notice of proposed changes
- Termination right for material changes
- Version control maintained
15.3 Governing Law
- Governed by Irish law
- EU data protection laws apply
- Dublin courts have jurisdiction
- GDPR interpretation prevails
- Mandatory law supersedes
15.4 Notices
Send notices to:
Controller: Via registered account email
Processor:
Spinhub Limited
Attn: Data Protection Officer
[Address]
Dublin, Ireland
Email: [email protected]
15.5 Order of Precedence
- Applicable data protection law
- This DPA
- Standard Contractual Clauses
- Principal Agreement
- Other agreements
Annex I: Processing Details
A. List of Parties
Data Controller:
- Name: [Creator Name/Business]
- Address: [As registered]
- Contact: [Account email]
- Representative: [If applicable]
Data Processor:
- Name: Spinhub Limited
- Address: [Address], Dublin, Ireland
- Contact: [email protected]
- Registration: [Number]
B. Description of Processing
Categories of data subjects:
- Creator's supporters/subscribers
- Prospective supporters
- Website visitors
- Message recipients
Categories of personal data:
- Identity data (name, username)
- Contact data (email)
- Financial data (payment method)
- Transaction data
- Technical data
- Usage data
- Communication data
Sensitive data:
- None intentionally processed
- Age verification only (deleted immediately)
Processing operations:
- Collection and storage
- Organization and structuring
- Use and consultation
- Transmission to authorized parties
- Combination with platform data
- Restriction and erasure
Purpose(s):
- Provide creator platform services
- Enable supporter relationships
- Process payments
- Deliver content
- Provide analytics
- Ensure security
Duration:
- Length of Creator Agreement
- Plus legal requirements
- Until deletion requested
Transfers:
See Section 10 and sub-processor list
Annex II: Technical and Organizational Measures
Technical Security
Encryption
- TLS 1.3 for data in transit
- AES-256 for data at rest
- Encrypted backups
- Key management system
- Certificate pinning
Access Control
- Multi-factor authentication
- Role-based permissions
- Privileged access management
- Regular access reviews
- Session management
System Security
- Firewalls
- Intrusion detection/prevention
- Anti-malware
- Vulnerability scanning
- Security patching
Data Protection
- Data loss prevention
- Backup procedures
- Disaster recovery
- Business continuity
- Incident response
Organizational Security
Governance
- Security policies
- Risk assessments
- Privacy by design
- Change management
- Vendor management
Personnel
- Background checks
- Confidentiality agreements
- Security training
- Access provisioning
- Termination procedures
Physical Security
- Data center security
- Access controls
- Environmental monitoring
- Secure disposal
- Asset management
Compliance
- ISO 27001 certification
- Regular audits
- Compliance monitoring
- Policy updates
- Training programs
By using Spinhub's services, Controllers acknowledge and agree to this Data Processing Agreement.
Version: 1.0