DRAFT — pending legal review. Placeholder for business customers / B2B integrations. Spark is consumer-only at this stage; this DPA exists so the page resolves and so we can hand a real document to a B2B prospect on day one of that motion.
Version: 1.0.0 Effective date: 2026-05-15
This Data Processing Addendum supplements the Terms of Service when Spark processes personal data on behalf of a business customer ("Controller") whose end users are covered by GDPR, UK GDPR, or comparable regimes.
1. Scope
Where the Controller's end users use Spark in connection with the Controller's business, Spark acts as a "Processor" (GDPR Article 28). The categories of personal data processed are those described in our Privacy Policy.
2. Sub-processors
We engage the sub-processors listed in our live sub-processor list. We will notify the Controller at least 30 days before adding a new sub-processor, and the Controller may object on reasonable grounds.
3. Security
We implement technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, audit logging, and periodic review.
4. International transfers
For transfers out of the EEA / UK, we rely on the Standard Contractual Clauses (2021) and the UK International Data Transfer Addendum, as applicable.
5. Data subject requests
We will assist the Controller in fulfilling DSARs within reasonable timelines.
6. Audit
The Controller may audit our security and processing practices, subject to reasonable notice and confidentiality terms, no more than once per year (more frequently if required by regulators).
7. Term and deletion
Upon termination, we will delete or return all personal data within 90 days, except where retention is required by law.
Contact
legal@mauve.app to sign a DPA for your account.