Data Processing Agreement
Data Processing Agreement (DPA) between Spacepad and its customers, in accordance with GDPR Article 28.
This Data Processing Agreement ("DPA") is entered into between Waterway Studios, operating as Spacepad, Sweelinckplein 90, 5216ED 's-Hertogenbosch, the Netherlands, KvK 88397971 ("Processor"), and the customer organization using Spacepad services ("Controller").
By using Spacepad, the Controller agrees to this DPA. This DPA supplements and forms part of the Spacepad Terms & Conditions.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- Processing: Any operation performed on Personal Data, as defined in GDPR Article 4(2).
- GDPR: Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
- Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- Data Subject: A natural person whose Personal Data is processed.
- Supervisory Authority: Autoriteit Persoonsgegevens (AP), the Dutch data protection authority.
2. Subject Matter and Duration of Processing
Subject matter: The Processor provides the Controller with a meeting room display service that reads calendar availability data from the Controller's calendar system (Microsoft 365, Google Workspace, or CalDAV).
Duration: Processing continues for the term of the subscription agreement. Upon termination, Personal Data will be deleted in accordance with Section 9.
3. Nature and Purpose of Processing
The Processor processes Personal Data solely to:
- Read room resource availability (booking status, start/end times, optionally meeting title and organizer name) from the Controller's calendar system
- Authenticate and manage user accounts belonging to the Controller's administrators
- Display room availability on tablet devices registered by the Controller
- Send transactional emails related to account management and billing
Processing occurs only on documented instructions from the Controller, as set out in this DPA and the Terms & Conditions, unless EU or Member State law requires otherwise. In such a case, the Processor will inform the Controller before processing unless prohibited by law.
4. Categories of Personal Data and Data Subjects
Categories of Personal Data processed:
| Category | Examples | Source |
|---|---|---|
| Account data | Name, email address, company name | Provided by the Controller at registration |
| Calendar metadata | Meeting titles, organizer names, start/end times, room booking status | Retrieved via Microsoft Graph API or Google Calendar API |
| Device data | Tablet device identifiers, configuration | Generated by the Processor on behalf of the Controller |
| Authentication data | OAuth tokens for calendar access | Provided by the Controller via OAuth consent flow |
| Technical logs | IP addresses, request timestamps | Generated automatically |
Categories of data subjects:
- Employees or administrators of the Controller who register accounts
- Employees of the Controller whose calendar meetings appear in room displays
- Meeting organizers and attendees where meeting titles include personal names
5. Controller Obligations
The Controller warrants and represents that:
- It has a lawful basis under GDPR for sharing Personal Data with the Processor.
- It has connected only calendar systems and resources that it is authorized to share.
- It has provided appropriate privacy notices to data subjects (employees, meeting organizers) informing them that room display data is processed by Spacepad.
- It will immediately notify the Processor of any change to applicable data protection law that materially affects this DPA.
- It will not instruct the Processor to process Personal Data in a manner that would violate applicable law.
6. Processor Obligations
The Processor commits to:
- Processing Personal Data only on the Controller's documented instructions and for no other purpose.
- Ensuring that all personnel authorized to process Personal Data are bound by confidentiality obligations.
- Implementing and maintaining the technical and organizational security measures described in Section 7.
- Not engaging new Sub-processors without prior general or specific authorization from the Controller (see Section 8).
- Assisting the Controller, to the extent technically feasible, in fulfilling its obligations regarding Data Subject rights (access, rectification, erasure, portability, restriction, objection) within 30 days of receiving a forwarded request.
- Notifying the Controller without undue delay (and at most within 72 hours) upon becoming aware of a Personal Data breach affecting the Controller's data.
- Providing the Controller, upon request, with all information necessary to demonstrate compliance with GDPR Article 28.
- Deleting all Personal Data of the Controller within 30 days of termination, unless EU or Member State law requires continued retention.
7. Technical and Organizational Security Measures
The Processor implements the following measures in accordance with GDPR Article 32:
Confidentiality
- Access to production systems is restricted to authorized personnel only.
- Multi-factor authentication is required for all production system access.
- All personnel are bound by confidentiality agreements.
Integrity and availability
- All data in transit is encrypted using TLS 1.2 or higher.
- Data at rest is encrypted using AES-256.
- Automated daily backups with 30-day retention, stored within the EU.
- Redundant infrastructure to maintain service availability.
Resilience and recovery
- Incident response procedures are documented and tested.
- Service recovery time objective (RTO): 4 hours for critical incidents.
Ongoing review
- Regular dependency audits and security patching.
- Periodic review of access rights.
The Processor will update these measures as necessary to reflect the evolving threat landscape and ensure an appropriate level of security.
8. Sub-processors
The Controller grants general authorization to engage the following Sub-processors. All Sub-processors process data within the EU or under appropriate GDPR safeguards (Standard Contractual Clauses):
| Sub-processor | Role | Purpose | Location | Safeguard |
|---|---|---|---|---|
| TransIP B.V. | Infrastructure | Cloud server hosting and data storage | Netherlands (EU) | EU-based |
| Cloudflare, Inc. | Infrastructure | DNS, DDoS protection, CDN | EU edge nodes | SCCs |
| Brevo (Sendinblue SAS) | Communications | Transactional email delivery | France (EU) | EU-based |
| LemonSqueezy | Billing | Subscription payment processing | EU region | SCCs |
The Processor will notify the Controller of any intended changes (additions or replacements) to this list at least 14 days in advance via email to the registered account address. The Controller may object to a new Sub-processor in writing within 14 days of notification. If the Processor cannot accommodate the objection without materially impacting the service, either party may terminate the agreement upon 30 days' notice.
All Sub-processors are bound by data protection obligations at least equivalent to those in this DPA.
9. Data Retention and Deletion
Upon termination of the subscription:
- Account data and device configuration are deleted within 30 days upon request.
- Calendar OAuth tokens are revoked and deleted immediately upon account deletion.
- Calendar metadata is not stored persistently; it is retrieved in real-time and not retained after display.
- Technical logs are retained for a maximum of 90 days for security and debugging purposes.
- Billing records are retained for 7 years to comply with Dutch legal obligations (Article 2:10 BW). This is a legal obligation independent of the DPA.
Upon request, the Processor will provide written confirmation of deletion.
10. Data Subject Rights
The Controller remains responsible for responding to Data Subject rights requests. The Processor will:
- Forward any rights requests received directly from Data Subjects to the Controller within 5 business days.
- Provide reasonable technical assistance to the Controller to fulfill requests.
- Not respond directly to Data Subjects on behalf of the Controller, except as instructed.
Data Subjects who wish to exercise their rights (access, erasure, portability, etc.) should contact the Controller directly. The Controller's employees may also delete their own Spacepad user accounts via the account settings page in the Spacepad dashboard.
11. Data Breach Notification
The Processor will notify the Controller without undue delay — and at the latest within 72 hours of becoming aware — of any Personal Data breach affecting the Controller's data. Notification will include, where available:
- The nature of the breach
- The categories and approximate number of data subjects affected
- The categories and approximate number of Personal Data records affected
- The likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
The Controller is responsible for notifying the Autoriteit Persoonsgegevens and affected Data Subjects as required by GDPR Articles 33 and 34.
12. Audits and Compliance
The Controller may request an audit of the Processor's data processing activities with at least 30 days' written notice. The Processor may satisfy audit requests by providing:
- Up-to-date third-party security certifications
- Written responses to a standard security questionnaire
- Access to relevant documentation
On-site audits may be agreed upon at additional cost. The Processor may object to an audit that would compromise the security or confidentiality of other customers' data.
13. International Data Transfers
All Personal Data is processed and stored within the European Union. Where Sub-processors are based outside the EEA, transfers are covered by Standard Contractual Clauses (SCCs) adopted by the European Commission pursuant to GDPR Article 46(2)(c). A copy of applicable SCCs is available upon request.
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms & Conditions, to the extent permitted by applicable law. Nothing in this DPA limits either party's liability for intentional misconduct or gross negligence.
15. Governing Law and Jurisdiction
This DPA is governed by the laws of the Netherlands. Any disputes arising from or in connection with this DPA shall be submitted to the exclusive jurisdiction of the competent courts of 's-Hertogenbosch, the Netherlands.
16. Contact
For questions regarding this DPA, to request deletion of data, or to exercise any rights:
Waterway Studios
Sweelinckplein 90
5216ED 's-Hertogenbosch
The Netherlands
Email: support@spacepad.io
Last updated: May 2026