
data processing agreement

the GDPR-required contract for when Hexelity Labs processes personal data on your behalf as part of the Spirby service.

last updated May 13, 2026

this Data Processing Agreement ("DPA") forms part of the Spirby terms of service between you (the "Customer") and HEXELITY LABS S.R.L. ("Hexelity Labs", "we", "us"). it applies whenever we process personal data on your behalf in connection with the Spirby service.

by accepting the terms of service, by paying for a plan, or by continuing to use the service after this DPA is published, the Customer accepts this DPA. no separate signature is required. if your organization requires a counter-signed copy, email [email protected].

if there is a conflict between this DPA and the terms of service in respect of the processing of personal data, this DPA prevails.

1. definitions

terms used in this DPA have the meanings given in the General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"). without limiting that:

  • "personal data" means information relating to an identified or identifiable natural person, where that information is processed by us on the Customer's behalf as part of the service.
  • "customer personal data" means personal data that the Customer or the Customer's end-users submit to or generate inside the service (for example posts, comments, votes, and the personal data of the Customer's end-users that the Customer collects through the service).
  • "sub-processor" means any third party that we engage to process customer personal data on our behalf.
  • "data subject", "controller", "processor", "processing", "international transfer", "supervisory authority", and "personal data breach" have the meanings given in the GDPR.

2. roles

with respect to customer personal data, the Customer is the controller and Hexelity Labs is the processor.

the Customer is responsible for the lawfulness of its processing, for having a valid legal basis for the processing it asks us to perform, and for providing the notices and obtaining the consents required from data subjects under applicable law.

with respect to personal data we collect from the Customer's account administrators (account email, billing details, support correspondence, etc.) for the purposes of operating the service, billing, and security, Hexelity Labs is an independent controller. that processing is described in our privacy policy and is outside the scope of this DPA.

3. subject matter and duration

we process customer personal data for the duration of the agreement and for the limited additional periods needed to delete or return data as set out in section 12 below. the subject matter, nature, purpose, categories of data subjects, and categories of personal data are described in Annex I.

4. the Customer's instructions

we will process customer personal data only on the documented instructions of the Customer, including with regard to international transfers, except where required to do so by EU or member state law to which we are subject. if a legal requirement compels us to process customer personal data otherwise than on the Customer's instructions, we will inform the Customer of that requirement before processing, unless that law prohibits us from doing so on important grounds of public interest.

the agreement (terms of service, this DPA, the privacy policy, and the configuration of the service through the application UI and APIs) constitutes the Customer's complete and final instructions for processing. additional instructions outside that scope require a separate written agreement and may be subject to additional fees.

if we believe a Customer instruction infringes the GDPR or other applicable EU or member state data protection law, we will inform the Customer.

5. confidentiality

we will ensure that personnel authorized to process customer personal data are bound by a duty of confidentiality (whether by contract or statute) and have received appropriate training on their data protection obligations.

6. security of processing

we will implement and maintain the appropriate technical and organizational measures described in Annex II to ensure a level of security appropriate to the risk, taking into account the state of the art, the cost of implementation, the nature of the processing, and the rights and freedoms of data subjects.

we will review the measures in Annex II regularly and update them as necessary. updates will not materially reduce the level of security of the service.

7. sub-processors

the Customer gives Hexelity Labs general authorization to engage sub-processors for the processing of customer personal data, subject to the following conditions:

  • the current list of sub-processors is in Annex III and at spirby.com/dpa.
  • before engaging a new sub-processor or replacing one, we will update Annex III at least 30 days in advance.
  • the Customer may object to a new sub-processor on reasonable data protection grounds within 30 days of the update by emailing [email protected]. if the Customer objects, the parties will discuss in good faith. if we cannot reasonably accommodate the objection, the Customer may terminate the affected portion of the service for cause and receive a pro-rata refund of any prepaid fees for the unused portion of the term.
  • we will impose on each sub-processor data protection obligations no less protective than those in this DPA, including the obligations on confidentiality, security, audit, sub-processing, and international transfers.
  • we remain liable for the acts and omissions of our sub-processors as if they were our own.

8. international transfers

we and most of our sub-processors are based in the European Economic Area. where customer personal data is transferred to a third country that is not subject to a European Commission adequacy decision applicable to the recipient, the parties enter into the European Commission's standard contractual clauses (Decision (EU) 2021/914) ("SCCs") in the configuration appropriate to the transfer (Customer is data exporter; Hexelity Labs is data importer; Module Two: controller to processor; or Module Three: processor to processor for onward transfers to sub-processors). by accepting this DPA, both parties are deemed to have signed the SCCs as so configured.

for transfers from the United Kingdom we incorporate the UK International Data Transfer Addendum to the SCCs issued by the UK Information Commissioner. for transfers from Switzerland we incorporate the SCCs as adapted by the Swiss Federal Data Protection and Information Commissioner.

we will provide reasonable supplementary information about specific transfers (recipient, country, safeguard, transfer-impact-assessment summary) on request.

9. assistance with data subject requests

we will, taking into account the nature of the processing, assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfil the Customer's obligation to respond to requests from data subjects under chapter III of the GDPR. the service provides controls that the Customer can use directly to access, correct, export, and delete personal data of its end-users. where a request requires our involvement beyond those controls, we will assist within a reasonable time.

if a data subject contacts us directly with a request relating to customer personal data, we will not respond on the substance and will, where we can identify the relevant Customer, refer the request to that Customer without undue delay.

10. assistance with controller obligations

we will assist the Customer in ensuring compliance with its obligations under articles 32 to 36 of the GDPR (security of processing, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to us.

11. personal data breaches

we will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting customer personal data. the notification will, to the extent we have the relevant information at the time:

  • describe the nature of the breach including, where possible, the categories and approximate number of data subjects and records concerned;
  • describe the likely consequences;
  • describe the measures we have taken or propose to take to address the breach and to mitigate its effects.

where we cannot provide all of this information at the same time, we will provide it in phases as it becomes available. we will document each breach we become aware of and provide the documentation to the Customer or the relevant supervisory authority on request.

we will not assess on the Customer's behalf whether a breach is notifiable to a supervisory authority or to data subjects. the Customer is the controller and decides.

12. return or deletion of data

on termination or expiry of the agreement, we will, at the Customer's choice, delete or return all customer personal data and delete existing copies, unless EU or member state law requires us to retain the data.

unless the Customer instructs otherwise within 30 days after termination or expiry, we will delete customer personal data from the production environment within 30 days. encrypted backups containing customer personal data are overwritten on a 35-day rolling cycle. data in backups remains protected by this DPA and the security measures in Annex II until that cycle completes the deletion.

we may retain customer personal data to the extent and for the period required by EU or member state law. any such retained data remains protected by the confidentiality and security obligations in this DPA.

13. audits

on the Customer's reasonable request, no more than once per calendar year (and additionally following a personal data breach affecting the Customer or a documented allegation of non-compliance), we will make available all information necessary to demonstrate compliance with this DPA. by default we satisfy this obligation by providing third-party audit reports, security white-papers, and our completed responses to industry-standard security questionnaires.

if those materials are not sufficient to demonstrate compliance, the Customer or an independent auditor mandated by the Customer (and reasonably acceptable to us, bound by confidentiality, and not a competitor of Hexelity Labs) may carry out an audit of our facilities and processing activities, on at least 30 days' written notice, during normal business hours, in a manner that does not interfere with the operation of the service or with our obligations to other customers, and at the Customer's expense. each party bears its own costs of cooperating in the audit. the auditor will share findings with both parties.

we will contribute to and cooperate with audits by supervisory authorities to the extent required by law.

14. liability

each party's liability under or in connection with this DPA is subject to the limitation of liability provisions of the terms of service.

nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable data protection law, including liability of either party as a controller or processor under article 82 of the GDPR.

15. term and termination

this DPA takes effect on the day the Customer accepts the terms of service (or, if later, the date this DPA is first accepted) and remains in force for as long as we process customer personal data on behalf of the Customer.

certain obligations (confidentiality, security, return or deletion, liability for past acts) survive termination.

16. updates to this DPA

we may update this DPA from time to time, including to reflect changes in applicable law, changes in our sub-processor arrangements, or changes in the service. material changes will be notified at least 30 days in advance using the notification mechanism in the terms of service. minor changes (typo corrections, clarifications that do not reduce the protection of customer personal data) take effect immediately.

prior versions of this DPA are available on request.

17. order of precedence

in the event of a conflict between documents that form part of the agreement, the order of precedence is:

  1. this DPA, in respect of the processing of personal data;
  2. any plan-specific or order-form terms expressly agreed in writing between the parties;
  3. the terms of service;
  4. the privacy policy.

Annex I. description of the processing

parties. Customer (data exporter, controller) and Hexelity Labs (data importer, processor).

categories of data subjects. end-users of the Customer who interact with the Customer's Spirby boards (visitors, post authors, commenters, voters, subscribers); the Customer's own teammates whom the Customer adds to its Spirby account.

categories of personal data. identifiers (name where provided, email address, hashed user identifiers); content the data subject submits (posts, comments, votes, attachments, profile fields the Customer chooses to collect); technical data (IP address, user-agent, request timestamps, anti-abuse signals); communications between the data subject and the Customer through the service.

we do not process special categories of personal data on the Customer's behalf in the ordinary course. the Customer agrees not to upload such data into free-text fields where it would foreseeably end up in our processing.

nature and purpose of the processing. providing the Spirby service: hosting and serving the Customer's feedback boards, roadmap, and changelog; storing and routing messages between the Customer and its end-users; sending transactional email on the Customer's instructions (vote confirmations, post replies, changelog subscriptions, etc.); providing the Customer with administrative tools to access, export, and delete the data; protecting the service from abuse and fraud; supporting the Customer when they ask for help.

duration of the processing. for the duration of the agreement, plus the deletion windows in section 12.

frequency of the processing. continuous, for as long as the Customer's account is active.

Annex II. security measures

we maintain a written information security program with administrative, technical, and physical safeguards designed to protect customer personal data against unauthorized or unlawful access, destruction, loss, alteration, or disclosure.

access control. role-based access to production systems with least-privilege defaults. mandatory multi-factor authentication for all administrative access. unique accounts per individual; no shared credentials. quarterly access reviews; immediate revocation on offboarding.

network and infrastructure security. application and database run on hardened virtual hosts; production databases are not exposed to the public internet. inter-machine traffic between application, database, backups, and observability is restricted to a private overlay network and authenticated. firewalling at the host level. operating-system images patched on a routine cadence; high-severity vulnerabilities patched on an emergency cadence.

encryption. TLS 1.2 or higher for all data in transit between the data subject's device and the service and between our services and our sub-processors. AES-256 for data at rest in the production database storage volume and in backups. session cookies and authentication tokens issued and validated using cryptographically secure primitives.

application security. secure software development practices including code review, dependency vulnerability scanning, automated tests covering security-relevant logic, rate limiting on authentication and other abuse-prone endpoints, input validation, output sanitization, content security policy headers, and protection against the OWASP Top 10 categories.

backups. encrypted off-site backups taken on a defined schedule, retained on a rolling 35-day cycle, and tested for restorability on a documented periodicity.

logging and monitoring. centralized application and security logs with retention defined in the privacy policy. alerting on security-relevant events. error and uptime monitoring. incident response runbooks.

personnel. all personnel with access to customer personal data are bound by written confidentiality obligations and receive periodic data protection and security training.

vendor management. sub-processors are reviewed for security and privacy posture before engagement and bound by written contracts including the obligations in section 7.

incident response. documented procedures for detecting, responding to, and notifying personal data breaches, including the timeline and information requirements in section 11.

business continuity. documented procedures for restoring service after major incidents, including database restoration from backup and recovery of the application stack.

we update these measures over time. we will not materially reduce the overall level of security of the service.

Annex III. sub-processors

current sub-processors (as of the date at the top of this document):

sub-processor | service | location | type of data
Servers Camp S.R.L. (Serverscamp) | application hosting, primary database, S3-compatible object storage (provider terms: https://serverscamp.com/legal/terms) | Romania | all customer personal data submitted through the service
Hetzner Online GmbH | encrypted off-site backups, self-hosted observability (error reports, logs, metrics, analytics) | Germany | backups containing customer personal data; technical data; hashed identifiers
Resend, Inc. | transactional email delivery (vote confirmations, comment subscriptions, changelog emails, account emails) | United States | recipient email address, message contents we generate from the service
Cloudflare, Inc. | DNS, CDN, custom-domain SSL, edge bot protection | United States, with global edge | network-level data (IP address, request metadata) needed to route and protect requests

where a sub-processor is located outside the EEA, transfers are governed by the safeguards in section 8.

the following providers are not sub-processors under this DPA but are listed here for transparency because they process personal data of the Customer's account administrators in connection with the relationship between the Customer and Hexelity Labs:

  • Polar (Polar Software, Inc., United States) acts as the Merchant of Record for paid Spirby subscriptions. Polar is the seller on the invoice issued to the Customer, processes payments on its own infrastructure, and is responsible for collecting and remitting any applicable transaction taxes. Polar is an independent controller of the personal data it collects from the Customer's billing administrator (billing address, payment method information, tax identifiers). Polar's privacy policy: https://polar.sh/legal/privacy. Polar's terms: https://polar.sh/legal/terms. this DPA does not apply to Polar's processing.

contact

questions about this DPA, requests for the SCC text, or sub-processor inquiries: [email protected].