Data Processing Agreement
Last updated May 2026
Preamble
This Data Processing Agreement ("DPA") forms part of, and is incorporated by reference into, the Terms and Conditions available at spinnable.ai/terms-and-conditions (the "Agreement" or "ToS") between Spinnable, Inc., a Delaware corporation with its registered office at 251 Little Falls Drive, Wilmington, DE 19808 ("Spinnable," "we," or "Processor"), and the entity or individual who has accepted the Agreement ("Customer," "you," or "Controller").
This DPA applies automatically to all Customers whose use of the Spinnable platform (the "Service") involves the Processing of Personal Data that is subject to Data Protection Laws. By accepting the Agreement, you also accept the terms of this DPA. No separate signature is required.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.
Contact: legal@spinnable.ai
1. Definitions
- 1.1 "Applicable Data Protection Laws" — all data protection and privacy laws applicable to the Processing of Personal Data under this DPA, including: (a) the EU GDPR 2016/679; (b) the UK GDPR and UK DPA 2018; (c) the Swiss FADP; and (d) any other applicable data protection laws.
- 1.2 "Controller" — the entity that determines the purposes and means of Processing Personal Data (= Customer).
- 1.3 "Data Subject" — an identified or identifiable natural person to whom Personal Data relates.
- 1.4 "EU SCCs" — the Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914.
- 1.5 "Personal Data" — any information relating to a Data Subject that is Processed by Spinnable on behalf of Customer in connection with the Service.
- 1.6 "Personal Data Breach" — a breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
- 1.7 "Processing" — any operation performed on Personal Data, whether or not by automated means.
- 1.8 "Processor" — entity that Processes Personal Data on behalf of the Controller (= Spinnable).
- 1.9 "Sub-processor" — any third party engaged by Spinnable to Process Personal Data on behalf of Customer.
- 1.10 "UK Addendum" — the International Data Transfer Addendum to the EU SCCs issued by the UK ICO.
2. Scope and Roles
2.1 Customer is the Controller. Spinnable is the Processor. Spinnable will Process Personal Data only on behalf of and in accordance with Customer's documented instructions.
2.2 This DPA applies to Spinnable's Processing of Personal Data in connection with the Service — specifically, the operation of AI-powered digital co-workers ("Workers").
2.3 Customer warrants that:
- (a) it has legal authority to provide Personal Data;
- (b) it has provided all necessary notices and obtained all necessary consents;
- (c) its Processing instructions comply with Applicable Data Protection Laws.
2.4 The Agreement and this DPA constitute Customer's complete documented instructions. Additional instructions must be agreed in writing. Spinnable shall inform Customer if an instruction infringes Applicable Data Protection Laws.
3. Processor Obligations
3.1 Confidentiality
All persons authorized to Process Personal Data have committed to confidentiality obligations. Spinnable shall not disclose Personal Data to any third party except as permitted by this DPA.
3.2 Security Measures
- Encryption at rest: AES-256
- Encryption in transit: TLS 1.2+
- Data isolation: per-account and per-Worker logical separation
- Access controls: RBAC with least privilege
- Infrastructure security: enterprise-grade cloud providers
- AI model data handling: zero data retention with LLM inference providers
- Continuous monitoring
3.3 AI-Specific Processing Safeguards
3.3.1 Neither Spinnable nor any Sub-processor (including AI model providers) shall use Customer Data — comprising prompts, inputs, outputs, logs, traces, embeddings, metadata, and any data derived from or generated during the provision of the Service — to train, fine-tune, improve, or benchmark any machine-learning or AI model, unless such data has been irreversibly anonymised such that it no longer constitutes Personal Data within the meaning of GDPR Recital 26.
3.3.2 Section 3.3.1 does not restrict Spinnable from accessing or processing Customer Data to the extent strictly necessary to deliver, maintain, secure, or remediate the Service, including error detection, debugging, performance monitoring, and incident response.
3.3.3 Spinnable ensures that each AI model provider is bound by contractual terms prohibiting the use of Customer Data for model training or improvement, consistent with this Section 3.3 and Annex 2.
3.3.4 To the extent of any conflict between this Section 3.3 and Spinnable's Terms of Service or Privacy Policy, this Section 3.3 prevails.
4. Sub-processor Management
4.1 Customer provides general written authorization to engage Sub-processors.
4.2 The current list of Sub-processors is set out in Annex II below.
4.3 Spinnable enters into written DPAs with each Sub-processor and remains fully liable for their performance.
4.4 Notification: Spinnable will update this page when engaging new Sub-processors. Customers may object to a new Sub-processor within 15 calendar days of the update by contacting legal@spinnable.ai. If the objection cannot be reasonably resolved, the Customer may terminate the affected service.
4.5 Right to Object: Customer may object within 15 calendar days on data protection grounds. Spinnable will work to provide an alternative. If no alternative is feasible within 30 days, either party may terminate the affected portion of the Service with a refund of prepaid fees.
5. International Data Transfers
5.1 Primary Data Storage: Customer Data at rest is stored in the European Union via Supabase's EU-hosted infrastructure.
5.2 Transfer Mechanisms (in order of priority)
- (a) Adequacy Decision
- (b) EU-U.S. Data Privacy Framework
- (c) EU Standard Contractual Clauses (Module 2 — Controller to Processor)
  - Clause 9(a): General authorization with 30-day notice
  - Governing law: Ireland
  - Forum: Courts of Ireland
- (d) UK Addendum for UK GDPR transfers
- (e) Swiss modifications for FADP transfers
5.3 AI Inference and Global Endpoints: Customer acknowledges that AI inference through Vertex AI and Bedrock may use global endpoints, meaning data may be transiently processed outside the EEA. This processing is:
- (a) ephemeral and real-time;
- (b) subject to zero data retention;
- (c) covered by the transfer mechanisms above; and
- (d) subject to the AI safeguards in Section 3.3.
5.4 Transfer impact assessment available upon request at legal@spinnable.ai.
6. Data Subject Rights
Spinnable shall assist Customer in fulfilling Data Subject requests (access, rectification, erasure, restriction, portability, objection). If Spinnable receives a request directly, it will redirect the Data Subject to Customer. The Service provides self-service functionality for Customer to manage data directly.
7. Personal Data Breach Notification
- Notification within 72 hours of becoming aware of a breach
- Includes: nature of breach, categories/numbers affected, likely consequences, measures taken
- Spinnable cooperates with investigation, mitigation, and any required notifications
8. Data Protection Impact Assessments
Reasonable assistance with DPIAs and prior consultations with supervisory authorities, at Customer's expense.
9. Audit Rights
- Spinnable makes all information necessary to demonstrate compliance available
- Customer may audit with 30 days' written notice
- Once per 12-month period (unless a breach occurred or a regulator requires it)
- Where Spinnable holds a relevant third-party audit report (SOC 2, ISO 27001), it may satisfy audit requests by providing that report
- Customer bears audit costs, unless the audit reveals a material breach by Spinnable
10. Data Deletion and Return
- On termination: Customer may elect return (machine-readable format) or deletion
- If no election within 90 days → Spinnable deletes all Personal Data
- Retention only to the extent required by applicable law
- Written certification of deletion available upon request
11. Liability
Liability under this DPA is subject to the limitations set out in the ToS. Claims under this DPA count toward (not in addition to) the aggregate liability cap in the Agreement.
12. General Provisions
12.1 Governed by the Agreement's governing law, except where Data Protection Laws require otherwise.
12.2 Spinnable may update the DPA with 30 days' notice for material changes.
12.3 The severability and entire agreement provisions of the Agreement apply to this DPA.
12.4 DPA remains in effect for the duration of Processing; Sections 7, 9, 10, and 11 survive termination.
12.5 Supervisory Authority Cooperation. Spinnable shall cooperate with supervisory authorities to the extent required by Applicable Data Protection Laws, including in connection with any investigation, audit, or inquiry relating to the processing of Personal Data under this DPA.
Annex I — Details of Processing
Data Exporter (Controller): The Customer
Data Importer (Processor): Spinnable, Inc. — 251 Little Falls Drive, Wilmington, DE 19808 — legal@spinnable.ai
| Category | Details |
|---|---|
| Subject matter | AI-powered digital co-workers ("Workers") performing business automation tasks |
| Duration | Term of the Agreement + period until deletion/return |
| Nature & purpose | Receiving, storing, organizing, retrieving Customer Data; transmitting to AI inference endpoints; generating outputs; logging, monitoring, error detection, maintenance |
| Types of Personal Data | As determined by Customer's use — may include: names, emails, phone numbers, job titles, employer info, addresses, IP addresses, device IDs, account data, and any other data submitted to the Service |
| Categories of Data Subjects | As determined by Customer's use — may include: employees, contractors, end users, customers, prospects, suppliers |
| Sensitive data | Service not designed for special category data (Art. 9/10 GDPR). Customer must implement appropriate safeguards if submitting such data. |
Annex II — Sub-Processors
1. Current Sub-Processor List. An up-to-date list of Sub-processors authorized to process Customer Data, including their names, processing purposes, and locations, is maintained at: Sub-Processors Registry. This list is incorporated into and forms part of this DPA. Spinnable shall update this list prior to engaging any new Sub-processor, in accordance with Section 4 of this DPA.
2. AI Model Providers — Zero Data Retention. Spinnable engages AI model providers (including Anthropic, OpenAI, Google, AWS, and Mistral) for inference. Under zero data retention agreements, Customer Data submitted for AI processing is: (a) processed in real-time for the sole purpose of generating a response; (b) not stored, cached, or persisted by the provider after the response is delivered; and (c) not used by the provider for model training, fine-tuning, or any other purpose.
3. Customer-Directed Integrations. Third-party services that customers choose to connect to the Service (e.g., Slack, Microsoft Outlook/Teams, or other tools via integration platforms) are not Sub-processors. These connections are initiated and authorized by the customer, and data flows are governed by the customer's own agreements with those services.
Annex III — Technical & Organizational Security Measures
- 1. Encryption — AES-256 at rest, TLS 1.2+ in transit
- 2. Access Control — RBAC, least privilege, MFA for prod admin access
- 3. Data Isolation — Per-account and per-Worker logical separation
- 4. Infrastructure Security — Enterprise cloud, firewalls, intrusion detection, vulnerability scanning
- 5. AI Processing Safeguards — Zero data retention (contractual), no training on Customer Data, encrypted channels
- 6. Monitoring & Incident Response — 24/7 monitoring (Grafana + Sentry), 72-hour breach notification
- 7. Personnel Security — Confidentiality obligations, security training, access revocation
- 8. Business Continuity — Regular encrypted backups, disaster recovery, EU-hosted redundancy