
Version 1.0 · Effective 2026-05-03 · Last updated 2026-05-03


This Data Processing Agreement (“DPA”) forms part of and is subject to the terms of the Subscription Agreement available at /legal/terms, or the Enterprise Master Service Agreement, as applicable (the “Agreement”), between the entity identified as the customer in the Agreement (“Customer” or “Controller”) and:

SavvySpark Inc. 5900 Balcones Drive STE 100 Austin, TX 78731 United States (“SavvySpark,” “we,” “us,” or “Processor”)

(each a “Party” and collectively the “Parties”).

This DPA applies to the extent SavvySpark Processes Personal Data on behalf of Customer in connection with the Service. In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. In the event of a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.


1. DEFINITIONS

1.1 “Applicable Data Protection Law” means all applicable laws relating to data protection and privacy, including: (a) The EU General Data Protection Regulation 2016/679 (“GDPR”); (b) The UK General Data Protection Regulation and Data Protection Act 2018 (“UK GDPR”); (c) The California Consumer Privacy Act as amended by the California Privacy Rights Act (“CCPA”); (d) The Texas Data Privacy and Security Act (“TDPSA”); (e) Canada’s Personal Information Protection and Electronic Documents Act (“PIPEDA”); (f) Any other applicable data protection laws.

1.2 “Controller” means the entity that determines the purposes and means of Processing of Personal Data.

1.3 “Customer Data” means any data, including Personal Data, that Customer uploads, submits, or otherwise provides to the Service, as well as data generated by the Service from such inputs (including relationship scores, AI-generated insights, and auto-created contact records).

1.4 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates.

1.5 “Personal Data” means any information relating to an identified or identifiable natural person, or any equivalent term under Applicable Data Protection Law.

1.6 “Personal Data Breach” means any breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

1.7 “Processing” (and “Process”) means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

1.8 “Processor” means an entity that Processes Personal Data on behalf of a Controller.

1.9 “Service” means the SavvySpark relationship intelligence platform and related services provided to Customer under the Agreement.

1.10 “Standard Contractual Clauses” or “SCCs” means: (a) For transfers from the EU/EEA: The standard contractual clauses approved by European Commission Decision 2021/914; (b) For transfers from the UK: The International Data Transfer Agreement or UK Addendum to the SCCs.

1.11 “Sub-processor” means any third party engaged by SavvySpark to Process Personal Data on behalf of Customer.

1.12 Terms not otherwise defined herein shall have the meanings given in the Agreement or Applicable Data Protection Law.


2. SCOPE AND ROLES

2.1 Scope of Processing. This DPA applies to the Processing of Personal Data by SavvySpark on behalf of Customer in connection with the Service. The details of Processing are described in Annex I.

2.2 Roles. The Parties agree that: (a) Customer is the Controller of Customer Data; (b) SavvySpark is the Processor of Customer Data when Processing on Customer’s behalf; (c) SavvySpark may also be an independent Controller for limited Processing activities as described in Section 2.4.

2.3 Customer Obligations. Customer shall: (a) Ensure it has all necessary rights, consents, and lawful bases to provide Personal Data to SavvySpark and to authorize the Processing described in this DPA; (b) Comply with Applicable Data Protection Law in its use of the Service; (c) Provide lawful Processing instructions to SavvySpark; (d) Ensure accuracy of Personal Data provided; (e) Review, update, or delete auto-created contact records as appropriate (see Privacy Policy Section 2.4).

2.4 SavvySpark as Independent Controller. SavvySpark Processes Personal Data as an independent Controller for: (a) Business operations (invoicing, accounting, legal compliance); (b) Service improvement (aggregated and de-identified analytics only); (c) Security, fraud prevention, and abuse detection.

Such Processing is governed by the SavvySpark Privacy Policy, not this DPA.


3. PROCESSING INSTRUCTIONS

3.1 Documented Instructions. SavvySpark shall Process Personal Data only on documented instructions from Customer, including: (a) The Agreement and this DPA; (b) Customer’s use and configuration of the Service (including enabling integrations, submitting meeting debriefs, and configuring AI features); (c) Additional written instructions agreed between the Parties.

3.2 Compliance with Instructions. SavvySpark shall promptly inform Customer if, in SavvySpark’s opinion, an instruction infringes Applicable Data Protection Law. SavvySpark shall not be required to independently assess the lawfulness of Customer’s instructions but shall not knowingly Process Personal Data in violation of Applicable Data Protection Law.

3.3 Legal Requirements. If SavvySpark is required by applicable law to Process Personal Data for any other purpose, SavvySpark shall inform Customer before such Processing (unless legally prohibited from doing so).


4. CONFIDENTIALITY

4.1 Personnel Obligations. SavvySpark shall ensure that persons authorized to Process Personal Data: (a) Have committed themselves to confidentiality or are under appropriate statutory obligations; (b) Process Personal Data only as necessary to provide the Service; (c) Receive appropriate training on data protection obligations.

4.2 Access Limitations. SavvySpark shall limit access to Personal Data to personnel who require access to perform the Service.


5. SECURITY

5.1 Security Measures. SavvySpark shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. Such measures shall include, as appropriate: (a) Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256); (b) Measures to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems; (c) Measures to restore availability and access to Personal Data in a timely manner following an incident; (d) Regular testing and evaluation of the effectiveness of security measures.

5.2 Specific Measures. SavvySpark’s current technical and organizational security measures are summarized in Annex II. For enterprise customers, detailed security documentation is available in the Security Exhibit at /legal/security.

5.3 Updates. SavvySpark may update security measures from time to time, provided that updates do not materially decrease the overall level of security provided to Customer Data.


6. SUB-PROCESSING

6.1 Authorization. Customer provides general written authorization for SavvySpark to engage Sub-processors to Process Personal Data, subject to the requirements of this Section 6.

6.2 Current Sub-processors. SavvySpark’s current Sub-processors are listed in Annex III. Customer’s execution of this DPA constitutes approval of the Sub-processors listed at the time of execution.

6.3 Sub-processor Requirements. SavvySpark shall: (a) Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA; (b) Remain responsible to Customer for the acts and omissions of Sub-processors; (c) Conduct appropriate due diligence on Sub-processors before engagement and on an ongoing basis.

6.4 New Sub-processors. SavvySpark shall notify Customer at least 30 days before engaging a new Sub-processor by: (a) Updating the Sub-processor list in Annex III; and (b) Notifying Customer via email to the address associated with Customer’s account.

6.5 Objection. Customer may object to a new Sub-processor by notifying SavvySpark in writing within 30 days of receiving notice. The Parties shall discuss Customer’s concerns in good faith. If the Parties are unable to resolve the objection within 30 days, Customer may terminate the affected portion of the Service without penalty upon written notice, and SavvySpark shall refund any prepaid fees for the terminated portion on a pro-rata basis.


7. DATA SUBJECT RIGHTS

7.1 Assistance. SavvySpark shall assist Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2 Request Handling. If SavvySpark receives a request from a Data Subject regarding Customer Data: (a) SavvySpark shall promptly notify Customer (unless legally prohibited); (b) SavvySpark shall not respond directly to the Data Subject except to acknowledge receipt and redirect the request to Customer; (c) SavvySpark shall provide Customer with reasonable assistance to respond to the request.

7.3 Service Functionality. The Service provides Customer with self-service tools to access, export, correct, and delete Personal Data. Customer should use these tools to fulfill Data Subject requests where possible.

7.4 Costs. SavvySpark may charge reasonable fees for assistance beyond that which is necessary to fulfill its own legal obligations, at rates agreed in writing.


8. PERSONAL DATA BREACH

8.1 Notification. SavvySpark shall notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Data. Notification shall be sent to the email address associated with Customer’s account and to any additional security contact designated by Customer.

8.2 Notification Content. Notification shall include, to the extent available at the time of notification (with additional details provided as they become available): (a) Description of the nature of the breach, including the categories and approximate number of Data Subjects affected; (b) Categories and approximate number of Personal Data records affected; (c) Name and contact details of SavvySpark’s privacy contact (privacy@savvyspark.ai); (d) Likely consequences of the breach; (e) Measures taken or proposed to address the breach, including measures to mitigate potential adverse effects.

8.3 Assistance. SavvySpark shall cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach. SavvySpark shall also assist Customer with any notifications Customer is required to make to supervisory authorities or Data Subjects under Applicable Data Protection Law.

8.4 Records. SavvySpark shall maintain records of Personal Data Breaches, including the facts of the breach, its effects, and the remedial actions taken.

8.5 No Admission. SavvySpark’s notification of or response to a Personal Data Breach shall not be construed as an acknowledgment of fault or liability.


9. DATA PROTECTION IMPACT ASSESSMENTS

9.1 Assistance. Upon Customer’s reasonable request, SavvySpark shall provide reasonable assistance for data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and to the extent such assessment relates to the Processing of Customer Data by SavvySpark.

9.2 Information. SavvySpark shall provide Customer with information reasonably necessary to demonstrate compliance with obligations under this DPA.


10. AUDIT

10.1 Audit Rights. SavvySpark shall make available to Customer information necessary to demonstrate compliance with this DPA.

10.2 Documentation-First Approach. SavvySpark will satisfy audit obligations by providing: (a) A current SOC 2 Type II report or equivalent third-party audit report (when available); (b) Relevant certifications; (c) Written responses to Customer’s reasonable security questionnaires (annually).

Customer agrees that provision of a current SOC 2 report shall satisfy audit obligations for the period covered by the report.

10.3 On-Site Audit. On-site audits are available only to Enterprise customers (under the Enterprise MSA) and only if: (a) a SOC 2 report is not available, AND (b) Customer has a documented regulatory obligation requiring on-site access, or has reasonable, specific grounds to believe SavvySpark is non-compliant with this DPA. On-site audits require: (a) At least 30 days’ prior written notice; (b) Conducted during normal business hours with minimal disruption; (c) Third-party auditors must execute a confidentiality agreement; (d) Customer bears all costs.

10.4 Frequency. Customer may conduct no more than one audit per 12-month period, unless: (a) Required by a supervisory authority; or (b) Following a confirmed Personal Data Breach affecting Customer Data.


11. INTERNATIONAL DATA TRANSFERS

11.1 Processing Locations. SavvySpark processes Customer Data primarily in the United States. Customer Data may be processed in any location where SavvySpark or its Sub-processors maintain facilities, as identified in Annex III.

11.2 Transfer Mechanisms. For transfers of Personal Data from the EU/EEA, UK, or Switzerland to the United States or other countries without an adequacy decision, the Parties shall rely on: (a) Standard Contractual Clauses as set forth in Annex IV; (b) The EU-US Data Privacy Framework, where applicable to SavvySpark’s Sub-processors; and/or (c) Other lawful transfer mechanisms recognized under Applicable Data Protection Law.

11.3 SCCs Application. Where Standard Contractual Clauses apply: (a) For EU transfers: Module 2 (Controller to Processor) applies, with Customer as the data exporter and SavvySpark as the data importer; (b) For UK transfers: The UK Addendum to the EU SCCs applies; (c) For Swiss transfers: The SCCs apply with modifications per Swiss Federal Act on Data Protection; (d) Annexes are completed per Annex IV of this DPA.

11.4 Transfer Impact Assessment. SavvySpark shall cooperate with Customer in conducting transfer impact assessments where required, and shall implement supplementary measures where needed to ensure adequate protection of Personal Data.

11.5 Conflict. In case of conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.


12. RETURN AND DELETION

12.1 During Term. During the term of the Agreement, Customer may export Customer Data at any time using the Service’s export functionality.

12.2 Upon Termination. Upon termination or expiration of the Agreement: (a) Customer shall have 30 days from the effective date of termination to export Customer Data using the Service’s export functionality; (b) After the 30-day export window, SavvySpark shall delete Customer Data within 90 days, including from backup systems; (c) SavvySpark shall provide written certification of deletion upon Customer’s request.

12.3 Retention Exceptions. SavvySpark may retain Personal Data to the extent required by applicable law (including billing records retained for tax and legal obligations), subject to ongoing confidentiality and security obligations under this DPA. SavvySpark shall inform Customer of any such legally required retention.

12.4 AI Interaction Logs. AI interaction logs (inputs and outputs related to AI-powered features) are retained for up to 90 days for quality assurance and abuse prevention purposes. These logs are deleted automatically after the retention period. AI outputs generated for Customer are Customer Data and are subject to the deletion provisions of this Section 12.


13. AI-SPECIFIC PROVISIONS

13.1 AI Sub-processors. SavvySpark uses third-party AI services provided by Anthropic to power meeting debrief extraction, natural language search, contact classification, and relationship recommendations. Relationship scoring (B2BR and B2PR) is a deterministic algorithm and is not powered by an AI sub-processor.

13.2 AI Outputs. All AI-generated outputs (including extracted insights, search results, and recommendations) derived from Customer Data are Customer Data and are subject to the terms of this DPA. Algorithmic relationship scores (B2BR and B2PR), although not AI-generated, are likewise treated as Customer Data and subject to this DPA.


14. CALIFORNIA-SPECIFIC TERMS (CCPA)

Where the CCPA applies to Processing of Personal Data under this DPA:

14.1 Service Provider. SavvySpark is a “Service Provider” as defined in CCPA and shall not: (a) Sell or share Personal Data; (b) Retain, use, or disclose Personal Data for any purpose other than providing the Service as specified in the Agreement; (c) Retain, use, or disclose Personal Data outside the direct business relationship between SavvySpark and Customer; (d) Combine Personal Data received from Customer with personal information received from other sources, except as permitted by CCPA.

14.2 Certification. SavvySpark certifies that it understands and will comply with the restrictions set forth in Section 14.1.

14.3 Assistance. SavvySpark shall assist Customer in responding to consumer requests to exercise their rights under CCPA, including requests to know, delete, and opt out.

14.4 No Sale or Sharing. SavvySpark does not sell Personal Data for monetary or other valuable consideration and does not share Personal Data for cross-context behavioral advertising.


15. GENERAL PROVISIONS

15.1 Order of Precedence. In case of conflict: (a) Standard Contractual Clauses; (b) this DPA; (c) the Agreement.

15.2 Liability. Each Party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, except that such limitations shall not apply to violations of Applicable Data Protection Law to the extent such limitations are prohibited by applicable law.

15.3 Term. This DPA shall remain in effect for the duration of the Agreement and shall continue until all Personal Data Processed under this DPA has been deleted or returned in accordance with Section 12.

15.4 Amendment. This DPA may be amended only by written agreement of the Parties. SavvySpark may update the Annexes to reflect changes in Sub-processors or security measures, with notice to Customer as required by this DPA.

15.5 Entire Agreement. This DPA, together with the Agreement and its Annexes, constitutes the entire agreement between the Parties regarding the Processing of Personal Data in connection with the Service.

15.6 Governing Law. This DPA is governed by the law specified in the Agreement, except that the Standard Contractual Clauses are governed as specified therein.

15.7 Contact. All notices and communications under this DPA shall be sent to:


This DPA is incorporated into and accepted as part of the Subscription Agreement. No separate signature is required.


ANNEX I: PROCESSING DETAILS

Subject Matter of Processing: Processing of Personal Data as necessary to provide the SavvySpark relationship intelligence platform, including relationship scoring, CRM integration, meeting debrief processing, AI-powered insights, and related services under the Agreement.

Duration of Processing: For the term of the Agreement plus any retention period required by law or specified in this DPA (30-day export window and 90-day deletion period following termination).

Nature and Purpose of Processing:

  • Storage and organization of Customer’s contact and relationship data
  • Relationship scoring (B2BR and B2PR score calculation)
  • AI analysis of meeting debriefs to extract contacts, companies, pain points, and opportunities
  • Natural language search indexing and query processing
  • Report and insight generation
  • CRM synchronization (Salesforce, HubSpot, Microsoft Dynamics)
  • Auto-creation of contact records from email and CRM data
  • Backup and disaster recovery
  • Customer support

Types of Personal Data:

  • Contact information (names, email addresses, phone numbers)
  • Professional information (job titles, company affiliations, departments)
  • Communication metadata (email frequency, response times, interaction dates)
  • Meeting notes and debrief content submitted by Customer’s users
  • Relationship scores and AI-generated classifications
  • CRM-synced data (deal history, activity records, custom fields)
  • Auto-created contact records (derived from email addresses, names, and inferred company affiliations)
  • Account credentials (username, password)

Categories of Data Subjects:

  • Customer’s employees, contractors, and authorized users of the Service
  • Customer’s business contacts (clients, prospects, partners, vendors)
  • Individuals referenced in meeting debriefs submitted by Customer’s users
  • Individuals whose information is synced from Customer’s CRM or email integrations

Sensitive Data: No special categories of sensitive data (as defined in GDPR Article 9) are intentionally processed. Account credentials are processed for authentication purposes only.

Processing Locations:

  • United States

ANNEX II: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

SavvySpark implements technical and organizational measures appropriate to the risks of Processing Personal Data, including:

1. Access Control

  • Role-based access controls with least-privilege principles
  • Unique user identification and authentication

2. Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 encryption for data at rest
  • Encryption keys managed through AWS Key Management Service (KMS)

3. Network Security

  • Network segmentation between production and non-production environments
  • AWS-provided firewalls and DDoS protection (AWS Shield)
  • Vulnerabilities are managed and remediated in accordance with SavvySpark’s vulnerability management practices

4. Application Security

  • Code review prior to deployment via pull request workflow

5. Hosting

  • Hosting on Amazon Web Services (AWS) under the shared responsibility model. AWS data centers maintain SOC 2 Type II, ISO 27001, and other industry certifications.

6. Operational Security

  • Centralized logging via cloud provider services
  • Patch management and timely application of security updates

7. Business Continuity

  • Automated database backups
  • Multi-AZ infrastructure deployment for redundancy

8. Personnel Security

  • Confidentiality agreements for all personnel with access to Customer Data

9. Vendor Management

  • Sub-processors are evaluated for security and data protection practices before engagement
  • Contractual data protection requirements with sub-processors

Detailed technical and organizational controls are described in the Security Exhibit.


ANNEX III: SUB-PROCESSOR LIST

Current Sub-processors as of May 3, 2026:

| Sub-Processor | Purpose | Processing Activities | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure | Hosting, storage, computing, backup, content delivery | United States |
| Anthropic | AI processing | Meeting debrief extraction, natural language search, insights generation, contact classification | United States |
| Stripe | Payment processing | Subscription billing and payment processing | United States |
| PostHog | Usage analytics | Aggregated platform usage analytics and service improvement | United States |

Notification of Changes: Customers are notified of Sub-processor changes via email at least 30 days before engagement, as described in Section 6.4.

Contact for Sub-Processor Inquiries: privacy@savvyspark.ai


ANNEX IV: STANDARD CONTRACTUAL CLAUSES REFERENCE

For Transfers from the EU/EEA

The Standard Contractual Clauses (Module 2: Controller to Processor) approved by European Commission Implementing Decision (EU) 2021/914 are incorporated by reference and apply to transfers of Personal Data to countries without an adequacy decision under GDPR Article 45.

Module Selection: Module 2 (Controller to Processor)

Clause 7 (Docking Clause): Applies. Additional controllers may accede to these SCCs by executing the DPA.

Clause 9(a) (Sub-processors): Option 2 (General written authorization) applies. Time period for objection: 30 days.

Clause 11 (Redress): Optional redress language does not apply.

Clause 13(a) (Supervision): The competent supervisory authority shall be determined in accordance with Clause 13(a) based on Customer’s establishment or, where Customer is not established in the EU, the Member State where Customer’s EU representative is appointed or where Customer’s Data Subjects are located.

Clause 17 (Governing Law): The laws of the Republic of Ireland.

Clause 18 (Choice of Forum and Jurisdiction): The courts of the Republic of Ireland.

Annex I.A (List of Parties):

  • Data Exporter: Customer, as identified in the Agreement
  • Data Importer: SavvySpark Inc., 5900 Balcones Drive STE 100, Austin, TX 78731, United States. Contact: privacy@savvyspark.ai

Annex I.B (Description of Transfer): As set forth in Annex I of this DPA.

Annex I.C (Competent Supervisory Authority): As determined under Clause 13(a) above.

Annex II (Technical and Organizational Measures): As set forth in Annex II of this DPA.

For Transfers from the UK

The UK Addendum to the EU Standard Contractual Clauses (as approved by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) applies. Tables completed as follows:

  • Table 1: Parties as identified in this DPA
  • Table 2: Module 2 (Controller to Processor) selected
  • Table 3: Annexes as set forth in this DPA
  • Table 4: Neither Party may end the UK Addendum per Section 19

For Transfers from Switzerland

The SCCs apply with the following modifications:

  • References to “Regulation (EU) 2016/679” include the Swiss Federal Act on Data Protection (“FADP”)
  • References to “EU,” “Union,” and “Member State” include Switzerland
  • Competent supervisory authority: Swiss Federal Data Protection and Information Commissioner (FDPIC)
  • Governing law and forum: Switzerland

This Data Processing Agreement is effective as of May 3, 2026.
