Data Processing Agreement
Last updated: May 2026.
Overview
This Data Processing Agreement ("DPA") applies to business or enterprise customers who access HuddleSpy services and are subject to data protection obligations under applicable law. Individual consumer users are governed by the HuddleSpy Privacy Policy. This DPA describes the roles, responsibilities, and obligations of HuddleSpy LLC ("Processor") and the customer entity ("Controller") with respect to personal data processed through the HuddleSpy platform.
Definitions
"Personal Data" means any information relating to an identified or identifiable natural person processed through the HuddleSpy platform on behalf of the Controller. "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion. "Sub-processor" means any third party engaged by HuddleSpy to process Personal Data.
Scope of Processing
HuddleSpy processes Personal Data solely for the purpose of providing the services described in the Terms of Service. HuddleSpy will not process Personal Data for any purpose other than as instructed by the Controller or as required by applicable law. HuddleSpy will inform the Controller if it believes an instruction violates applicable data protection law.
Sub-processors
HuddleSpy engages the following sub-processors in the delivery of its services:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database and authentication | United States |
| Stripe | Payment processing and billing | United States |
| Sentry | Error monitoring and observability | United States |
| Inngest | Event scheduling and workflow automation | United States |
| Resend | Transactional and marketing email delivery | United States |
| Anthropic | AI prediction generation | United States |
| Vercel | Frontend hosting and edge delivery | United States |
| Railway | Backend API hosting | United States |
HuddleSpy will notify Controllers of any intended changes to sub-processors with reasonable advance notice.
Security Measures
HuddleSpy implements appropriate technical and organizational measures to protect Personal Data against unauthorized access, disclosure, alteration, or destruction. These measures include encrypted data transmission (TLS), access controls and authentication requirements, error monitoring with PII scrubbing, and regular security reviews. For a full description of security measures, refer to the Incident Response Policy.
Data Subject Rights
HuddleSpy will assist Controllers in responding to data subject requests to the extent technically feasible. Controllers are responsible for determining the legal basis for processing and for communicating with data subjects directly.
Data Retention and Deletion
Upon termination of services, HuddleSpy will delete or anonymize Controller Personal Data within 30 days, except where retention is required by applicable law. Billing records are retained for 7 years as required by financial recordkeeping obligations.
Breach Notification
HuddleSpy will notify Controllers without undue delay upon becoming aware of a Personal Data breach affecting Controller data, in accordance with the Incident Response Policy.
Contact
For DPA inquiries or to request a signed DPA for enterprise procurement purposes, contact: contact@huddlespy.com.