Trust

Explore key legal and IT security documents at 3D Spark, to understand how we protect and manage data while upholding our commitment to client relationships

Data Processing Agreement (DPA)

This Data Processing Agreement (“Agreement” or “DPA”) is entered into by and between:

3D Spark GmbH, a company organized under the laws of Germany, with its registered office at Klaus-Groth-Str. 88, 20535 Hamburg, Germany (hereinafter referred to as the “Data Processor”),

and

[Customer Name], [a company organized under the laws of [Country/Region],] with its principal place of business at [Address] (hereinafter referred to as the “Data Controller”).

This DPA is effective as of the later of (i) the effective date of the Agreement between the parties for the provision of services by the Data Processor to the Data Controller (the “Service Agreement”) or (ii) the date this DPA is fully executed by both parties (the “Effective Date”).

1 Scope and Applicability of the Data Processing Agreement  
1.1 Effective Date This DPA is effective as of the later of the following dates (the “Effective Date”): (i) the effective date of the Agreement between the parties for the provision of services by the Data Processor to the Data Controller (the “Service Agreement”) or (ii) the date this DPA is fully executed by both parties.  

1.2 Relationship to the Service Agreement This DPA supplements and forms an integral part of the Service Agreement between the Data Processor and the Data Controller. It governs the processing of personal data that the Data Processor performs on behalf of the Data Controller in the course of providing services as specified in the Service Agreement. If any provisions of this DPA conflict with terms in the Service Agreement relating specifically to data processing or data protection, the terms of this DPA shall prevail. All other terms of the Service Agreement remain unaffected and in full force and effect.  

1.3 Purpose of the DPA This DPA establishes the responsibilities and obligations of both the Data Controller and the Data Processor to ensure the protection and privacy of personal data, as required by the General Data Protection Regulation (GDPR) and any other applicable data protection laws. It outlines specific obligations, rights, and duties of each party in the context of processing personal data on behalf of the Data Controller.  

1.4 Roles of the Parties For purposes of this DPA and the GDPR: The Data Controller is the party that determines the purposes and means of the processing of personal data. The Data Processor is the party that processes personal data on behalf of, and according to the documented instructions of, the Data Controller for purposes specified in the Service Agreement. Each party acknowledges and agrees to adhere to the obligations applicable to it under this DPA and the GDPR. The Data Controller is responsible for ensuring that its instructions to the Data Processor are lawful and meet all applicable data protection requirements.

2 Definitions  
For the purposes of this Data Processing Agreement, the following terms shall have the meanings set forth below. Any capitalized terms not defined here will have the meanings ascribed to them in the Service Agreement or the GDPR.  

2.1 Applicable Data Protection Law
Refers to all data protection laws and regulations applicable to the processing of personal data under this DPA, including, but not limited to, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).  

2.2 Data Controller
The entity that determines the purposes and means of processing personal data, as defined under the GDPR.  

2.3 Data Processor
The entity that processes personal data on behalf of the Data Controller, as defined under the GDPR.  

2.4 Data Subject
Any identified or identifiable natural person to whom the personal data relates, as defined under the GDPR.  

2.5 Personal Data
Any information relating to an identified or identifiable natural person (Data Subject), including, but not limited to, names, contact details, identification numbers, online identifiers, or other data that can directly or indirectly identify the individual, as defined under the GDPR.  

2.6 Processing
Any operation or set of operations performed on personal data, whether automated or manual, including collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction, as defined under the GDPR.  

2.7 Sub-processor
Any third party appointed by or on behalf of the Data Processor to process personal data on behalf of the Data Controller in connection with this DPA.  

2.8 Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, as defined under the GDPR.  

2.9 Supervisory Authority
An independent public authority established by a European Union (EU) Member State pursuant to the GDPR, which is responsible for monitoring compliance with data protection laws.  

2.10 Technical and Organizational Measures (TOMs)
The security measures, policies, and practices implemented by the Data Processor to ensure the confidentiality, integrity, availability, and resilience of personal data, in accordance with Article 32 of the GDPR.  

3 Scope of Data Processing  
The scope of data processing under this Agreement includes all activities required to deliver the services provided by 3D Spark’s SaaS platform. These activities encompass the collection, storage, transmission, analysis, and, if necessary, deletion of personal data related to the service provided to the Data Controller.

3.1 Categories of Personal Data Processed
3D Spark GmbH processes several categories of personal data to ensure the effective operation and support of its platform. The specific types of personal data processed may include:
a. Contact Information: Data such as names, email addresses, usernames, and job titles, collected to facilitate communication, account management, and support functions.
b. Account Activity Data: Details about user actions within the platform, including login times, system interactions, and significant user actions (e.g. create, edit, delete or updating data), which help us provide a seamless and secure user experience.
c. Technical Data: System logs, IP addresses, device information, and browser types collected to monitor and ensure platform security, diagnose issues, and support customer service requests.  

These categories allow us to tailor our services to meet customers’ needs, monitor platform health, and ensure data protection.  

3.2 Purposes of Data Processing
The data processing activities conducted by 3D Spark GmbH are strictly aligned with the following purposes:
a. Service Provision: Delivering the core functionalities of the SaaS platform, which includes managing customer accounts, enabling secure user interactions, and processing requests from the Data Controller.
b. Customer Support: Assisting customers with queries, troubleshooting technical issues, and providing platform guidance through effective customer service operations.
c. Security Monitoring: Protecting the platform and customer data by monitoring for unauthorized access attempts, suspicious activity, and system vulnerabilities to maintain a secure environment.
d. Performance Optimization: Collecting non-personal, anonymized data through system analytics to enhance platform stability, improve user experience, and optimize application performance.
e. Compliance: Ensuring compliance with GDPR and other applicable data protection regulations, including data retention, deletion, and audit obligations.  

Each processing purpose is aligned with GDPR principles, ensuring that customer data is only used as needed to deliver services and maintain high standards of privacy and security.  

3.3 Processing Duration
Personal data is retained only as long as necessary to fulfill the purposes outlined in this Agreement, or as required by law. Specific retention periods include:
a. Operational Data: Retained for the duration of the Service Agreement.
b. Customer Support Data: Kept for a minimum of one year after the resolution of a support request, enabling continued service quality.
c. Backup Data: Incremental backups of customer data are securely stored for up to 45 days to ensure data recovery in case of technical failure.
d. Audit Logs: System access logs, user activity, and authentication events are retained for one year to support security audits, accountability, and GDPR compliance.  

Upon termination of the Service Agreement, personal data will be securely deleted within 30 days unless otherwise requested by the Data Controller.  

3.4 Data Processing Location
All data processing activities are conducted within the European Union, primarily hosted on dedicated servers managed by Hetzner Online GmbH, an ISO 27001-certified provider located in Germany. In specific cases where sub-processors outside the EU may be required, 3D Spark GmbH will ensure that all necessary safeguards are in place, including the use of Standard Contractual Clauses (SCCs) or other GDPR-compliant mechanisms.

3.5 Data Minimization and Privacy by Design
3D Spark GmbH is committed to data minimization and privacy by design principles. Only data essential for delivering services and supporting customers is collected and processed. Our platform is designed to maintain strict access control, ensuring that each user accesses only the data necessary for their role, thereby limiting data exposure and enhancing security.

4 Obligations of the Data Processor  
3D Spark GmbH, as the Data Processor, is committed to upholding stringent data protection practices in accordance with GDPR requirements. This section outlines the obligations of 3D Spark to ensure that personal data is processed securely, transparently, and solely as directed by the Data Controller.  

4.1 Processing on Documented Instructions
3D Spark GmbH will process personal data only based on documented instructions provided by the Data Controller, as agreed within the scope of this DPA and the underlying Service Agreement. This commitment includes processing personal data solely for the purposes specified by the Data Controller and in alignment with applicable data protection laws. If, at any point, 3D Spark GmbH believes that an instruction from the Data Controller infringes GDPR or other relevant regulations, it will promptly inform the Data Controller and seek clarification before proceeding.  

4.2 Implementation of Technical and Organizational Measures
3D Spark GmbH will implement and maintain appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, alteration, or destruction. These measures are designed to ensure a level of security appropriate to the nature, scope, context, and purposes of the data being processed, as well as the risks involved. Key security measures include:
a. Access Control: Role-based access controls are enforced, with multi-factor authentication required for administrative access. Access permissions are reviewed regularly to ensure that only authorized personnel have access to personal data.
b. Encryption: Data is encrypted in transit using TLS v1.2+ and, for backup data, at rest using AES-256. This protects personal data from unauthorized access during transmission and storage.
c. Incident Monitoring and Response: Real-time monitoring tools and automated threat responses are in place to detect and mitigate potential security incidents. In the event of a security incident involving personal data, 3D Spark GmbH will follow the procedures outlined in Section 7 of this Agreement.
d. Employee Training: Employees with access to personal data receive regular security and data protection training to stay current with best practices and GDPR requirements.  

4.3 Confidentiality and Data Access Controls
3D Spark GmbH ensures that all personnel authorized to process personal data are bound by confidentiality obligations. Employees and contractors are only granted access to personal data on a need-to-know basis and are subject to strict access control protocols that align with GDPR standards. 3D Spark GmbH also employs identity and access management (IAM) systems, such as single sign-on (SSO) with two-factor authentication (2FA), to control and track employee access to systems handling personal data. These controls are regularly audited to ensure compliance with our access policies.  

4.4 Assistance with Data Subject Rights
The Data Processor will assist the Data Controller in meeting its obligations concerning data subject rights under GDPR. This includes supporting requests for:
a. Access: Providing data subjects with information on the processing of their personal data, upon request by the Data Controller.
b. Rectification: Correcting inaccurate or incomplete data, as instructed by the Data Controller.
c. Erasure: Deleting personal data upon the Data Controller’s instruction when no longer needed or in response to a valid data subject request.
d. Restriction of Processing: Temporarily limiting the processing of data if a data subject exercises their right to restriction, in accordance with the Data Controller’s instructions.

3D Spark GmbH will respond to such requests within a reasonable time frame to enable the Data Controller to meet GDPR response deadlines.  

4.5 Notification and Management of Data Breaches
In the event of a data breach involving personal data processed on behalf of the Data Controller, 3D Spark GmbH will:
a. Immediate Notification: Notify the Data Controller within 72 hours of becoming aware of the breach. The notification will include information on the nature of the breach, affected data categories, approximate number of data subjects and records affected, and potential consequences.
b. Mitigation Measures: Take immediate steps to contain and mitigate the impact of the breach. This may include isolating affected systems, revoking access, or applying patches as needed.
c. Incident Reporting: Provide regular updates to the Data Controller on the status of the breach resolution and any remedial actions taken to prevent similar incidents in the future.  

4.6 Data Protection Impact Assessments (DPIA) and Compliance Assistance
3D Spark GmbH will assist the Data Controller in conducting Data Protection Impact Assessments (DPIA) when required, particularly if the processing is likely to result in a high risk to data subjects’ rights and freedoms. Assistance may include:
a. Providing Necessary Information: Supplying information on processing activities, technical and organizational measures, and potential risks related to the services.
b. Cooperating with Supervisory Authorities: Collaborating with relevant supervisory authorities as required to support DPIA or other compliance activities.  

4.7 Data Security Audits and Demonstration of Compliance
To provide the Data Controller with confidence in the Data Processor’s compliance efforts, 3D Spark GmbH will:
a. Internal Audits: Conduct regular internal audits of its data protection policies and technical and organizational measures to ensure continuous compliance with GDPR requirements.
b. Documentation and Evidence: Maintain accurate documentation of its data protection practices, including access logs, security policies, and training records, to demonstrate GDPR compliance upon request.
c. Access to Audit Reports: Provide summaries of audit findings and key security assessments to the Data Controller upon request, helping the Data Controller verify the adequacy of 3D Spark GmbH’s security measures.  

4.8 Deletion or Retention upon Termination
Upon termination of the Service Agreement, 3D Spark GmbH will either delete or, at the Data Controller’s request, return all personal data processed on behalf of the Data Controller, as specified below.
a. Retention of User Accounts: To facilitate potential reactivation, 3D Spark GmbH may retain user accounts and related configuration data for up to one year after the termination date. This retention period provides the Data Controller with an option to resume use of the services within that timeframe without requiring a complete setup. However, 3D Spark GmbH is not obligated to retain or restore user accounts beyond this period unless specifically requested by the Data Controller.
b. Data Deletion after Retention Period: After the one-year retention period, or upon explicit request by the Data Controller, all personal data associated with the user account will be securely and irreversibly deleted, except where legal obligations require extended retention.
c. Data Deletion Request: If the Data Controller requests immediate deletion of user accounts upon termination, 3D Spark GmbH will securely delete all personal data within 30 days of receiving the request.

5 Sub-processors  
3D Spark GmbH may engage third-party service providers, or “sub-processors,” to support the delivery of its SaaS platform. These sub-processors assist in functions such as data hosting, customer support, and software development, and each is carefully selected based on their data protection practices and compliance with GDPR requirements. This section clarifies our commitments to managing and notifying the Data Controller about sub-processors.  

5.1 Use of Sub-processors
3D Spark GmbH may use sub-processors to perform specific processing activities on behalf of the Data Controller. These sub-processors are engaged to assist in providing infrastructure and services that enhance the platform's functionality, security, and user experience. Each sub-processor operates under a data processing agreement that incorporates obligations equivalent to those in this DPA, ensuring GDPR compliance.  

5.2 Approval and Notification of Sub-processors
The Data Processor maintains a list of current sub-processors and will provide this list to the Data Controller upon request. 3D Spark GmbH is committed to transparency regarding any sub-processors that process the Data Controller's personal data, and will follow these procedures for notifying and obtaining approval from the Data Controller:
a. Notification of New Sub-processors: The Data Processor will provide written notice at least 14 days in advance of any intended changes concerning the addition or replacement of sub-processors. This notice will include details on the new sub-processor and the nature of processing they will perform.
b. Objection to Sub-processors: The Data Controller has the right to object to a new sub-processor, but objections must be based on specific and verifiable concerns regarding the sub-processor’s compliance with GDPR standards or security measures directly affecting personal data processed under this DPA. Objections cannot be raised based on general preferences or operational differences that do not impact data protection or compliance.
c. Resolution of Objections: In cases where the Data Controller raises an objection, 3D Spark GmbH will work in good faith to address the Data Controller’s concerns. If an agreement cannot be reached after reasonable efforts, the Data Controller may choose to terminate the Service Agreement solely concerning the affected processing activities related to the sub-processor in question.  

5.3 Obligations of Sub-processors
All sub-processors engaged by 3D Spark GmbH are required to adhere to data protection obligations that are consistent with those outlined in this DPA. This ensures that personal data processed by sub-processors is safeguarded and managed in compliance with GDPR. Obligations include, but are not limited to:
a. Data Security: Implementing appropriate technical and organizational measures to protect personal data.
b. Confidentiality: Binding sub-processor personnel to confidentiality obligations regarding the personal data processed on behalf of the Data Controller.
c. Cooperation with Data Controller Requests: Assisting 3D Spark GmbH in responding to data subject requests, breach notifications, and compliance reviews as required by this DPA.  

5.4 Current List of Sub-processors
The following are the primary sub-processors currently engaged by 3D Spark GmbH to support the provision of its SaaS platform:
a. Hetzner Online GmbH: Provides dedicated data hosting services within ISO 27001-certified data centers in the EU, ensuring physical and environmental security for the platform.
b. HubSpot: Used for customer relationship management, providing tools for secure communication, service coordination, and customer support within the EU.
c. Atlassian Products (e.g., Bitbucket, JIRA): Supports software development and code version control, as well as a ticket-system within secure, GDPR-compliant environments hosted in the EU.

In addition to these core sub-processors, 3D Spark GmbH utilizes additional EU-based sub-processors for specific services essential to the operation and enhancement of the platform, including:
a. Payment and Finance Services: To facilitate secure payment processing, billing, and financial management.
b. Customer Communication: Tools used to communicate with customers, deliver service updates, and respond to support inquiries.
c. Tutorials and Feature Showcasing: Services that provide in-app tutorials, guidance, and feature announcements to enhance the user experience.
d. Analytics and Usage Statistics: Systems used to gather anonymized or aggregated data on platform usage, supporting performance optimization and insights for product improvement.  

Each of these additional sub-processors operates under agreements that include GDPR-compliant data protection obligations to ensure personal data is handled securely and transparently. 3D Spark GmbH provides advance notice of any significant changes to these sub-processors to allow the Data Controller to assess and, if necessary, object to new engagements as described in Section 5.2.  

5.5 Compliance Monitoring of Sub-processors
3D Spark GmbH relies on each sub-processor’s published compliance certifications, third-party audit reports, and terms of service updates to verify their ongoing adherence to GDPR and this DPA. For sub-processors that regularly undergo independent audits (e.g., ISO 27001, SOC 2), 3D Spark GmbH reviews available audit summaries and compliance documentation as necessary. If a sub-processor makes significant changes to its GDPR-related commitments, or if a compliance issue arises that affects the Data Controller’s personal data, 3D Spark GmbH will assess the impact and, if needed, take corrective action. This may involve requesting further assurances, adjusting data processing practices, or, if compliance cannot be restored, terminating the engagement with that sub-processor.  

5.6 Liability for Sub-processors
The Data Processor retains full responsibility for the actions and compliance of any engaged sub-processors, ensuring that the Data Controller’s personal data is processed securely and in accordance with GDPR, regardless of which sub-processors are utilized.  

6  Data Subject Rights  
Under GDPR, data subjects have specific rights regarding their personal data. 3D Spark GmbH, as the Data Processor, will assist the Data Controller in fulfilling these rights by implementing processes that enable timely responses to data subject requests. This section outlines the measures taken by 3D Spark GmbH to support the Data Controller in upholding data subject rights.  

6.1 Assistance with Data Subject Requests
3D Spark GmbH will assist the Data Controller in responding to data subject requests as required by GDPR. The Data Processor will enable and support the Data Controller in responding to the following rights:
a. Right of Access: Providing data subjects with access to their personal data upon request by the Data Controller. This includes details on the categories of data processed, the purposes of processing, and any sub-processors involved.
b. Right to Rectification: Assisting in correcting or updating inaccurate or incomplete personal data held by the Data Processor, as directed by the Data Controller.
c. Right to Erasure: Facilitating the secure deletion of personal data upon the Data Controller’s instruction when legally required or in response to a valid request from the data subject.
d. Right to Restriction of Processing: Temporarily restricting data processing activities upon the Data Controller’s instruction, such as when the accuracy of data is contested or processing is deemed unlawful but the data subject prefers restriction over erasure.
e. Right to Data Portability: Enabling the export of personal data in a structured, commonly used, and machine-readable format upon request. This allows data subjects to transfer their personal data to another controller if desired.
f. Right to Object: Assisting in halting or restricting processing activities if a data subject objects based on legitimate grounds, in accordance with instructions from the Data Controller.

6.2 Process for Handling Requests
To facilitate a smooth and compliant response process for data subject requests, 3D Spark GmbH has established procedures to respond to the Data Controller’s requests for assistance in a timely and efficient manner:
a. Response Times: 3D Spark GmbH will promptly acknowledge and respond to the Data Controller’s requests related to data subject rights. The Data Processor will act within a reasonable timeframe to support the Data Controller’s compliance with GDPR deadlines.
b. Documentation of Requests: All data subject requests and actions taken to fulfill them will be documented by 3D Spark GmbH. This documentation will include the type of request, date of receipt, actions taken, and completion status. The documentation will be retained as evidence of compliance and may be provided to the Data Controller upon request.  

6.3 Costs and Limitations
3D Spark GmbH will provide reasonable assistance to the Data Controller in fulfilling data subject rights, to the extent technically feasible and without requiring disproportionate resources. For data subject requests that are repetitive, complex, or require substantial technical or administrative resources, 3D Spark GmbH reserves the right to negotiate a reasonable cost-sharing arrangement with the Data Controller. In such cases, 3D Spark GmbH may also extend response times to ensure that requests are handled thoroughly and efficiently.  

6.4 Communication with Data Subjects
While 3D Spark GmbH does not directly handle requests from data subjects, it will facilitate and support the Data Controller in fulfilling these requests. Data subjects should direct their requests to the Data Controller, who will then coordinate with 3D Spark GmbH for support as needed. The Data Processor will refrain from directly responding to data subject requests unless legally obligated to do so.  

7 Technical and Organizational Measures (TOMs)  
3D Spark GmbH is committed to maintaining the confidentiality, integrity, and availability of personal data processed on behalf of the Data Controller. To achieve this, the Data Processor implements comprehensive technical and organizational measures designed to protect personal data against unauthorized access, loss, or alteration. These measures are continuously reviewed and updated to adapt to new risks, industry standards, and regulatory requirements.

7.1 Access Control
3D Spark GmbH enforces strict access controls to ensure that only authorized personnel have access to personal data:
a. Role-Based Access Control (RBAC): Access to systems and data is granted based on the specific role and responsibilities of each user, ensuring that users only access data necessary for their function.
b. Single Sign-On (SSO) with Multi-Factor Authentication (MFA): Administrative and critical system access is managed through SSO with MFA, providing an additional layer of protection for sensitive data and systems.
c. Regular Access Reviews: Access permissions are reviewed periodically to verify that only active personnel with valid requirements have access to personal data, in alignment with the principle of least privilege.  

7.2 Data Encryption
To protect data confidentiality, 3D Spark GmbH employs encryption both in transit and at rest:
a. Encryption in Transit: All data transferred between the Data Processor and the Data Controller or between internal systems is encrypted using industry-standard TLS protocols (TLS v1.2 and TLS v1.3) to protect against interception and unauthorized access.
b. Encryption at Rest: Backup data containing personal information is encrypted using AES-256, ensuring that data remains protected while stored within secure environments.  

7.3 Monitoring and Threat Detection
3D Spark GmbH actively monitors systems to detect and respond to security incidents:
a. Real-Time Monitoring: Comprehensive system monitoring is in place, to track server health, detect anomalies, and monitor potential threats in real time.
b. Automated Threat Responses: Automated scripts and configurations provide active responses to security threats, such as blocking IP addresses for repeated unauthorized access attempts. Alerts are generated and reviewed by the security team as soon as they reach critical thresholds.
c. Vulnerability Scanning: Regular vulnerability scans are conducted to identify and mitigate potential security risks within the application and infrastructure. This includes automated scanning tools, to address vulnerabilities before deployment to production.  

7.4 Incident Response and Data Breach Management
3D Spark GmbH has an established incident response plan to detect, contain, and manage security incidents involving personal data:
a. Incident Detection and Notification: Any security incidents involving personal data will trigger an immediate response, and the Data Controller will be notified within 72 hours of incident detection, in accordance with GDPR requirements or sooner depending on the threat-level outlined in the GTC.
b. Containment and Mitigation: Steps are taken to contain the incident, assess its impact, and implement corrective measures. Actions include isolating affected systems, revoking unauthorized access, and conducting root cause analyses.
c. Post-Incident Review: Following resolution, a post-incident review is conducted to identify any areas for improvement and to document findings and corrective actions taken to prevent future incidents.  

7.5 Employee Training and Security Awareness
3D Spark GmbH promotes a security-conscious culture through ongoing employee training and awareness programs:
a. Security Training: All employees receive mandatory security training upon hire and periodic refresher sessions covering data protection principles, secure handling of personal data, and incident response protocols.
b. Phishing and Social Engineering Awareness: Employees are regularly educated on identifying and reporting phishing attempts, ensuring that they remain vigilant to social engineering threats.

7.6 Privacy by Design and Default
3D Spark GmbH embeds data protection principles into the design and operation of its platform, ensuring that personal data is protected by default:
a. Data Minimization: Personal data collected and processed is limited to only what is necessary to achieve the intended purposes of processing, reducing exposure to potential risk.
b. Secure Development Practices: Our software development lifecycle includes secure coding practices, peer reviews, and automated testing, ensuring that new features are designed with data protection as a priority.
c. Default Security Settings: All default settings within the platform are configured to uphold data security, such as requiring strong passwords, enforcing role-based access, and applying privacy controls that prevent unauthorized data sharing.  

7.7 Data Retention and Disposal
Data is retained only for as long as necessary to fulfill the purposes for which it was collected, in compliance with GDPR and as specified by the Data Controller. Once data is no longer needed, secure disposal processes are applied:
a. Automated Data Deletion: Data is automatically deleted at the end of its retention period.
b. Secure Hardware Disposal: When hardware containing personal data reaches end-of-life, 3D Spark GmbH follows industry-standard disposal protocols, including data erasure or physical destruction, to prevent data recovery.  

7.8 Auditing and Compliance Verification
To demonstrate compliance with GDPR and ensure that all technical and organizational measures remain effective, 3D Spark GmbH performs regular internal reviews and audits:
a. Internal Audits: Regular audits of security policies, access control measures, and data protection practices are conducted to verify compliance with this DPA and GDPR.
b. Documentation and Evidence: Detailed records of security policies, access logs, and employee training activities are maintained to support compliance and provide transparency to the Data Controller.
c. Third-Party Assessments: Where feasible, 3D Spark GmbH reviews third-party audits and certifications (such as ISO 27001 for hosting providers) to ensure that all infrastructure supporting personal data complies with recognized standards.  

8 International Transfers  
3D Spark GmbH is committed to protecting personal data and prioritizes data processing and hosting within the European Union (EU) whenever possible. This section outlines our approach to managing international transfers and details the safeguards we employ to protect personal data that may be processed outside the EU.  

8.1 EU-Preferred Data Hosting
3D Spark GmbH strives to host and process personal data within the EU, using EU-based infrastructure and service providers whenever possible. This includes hosting services with dedicated servers at Hetzner Online GmbH, an ISO 27001-certified data center in Germany, and utilizing EU-based instances of providers like Azure and Atlassian. This EU-preferred approach aligns with our commitment to GDPR and ensures personal data remains under European regulatory protections whenever feasible.  

8.2 International Transfers for Specific Services
While we prioritize EU hosting, certain services may require data processing outside the EU, depending on the available options of third-party providers. For example, certain payment services, such as those provided by Stripe, may involve processing personal data in the United States or other non-EEA countries. In these cases, 3D Spark GmbH ensures that all necessary safeguards are in place to protect personal data.  

8.3 GDPR-Compliant Safeguards for International Transfers
In instances where data must be transferred outside the EU, 3D Spark GmbH takes the following steps to ensure GDPR compliance:
a. Standard Contractual Clauses (SCCs): We rely on SCCs approved by the European Commission for transfers to non-EEA countries, which provide legally binding protections for personal data.
b. Adequacy Decisions: Where applicable, we may transfer data to countries deemed by the European Commission to provide an adequate level of data protection.

3D Spark GmbH will notify the Data Controller of any new or significant international transfers, especially if a new sub-processor located outside the EU is engaged. This notification allows the Data Controller to review and, if necessary, raise objections to specific transfers or sub-processors, as outlined in Section 5.2 of this DPA.  

8.4 Transparency and Documentation
3D Spark GmbH maintains detailed records of all data transfers and safeguards associated with international processing to ensure transparency and compliance. Documentation regarding any non-EU processing and the implemented safeguards is available to the Data Controller upon request.  

9 Liability  
This section defines the liabilities of both the Data Controller and 3D Spark GmbH (the Data Processor) concerning data protection obligations under this Data Processing Agreement (DPA). Both parties agree to limit their liability as specified within this DPA and the underlying Service Agreement, except where otherwise restricted by applicable law.  

9.1 General Liability
Each party shall be liable for damages resulting from any breach of this DPA or GDPR only if such damages are directly caused by that party’s gross negligence, willful misconduct, or failure to fulfill its data protection obligations. Liability will be limited to actual, foreseeable damages resulting directly from the breach, excluding any indirect, incidental, or consequential damages, except as required by applicable law.  

9.2 Data Processor’s Liability
3D Spark GmbH, as the Data Processor, will be liable for damages directly resulting from its failure to comply with obligations under this DPA or applicable data protection laws, including GDPR, in cases of:
a. Gross negligence or willful misconduct leading to unauthorized access, disclosure, or processing of personal data in contradiction to the documented instructions of the Data Controller.
b. Failure to implement and maintain appropriate technical and organizational measures for data protection.
c. Breach notification delays, provided they are due to gross negligence or intentional delay.  

Liability will be limited to direct damages and excludes any indirect, incidental, or consequential damages, except as required by applicable law. Furthermore, 3D Spark GmbH shall not be liable for any processing conducted according to the documented instructions provided by the Data Controller if those instructions are non-compliant with GDPR.

9.3 Data Controller’s Liability
The Data Controller is responsible for ensuring that any instructions provided to 3D Spark GmbH for the processing of personal data comply with applicable data protection laws. The Data Controller will bear responsibility for: Confirming that an appropriate legal basis exists for the personal data processed by 3D Spark GmbH. Ensuring that data subject rights are communicated and appropriately managed. Indemnifying 3D Spark GmbH against any claims, liabilities, or losses arising from instructions or actions by the Data Controller that contradict GDPR.  

9.4 Joint Liability and Proportional Responsibility
If both parties are jointly liable for damages due to shared responsibility, each party shall bear liability in proportion to its respective degree of fault and level of control over the processing activity in question, in line with Article 82 of the GDPR.  

9.5 Limitation of Liability
Except where otherwise required by law, the total liability of each party under this DPA shall not exceed the amount specified in the underlying Service Agreement. This limitation does not apply to damages resulting from gross negligence, willful misconduct, or liabilities that cannot be legally limited.  

9.6 Exclusions of Indirect Damages
Neither party shall be liable for indirect, special, incidental, or consequential damages, including but not limited to loss of revenue, profits, goodwill, or data, even if such damages were foreseeable, except as required by law.  

9.7 Indemnification
Each party agrees to indemnify and hold harmless the other party only for damages arising from gross negligence or willful misconduct in connection with this DPA or applicable data protection laws. The indemnifying party’s liability shall be limited to direct damages only and does not extend to any indirect, special, or incidental damages.  

9.8 Dispute Resolution
In the event of a dispute regarding liability under this DPA, both parties agree to make reasonable efforts to resolve the dispute amicably. If resolution cannot be reached, disputes shall be subject to the governing law and jurisdiction specified in Section 10 of this DPA.  

10 Governing Law and Jurisdiction  
This Data Processing Agreement (DPA) and any disputes or claims arising out of or in connection with it, including any issues regarding its existence, validity, or termination, shall be governed by and construed in accordance with the laws of Germany.  

10.1 Jurisdiction
The parties agree that any disputes arising out of or relating to this DPA shall be subject to the exclusive jurisdiction of the courts in Hamburg, Germany. Both the Data Controller and 3D Spark GmbH (the Data Processor) consent to the jurisdiction of these courts and agree to resolve any claims or legal proceedings arising from this DPA in Hamburg, Germany.  

10.2 Mandatory Mediation
Before initiating formal legal proceedings, the parties agree to attempt in good faith to resolve any dispute or claim through mediation. Either party may initiate mediation by providing written notice to the other party. Mediation shall take place within a reasonable time from the date of notice, at a mutually agreed location, or remotely if preferred by both parties. If the parties are unable to resolve the dispute through mediation within 60 days, either party may then proceed with formal court proceedings as outlined in Section 10.1.  

10.3 Injunctive Relief
Notwithstanding the foregoing, either party may seek injunctive or equitable relief in any court of competent jurisdiction if such relief is necessary to prevent irreparable harm. This provision does not limit either party’s right to seek interim or emergency relief, as required.

Have questions? Contact us.

Have questions about our legal terms or need detailed insights into our products? Contact our dedicated support team for expert assistance and comprehensive information.

Book a Demo