Data Processing Agreement
Last updated: July 18, 2026
Purpose
This Data Processing Agreement ("DPA") applies when Spark Development SRL processes personal data on behalf of a customer through the Moxy Business Management System.
Parties
- Customer: the organization using Moxy.
- Processor: Spark Development SRL, organized under the laws of Romania.
Roles
The customer is the data controller for personal data it enters into Moxy. Spark Development SRL is the data processor when processing such customer-controlled data.
Spark Development SRL may act as an independent controller for limited data such as billing, account administration, security, legal compliance, and direct business communications.
Subject matter
Providing, securing, supporting, maintaining, and improving the Moxy Business Management System for the customer.
Duration
For the duration of the customer's use of Moxy and any retention period required for backups, legal obligations, security, or dispute resolution.
Categories of data subjects
- Customer users
- Employees and contractors of the customer
- Customers and contacts of the customer
- Suppliers
- Partners
- NGO representatives
- Project participants
- Other people whose data is entered into Moxy by the customer
Categories of personal data
- Names
- Email addresses
- Phone numbers
- Job titles
- Organization and company details
- Roles and permissions
- Attendance and time-off records
- Project and time tracking data
- Internal request data
- Contract, customer, supplier, and contact information
- Technical identifiers and logs
- Support communications
Processing activities
- Hosting
- Storage
- Retrieval
- Access
- Transmission
- Organization
- Deletion
- Backup
- Security monitoring
- Support
- Diagnostics if enabled
Processor obligations
Spark Development SRL shall:
- Process personal data only on documented customer instructions, including as set out in the Service configuration
- Ensure confidentiality of authorized personnel
- Implement appropriate technical and organizational measures
- Assist the customer with data subject requests where reasonably possible
- Assist the customer with security and GDPR obligations where applicable
- Notify the customer of personal data breaches without undue delay after becoming aware
- Delete or return customer personal data at the end of the service, subject to legal obligations and backups
- Make available information reasonably necessary to demonstrate compliance
- Ensure subprocessors are bound by appropriate data protection obligations
Subprocessors and customer-enabled integrations
Spark Development SRL may use subprocessors to provide, host, secure, maintain, and support Moxy. Subprocessors are third-party service providers that may process customer personal data on behalf of Spark Development SRL.
Current subprocessors
| Subprocessor | Purpose | Location / notes |
|---|---|---|
| Hetzner Online GmbH | Dedicated server hosting, data center infrastructure, networking, storage, backups, and related infrastructure services used to operate Moxy. | Germany / European Union, depending on the specific server location. |
Spark Development SRL operates the Moxy platform primarily using infrastructure leased from Hetzner Online GmbH. This may include application servers, databases, uploaded files, internal storage, backups, logs, monitoring, and diagnostics systems.
Internal systems operated by Spark Development SRL
The following systems may be used as part of the Moxy operating environment, but are operated by Spark Development SRL on its own infrastructure or leased dedicated infrastructure and are not separate third-party subprocessors unless hosted, managed, or accessed by another external provider:
- Application servers and databases
- Uploaded file storage on the Moxy server
- Internally hosted object storage / Vault S3, if enabled
- Self-hosted Sentry or similar diagnostics and error monitoring
- Grafana, Prometheus, and related internal monitoring/log analysis tools
- Backups and operational logs
These systems may process technical data, logs, diagnostics data, uploaded files, and customer data as necessary to provide, secure, monitor, debug, and maintain Moxy.
Customer-enabled integrations
Moxy may allow customers to enable optional integrations with third-party services. These integrations are enabled, configured, or authorized by the customer in their Moxy instance. Depending on the customer's configuration, these may include:
| Provider | Purpose | When used |
|---|---|---|
| Microsoft Corporation / Microsoft Ireland Operations Limited | Microsoft 365 APIs and related Microsoft integrations, such as calendar, email, files, directory, identity, or other Microsoft Workspace functionality. | Only when enabled, authorized, or configured by the customer. |
| Google LLC / Google Ireland Limited | Google APIs and related Google Workspace integrations, such as calendar, email, files, directory, identity, or other Google Workspace functionality. | Only when enabled, authorized, or configured by the customer. |
| Customer-configured SMTP provider | Sending application emails through SMTP settings provided by the customer. | Only when configured by the customer. |
Where a customer enables a third-party integration, the customer is responsible for ensuring that it has the right to connect Moxy to that service and for reviewing the third party's applicable terms, privacy notices, and data processing terms.
If a customer configures Moxy to send emails through the customer's own SMTP provider, emails and related metadata may be processed by that provider according to the customer's configuration and the provider's own terms. Spark Development SRL does not control customer-selected SMTP providers unless otherwise agreed separately.
Future providers
Spark Development SRL does not currently use analytics cookies or third-party analytics providers for Moxy. If analytics, external diagnostics, payment processing, support tools, or other third-party providers are introduced in the future and those providers process customer personal data on behalf of Spark Development SRL, this list will be updated accordingly.
International transfers
Any transfer of personal data outside the European Economic Area shall occur only with appropriate safeguards where required by applicable law.
Technical and organizational measures
- Access control and authentication
- Least-privilege practices
- Encrypted transport where applicable
- Backups
- Logging and monitoring
- Secure hosting
- Vulnerability and patch management
- Incident response
- Separation of customer data where applicable
- Data minimization in logs
Related policies
See our Privacy Policy and GDPR & Data Protection summary for additional context.
Contact
Spark Development SRL — data protection contact: dpo@sprk.dev.