Back to home

Data Processing Agreement

Last updated: July 18, 2026

Purpose

This Data Processing Agreement ("DPA") applies when Spark Development SRL processes personal data on behalf of a customer through the Moxy Business Management System.

Parties

  • Customer: the organization using Moxy.
  • Processor: Spark Development SRL, organized under the laws of Romania.

Roles

The customer is the data controller for personal data it enters into Moxy. Spark Development SRL is the data processor when processing such customer-controlled data.

Spark Development SRL may act as an independent controller for limited data such as billing, account administration, security, legal compliance, and direct business communications.

Subject matter

Providing, securing, supporting, maintaining, and improving the Moxy Business Management System for the customer.

Duration

For the duration of the customer's use of Moxy and any retention period required for backups, legal obligations, security, or dispute resolution.

Categories of data subjects

  • Customer users
  • Employees and contractors of the customer
  • Customers and contacts of the customer
  • Suppliers
  • Partners
  • NGO representatives
  • Project participants
  • Other people whose data is entered into Moxy by the customer

Categories of personal data

  • Names
  • Email addresses
  • Phone numbers
  • Job titles
  • Organization and company details
  • Roles and permissions
  • Attendance and time-off records
  • Project and time tracking data
  • Internal request data
  • Contract, customer, supplier, and contact information
  • Technical identifiers and logs
  • Support communications

Processing activities

  • Hosting
  • Storage
  • Retrieval
  • Access
  • Transmission
  • Organization
  • Deletion
  • Backup
  • Security monitoring
  • Support
  • Diagnostics if enabled

Processor obligations

Spark Development SRL shall:

  • Process personal data only on documented customer instructions, including as set out in the Service configuration
  • Ensure confidentiality of authorized personnel
  • Implement appropriate technical and organizational measures
  • Assist the customer with data subject requests where reasonably possible
  • Assist the customer with security and GDPR obligations where applicable
  • Notify the customer of personal data breaches without undue delay after becoming aware
  • Delete or return customer personal data at the end of the service, subject to legal obligations and backups
  • Make available information reasonably necessary to demonstrate compliance
  • Ensure subprocessors are bound by appropriate data protection obligations

Subprocessors and customer-enabled integrations

Spark Development SRL may use subprocessors to provide, host, secure, maintain, and support Moxy. Subprocessors are third-party service providers that may process customer personal data on behalf of Spark Development SRL.

Current subprocessors

SubprocessorPurposeLocation / notes
Hetzner Online GmbHDedicated server hosting, data center infrastructure, networking, storage, backups, and related infrastructure services used to operate Moxy.Germany / European Union, depending on the specific server location.

Spark Development SRL operates the Moxy platform primarily using infrastructure leased from Hetzner Online GmbH. This may include application servers, databases, uploaded files, internal storage, backups, logs, monitoring, and diagnostics systems.

Internal systems operated by Spark Development SRL

The following systems may be used as part of the Moxy operating environment, but are operated by Spark Development SRL on its own infrastructure or leased dedicated infrastructure and are not separate third-party subprocessors unless hosted, managed, or accessed by another external provider:

  • Application servers and databases
  • Uploaded file storage on the Moxy server
  • Internally hosted object storage / Vault S3, if enabled
  • Self-hosted Sentry or similar diagnostics and error monitoring
  • Grafana, Prometheus, and related internal monitoring/log analysis tools
  • Backups and operational logs

These systems may process technical data, logs, diagnostics data, uploaded files, and customer data as necessary to provide, secure, monitor, debug, and maintain Moxy.

Customer-enabled integrations

Moxy may allow customers to enable optional integrations with third-party services. These integrations are enabled, configured, or authorized by the customer in their Moxy instance. Depending on the customer's configuration, these may include:

ProviderPurposeWhen used
Microsoft Corporation / Microsoft Ireland Operations LimitedMicrosoft 365 APIs and related Microsoft integrations, such as calendar, email, files, directory, identity, or other Microsoft Workspace functionality.Only when enabled, authorized, or configured by the customer.
Google LLC / Google Ireland LimitedGoogle APIs and related Google Workspace integrations, such as calendar, email, files, directory, identity, or other Google Workspace functionality.Only when enabled, authorized, or configured by the customer.
Customer-configured SMTP providerSending application emails through SMTP settings provided by the customer.Only when configured by the customer.

Where a customer enables a third-party integration, the customer is responsible for ensuring that it has the right to connect Moxy to that service and for reviewing the third party's applicable terms, privacy notices, and data processing terms.

If a customer configures Moxy to send emails through the customer's own SMTP provider, emails and related metadata may be processed by that provider according to the customer's configuration and the provider's own terms. Spark Development SRL does not control customer-selected SMTP providers unless otherwise agreed separately.

Future providers

Spark Development SRL does not currently use analytics cookies or third-party analytics providers for Moxy. If analytics, external diagnostics, payment processing, support tools, or other third-party providers are introduced in the future and those providers process customer personal data on behalf of Spark Development SRL, this list will be updated accordingly.

International transfers

Any transfer of personal data outside the European Economic Area shall occur only with appropriate safeguards where required by applicable law.

Technical and organizational measures

  • Access control and authentication
  • Least-privilege practices
  • Encrypted transport where applicable
  • Backups
  • Logging and monitoring
  • Secure hosting
  • Vulnerability and patch management
  • Incident response
  • Separation of customer data where applicable
  • Data minimization in logs

Related policies

See our Privacy Policy and GDPR & Data Protection summary for additional context.

Contact

Spark Development SRL — data protection contact: dpo@sprk.dev.