SP
SurfacePoint

Data Processing Addendum

Version 2026-07-05.1 | Last updated July 5, 2026

This DPA supplements the Terms of Service and applies where SurfacePoint processes personal data on behalf of a customer.

1. Roles and Scope

Customer acts as controller and SurfacePoint acts as processor for Customer Data processed in the Service, unless otherwise explicitly agreed in writing.

2. Processing Instructions

SurfacePoint processes personal data only on documented instructions from Customer, including use of the Service configuration and documented support requests.

3. Subject Matter and Duration

Processing covers account and operational data required to provide the Service during the subscription term and any defined post-termination retention/export window.

4. Confidentiality and Personnel Controls

Personnel with access to personal data are bound by confidentiality obligations and receive appropriate security/privacy training.

5. Subprocessors

Customer grants general authorization for subprocessors listed at /subprocessors/. SurfacePoint will provide notice of material subprocessor changes and customers may raise reasonable objections.

6. Security Measures (TOMs)

6A. Restricted and Export-Controlled Data

The standard hosted SurfacePoint Service is not currently available for export-controlled, ITAR/EAR, defense-controlled, government-classified, restricted, or unknown technical data unless a separate written agreement expressly allows that use. Customer must not include that data in Customer Data submitted to the standard hosted Service.

If Customer submits information about possible future restricted-data needs, SurfacePoint processes that information for account administration, product planning, sales follow-up, and security review. SurfacePoint does not determine legal classification, licensing requirements, or user eligibility for Customer's regulated or restricted data.

7. Audit and Assessment Rights

On reasonable notice and subject to confidentiality and security limits, Customer may request information sufficient to demonstrate compliance with this DPA.

8. Incident Notification

SurfacePoint will notify Customer without undue delay after becoming aware of a confirmed personal data breach affecting Customer Data and will provide available details for response obligations.

9. Return or Deletion

Upon termination, SurfacePoint will return or delete personal data according to contract terms, unless retention is required by law.

10. International Transfers

Where required for cross-border processing, parties will rely on approved transfer mechanisms such as EU Standard Contractual Clauses and UK transfer addendum language.

11. Conflict and Precedence

If this DPA conflicts with the Terms for data protection matters, this DPA controls for those matters.