Data Processing Agreement
Effective date: 19 February 2026 · Last updated: 19 February 2026
This Data Processing Agreement ("DPA") forms part of the agreement between the Customer ("Data Controller") and SpendApproval ("Data Processor") for the provision of the SpendApproval media spend approval service. To execute this DPA, contact [email protected].
1. Definitions
- "Data Controller" means the Customer (the agency or organisation) that determines the purposes and means of processing personal data through the SpendApproval service.
- "Data Processor" means SpendApproval, which processes personal data on behalf of the Data Controller.
- "Personal Data", "Processing", "Data Subject", and "Supervisory Authority" have the meanings given in the GDPR (Regulation (EU) 2016/679).
- "Sub-processor" means any third party engaged by the Data Processor to process Personal Data on behalf of the Data Controller.
- "Standard Contractual Clauses" ("SCCs") means the standard contractual clauses for the transfer of personal data to processors established in third countries, as adopted by the European Commission (Commission Implementing Decision (EU) 2021/914).
2. Scope and Purpose of Processing
The Data Processor processes Personal Data solely for the purpose of providing the SpendApproval media spend approval workflow service, which includes:
- Processing and routing approval requests for media spend
- Multi-channel notification delivery (email, SMS, Slack, phone)
- Recording approval decisions and generating cryptographic receipts
- Maintaining audit trails for compliance and financial record-keeping
- Enforcing approval policies (e.g., campaign pausing on rejection or timeout)
3. Categories of Personal Data
| Category | Data Elements | Data Subjects |
|---|---|---|
| User account data | Name, email, phone number, role, authentication tokens (hashed) | Agency employees, client approvers |
| Approval request data | Spend amounts, campaign identifiers, client names, approval decisions, timestamps | Requesters, approvers |
| Contact data | Name, email, phone number | Approvers, stakeholders |
| Communication logs | Notification type, delivery status, timestamps | Notification recipients |
| Call session data | Call duration, DTMF input, timestamps | Phone-based approvers |
4. Obligations of the Data Processor
4.1 Processing Instructions
The Data Processor shall process Personal Data only on documented instructions from the Data Controller, unless required to do so by applicable law. If such a legal requirement exists, the Data Processor shall inform the Data Controller prior to processing (unless prohibited by law).
4.2 Confidentiality
The Data Processor shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security Measures
The Data Processor implements the following technical and organisational measures:
- Encryption at rest: AES-256-GCM for sensitive data fields
- Encryption in transit: TLS 1.3 on all connections
- Network security: Cloudflare WAF, DDoS protection, rate limiting
- API authentication: Edge-level authentication and authorisation
- Approval link security: HMAC-SHA256 signed tokens with rotating keys
- Secrets management: Infisical (self-hosted, not exposed to third parties)
- Session security: Secure, HttpOnly, SameSite=Lax cookies
- Access control: Role-based access, zero-trust architecture at the edge
- Audit logging: Immutable, cryptographically hashed receipt chains
4.4 Sub-processors
The Data Processor may engage Sub-processors to assist in providing the service. A current list of Sub-processors is maintained at spendapproval.com/legal/subprocessors.html.
The Data Processor shall:
- Notify the Data Controller of any intended changes to Sub-processors with at least 30 days' notice
- Impose data protection obligations no less onerous than this DPA on each Sub-processor via written contract
- Remain fully liable for the acts and omissions of its Sub-processors
The Data Controller may object to a new Sub-processor by notifying the Data Processor in writing within 14 days of receiving notice. If the objection cannot be resolved, the Data Controller may terminate the affected service component.
4.5 Data Subject Rights
The Data Processor shall assist the Data Controller in responding to requests from Data Subjects exercising their rights under Chapter III of the GDPR (access, rectification, erasure, portability, objection, restriction).
4.6 Data Protection Impact Assessments
The Data Processor shall assist the Data Controller with data protection impact assessments and prior consultations with supervisory authorities, where required, taking into account the nature of processing and the information available to the Data Processor.
5. Breach Notification
In the event of a Personal Data breach, the Data Processor shall notify the Data Controller without undue delay and in any case within 72 hours of becoming aware of the breach. The notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of the Data Processor's point of contact
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach
6. Data Retention and Deletion
Upon termination of the service agreement, the Data Processor shall:
- Delete or return all Personal Data to the Data Controller, at the Data Controller's election
- Delete existing copies unless applicable law requires retention
- Complete deletion within 90 days of termination, subject to the following retention obligations:
| Data Category | Post-Termination Retention | Basis |
|---|---|---|
| Approval records and receipts | Up to 7 years (if required by financial regulations) | Legal obligation |
| Communication logs | Up to 3 years | Legal obligation / legitimate interest |
| All other Personal Data | Deleted within 90 days | Contract termination |
Data retained after termination for legal compliance is access-restricted and processed solely for the purpose of meeting the retention obligation.
7. International Data Transfers
Where Personal Data is transferred to countries outside the EEA that do not benefit from an adequacy decision, the parties agree to the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows:
- Module Two (Controller to Processor) applies to transfers from the Data Controller to SpendApproval
- Module Three (Processor to Sub-processor) applies to transfers from SpendApproval to its Sub-processors
The SCCs are incorporated by reference into this DPA. In the event of any conflict between this DPA and the SCCs, the SCCs shall prevail.
8. Audits
The Data Processor shall make available to the Data Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by the Data Controller or an auditor mandated by the Data Controller.
Audits shall be:
- Conducted with reasonable advance notice (at least 30 days)
- Limited to once per calendar year (unless a breach has occurred)
- Conducted during normal business hours
- Subject to reasonable confidentiality obligations
9. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the principal service agreement between the parties.
10. Term
This DPA shall remain in effect for the duration of the principal service agreement. Obligations relating to data deletion, retention, and confidentiality survive termination.
11. Governing Law
This DPA is governed by the law specified in the principal service agreement, except where the GDPR or other applicable data protection laws mandate otherwise.
12. Contact
- Data Processor contact for DPA matters: [email protected]
- Data Processor registered address: [TO BE CONFIRMED]
- Data Protection Officer: [TO BE CONFIRMED]
Annex A: Description of Processing
| Element | Description |
|---|---|
| Subject matter | Processing of personal data as part of the SpendApproval media spend approval service |
| Duration | Duration of the principal service agreement |
| Nature and purpose | Media spend approval workflow automation, notification delivery, audit trail generation |
| Type of personal data | See Section 3 above |
| Categories of data subjects | Agency employees, client-side approvers, stakeholders |
Annex B: Technical and Organisational Measures
See Section 4.3 above. Additional detail available upon request to [email protected].
Annex C: List of Sub-processors
See spendapproval.com/legal/subprocessors.html for the current list of approved Sub-processors.