Legal
Data Processing
This page summarises our Data Processing Addendum (DPA), our sub-processor list, and the safeguards we apply to any international transfer. The signed DPA itself is provided on request.
1. Roles
- Customer is the data controller of the personal data inside files uploaded to SP3.
- SP3 is the data processor of that file content. SP3 is the data controller of account, billing, and operational metadata as described in the Privacy Policy.
2. Processing scope
SP3 processes ciphertext on behalf of the customer for the sole purpose of making it available to that customer through authenticated access. SP3 does not read, mine, profile, or sell customer content. SP3 does not use customer content to train any model.
3. Security measures (Art. 32)
- AES-256-GCM client-side encryption; keys never transit SP3.
- TLS 1.3 on the transport path with x25519 key exchange.
- Argon2id password hashing with per-account salt.
- FIDO2/WebAuthn hardware-key support; geo-aware short-lived sessions.
- Dedicated European hardware; role-based access for operators, with break-glass events logged and available to the customer on request.
4. Sub-processor list
EU-West primary colocation
An EU-based Tier III colocation operator. Scope: physical hosting of dedicated SP3 hardware. Data minimisation: no customer content ever traverses partner systems in readable form — ciphertext only. The current operator is named in the signed DPA.
Transactional email delivery
An EU-based transactional email delivery provider. Scope: outbound delivery of service-notification emails. Data shared: the recipient address and the message body we already render ourselves. The current provider is named in the signed DPA.
Payments processor
An EU-based payments provider. Scope: card authorisation and invoicing. Data shared: customer email and invoice amount. SP3 never sees card numbers. The current provider is named in the signed DPA.
Adding a new sub-processor triggers a 30-day advance notice by email. Customers may object in writing; if objection is unresolved, either party may terminate without penalty.
5. International transfers
SP3 does not transfer personal data outside the European Economic Area as part of normal operation. Customer-content ciphertext remains in the EU-West region. Where a sub-processor temporarily handles metadata from outside the EEA, transfers are covered by the European Commission's Standard Contractual Clauses plus supplementary technical measures (end-to-end encryption, IP minimisation).
6. Breach notification
In the unlikely event of a personal-data breach affecting customer data, SP3 notifies the affected customer without undue delay and in any event within 48 hours of becoming aware. The notification includes the nature, scope, likely consequences, and the measures taken to mitigate.
7. Audit rights
Customers on enterprise plans may audit SP3's processing operations once per 12 months, at their own cost and under reasonable confidentiality. Where independent third-party audit reports are available, summaries are shared on request.
8. Return or deletion
On termination of the main contract, SP3 returns or deletes all customer personal data within 30 days at the customer's option, except where retention is mandated by applicable law.