Data Processing Agreement
Last Updated: March 15, 2026 | Effective Date: March 15, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Third Space, LLC ("Processor," "Thirdspace," "we") and the entity or individual agreeing to the Terms of Service ("Controller," "Customer," "you") for the use of Emergency Unmerge by Third Space ("the Service").
This DPA is entered into to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable privacy laws.
When you use the Service, this DPA is automatically incorporated into the Terms of Service. No separate signature is required.
1. Definitions
- "Controller" means the Customer who determines the purposes and means of the processing of Personal Data through its use of the Service.
- "Processor" means Third Space, LLC, which processes Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
- "Sub-Processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA/CPRA, and their implementing regulations.
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914.
2. Scope and Details of Processing
2.1 Subject Matter
The Processor processes Personal Data to provide the Emergency Unmerge service, including merge detection, AI-powered reconstruction analysis, record creation, property restoration, and association recovery for accidentally merged HubSpot CRM records.
2.2 Duration
Processing continues for the duration of the Controller's use of the Service, plus any post-termination retention period specified herein.
2.3 Nature and Purpose of Processing
- Reading CRM record properties, property history, associations, and activities via HubSpot API
- Transmitting CRM data to Anthropic's Claude API for AI-powered reconstruction analysis, initiated explicitly by the Controller
- Creating new HubSpot records to restore abolished (merged-away) records
- Setting properties, restoring associations, and preserving property history on restored records
- Storing OAuth tokens, operation logs, credit balances, and billing records
2.4 Types of Personal Data
- Contact identifiers: names, email addresses, phone numbers, job titles
- Company information: names, domains, industry, revenue
- Deal information: deal names, amounts, stages
- Association metadata: relationships between records
- Engagement metadata: notes, tasks, calls, emails, meetings (used for reconstruction context)
- Property history: timestamped changes to record properties (used for AI reconstruction)
2.5 Categories of Data Subjects
- CRM contacts stored in the Controller's HubSpot portal
- Controller's employees who use the Service (portal administrators)
3. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis for the processing of Personal Data and for instructing the Processor to process Personal Data on its behalf.
- Ensure it has provided any necessary notices to, and obtained any necessary consents from, data subjects.
- Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.
- Comply with its obligations under applicable Data Protection Laws.
4. Processor Obligations
The Processor shall:
4.1 Processing Instructions
Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. The Controller's instructions are documented in the Terms of Service and this DPA. The Processor shall inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.
4.2 Confidentiality
Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security Measures (Article 32)
Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of Personal Data in transit (TLS 1.2+) and at rest (Fernet/AES-128-CBC with HMAC-SHA256 for OAuth tokens)
- Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
- Ability to restore the availability and access to Personal Data in a timely manner in the event of an incident
- Regular testing and evaluation of the effectiveness of security measures
- Access controls restricting database access to the application service only
- Error monitoring with PII sending disabled
4.4 Sub-Processors
The Controller provides general authorization for the Processor to engage the following Sub-Processors:
| Sub-Processor | Purpose | Location |
|---|---|---|
| Render.com | Application hosting, database hosting | United States (Oregon) |
| Anthropic (Claude API) | AI-powered reconstruction analysis | United States |
| Stripe | Payment processing | United States |
| HubSpot | CRM platform (Controller's data resides here) | United States / EU |
The Processor shall notify the Controller of any intended addition or replacement of Sub-Processors at least 30 days in advance. If the Controller objects within 30 days, the parties shall discuss the concern in good faith. If the objection cannot be resolved, the Controller may terminate the Service.
4.5 Data Subject Rights
The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by:
- Promptly forwarding any data subject requests received directly to the Controller
- Providing the Controller with the ability to access, correct, and delete Personal Data
- Deleting operation data upon Controller request
4.6 Data Protection Impact Assessments
The Processor shall assist the Controller with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required, by providing necessary information about the Processor's processing activities.
4.7 Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include:
- The nature of the breach, including categories and approximate number of data subjects and records affected
- Contact details for the Processor's point of contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate adverse effects
4.8 Deletion and Return of Data
Upon termination of the Service or upon the Controller's request:
- The Processor shall delete all Personal Data from its systems within 30 days, unless retention is required by applicable law
- The Controller may request a data export in machine-readable format (JSON) within 14 days of termination
- Records created in HubSpot during reconstruction remain under the Controller's direct control
4.9 Audits and Compliance
The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor. Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations.
5. International Data Transfers
Personal Data is transferred to the United States for processing. The following transfer mechanisms apply:
5.1 Standard Contractual Clauses
The parties agree to the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows:
- Module 2 (Controller-to-Processor): Applies to transfers of Personal Data from the Controller to the Processor
- Module 3 (Processor-to-Processor): Applies to transfers from the Processor to Sub-Processors
The SCCs are incorporated by reference into this DPA. Where there is any conflict between this DPA and the SCCs, the SCCs shall prevail.
5.2 UK International Data Transfer
For transfers from the United Kingdom, the UK Addendum to the EU SCCs (as approved by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated into this DPA.
5.3 EU-US Data Privacy Framework
Where Sub-Processors are certified under the EU-US Data Privacy Framework, transfers may additionally rely on the DPF adequacy decision.
6. CCPA/CPRA Service Provider Terms
To the extent the CCPA applies, the Processor acts as a "Service Provider" under the CCPA. The Processor certifies that it:
- Shall not retain, use, or disclose Personal Information for any purpose other than performing the Service as specified in the Terms of Service, or as otherwise permitted by the CCPA
- Shall not sell or share Personal Information as defined by the CCPA
- Shall not retain, use, or disclose Personal Information outside the direct business relationship with the Controller
- Shall comply with the CCPA and provide the same level of privacy protection as required by the CCPA
- Shall notify the Controller if it determines it can no longer meet its CCPA obligations
- Shall allow the Controller to take reasonable and appropriate steps to ensure the Processor uses Personal Information in a manner consistent with the Controller's CCPA obligations
- Shall impose equivalent restrictions on any sub-contractors that access Personal Information
- Shall assist the Controller in responding to verifiable consumer requests
7. Annex: Technical and Organizational Measures
| Measure | Implementation |
|---|---|
| Encryption in transit | TLS 1.2+ for all API communications; HSTS enforced |
| Encryption at rest | Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256) for OAuth tokens |
| Access control | Database accessible only by application service; no public endpoints |
| Authentication | HubSpot OAuth 2.0; Emergency Unmerge never stores user passwords |
| AI data handling | CRM data sent to Anthropic Claude API is not used for model training; processed in memory only |
| Data minimization | Only operation metadata and billing records stored; full CRM data remains in HubSpot |
| Monitoring | Sentry error monitoring (PII disabled); application-level logging |
| Hosting security | Render.com SOC 2 Type II certified infrastructure (Oregon, US) |
| Incident response | 72-hour breach notification; template notifications maintained |
| Data deletion | Manual upon request within 30 days |
8. General Provisions
8.1. This DPA shall be governed by the same governing law as the Terms of Service.
8.2. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.
8.3. This DPA shall automatically terminate upon termination of the Terms of Service.
8.4. This DPA may be updated by the Processor with at least 30 days' notice to the Controller. Material changes that reduce the Controller's protections require the Controller's consent.
Third Space, LLC
Email: joshua@thirdspaced.com
Website: https://emergencyunmerge.com