Data Processing Agreement (DPA)

SparkleManager — Last updated: May 20, 2026

This Data Processing Agreement (“DPA”) is incorporated into and forms part of the SparkleManager Terms and Conditions (“Agreement”) between:

The Controller: The Customer (“you”) who has subscribed to the Service.

The Processor: SparkleManager (“we”, “us”, “our”), a UK-based entity.

This DPA applies to the processing of Personal Data (as defined below) by the Processor on behalf of the Controller in connection with the Service.

1. Definitions

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” shall have the meanings ascribed to them in UK Data Protection Law.

“Customer Data” means the Personal Data that the Controller uploads, inputs, or otherwise provides to the Processor through the Service.

“UK Data Protection Law” means the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.

2. Processing of Personal Data

2.1. Roles: The parties agree that for the Customer Data, the Controller is the Data Controller and the Processor is the Data Processor.

2.2. Details of Processing:
  • Subject Matter: The provision of the SparkleManager Service as described in the Agreement.
  • Duration: For the duration of the Agreement and until the deletion of all Customer Data by the Processor.
  • Nature and Purpose: To process, store, and manage Customer Data to enable the Controller to schedule work, manage clients, and invoice clients.
  • Categories of Data: Contact and business information relating to the Controller's customers (e.g., names, email addresses, phone numbers, addresses, appointment schedules, invoice details). The Controller agrees not to upload any Special Category Data (e.g., health or biometric data) into the Service.
  • Data Subjects: The customers and clients of the Controller.

2.3. Instructions: The Processor shall only process Customer Data on the documented instructions of the Controller (as set out in the Agreement and this DPA), unless required to do so by UK law.

3. Processor's Obligations

The Processor (SparkleManager) agrees to:

3.1. Confidentiality: Ensure that all personnel authorised to process Customer Data have committed themselves to strict confidentiality.

3.2. Security (Technical and Organisational Measures): Implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, including (but not limited to):

  • Encryption of Customer Data in transit and at rest.
  • Strict access controls to ensure only authorised personnel can access Customer Data on a “need-to-know” basis.
  • Measures to ensure the ongoing confidentiality, integrity, and availability of the processing systems.

3.3. Personal Data Breaches: In the event of a Personal Data Breach affecting Customer Data, the Processor shall:

  • Notify the Controller without undue delay after becoming aware of the breach.
  • Provide such notification to the Controller's registered account administrator email address.
  • Provide reasonable assistance to the Controller in mitigating and responding to the breach.

3.4. Assistance with Controller's Obligations: Taking into account the nature of the processing, the Processor shall provide reasonable assistance to the Controller:

  • Data Subject Rights: To respond to requests from Data Subjects exercising their rights under UK Data Protection Law (e.g., access, rectification, erasure). The Processor shall promptly notify the Controller of any such request received directly.
  • Data Protection Impact Assessments (DPIAs): To assist the Controller with any DPIAs related to the Service.

4. Sub-processors

4.1. Authorisation: The Controller grants the Processor general written authorisation to engage third-party sub-processors to assist in providing the Service.

4.2. Approved List: The Processor's current sub-processors are:

  • Clerk: Identity management and authentication (USA)
  • Google Cloud Platform (GCP): Hosting and core infrastructure (UK/Europe)
  • Stripe: Payment processing (USA)
  • Google Analytics: Service analytics (USA)
  • Sentry: Application performance monitoring and error tracking (USA)

4.3. Liability: The Processor shall remain fully liable for all acts or omissions of its sub-processors. The Processor shall have a written agreement with each sub-processor containing data protection obligations no less protective than those in this DPA.

4.4. International Transfers: For any transfers of Customer Data outside the UK, the Processor confirms it will ensure that appropriate safeguards (such as the UK-US Data Privacy Framework or Standard Contractual Clauses) are in place as required by UK Data Protection Law.

5. Audit Rights

The Processor shall make available to the Controller, upon reasonable request, all information necessary to demonstrate compliance with this DPA. The Processor agrees to facilitate audits, including inspections, by the Controller or an auditor mandated by the Controller (subject to reasonable notice and confidentiality obligations). Such audits shall be limited to the provision of relevant documentation, reports, or certifications.

6. Data Deletion

Upon termination of the Agreement, the Processor shall delete all Customer Data from its systems within thirty (30) days, unless UK law requires storage.

7. Governing Law

This DPA shall be governed by and construed in accordance with the laws of England and Wales. Any disputes shall be subject to the dispute resolution mechanism set out in the Agreement.