Skip to main content
DRAFT, not lawyer-reviewed. Do not rely on this document for legal purposes.

Data Processing Addendum — DRAFT OUTLINE

DRAFT — not lawyer-reviewed. This is a structured outline for counsel to convert into a full DPA when triggered. It is aligned with CONTEXT.md, PLAN.md, and privacy-policy.md Appendix C (sub-processor register) as of 2026-05-19.

Version: DRAFT-1
Document date: 2026-05-19

1. When this DPA applies

Execute a signed DPA when any of the following is true:

TriggerNotes
Enterprise contractHost requires DPA before procurement
EU/UK End Customers at scaleHost processes personal data of EU/UK residents through 3rdSpace tools
Large California cohortHost exceeds CCPA processor thresholds for California residents
Regulated industryHealthcare, financial services, or education Host mandates processor terms

US-only self-serve launch: Most small US hosts will not sign a DPA at onboarding. The Privacy Policy and Terms suffice until a trigger occurs.

2. Roles

PartyRoleExamples
Host (Organization)Controller (or joint controller) for End Customer CRM data, reservations, tickets, waivers
3rdSpace, Inc.Processor when handling Host CRM/tool data on Host instructions; Controller for Account data, internal CRM, billing, and platform operations

Clarify in the final DPA which tools are strictly processor-only vs. where 3rdSpace acts as independent controller (e.g., auto-CRM-entry into org-3rdspace internal CRM).

3. Subject matter and duration

  • Subject matter: Hosting and processing personal data submitted by Hosts through the 3rdSpace host platform.
  • Duration: Term of the Host's subscription plus retention periods in the Privacy Policy (30-day soft-delete grace, legal holds, audit logs 2 years, billing 7 years).

4. Categories of data subjects

  • Host's employees and agents (Users with memberships)
  • Host's End Customers (CRM contacts, guests, ticket buyers, form submitters, etc.)
  • Affiliates (Unlimited Affiliate Marketing)

5. Categories of personal data

Mirror Privacy Policy Section 6 — identifiers, commercial data, communications content, internet activity, geolocation (Places), financial (Stripe references), professional (staff scheduling), inferences (AI Booster when enabled).

6. Processing operations

  • Storage and retrieval (Firestore, Cloud Storage)
  • Transmission (SendGrid, Twilio, Gemini API)
  • Organization, structuring, adaptation (CRM, campaigns)
  • Erasure and restriction (soft-delete, export, deletion requests routed per Privacy Policy §19–21)

7. Sub-processors (planned register)

Counsel should finalize SCCs / DPAs with each vendor before EU processing.

Sub-processorServiceData touched
Google / FirebaseAuth, Firestore, Storage, Functions, HostingAll platform data
StripeSubscriptions, credit purchases, ConnectBilling, payout KYC
SendGridEmail deliveryEmail content, metadata
TwilioSMS, A2PSMS content, phone numbers
Google (Gemini)AI BoosterPrompt payloads per call
SentryError monitoringDiagnostics, optional replay
CloudflareTurnstile, DNSAbuse signals, IP
Google Maps PlatformPlaces, Time ZoneAddress, lat/lng

Changes: 3rdSpace will notify Hosts of material sub-processor changes per DPA standard (30 days objection right — counsel to draft).

8. Security measures

Reference Privacy Policy Section 17 and CONTEXT — Production data protection:

  • HTTPS everywhere
  • Firebase Auth; hashed passwords
  • Firestore security rules + scoped RBAC
  • PITR (7-day) and weekly exports (90-day retention) on production
  • Webhook signature verification (Stripe, Twilio)
  • Internal admin impersonation read-only with audit log

No SOC 2 attestation claimed at launch — do not promise certifications we lack.

9. International transfers

  • Launch: US-hosted businesses, USD, primary processing us-east1.
  • Future EU: Standard Contractual Clauses + UK IDTA as counsel recommends.

10. Data subject rights assistance

3rdSpace will:

  • Provide tools for Hosts to export/delete Host-controlled CRM data where technically feasible
  • Route individual requests that clearly belong to Host to the Host within a reasonable timeframe
  • Honor direct requests for Account data where 3rdSpace is controller

Export delay: Self-serve portability may take up to 14 days (Privacy Policy §20) — disclose in DPA if required.

11. Breach notification

Notify Host without undue delay after confirming a personal data breach affecting Host-controlled data. Content: nature, categories, approximate count, mitigation, contact point.

Timing and detail per applicable law — counsel to set (e.g., 72 hours for GDPR Art. 33 style).

12. Audits

Commercially reasonable audit rights: questionnaire + annual summary at launch scale; on-site audit only for enterprise tier with 30 days' notice and NDA.

13. Deletion and return

On termination or written request:

  • Host may export during notice period
  • After 30-day soft-delete windows, purge per retention schedule
  • Backup tapes roll off per PITR/export retention

14. Liability and order of precedence

Signed DPA + Order Form + Terms + Privacy. Conflicts: Order Form > DPA > Terms unless DPA explicitly states otherwise for data protection articles.

15. Action items for counsel

  • Draft full DPA from this outline when first EU enterprise or regulated Host signs
  • Add SCCs / UK addendum modules
  • Align sub-processor list with live vendor contracts
  • Confirm auto-CRM-entry and host-channel marketing roles
  • Confirm Gemini training restrictions language matches Google agreement

Last reviewed by counsel: never (not yet)

← Back to home