Data Processing Agreement

Effective Date: December 5, 2025

Note: This Data Processing Agreement (DPA) forms part of your service agreement with Sparrow and governs our processing of personal data on your behalf.

1. Definitions

  • "Controller" means you, the customer using Sparrow's services
  • "Processor" means Sparrow Inc.
  • "Personal Data" means any information relating to an identified or identifiable natural person
  • "Processing" has the meaning given in GDPR Article 4(2)
  • "Sub-processor" means any third party appointed by Sparrow to process Personal Data
  • "Data Protection Laws" means GDPR and all applicable data protection laws

2. Scope and Duration

This DPA applies to all Personal Data processed by Sparrow on your behalf while providing the Services. The DPA term runs concurrently with your service agreement and continues until all Personal Data is deleted or returned.

3. Sparrow's Obligations as Processor

Sparrow shall:

  • Process Personal Data only on documented instructions from you
  • Ensure personnel processing data are bound by confidentiality
  • Implement appropriate technical and organizational security measures
  • Only engage Sub-processors with your prior authorization
  • Assist you in responding to data subject requests
  • Assist you in ensuring compliance with GDPR obligations
  • Delete or return all Personal Data upon termination
  • Make available information necessary to demonstrate compliance

4. Your Rights as Controller

You may:

  • Issue additional written instructions regarding data processing
  • Request information about Sub-processors
  • Object to the appointment of new Sub-processors
  • Audit our compliance with this DPA (with reasonable notice)
  • Request deletion or return of Personal Data at any time

5. Sub-processors

Current authorized Sub-processors include cloud infrastructure providers (AWS, Google Cloud), payment processors, and analytics providers. We maintain an up-to-date list at sparrow.help/subprocessors. We will notify you 30 days before adding new Sub-processors, and you may object for legitimate reasons.

6. Security Measures

Sparrow implements the following security measures (as detailed in our Security page):

  • Encryption: AES-256 at rest, TLS 1.3 in transit
  • Access control: RBAC, 2FA, SSO support
  • Network security: VPC isolation, firewalls
  • Monitoring: 24/7 security monitoring and logging
  • Incident response: Defined procedures and notification
  • Regular audits: SOC 2, penetration testing

7. Data Subject Rights

Sparrow provides self-service tools and API access to enable you to respond to data subject requests (access, rectification, erasure, portability, restriction). We will assist you in fulfilling these requests within the timeframes required by law.

8. Data Breach Notification

In the event of a Personal Data breach, Sparrow will notify you without undue delay and no later than 24 hours after becoming aware. Notification will include available information about the breach, affected data, likely consequences, and measures taken or proposed.

9. International Transfers

Data may be transferred to and processed in countries outside the EEA. Such transfers are subject to Standard Contractual Clauses approved by the European Commission, ensuring adequate protection regardless of location.

10. Return or Deletion of Data

Upon termination or at your request, Sparrow will delete all Personal Data within 30 days, unless required by law to retain it. You may request a final export before deletion.

11. Audit Rights

You may audit our compliance once per year with 30 days' notice. We provide SOC 2 Type II reports annually as evidence of compliance. Additional audits may be subject to reasonable fees.

Contact for DPA Questions

Email: dpa@sparrow.help
For a signed copy of this DPA, please contact legal@sparrow.help