Data Processing Agreement

Contractual terms governing SpamBlock’s processing of personal data on behalf of customers.

Last updated: 31 October 2025

This Data Processing Agreement (“DPA”) forms part of the SpamBlock Subscription Terms between SpamBlock (“SpamBlock”, “Processor”) and the customer signing up for the SpamBlock service (“Customer”, “Controller”).

1. Subject matter and duration

1.1 SpamBlock provides an anti-spam pixel that evaluates form submissions and returns an allow/deny decision. In doing so, SpamBlock processes the personal data described in Annex 1 for the term of the Customer’s Subscription.

1.2 Processing begins when the Customer enables the SpamBlock pixel and continues until the Subscription ends or the Customer instructs SpamBlock to delete the data.

2. Nature and purpose of processing

SpamBlock processes personal data solely to provide spam detection services, including:

  • Receiving form submission payloads and metadata.
  • Running automated scoring to identify suspicious activity.
  • Returning allow/deny responses and telemetry to the Customer.
  • Providing analytics, logs, and support to the Customer.

3. Categories of data

  • Data subjects: Website visitors, leads, and end-users whose information is submitted through Customer forms.
  • Personal data: Names, email addresses, free-text fields, IP addresses, user agents, and other data transmitted in form submissions.
  • Special categories of data: The Service is not intended to process special categories. Customer must not transmit such data through SpamBlock.

4. Controller obligations

The Customer is responsible for:

  • Providing lawful instructions and ensuring there is a valid legal basis for processing.
  • Informing data subjects about the use of SpamBlock, including via the Customer’s privacy notice.
  • Configuring retention settings and requesting deletion of form logs when required.
  • Responding to data subject requests (DSRs). SpamBlock will assist as described in Section 6.

5. Processor obligations

SpamBlock shall:

  • Process personal data only on documented instructions from Customer, including with respect to transfers to a third country.
  • Ensure persons authorised to process the personal data are bound by confidentiality obligations.
  • Maintain appropriate technical and organisational security measures as outlined in Annex 2.
  • Notify Customer without undue delay after becoming aware of a personal data breach.
  • Make available information necessary to demonstrate compliance and allow for audits as described in Section 7.

6. Assistance to the controller

SpamBlock will:

  • Provide reasonable assistance to Customer in fulfilling data subject access, rectification, deletion, portability, and objection requests that apply to SpamBlock’s processing.
  • Assist Customer with data protection impact assessments and consultations with supervisory authorities, taking into account the nature of processing and information available to SpamBlock.

7. Documentation

SpamBlock will make available to Customer, upon written request, the information necessary to demonstrate compliance with this DPA. Audits by the Customer or third parties are not permitted.

8. Sub-processors

SpamBlock engages the sub-processors listed below. SpamBlock will provide notice of any changes with the opportunity to object.

Sub-processor Purpose Location
Cloudflare, Inc. Hosting of edge Workers and KV storage EU / Global
Make (Integromat) Optional webhook automation used in demo flows EU

Customer authorises SpamBlock to use these sub-processors, provided SpamBlock ensures each sub-processor provides at least the same level of data protection as set out in this DPA.

9. International transfers

Where SpamBlock transfers personal data outside the EU/EEA, it will rely on an adequacy decision or the Standard Contractual Clauses (SCCs). Upon request, SpamBlock will provide a copy of the relevant SCCs executed with sub-processors.

10. Security measures

SpamBlock has implemented security measures summarised in Annex 2. Customer is responsible for assessing whether these meet its obligations under Article 32 GDPR and for configuring the Service appropriately.

11. Deletion and return of data

Upon termination or expiry of the Subscription, SpamBlock will delete form submission logs within 30 days unless EU law requires retention. Customer may also request deletion during the term by contacting [email protected].

12. Liability

The parties’ liability under this DPA mirrors the limitation of liability set out in the Subscription Terms. Nothing in this DPA limits a party’s liability for breaches of the GDPR caused by that party.

13. Governing law

This DPA is governed by German law. The exclusive place of jurisdiction is Berlin, Germany.

Annex 1 – Details of processing

  • Subject matter: Automated spam detection for web form submissions.
  • Duration: Subscription term plus up to 30 days for deletion procedures.
  • Nature and purpose: Receipt, analysis, scoring, logging, and return of form submissions to identify spam.
  • Types of data: Contact information, free-text messages, technical metadata (IP address, user agent), and other fields included by the Customer.
  • Data subjects: Visitors and end-users who submit forms protected by Customer.

Annex 2 – Technical and organisational measures

  1. Access control: Role-based access, SSO, least-privilege principles, and quarterly access reviews.
  2. Transmission security: TLS 1.2+ enforced for all data in transit.
  3. Data minimisation: Form logs retained for 90 days by default; aggregated telemetry stored without direct identifiers.
  4. Confidentiality: Employee NDAs, security awareness training, incident response plan, and logging of administrative actions.
  5. Availability: Cloudflare Workers multi-region deployment with automatic failover and daily backups of configuration data.
  6. Monitoring: Automated alerts for anomaly detection and vulnerability scanning of dependencies.

Acceptance

By continuing to use the SpamBlock Service, Customer agrees to the terms of this DPA. For a countersigned copy, please contact [email protected].