Data Processing Addendum

For customers whose use of Spyder is subject to GDPR, UK GDPR, or similar data-protection laws. This DPA is incorporated into and forms part of the Terms of Service.

Last updated: May 31, 2026

Roles

For personal data the customer collects through their Spyder-hosted site (visitor form submissions, analytics, contact info), the customer is the data controller and Spyder is the data processor. For personal data Spyder collects from the customer directly (account, billing), Spyder is the controller.

Scope of processing

  • Categories of data: Whatever personal data the customer chooses to collect through their site (typically: name, email, message body, IP address of submitter).
  • Categories of data subjects: Visitors to the customer's site, end users of the customer's forms.
  • Purpose: Operating the site, storing form submissions for the customer to retrieve.
  • Duration: For the lifetime of the customer's account, plus 30 days post-deletion for backup expiration.

Sub-processors

We use the following sub-processors to operate the service:

  • Cloudflare, Inc. — edge compute (Workers), database (D1), object storage (R2), CDN. Global, with regional pinning available for Enterprise customers.
  • Stripe, Inc. — billing and payment processing.
  • Resend (Plus Five Five, Inc.) — operational email delivery.
  • Groq, Inc. — AI inference for AI site generation and AI text rewrite features (only invoked when the customer triggers these features).

We'll give 30 days' notice before adding a new sub-processor. Customers can object via privacy@spyderapp.com within that window.

Security measures

See the Security page for the technical and organizational measures we apply, including encryption in transit (TLS 1.3) and at rest (AES-256 via Cloudflare's storage layers), access controls, and audit logging.

International transfers

Cloudflare's edge network is global. Where personal data of EU/UK residents is transferred outside the EEA/UK, we rely on the Standard Contractual Clauses (2021/914/EU) as the transfer mechanism. The SCCs are incorporated by reference into this DPA.

Data subject requests

When a data subject contacts Spyder directly with a request that relates to data we hold on a customer's behalf, we'll forward the request to the customer within 5 business days. Customers are responsible for responding to data subject requests within the statutory window.

Audit rights

Pro and Studio customers can request a summary of our most recent security audit by emailing security@spyderapp.com. On-site audits are reserved for Enterprise contracts.

Breach notification

We'll notify affected customers without undue delay (and in any case within 72 hours of confirmation) of any personal data breach affecting their data.

Return and deletion

On termination of service, the customer can export all their data. We delete the customer's data within 30 days of account closure. Backups expire on a rolling 30-day window.

Contact

Data Protection contact: privacy@spyderapp.com.