Last updated: June 2026

Scope and roles

This page summarises the Data Processing Agreement ("DPA") that forms part of the Terms of Service. The Customer is the data controller for personal data submitted to or generated within the Service. Spot Cloud B.V., registered in the Netherlands, acts as data processor on the Customer's instructions. The DPA covers personal data processed in a Customer Environment through Spot Suite products. The written agreement follows Article 28 of the General Data Protection Regulation (GDPR) for processor terms.

Processing location

All Customer Data is processed and stored in the European Union. Spot Cloud B.V. does not transfer personal data outside the EU or EEA unless the Customer gives prior written instruction and any required safeguards are in place. Production workloads, backups, and administrative tooling for a Customer Environment remain in EU regions.

Subprocessors

Spot Cloud B.V. uses two infrastructure subprocessors: Cloudflare (EU points of presence; edge hosting and content delivery) and Microsoft Azure (EU regions; compute and storage). A current subprocessor list is available on request. Customers are notified in advance of subprocessor changes and may object on grounds relating to data protection, as set out in the full DPA.

Security measures

Customer Data is encrypted at rest with AES-256 and in transit with TLS 1.3. Each Customer Environment runs on dedicated infrastructure with no shared compute or storage between tenants. Customer users authenticate through OIDC single sign-on via Microsoft Entra, with multi-factor authentication enforced by the Customer's identity provider. Spot Cloud staff access is role-based, limited to what is required for support and operations, and logged for administrative actions.

Breach notification

Spot Cloud B.V. notifies the Customer without undue delay after becoming aware of a personal data breach that affects their Customer Environment. The notice includes the information the Customer needs to meet its own obligations under Article 33 GDPR, including the nature of the breach, categories of data involved, and measures taken or proposed to address the incident.

Audit rights

Customers may request audit evidence, including the control-mapping documentation, under NDA. On-site or remote audits can be arranged under the conditions, notice periods, and confidentiality terms in the signed DPA. Spot Cloud B.V. may satisfy some requests through third-party attestations where they cover the controls in scope.

Data return and deletion

On termination of the subscription, the Customer can export Customer Data during the wind-down window stated in the order form or product documentation. After that window closes, Spot Cloud B.V. deletes Customer Data from production systems and schedules removal from backups according to the retention schedule in the full DPA. Deletion certificates are available on written request.

Contact

The full signed DPA is available to customers and prospects under NDA. Requests may be sent to legal@spot-cloud.com or through the contact page at spot-suite.com/contact.