Spiral Data Processing Addendum
Last updated: August 27, 2025
This Data Processing Addendum forms part of the agreement between Spiral Ad, Inc. (“Spiral”) and the customer that accepts the Spiral Terms of Use or a separate master agreement (the “Agreement”). It applies when Spiral processes Customer Personal Data on behalf of the Customer.
If there is a conflict between this DPA and the Agreement, this DPA controls for processing of Customer Personal Data. Capitalized terms not defined here have the meanings in the Agreement.
1. Definitions
Customer Personal Data means Personal Data in Customer Data or Outputs that Spiral processes for Customer through the Services.
Personal Data means information relating to an identified or identifiable natural person as defined by Data Protection Laws.
Data Protection Laws means all laws that apply to processing under this DPA, including GDPR, UK GDPR, Swiss FADP, and United States state privacy laws.
Controller, Processor, Subprocessor, Data Subject, Processing, and Supervisory Authority have the meanings in Data Protection Laws.
Services means the products and services Spiral provides under the Agreement.
Service Data means data about use, support, and operation of the Services that Spiral collects for its own purposes.
2. Roles, scope, and instructions
2.1 Roles. Customer is Controller or is a Processor for another controller. Spiral is Processor and will process Customer Personal Data only as set out in this DPA and the Agreement.
2.2 Instructions. Spiral will process Customer Personal Data only on documented instructions from Customer. The Agreement, this DPA, and Customer configuration and documented use of the Services are the instructions. Spiral may advise if an instruction appears unlawful or would materially degrade security or performance.
2.3 Permitted purposes. Customer instructs Spiral to process Customer Personal Data to provide, secure, and support the Services, to prevent abuse, to fix and improve quality and reliability, and to meet legal requirements.
2.4 Model improvement.
Growth. Customer instructs Spiral to use Customer Personal Data in Customer’s workspace to train, fine tune, evaluate, and safety test models and features that power the Services and to develop aggregated insights, as described in the Privacy Policy. Growth does not offer a training opt out.
Enterprise. Any different training posture must be set out in an order form or an annex to this DPA. If a data training opt out is agreed, Schedule D will control.
2.5 Customer responsibilities. Customer is responsible for the accuracy, quality, and lawfulness of Customer Personal Data, for the means by which Customer obtained it, for providing required notices, and for having a lawful basis to process and to have Spiral process the data.
3. Nature and details of processing
Subject matter. Provision of the Services.
Duration. For the term of the Agreement and until deletion under this DPA.
Purpose. As in Sections 2.3 and 2.4.
Types of Personal Data. Contact details, account data, prompts, assets and references, content and outputs that may include Personal Data, technical identifiers, usage and event data.
Categories of Data Subjects. Customer staff and contractors, Customer clients and end users, and individuals whose data appears in Customer content.
4. Confidentiality and personnel
Spiral ensures that personnel who access Customer Personal Data are bound by duties of confidentiality and receive appropriate privacy and security training.
5. Security
Spiral will implement and maintain technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are described in Schedule B and may be updated to maintain or improve protection.
6. Subprocessors
6.1 Customer authorizes Spiral to use Subprocessors. Spiral remains responsible for their performance.
6.2 Spiral maintains a public list of current Subprocessors at https://spiral.ad/legal/subprocessors (the “Subprocessor Page”). Spiral will update the Subprocessor Page at least ten business days before authorizing any new Subprocessor to process Customer Personal Data. Posting an update to the Subprocessor Page is Spiral’s notice under this DPA and no additional notice will be provided. Customer may object on reasonable data protection grounds by notifying Spiral in writing within ten business days after the update is posted. If the parties cannot resolve the objection within a reasonable time, Customer may terminate the affected Services and Spiral will refund any prepaid unused fees for that part.
6.3 Spiral will impose data protection obligations on Subprocessors that are no less protective than this DPA.
7. International transfers
7.1 For transfers from the EEA, the EU Standard Contractual Clauses approved in Decision 2021/914 apply as set out in Schedule A. Module Two applies for Controller to Processor and Module Three for Processor to Processor.
7.2 For transfers subject to UK GDPR, the UK Addendum applies as set out in Schedule A.
7.3 For transfers subject to Swiss law, the Swiss Addendum applies as set out in Schedule A.
7.4 If a transfer tool becomes invalid or is enjoined, the parties will cooperate in good faith to implement a valid alternative. Spiral may suspend the affected transfers until an alternative is in place.
8. Assistance and cooperation
8.1 Data Subject requests. Taking into account the nature of the processing, Spiral will assist Customer by appropriate technical and organizational measures to help respond to rights requests. Spiral will not respond directly unless legally required or instructed by Customer. Reasonable manual assistance beyond a small standard effort may be chargeable at standard rates.
8.2 Security incidents. Spiral will notify Customer without undue delay and within seventy two hours after confirming a breach of security that leads to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data. The notice will include known details, likely consequences, measures taken or proposed, and a contact point. Spiral will cooperate to investigate, mitigate, and remediate. Documentation of incidents will be maintained.
8.3 Impact assessments and consultations. Spiral will provide information to help Customer with data protection impact assessments and regulator consultations, to the extent required by law and related to Spiral processing.
8.4 Audits. Spiral will make available information to demonstrate compliance, including summary SOC or ISO reports or similar certifications. Customer may audit once in any twelve months on reasonable notice during business hours in a way that minimizes disruption. On site access is limited to areas where Customer Personal Data is processed and requires an acceptable nondisclosure agreement. Spiral may charge reasonable fees for on site inspections or bespoke assistance.
9. Deletion and return
Upon termination or at Customer written request, Spiral will delete Customer Personal Data from active systems within thirty days and from backups within ninety days, unless retention is required by law or for legal claims. If Customer asks for a copy before deletion, Spiral will provide a machine readable export where feasible.
10. Government and third party requests
If Spiral receives a legally binding request for Customer Personal Data from a public authority, Spiral will notify Customer and will challenge the request where reasonable and lawful. Spiral will disclose only the minimum required and will keep records of disclosures.
11. United States service provider and processor terms
For Customer Personal Data subject to United States state privacy laws, Spiral will act as a service provider or processor. Spiral will not sell or share Customer Personal Data, will not retain, use, or disclose it for any purpose other than the business purposes in the Agreement and this DPA, will not retain, use, or disclose it outside the direct business relationship, and will not combine it with personal information from other sources except as permitted by law. Spiral may create de identified data consistent with legal standards.
12. Service Data
Customer acknowledges that Spiral may collect, use, retain, and disclose Service Data for its own business purposes, such as accounting, tax, billing, audit, compliance, security, abuse prevention, product improvement, and training of models used to deliver the Services, as allowed by law. Service Data is not Customer Personal Data and this DPA does not apply to Spiral processing of Service Data.
13. Liability and indemnity
Each party’s liability under this DPA is governed by the Agreement. This DPA does not increase any limits of liability in the Agreement.
14. Order of precedence and term
If there is a conflict between the SCCs and this DPA, the SCCs control for transfers they govern. Otherwise this DPA controls over the Agreement for Customer Personal Data. This DPA remains in effect while Spiral processes Customer Personal Data for Customer.
Schedule A — International transfer mechanisms
A1. EU Standard Contractual Clauses
The parties enter into the EU SCCs approved in Decision 2021/914. The clauses are incorporated with these details.
Module Two applies for Controller to Processor. Module Three applies for Processor to Processor.
Clause 7 docking is enabled.
Clause 9 uses general authorization of Subprocessors.
Clause 17 governing law is Ireland.
Clause 18 courts are in Ireland.
Annex I A Exporter Customer. Importer Spiral Ad, Inc.
Annex I B processing description is in Section 3 of this DPA.
Annex I C competent authority is the Irish Data Protection Commission.
Annex II measures are in Schedule B.
Annex III Subprocessors are listed on the public Subprocessors page.
A2. UK International Data Transfer Addendum
For transfers subject to UK GDPR the UK Addendum attaches to the SCCs. Tables map to the information in this DPA and its schedules.
A3. Swiss Addendum
For transfers subject to Swiss law the SCCs apply with Swiss modifications for governing law, forum, and authority as required.
Schedule B — Technical and organizational measures
Spiral maintains a security program that includes the following measures.
Information security program with documented policies and a risk based framework.
Access control based on least privilege, strong authentication for administrative access, and regular access reviews.
Encryption of Customer Personal Data in transit using TLS and at rest using industry standard encryption.
Network security including segmentation, firewalls, and secure management of cloud resources.
Logging and monitoring of access, changes, and security events with alerting and follow up.
Vulnerability and patch management with periodic scanning and timely remediation based on severity.
Secure development practices including code review, dependency management, and separation of environments.
Backups and resilience with tested backups and disaster recovery planning.
Personnel security including confidentiality agreements and security training.
Third party management including due diligence, data protection terms, and ongoing review of Subprocessors.
Incident response with a documented plan and breach notification as set out in this DPA.
Physical security provided by trusted data center or cloud providers.
Data minimization and retention to limit storage to what is needed and to delete on schedule.
Schedule C — List of Subprocessors
Spiral maintains a live list of Subprocessors with purpose, location, and transfer tool on the Subprocessors page referenced in the Privacy Policy, and available at https://spiral.ad/legal/subprocessors.
Schedule D — Optional data training opt out
This schedule applies only if an order form or signed Enterprise agreement states that Customer has opted out of model training.
Spiral will not use Customer Personal Data or Outputs to train or fine tune models used to provide or improve the Services for other customers.
Spiral may continue to use de identified or aggregated information for security, analytics, and benchmarking.
This schedule does not restrict processing needed to provide the Services to Customer, including evaluation of models inside Customer’s workspace.
If Customer later enables training, this schedule will cease to apply on the effective date in the order form.