Data Processing Agreement

Last updated: March 17, 2026

This Data Processing Agreement (“DPA”) forms part of the service agreement between the customer organization (“Controller”) and Spherica (“Processor”) for the provision of the Spherica survey platform.

Controller information:
As identified in the main service agreement.

Processor information:
Nikolas Burk
Erich-Nehlhans-Str. 29
10247 Berlin, Germany
Email: datenschutz@spherica.ai

1. Definitions

  • Controller — The customer organization that determines the purposes and means of processing personal data through the Spherica platform.
  • Processor — Spherica, which processes personal data on behalf of the Controller.
  • Sub-processor — A third party engaged by the Processor to carry out specific processing activities on behalf of the Controller.
  • Personal Data — Any information relating to an identified or identifiable natural person as defined in Art. 4(1) GDPR.
  • Data Subject — An identified or identifiable natural person whose personal data is processed, including employees and survey participants of the Controller.

2. Scope & Purpose of Processing

Spherica processes personal data on behalf of the Controller solely to provide the organizational survey platform, including culture surveys, 360-degree feedback, pulse checks, and network analyses. The categories of personal data processed may include:

  • Employee names and email addresses
  • Organizational metadata (department, role, location)
  • Survey responses and feedback data
  • Authentication and session data

The data subjects are the Controller's employees and survey participants. Processing shall continue for the duration of the main service agreement.

3. Obligations of the Processor

Spherica shall:

  • Process personal data only on documented instructions from the Controller, unless required by applicable law (Art. 28(3)(a) GDPR).
  • Ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR).
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk (Art. 32 GDPR).
  • Assist the Controller in ensuring compliance with obligations under Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor.
  • At the choice of the Controller, delete or return all personal data after the end of the provision of services, and delete existing copies unless applicable law requires storage.
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Art. 28 GDPR.

4. Sub-processors

The Controller grants the Processor general authorization to engage sub-processors. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes. The following sub-processors are currently engaged:

  • Railway (Railway Corporation, USA) — Database hosting and application infrastructure.
  • PostHog (PostHog, Inc., USA) — Product analytics (only with end-user consent).
  • OpenAI (OpenAI, LLC, USA) — AI-powered survey analysis using aggregated and anonymized data.
  • Resend (Resend, Inc., USA) — Transactional email delivery.
  • Google (Google LLC, USA) — OAuth authentication for administrator accounts.

Each sub-processor is bound by data processing obligations no less protective than those set out in this DPA.

5. Data Security Measures

The Processor implements the following technical and organizational measures pursuant to Art. 32 GDPR:

  • Encryption at rest: All personal data stored in the database is encrypted at rest.
  • Encryption in transit: All data transmitted between users, the application, and sub-processors is encrypted using TLS 1.2 or higher.
  • Access controls: Role-based access controls ensure that only authorized personnel can access personal data.
  • Regular backups: Automated database backups are performed regularly to ensure data availability and integrity.
  • Incident response: A documented incident response procedure is in place to detect, report, and investigate security breaches.

6. Data Subject Rights

The Processor shall assist the Controller in fulfilling its obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR, including the right of access, rectification, erasure, restriction, data portability, and objection. If a data subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach (Art. 33 GDPR). The notification shall include:

  • A description of the nature of the breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

8. Data Deletion & Return

Upon termination or expiry of the main service agreement, the Processor shall, at the Controller's choice:

  • Return all personal data to the Controller in a structured, commonly used, and machine-readable format (e.g., CSV or JSON export).
  • Delete all personal data and confirm deletion in writing, unless applicable law requires further storage.

The Controller shall have 30 days after termination to request data export. After this period, the Processor shall delete all personal data within 90 days.

9. Audits & Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with Art. 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction from the Controller infringes the GDPR or other applicable data protection provisions.

10. International Data Transfers

Where personal data is transferred to sub-processors located outside the European Economic Area, the Processor ensures that appropriate safeguards are in place in accordance with Art. 46 GDPR, including:

  • The EU-U.S. Data Privacy Framework for transfers to certified U.S. organizations.
  • Standard Contractual Clauses (Art. 46(2)(c) GDPR) where the Data Privacy Framework does not apply.

The Processor shall inform the Controller promptly of any changes to the legal framework governing international data transfers that may affect the safeguards in place.

11. Duration & Termination

This DPA shall remain in effect for the duration of the main service agreement between the Controller and the Processor. Obligations relating to confidentiality, data deletion, and audit rights shall survive termination of this DPA.

12. Governing Law & Jurisdiction

This DPA shall be governed by and construed in accordance with German law. The exclusive place of jurisdiction for all disputes arising out of or in connection with this DPA shall be Berlin, Germany.

Contact

For questions regarding this Data Processing Agreement, please contact us at datenschutz@spherica.ai.