Legal

Policies, agreements, and the things you should know.

Heads-up: DRAFT — starter template. Awaiting UAE-licensed counsel review before formal effect. Provided in good faith; not legal advice.

Data Processing Agreement (DPA)

This Data Processing Agreement applies when a business customer ("Controller") uses Space Field ("Processor") to process personal data of its own end users. It supplements our Terms of Service and forms part of the Agreement.

1. Roles

Where you use the Service to process personal data of your customers, employees, or other data subjects, you act as the Controller and we act as the Processor.

2. Scope & instructions

We process Customer Data only to provide the Service as described in the Terms and our public documentation, and on documented instructions from the Controller. We notify the Controller if any instruction infringes applicable law.

3. Confidentiality

Personnel authorised to process Customer Data are subject to confidentiality obligations.

4. Security

We maintain technical and organisational measures including: encryption in transit (TLS 1.3) and at rest, row-level security, access logging, principle-of-least-privilege role assignment, regular dependency scanning, and incident response procedures. The current summary lives on the Trust & security page.

5. Sub-processors

We use the sub-processors listed on the Subprocessors page. We will notify Controllers of changes via that page and, for material additions, by email. Controllers may object to a new sub-processor within 15 days; if no resolution is reached, the Controller may terminate the affected Service for material breach.

6. International transfers

Where Customer Data is transferred outside the EEA, UK, UAE, or other relevant jurisdiction, transfers are governed by the EU Standard Contractual Clauses (or the equivalent UK IDTA / UAE PDPL transfer mechanism), incorporated by reference.

7. Data subject rights

We provide self-service tools for Controllers to honour access, correction, deletion, and portability requests. Where a request reaches us directly, we forward it to the Controller without undue delay.

8. Breach notification

We notify Controllers of any confirmed personal data breach affecting their data without undue delay and in any case within 72 hours.

9. Audit

We make available to Controllers all information necessary to demonstrate compliance with this DPA, and accept reasonable documentation-based audits, typically once per 12 months and at the Controller's expense. SOC 2 / ISO 27001 attestation reports will be provided when issued.

10. Deletion / return

Upon termination of the Service, we delete or return Customer Data within 30 days, except where retention is required by law.

11. Signing

Most customers do not need a separately signed copy of this DPA; acceptance of the Terms of Service incorporates it by reference. If your organisation requires a counter-signed copy, email legal@spacefield.co.