Legal

Data Processing Agreement

Version v1-2026-04-09 · Last updated: April 9, 2026

This agreement governs how we process personal data on behalf of our customers and forms part of our Terms of Service for any customer subject to the GDPR or UK GDPR.

Plain-English summary: When you use The Client Space to store or share personal data about your clients, you are the "data controller" and we are the "data processor." This agreement spells out what we do with that data, how we keep it safe, who else touches it, and your rights as our customer. By accepting our Terms of Service, you also accept this DPA. If your legal team needs a counter-signed copy, email [email protected].

Parties

Data Controller ("Controller"): The customer (tenant) using The Client Space to provide services to their own clients.
Data Processor ("Processor"): Concepcion Design, operating The Client Space.
Effective date: The date the Controller accepts these terms by signing up for the service or by clicking to accept this DPA in their workspace settings.

1. Definitions

Personal Data means any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.

Processing means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, erasure, or destruction.

Data Subject means the individual to whom the Personal Data relates — typically the Controller's clients (end users) whose data is stored on the Platform.

Sub-processor means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

Platform means The Client Space software-as-a-service platform, including all associated infrastructure, APIs, and services.

Applicable Data Protection Law means the EU General Data Protection Regulation (GDPR), the UK General Data Protection Regulation, and any applicable national implementing legislation.

2. Scope and Purpose of Processing

The Processor processes Personal Data on behalf of the Controller solely to provide the Platform services, which include:

  • Secure file storage and sharing between the Controller and their clients
  • Client account management (authentication, profile data)
  • Form creation, assignment, and response collection
  • Email notifications related to platform activity
  • Billing and subscription management

The categories of Personal Data processed include:

  • Identity data: Full name, email address
  • Authentication data: Hashed passwords, MFA enrollment status
  • Content data: Files uploaded by the Controller or their clients, form responses
  • Usage data: Access logs, IP addresses
  • Communication data: Email addresses for transactional notifications
  • Affiliate data: Referral codes, referral tracking records, commission amounts, payout records (for tenants participating in the affiliate program)

The categories of Data Subjects include:

  • The Controller's clients (end users invited to the Platform)
  • The Controller's staff members with Platform access
  • Affiliates participating in the referral program (who may also be tenants)

Processing continues for the duration of the service agreement and ceases upon termination, subject to the data retention provisions below.

3. Obligations of the Processor

The Processor shall:

3.1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law — in which case the Processor shall inform the Controller before processing, unless prohibited by law.

3.2. Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.

3.3. Implement and maintain appropriate technical and organisational measures to ensure security appropriate to the risk, including:

  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2+)
  • Row-level security enforcing data isolation between tenants at the database level
  • Role-based access controls with optional multi-factor authentication
  • Regular security assessments with all findings remediated
  • Immutable audit logging of all file access operations
  • Automated content safety scanning of uploaded images
  • Rate limiting on authentication and administrative endpoints

3.4. Respect the conditions for engaging Sub-processors as set out in Section 5.

3.5. Assist the Controller, by appropriate technical and organisational measures, in fulfilling Data Subject rights requests under Chapter III of the GDPR, including:

  • Right of access and data portability: The Platform provides a self-service data export feature for Data Subjects (Account Settings > Data & Privacy > Download My Data)
  • Right to erasure: The Platform provides a self-service deletion request feature for Data Subjects. The Controller can also delete client accounts directly from the dashboard, which cascades to all associated data including files in storage.

3.6. Assist the Controller in complying with Articles 32 to 36 of the GDPR (security of processing, breach notification, DPIAs, prior consultation).

3.7. At the Controller's choice, delete or return all Personal Data after the end of services and delete existing copies unless applicable law requires storage. Specifically:

  • Upon account deletion, all Personal Data is permanently removed from the database and file storage within 30 days
  • Database backups containing the data are overwritten within the backup rotation window (7–30 days)
  • Billing records retained by Stripe are governed by Stripe's data retention policies and applicable tax law

3.8. Make available to the Controller all information necessary to demonstrate compliance with this Agreement, and contribute to audits as set out in Section 9.

4. Obligations of the Controller

The Controller shall:

4.1. Ensure that its instructions for the processing of Personal Data comply with Applicable Data Protection Law.

4.2. Have obtained all necessary consents or established another lawful basis for processing before Personal Data is submitted to the Platform.

4.3. Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.

4.4. Notify the Processor without undue delay if it becomes aware of any data breach or security incident affecting Personal Data processed through the Platform.

5. Sub-processors

5.1. The Controller provides general written authorisation for the Processor to engage Sub-processors, subject to the conditions in this Section.

5.2. The Processor currently engages the following Sub-processors:

Sub-processorPurposeLocationCertifications
Supabase, Inc.Database, authenticationUSA (AWS)SOC 2 Type II
Cloudflare, Inc.File storage (R2), CDNUSASOC 2, ISO 27001, PCI DSS
Vercel, Inc.Application hostingUSA (edge)SOC 2, ISO 27001
Stripe, Inc.Payment processingUSAPCI DSS L1, SOC 2, ISO 27001
Sinch MailgunTransactional and onboarding emailUSASOC 2 Type II
Anthropic, PBCAI processing for in-app support assistant and marketing chatbotUSASOC 2 Type II
Google LLC (Gemini API)AI processing for support assistant (when active as fallback)USASOC 2, ISO 27001
Google LLC (Analytics)Analytics (consent-gated)USASOC 2, ISO 27001
Functional Software, Inc. (Sentry)Error tracking and monitoring (IPs and user identifiers stripped before transmission)USASOC 2 Type II, ISO 27001

5.3. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors, giving the Controller the opportunity to object to such changes within 30 days. Notification will be provided via email to the Controller's registered notification email address.

5.4. Where the Processor engages a Sub-processor, the Processor shall impose the same data protection obligations as set out in this Agreement by way of contract.

5.5. The Processor shall remain fully liable to the Controller for the performance of each Sub-processor's obligations.

6. International Data Transfers

6.1. Personal Data may be transferred to and processed in the United States, where the Processor's Sub-processors are located.

6.2. Such transfers are protected by:

  • Standard Contractual Clauses (SCCs) approved by the European Commission, incorporated into agreements with Sub-processors
  • The EU–US Data Privacy Framework, where applicable (Cloudflare, Google, Stripe)
  • Data Processing Agreements with all Sub-processors

6.3. The Processor shall ensure that any transfer of Personal Data to a third country is subject to appropriate safeguards as required by Chapter V of the GDPR.

7. Data Breach Notification

7.1. The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data breach.

7.2. The notification shall include:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records concerned
  • The name and contact details of the Processor's contact point
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach

7.3. The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of the breach.

8. Data Retention and Deletion

8.1. The Processor retains Personal Data in accordance with the following schedule:

Data TypeRetention Period
Account and profile dataDuration of account; deleted within 30 days of deletion request
Uploaded files and versionsDuration of client account; deleted on client or file removal
Form responsesDuration of client account; deleted on client removal
Access logs12 months (automated cleanup)
Notification logs6 months (automated cleanup)
Billing data (Stripe)7 years per tax/accounting law
Analytics data (Google)2 months
Affiliate recordsDuration of affiliate account; deleted on affiliate or tenant removal
Referral records24 months (automated cleanup)
Commission and payout records7 years per financial record-keeping law

8.2. Upon termination of the service agreement or upon Controller's request, the Processor shall delete all Personal Data within 30 days, except where retention is required by applicable law.

8.3. The Processor shall provide written confirmation of deletion upon the Controller's request.

9. Audit Rights

9.1. The Processor shall make available to the Controller, upon reasonable request and no more than once per year, information necessary to demonstrate compliance with this Agreement.

9.2. The Controller may conduct an audit, or appoint an independent third-party auditor, subject to:

  • 30 days' written notice
  • Reasonable scope and duration
  • Confidentiality obligations regarding the Processor's proprietary information
  • The audit being conducted during normal business hours

9.3. The Processor may satisfy audit requests by providing:

  • Copies of relevant security certifications or audit reports (e.g., SOC 2, when available)
  • Responses to reasonable written security questionnaires
  • Documentation of technical and organisational measures

10. Liability

10.1. Each party's liability under this Agreement is subject to the limitations and exclusions of liability set out in the Terms of Service between the parties.

10.2. Nothing in this Agreement limits either party's liability for breaches of Applicable Data Protection Law.

11. Term and Termination

11.1. This Agreement shall remain in effect for the duration of the Processor's processing of Personal Data on behalf of the Controller.

11.2. Upon termination of the underlying service agreement, the provisions of Section 8 (Data Retention and Deletion) shall apply.

12. Governing Law

12.1. This Agreement shall be governed by and construed in accordance with the laws of the jurisdiction in which the Controller is established, to the extent required by Applicable Data Protection Law.

13. Acceptance

By creating a workspace on The Client Space, or by clicking to accept this DPA in your workspace settings, you agree to be bound by this Agreement on behalf of your organisation. The date and version of your acceptance is recorded in your workspace and visible under Settings > Legal & Compliance.

If your legal or procurement team requires a counter-signed PDF copy of this DPA, please email [email protected] and we will arrange one at no additional cost.

Questions

For any questions about this Agreement, contact [email protected].