Data Processing Agreement

Last updated: June 12, 2026

This Data Processing Agreement ("DPA") forms part of the Sponja Terms of Service (the "Agreement") between Popup Moments Inc. ("Sponja") and the customer accepting the Agreement ("Customer"). It applies automatically, without signature, whenever Sponja processes personal data on Customer's behalf in the course of providing the service. Customers who need a countersigned copy for their records can email hi@sponja.ai.

1. Definitions

• "Personal data", "controller", "processor", "data subject", "processing", and "supervisory authority" have the meanings given in the GDPR.
• "GDPR" means Regulation (EU) 2016/679, and where applicable its UK equivalent ("UK GDPR").
• "Customer Data" means personal data that Customer uploads to the service or that flows into the service from integrations Customer connects, including attendee and event data as described in Annex 1.
• "Sub-processor" means a third party engaged by Sponja to process Customer Data on Sponja's behalf.

2. Roles and scope

1. For Customer Data, Customer is the controller and Sponja is the processor. Customer is responsible for the lawfulness of the Customer Data it provides, including any consents or other legal bases required to process attendee data.
2. For account data of Customer's own users (login email, name, billing contact, product usage), Sponja acts as an independent controller as described in the Privacy Policy. That processing is outside the scope of this DPA.
3. This DPA applies to the extent Customer Data is subject to the GDPR, the UK GDPR, or substantially similar data protection laws.

3. Processing instructions

Sponja will process Customer Data only on Customer's documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case Sponja will inform Customer before processing, unless the law prohibits it). The Agreement, this DPA, and Customer's configuration and use of the service constitute Customer's complete documented instructions.

4. Confidentiality

Sponja ensures that every person it authorizes to process Customer Data is bound by a contractual or statutory duty of confidentiality.

5. Security

Sponja implements and maintains the technical and organizational measures described in Annex 2, and will not materially decrease the overall security of the service during the term of the Agreement.

6. Sub-processors

1. Customer grants Sponja general authorization to engage sub-processors for the processing of Customer Data.
2. The current list of sub-processors is published at /subprocessors. Material additions are posted on that page at least 14 days before the new sub-processor begins processing Customer Data.
3. Customer may object to a new sub-processor on reasonable, data-protection-related grounds by emailing hi@sponja.ai within 14 days of the posting. If the parties cannot resolve the objection in good faith, Customer may terminate the affected service and receive a pro-rated refund of prepaid fees.
4. Sponja imposes data protection obligations on each sub-processor that are no less protective than those in this DPA, and remains liable for its sub-processors' performance.

7. Assistance with data subject rights

Taking into account the nature of the processing, Sponja will assist Customer with appropriate technical and organizational measures, insofar as this is possible, to fulfil Customer's obligation to respond to data subject requests (access, rectification, erasure, restriction, portability, objection). If a data subject contacts Sponja directly about Customer Data, Sponja will refer the request to Customer without undue delay.

8. Personal data breach

Sponja will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notification will describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it. Sponja will provide reasonable cooperation with Customer's own notification obligations.

9. Deletion and return

Upon termination of the Agreement, or upon Customer's verified deletion request during the term, Sponja will delete the affected Customer Data within 30 days, unless retention is required by law. Residual copies in backup systems may persist for up to an additional 30 days before being overwritten in the normal course of operations. Customer may request deletion of individual events' data or the entire account at any time by emailing hi@sponja.ai.

10. Audits and information

Sponja will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, including by completing Customer's security questionnaires and providing summaries of relevant assessments. Audits beyond documentation review require 30 days' written notice, occur at most once per year, must not unreasonably disrupt Sponja's operations, and are at Customer's expense.

11. International transfers

Sponja is based in the United States and processes Customer Data there and in the locations listed at /subprocessors. For Customer Data originating in the EU, EEA, UK, or Switzerland, the parties incorporate by reference:

• the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller to processor), with Customer as data exporter and Sponja as data importer; and
• for UK transfers, the UK International Data Transfer Addendum to the EU SCCs.

Annex 1 and Annex 2 of this DPA serve as the corresponding annexes to the SCCs. Where the SCCs conflict with this DPA, the SCCs prevail for the affected transfer.

12. Liability and governing law

Each party's liability under this DPA is subject to the limitations of liability in the Agreement. This DPA is governed by the laws of the State of Delaware, USA, except where the SCCs require otherwise for a specific transfer.

Annex 1: Processing details

• Subject matter: processing of event and attendee data to provide post-event analysis and follow-up drafting.
• Duration: the term of the Agreement, plus the deletion windows in Section 9.
• Nature and purpose: ingestion of event data from platforms Customer connects or files Customer uploads; speech-to-text transcription of event recordings; AI analysis of transcripts and attendee chat (summaries, engagement and intent scoring, segmentation); drafting of personalized follow-up emails; delivery of results to Customer and, on Customer's instruction, to Customer's connected email service provider.
• Categories of data subjects: attendees and registrants of Customer's events; Customer's team members appearing in event content (for example as hosts).
• Categories of personal data: names; email addresses; event attendance and participation times; chat messages, including messages sent to the host; voice and likeness in event recordings; transcripts derived from recordings; engagement and intent signals derived from the above.
• Special categories of data: none intended. Customer should not direct special-category data into the service; event content is processed as provided.

Annex 2: Technical and organizational measures

The current measures are described on the Security page and include:

• Encryption in transit (TLS) and at rest (AES-256).
• Access to production systems restricted to authorized personnel on a need-to-know basis, with multi-factor authentication and periodic access reviews.
• Hosting on cloud infrastructure providers that maintain ISO/IEC 27001 and SOC 2 certifications.
• Webhook signature verification and least-privilege OAuth scopes for connected integrations.
• Continuous monitoring of system health and security events, with a documented incident response and 72-hour breach notification commitment.
• Vendor due diligence and data processing terms with all sub-processors listed at /subprocessors.

Contact

Questions about this DPA, requests for a countersigned copy, or deletion requests:

Email: hi@sponja.ai
Company: Popup Moments Inc., Delaware, USA