Legal

Data processing addendum.

Version 2026-06-02, effective 2026-06-02

This addendum forms part of the Terms of Service and governs our processing of personal data on your behalf. It applies whenever you use Sparx to handle the personal data of your own customers or contacts.

1. Roles

For personal data contained in Customer Data, you are the controller and WizeWorks is the processor (or, where applicable, a service provider under U.S. state privacy laws). We process such personal data only on your documented instructions, which include the configuration choices you make in the Service and these Terms.

2. Scope of processing

We process personal data to provide the Service — for example storing customer records in the CRM, processing orders and payments in commerce, delivering email you send, and rendering the content and stores you publish. The subject matter is the operation of your tenant; the duration is the term of your subscription plus any wind-down period.

3. Categories of data & data subjects

  • Data subjects — your end customers, contacts, leads, and the recipients of your communications.
  • Categories — identifiers (name, email, phone), order and transaction history, addresses, communication preferences and consent state, and any other fields you choose to store.
  • We do not require special-category data; if you choose to process it, you are responsible for the lawful basis.

4. Our obligations

  • Process personal data only on your instructions and for no other purpose.
  • Ensure personnel authorized to process data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (see our security overview).
  • Assist you, taking into account the nature of processing, in responding to data-subject requests and in meeting your security, breach-notification, and impact-assessment obligations.
  • Delete or return personal data at the end of the relationship, subject to legal retention requirements.
  • Make available information needed to demonstrate compliance and allow for audits within reasonable, agreed parameters.

5. Subprocessors

You authorize us to engage subprocessors to deliver the Service — including our cloud host, payment processor, and email provider. We impose data-protection terms on each subprocessor no less protective than those in this addendum and remain responsible for their performance. We maintain a current subprocessor list and will give notice of material changes so you can object on reasonable grounds.

6. Security & breach notification

We maintain encryption in transit and at rest, database-level tenant isolation, and access controls. If we become aware of a personal-data breach affecting your data, we will notify you without undue delay — and within 72 hours of confirming a reportable breach — with the information you reasonably need to meet your own notification duties.

7. International transfers

Where personal data is transferred across borders, we rely on appropriate safeguards (such as the EU standard contractual clauses) to the extent required by applicable law.

8. Return & deletion

On termination you may export Customer Data for a reasonable period. After that period we delete or anonymize personal data, except where we are required to retain it (for example, order records needed for tax and accounting), in which case it remains subject to these protections.

9. Acceptance

This addendum is incorporated into the Terms of Service. A countersigned copy is available for organizations that require one — email [email protected]. A signed DPA is required for tenants processing the personal data of individuals in the EU/EEA and UK.