Data Processing Agreement

This Data Processing Agreement ("DPA") forms an integral part of the SpyHour Terms and Conditions, available at the Website Terms Of Use ("SpyHour Terms and Conditions"), between (i) applicable SpyHour Company as described in the Terms and Conditions ("SpyHour") acting on its behalf and as agent for each SpyHour's affiliate; and (ii) User, as defined in the SpyHour Terms and Conditions. By using the Services, the User accepts the terms of this DPA.

This DPA sets out the additional terms, requirements, and conditions on which SpyHour will process Personal Data when providing services under the SpyHour Terms and Conditions and shall come into force simultaneously with Terms and Conditions whenever updated by SpyHour accordingly. In addition, this DPA contains the mandatory clauses required by Article 28(3) of the General Data Protection Regulation ((EU) 2016/679) ("GDPR") for contracts between controllers and processors.

This Website is owned and operated by KS & SK, LLC. ("Company," "we," or "us").

This Agreement, along with the Terms Of Use and Privacy Policy, governs your access to and use of SpyHour.com, including any content, functionality, and services offered on or through SpyHour.com (the "Website"), whether as a guest or a registered user.

Please read the Agreement carefully before you start to use the Website.

By using the Website or by clicking to accept or agree to the Terms Of Use when this option is made available to you, you accept and agree to be bound and abide by the Agreement. If you do not want to agree to the Data Processing Agreement, you must not access or use the Website.


Definitions and interpretation: The following definitions and rules of interpretation apply in this DPA. Definitions:

Affiliate: any entity controlling, controlled by, or under common control with a party, where "control" is defined as (a) the ownership of at least fifty percent (50%) of the equity or beneficial interests of the entity; (b) the right to vote for or appoint a majority of the board of directors or other governing body of the entity; or (c) the power to exercise a controlling influence over the management or policies of the entity.

Alternative Transfer Solution: a solution other than the Model Contract Clauses that enables the lawful transfer of personal data to a third country under Article 45 or 46 of the GDPR (for example, the EU-U.S. Privacy Shield).

Authorized Persons: the persons or categories of persons that User authorizes to give the SpyHour personal data processing instructions either nominated by User or with ostensible or actual authority.

Business Purposes: the Services described in the SpyHour Terms and Conditions.

Data Protection Legislation: all applicable privacy and data protection laws, including the General Data Protection Regulation ((EU) 2016/679) and, to the extent applicable, the data protection or privacy laws of any other country.

Data Subject: an individual who is the subject of Personal Data.

Model Contract Clauses: the standard data protection clauses for the transfer of personal data to processors established in third countries which do not ensure an adequate level of data protection, as described in Article 46 of the GDPR.

Personal Data: means any information relating to an identified or identifiable natural person that is processed by the SpyHour as a result of, or in connection with, the provision of the services under the SpyHour Terms and Conditions; an identifiable natural person can be identified, directly or indirectly, in particular by reference to an identifier such as a name, identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person.

Processing, processes, and process: either any activity that involves the use of Personal Data or as the Data Protection Legislation may otherwise define processing, processes, or process. It includes any operation or set of functions that are performed on personal data or sets of personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction. Processing also includes transferring Personal Data to third parties.

Personal Data Breach: a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.

This DPA is subject to the SpyHour Terms and Conditions and is incorporated into the SpyHour Terms and Conditions. Interpretations and defined terms outlined in the SpyHour Terms and Conditions apply to the understanding of this DPA.

The Annexes form part of this DPA and will have effect as if set out in full in the body of this DPA. Therefore, any reference to this DPA includes the Annexes.

A reference to writing or written includes email.

In the case of conflict or ambiguity between any provision contained in the body of this DPA and any provision contained in the Annexes, the condition in the body of this DPA will prevail.

Duration of DPA

This DPA will take effect as stipulated in the recitals above and will remain in effect until it expires under clause 12.

Personal data types and processing purposes

The User retains control of the Personal Data and remains responsible for its compliance obligations under the applicable Data Protection Legislation, including providing any required notices and obtaining any required consents, and for the processing instructions it gives to SpyHour.

Annex 1 describes the subject matter, duration, nature, and purpose of processing and the Personal Data categories and Data Subject types in respect of which the SpyHour may process to fulfill the Business Purposes of the SpyHour Terms and Conditions.

Processing of Data

SpyHour and User Responsibilities. If the Data Protection Legislation applies to the processing of User Personal Data, the parties acknowledge and agree that:

  1. The subject matter and details of the processing are described in Annex 1;
  2. SpyHour is a processor of that User Personal Data under the Data Protection Legislation;
  3. User is a controller or processor, as applicable, of that User Personal Data under the Data Protection Legislation; and
  4. The User instructs SpyHour (and authorizes processor and each processor affiliate to conduct each subprocessor) to, in particular, transfer User Personal Data to any country or territory, as reasonably necessary for the provision of the Services and consistent with SpyHour Terms and Conditions; and
  5. Each party will comply with the obligations applicable to it under the Data Protection Legislation concerning the processing of that User Personal Data.

If the Data Protection Legislation applies to the processing of User Personal Data and User is a processor, User warrants to SpyHour that User's instructions and actions concerning that User Personal Data, including its appointment of SpyHour as another processor, have been authorized by the relevant controller.

Taking into account the nature of the processing, SpyHour will assist the User by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the controller's obligation to respond to requests for exercising the data subject's rights laid down in Data Protection Legislation.

SpyHour will assist the controller in ensuring compliance with the obligations according to Articles 32 to 36 of GDPR taking into account the nature of processing and the information available to the processor.

Scope of Processing

User's Instructions. By entering into this DPA, the User instructs SpyHour to process User Personal Data only under applicable law:

  1. To provide the Services and related technical support.
  2. As documented in the form of the SpyHour Terms and Conditions, including this DPA.
  3. As further noted in any other written instructions given by User and acknowledged by SpyHour as constituting instructions for purposes of this DPA.

SpyHour's Compliance with Instructions. SpyHour will comply with the instructions described in Section 5.1 (User's Instructions) (including concerning data transfers) unless EU or EU Member State law to which SpyHour is subject requires other processing of User Personal Data by SpyHour, in which case SpyHour will inform User (unless that law prohibits SpyHour from doing so on substantial grounds of public interest) via the User email address.

SpyHour employees

SpyHour will ensure that all employees:

  1. Are informed of the confidential nature of the Personal Data and are bound by confidentiality obligations and use restrictions in respect of the Personal Data;
  2. Have undertaken training on the Data Protection Legislation relating to handling Personal Data and how it applies to their particular duties; and
  3. Are aware of SpyHour's responsibilities and duties and obligations under the Data Protection Legislation and this DPA.

SpyHour must at all times implement appropriate technical and organizational measures against unauthorized or unlawful processing, access, disclosure, copying, modification, storage, reproduction, display, or distribution of Personal Data, and illegal or accidental loss, destruction, alteration, disclosure, or damage of Personal Data. Technical and organizational measures are specified in Annex 2.

SpyHour must implement such measures to ensure a level of security appropriate to the risk involved, including as appropriate:

  1. The pseudonymization and encryption of personal data;
  2. The ability to provide the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. The ability to restore the availability and access to personal data promptly in the event of a physical or technical incident; and
  4. Process for regularly testing, assessing, and evaluating the effectiveness of security measures.

Personal Data Breach

SpyHour will promptly and without undue delay notify the User if any Personal Data is lost or destroyed or becomes damaged, corrupted, or unusable. Furthermore, SpyHour will restore such Personal Data at its own expense.

SpyHour will immediately and without undue delay notify User if it becomes aware of:

  (a) Any accidental, unauthorized, or unlawful processing of the Personal Data; or
  (b) Any Personal Data Breach.

Where SpyHour becomes aware of (a) or (b) above, it shall, without undue delay, also provide User with the following information:

  1. Description of the nature of (a) or (b), including the categories and approximate number of both Data Subjects and Personal Data records concerned;
  2. The likely consequences; and
  3. Description of the measures taken or proposed to address (a) or (b), including actions to mitigate its possible adverse effects.

Immediately following any unauthorized or unlawful Personal Data processing or Personal Data Breach, the parties will coordinate with each other to investigate the matter. SpyHour will reasonably co-operate with the User in the User's handling of the case under Data Protection Legislation.

SpyHour will not inform any third party of any Personal Data Breach without first obtaining the User's prior written consent, except when required to do so by law.

SpyHour agrees that the User has the sole right to determine:

  1. Whether to provide notice of the Personal Data Breach to any Data Subjects, supervisory authorities, regulators, law enforcement agencies or others, as required by law or regulation or in User's discretion, including the contents and delivery method of the notice; and
  2. Whether to offer any remedy to affected Data Subjects, including the nature and extent of such treatment.

Cross-border transfers of personal data

Data storage and processing facilities. User agrees that SpyHour may, subject to Section 9.2 (Transfers of Data out of the EEA), store and process User Data in the United States of America and any other country in which SpyHour or any of its Subprocessors maintains facilities.

Transfers of Data out of the EEA.

  1. SpyHour's Transfer Obligations. If the storage or processing of User Personal Data (as set out in Section 9.1 (Data storage and processing facilities)) involves transfers of User Personal Data out of the EEA and the Data Protection Legislation applies to the transfers of such data ("Transferred Personal Data"), SpyHour will:
    1. If requested to do so by User, ensure that SpyHour as the data importer of the Transferred Personal Data enters into Model Contract Clauses with User as the data exporter of such data and that the transfers are made under such Model Contract Clauses; and/or
    2. Offer an Alternative Transfer Solution, ensure that the transfers are made under such Alternative Transfer Solution, and make information available to User about such Alternative Transfer Solution.
  2. User's Transfer Obligations. In respect of Transferred Personal Data, the User agrees that:
    1. If under the Data Protection Legislation SpyHour reasonably requires User to enter into Model Contract Clauses in respect of such transfers, User will do so; and
    2. If under the Data Protection Legislation SpyHour reasonably requires User to use an Alternative Transfer Solution offered by SpyHour and reasonably requests that User take any action (which may include execution of documents) strictly required to give full effect to such solution, User will do so.

Disclosure of Confidential Information Containing Personal Data. If User has entered into Model Contract Clauses as described in Section 9.2 (Transfers of Data out of the EEA), SpyHour will, notwithstanding any term to the contrary in the applicable Agreement, ensure that any disclosure of User's Confidential Information containing personal data, and any notifications relating to any such disclosures, will be made under such Model Contract Clauses.


Consent to subprocessor engagement. User expressly authorizes the engagement of SpyHour's Affiliates as subprocessors. In addition, SpyHour generally confirms the engagement of any other third parties as subprocessors ("Third Party Subprocessors"). If User has entered into Model Contract Clauses as described in Section 10.2 (Transfers of Data out of the EEA), the above authorizations will constitute User's prior written consent to the subcontracting by SpyHour of the processing of User Data if such consent is required under the Model Contract Clauses.

Information about subprocessors. Information about subprocessors is available in Annex 1 (as may be updated by SpyHour from time to time under this DPA).

Requirements for subprocessor engagement. When engaging any subprocessor, SpyHour will:

  1. Ensure via a written contract that:
    1. The subprocessor only accesses and uses User Data to the extent required to perform the obligations subcontracted to it and does so in accordance with the applicable Agreement (including this DPA) and any Model Contract Clauses entered into or Alternative Transfer Solution adopted by SpyHour as described in Section 9.2 (Transfers of Data out of the EEA); and
    2. If the Data Protection Legislation applies to the processing of User Personal Data, the data protection obligations set out in Article 28(3) of the GDPR, as described in this DPA, are imposed on the subprocessor; and
  2. Remain fully liable for all obligations subcontracted to and all acts and omissions of the subprocessor.

Opportunity to object to subprocessor changes:

  1. When any new Third Party Subprocessor is engaged during the applicable term, SpyHour will, at least 30 days before the new Third Party Subprocessor processes any User Data, inform User of the engagement (including the name and location of the relevant subprocessor and the activities it will perform) by sending an email to the email address.
  2. User may object to any New Third Party Subprocessor by terminating the applicable Agreement immediately upon written notice to SpyHour, on condition that User provides such information within 90 days of being informed of the engagement of the subprocessor as described in Section 10.4(a). This termination right is the User's sole and exclusive remedy if User objects to any New Third Party Subprocessor.

Complaints, data subject requests, and third party rights:

SpyHour shall take such technical and organizational measures as may be appropriate, and promptly provide such information to User as User may reasonably require, to enable User to comply with:

  1. The rights of Data Subjects under the Data Protection Legislation, including subject access rights, the rights to rectify and erase personal data, object to the processing and automated processing of personal data, and restrict the processing of personal data; and
  2. Information or assessment notices served on User by any supervisory authority under the Data Protection Legislation.

SpyHour shall notify the User immediately if it receives any complaint, notice, or communication that relates directly or indirectly to the processing of the Personal Data or either party's compliance with the Data Protection Legislation.

SpyHour must notify the User within 24 hours if it receives a request from a Data Subject for access to their Personal Data or to exercise any of their related rights under the Data Protection Legislation.

SpyHour will give the User its full co-operation and assistance in responding to any complaint, notice, communication, or Data Subject request. SpyHour must not disclose the Personal Data to any Data Subject or a third party other than at User's request or instruction, as provided in this Agreement or as required by law.

Term and termination

This DPA will remain in full force and effect so long as:

  1. SpyHour Terms and Conditions remain in effect, or
  2. SpyHour retains any Personal Data related to the SpyHour Terms and Conditions in its possession or control (Term).

Any provision of this DPA that expressly or by implication should come into or continue in force on or after the SpyHour Terms and Conditions' termination to protect Personal Data will remain in full force and effect.

SpyHour's failure to comply with the terms of this DPA is a material breach of the SpyHour Terms and Conditions. In such event, the User may terminate the SpyHour Terms and Conditions effective immediately on written notice to SpyHour without further liability or obligation.

If a change in any Data Protection Legislation prevents either party from fulfilling all or part of its SpyHour Terms and Conditions obligations, the parties will suspend the processing of Personal Data until that processing complies with the new requirements. If the parties cannot bring the Personal Data processing into compliance with the Data Protection Legislation, they may terminate relations with SpyHour Terms and Conditions on written notice to SpyHour.

Data return and destruction

Where applicable under legislation at the User's request, SpyHour will give User a copy of or access to all or part of User's Personal Data in its possession or control in the format and on the media reasonably specified by User.

On termination of relations with SpyHour for any reason, SpyHour will securely delete or destroy or, if directed in writing by User, return and not retain all or any Personal Data related to this DPA in its possession or control.

If any law, regulation, or government or regulatory body requires SpyHour to retain any documents or materials that SpyHour would otherwise be required to return or destroy, it will notify the User in writing of that retention requirement, giving details of the documents or materials that it must retain, the legal basis for retention, and establishing a specific timeline for destruction once the retention requirement ends.

SpyHour will certify in writing that it has destroyed the Personal Data within no more than 90 (ninety) days after it completes the destruction unless Data Protection Legislation requires storage.


Where it is applicable under the legislation, SpyHour will keep detailed, accurate, and up-to-date written records regarding any processing of Personal Data it carries out for User in accordance with Data Protection Legislation, including but not limited to the access, control, and security of the Personal Data, the processing purposes, categories of processing, any transfers of personal data to a third country and related safeguards, and a general description of the technical and organizational security measures (Records).

SpyHour will ensure that the Records are sufficient to enable the User to verify SpyHour's compliance with its obligations under this DPA, and SpyHour will provide the User with copies of the records upon request.

Before the commencement of processing and at regular intervals after that, the User may audit the technical and organizational measures taken by SpyHour. For such purpose, the User may:

  1. Obtain information from SpyHour,
  2. Request SpyHour to submit to the User an existing attestation or certificate by an independent professional expert.

SpyHour shall, upon User's written request and within a reasonable time, provide User with all information necessary for such audit, to the extent that such information is within User's control and User is not precluded from disclosing it by applicable law, a duty of confidentiality, or any other obligation owed to a third party.

SpyHour may object in writing to an auditor appointed by the User to conduct any audit under this clause if the auditor is, in SpyHour's reasonable opinion, not suitably qualified or independent, a competitor of SpyHour, or otherwise manifestly unsuitable. Any such objection by SpyHour will require the User to appoint another auditor or conduct the audit itself.


The User warrants and represents that SpyHour's expected use of the Personal Data for the Business Purposes and as instructed explicitly by User will comply with the Data Protection Legislation.


Any notice or other communication given to a party under or in connection with this DPA must be in writing and delivered to: support@SpyHour.com

Clause 17.1 does not apply to the service of any proceedings or other documents in any legal action or, where applicable, any arbitration or other method of dispute resolution.

Annex 1 - Personal Data Processing Purposes and Details

The subject matter of processing: SpyHour's provision of the Services and related technical support to User.

Duration of Processing:

Personal Data will be processed for the period of the DPA.

Nature of Processing:

SpyHour will process User Personal Data submitted, stored, sent, or received by User via the Services to provide the Services and related technical support to SpyHour in accordance with the DPA.

Personal Data Categories:

Contact Information, the extent of which is determined and controlled by the User in its sole discretion, and other Personal Data such as navigational data (including website usage information), email data, system usage data, application integration data, and other electronic data submitted, stored, sent, or received by end-users via the Service.

Data Subject Types:

Personal data submitted, stored, sent, or received via the Services may concern the following categories of data subjects: end-users, including User's employees; and any other person who transmits data via the Services.

SpyHour and SpyHour Affiliates may engage third-party suppliers to provide other services such as facilities management, maintenance, and security services from time to time.

Annex 2 - Security Measures

This Annex forms an integral part of the DPA and describes the technical and organizational security measures implemented by SpyHour. SpyHour may update or modify these security measures from time to time provided that such updates and modifications do not degrade the Services' overall security.
Data Center
  1. SpyHour stores all production data in physically secure data centers.
  2. Infrastructure systems have been designed to eliminate single points of failure and minimize the impact of anticipated environmental risks. Dual circuits, switches, networks, or other necessary devices help provide this redundancy. The Services are designed to allow SpyHour to perform certain types of preventative and corrective maintenance without interruption. All environmental equipment and facilities have documented preventative maintenance procedures that detail the process for and frequency of performance in accordance with the manufacturers or internal specifications. According to established procedures, preventive and corrective maintenance of the data center equipment is scheduled through a standard change process.
  3. The data center electrical power systems are designed to be redundant and maintainable without impacting continuous operations, 24 hours a day and seven days a week. In most cases, a primary and alternate power source, each with equal capacity, is provided for critical infrastructure components in the data center. Backup power is provided by various mechanisms such as uninterruptible power supplies (UPS) batteries, which supply consistently reliable power protection during utility brownouts, blackouts, over-voltage, under-voltage, and out-of-tolerance frequency conditions. If utility power is interrupted, backup power is designed to provide transitory power to the data center, at total capacity, for up to 10 minutes until the diesel generator systems take over. The diesel generators can automatically start up within seconds to provide enough emergency electrical power to run the data center at total capacity, typically for a period of days.
  4. SpyHour has designed and regularly plans and tests its business continuity planning/disaster recovery checks.
Access Control
  1. Preventing Unauthorized Services Access:
    1. SpyHour hosts its Service with outsourced cloud infrastructure providers.
    2. Additionally, SpyHour maintains contractual relationships with vendors to provide the Service in accordance with DPA. SpyHour relies on contractual agreements, privacy policies, and vendor compliance procedures to protect data processed or stored by these vendors.
    3. SpyHour hosts its Services infrastructure with multi-tenant, outsourced infrastructure providers.
    4. SpyHour implemented a uniform password policy for its Services and correspondent tools and features. Users who interact with the Services via the user interface must authenticate before accessing non-public user data.
    5. User data is stored in multi-tenant storage systems accessible to the User via only application user interfaces and application programming interfaces. Users are not allowed direct access to the underlying application infrastructure. The authorization model in each of the tools and features of SpyHour Services is designed to ensure that only the appropriately assigned individuals can access relevant features, views, and customization options. Authorization to data sets is performed by validating the User's permissions.
    6. Public Services APIs may be accessed using an API key.
  2. Preventing Unauthorized Services Use. SpyHour implements industry-standard access controls and detection capabilities for the internal networks that support its Services:
    1. Network access control mechanisms are designed to prevent network traffic using unauthorized protocols from reaching the Services infrastructure. The technical measures implemented differ between infrastructure providers and include Virtual Private Cloud (VPC) implementations, security group assignments, and traditional firewall rules.
    2. SpyHour implemented a Web Application Firewall (WAF) solution to protect internet-accessible applications. The WAF is designed to identify and prevent attacks against publicly available network services.
    3. Security reviews of parts of the code stored in SpyHour source code repositories are performed, checking for coding best practices and identifiable software flaws.
    4. SpyHour conducts penetration tests annually. The penetration tests are intended to identify and resolve foreseeable attack vectors and potential abuse scenarios.
    5. A bug bounty program invites and incentivizes independent security researchers to discover and disclose security flaws ethically. SpyHour implemented a bug bounty program to widen the available opportunities to engage with the security community and improve the Service's defenses against sophisticated attacks.
  3. Authorization Requirements: A subset of SpyHour and SpyHour affiliates' employees have access to User data via controlled interfaces. The intent of providing access to a subset of employees is to provide adequate customer support, troubleshoot potential problems, detect and respond to security incidents, and implement data security. SpyHour and SpyHour affiliates' employees are required to conduct themselves consistent with the SpyHour guidelines regarding confidentiality, business ethics, appropriate usage, and professional standards.
Transmission Control:
SpyHour makes HTTPS encryption (also referred to as SSL or TLS) available on every one of its login interfaces. SpyHour HTTPS implementation uses industry-standard algorithms and certificates.
Input Control
  1. SpyHour designed its infrastructure to log extensive information about the system behavior, traffic received, system authentication, and other application requests. Internal systems aggregate log data and alert appropriate employees of malicious, unintended, or anomalous activities. SpyHour personnel, including security, are responsive to known incidents.
  2. SpyHour maintains a record of known security incidents that includes descriptions, dates and times of relevant activities, and incident disposition. Security, operations, or support personnel investigate suspected and confirmed security incidents, and appropriate resolution steps are identified and documented. For any confirmed incidents, SpyHour will take proper steps to minimize User damage or unauthorized disclosure.
  3. If SpyHour becomes aware of unlawful access to SpyHour data stored within its Services, SpyHour will:
    1. Notify the affected Users of the incident;
    2. Describe the steps SpyHour is taking to resolve the incident; and
    3. Provide status updates to the User contact, as SpyHour deems necessary.
  4. Notification(s) of incidents, if any, will be delivered to one or more of the User's contacts in the form SpyHour selects, which may include via email or telephone.
Availability Control
  1. The infrastructure providers use commercially reasonable efforts to ensure a minimum of 99.9% uptime. The providers maintain a minimum of N+1 redundancy to power, network, and HVAC services.
  2. Backup and replication strategies are designed to ensure redundancy and failover protections during a significant processing failure. SpyHour data is backed up to multiple durable data stores and replicated across multiple availability zones.
  3. Where feasible, production databases are designed to replicate data between no less than one primary and secondary database. All databases are backed up and maintained using at least industry-standard methods.

SpyHour Services are designed to ensure redundancy and seamless failover. The server instances that support the Services are also architected to prevent single points of failure. This design assists SpyHour operations in maintaining and updating the Services applications and backend while limiting downtime.


SpyHour welcomes your questions or comments regarding the Data Processing Agreement:

FRISCO, TX 75033-3867
Email Address: support@spyhour.com
Effective as of January 01, 2020.
Last updated: July 01, 2021.