Data Processing Agreement (DPA)
Document Status: June 2026
This agreement ("Data Processing Agreement" or "DPA") is entered into between the Customer ("Controller") and Spotix ("Processor"), and forms an integral part of the main service agreement (Terms of Service). This agreement is concluded in accordance with GDPR Article 28(3) and Israel's Privacy Protection Law (Amendment 13).
To arrange signature of this agreement: [email protected]
Section 1: Scope, Duration, and Description of Processing
This agreement applies to the processing of player data only. With regard to creator account data, Spotix acts as an independent Controller.
Duration: For as long as the engagement between the parties is in effect.
| # | Purpose | Data Subjects | Data Categories | Recipients | Cross-Border Transfer | Deletion Schedule |
|---|---|---|---|---|---|---|
| 1 | Joining an activity | Players | Device ID (UUID), team name, security answer (plain text) | Tour creator, support | No | Upon deletion of activity or account |
| 2 | Gameplay | Players | Question answers, scores, progress, behavioral events | Tour creator | No | Upon deletion of activity or account |
| 3 | Media uploads | Players | Photos, videos, audio recordings | Tour creator, public viewing (URL) | No | Until deletion by the creator |
| 4 | Navigation and maps | Players | GPS coordinates (local processing only, not stored) | - | Mapbox (tiles only, no coordinates) | Immediate (transient) |
| 5 | Statistics and analytics | Players | Anonymous behavioral events (linked to team UUID) | Tour creator | No | Upon deletion of activity |
| 6 | Optional survey | Players | Team size, group type, first visit | Tour creator | No | Upon deletion of activity |
Section 2: Responsibilities and Roles
- The Customer (organization, museum, creator) is the "Controller" under GDPR Article 4(7).
- Spotix is the "Processor."
- The Controller is responsible for the lawfulness of processing, including the legal basis for collecting data from players.
- Initial processing instructions are as specified in this agreement. The Controller may modify instructions in writing.
Section 3: Processor Obligations (Spotix)
- Processing on instructions only: Processing solely in accordance with the Controller's instructions (Article 28(3)(a)). If an instruction conflicts with law, Spotix will notify immediately.
- Security measures: Implementation of technical and organizational security measures (Article 32) as detailed in Annex 1.
- Assistance with data subject rights: Assistance in handling data subject requests (Articles 15-21). Response within 30 days.
- Confidentiality: Any person authorized to process data is bound by confidentiality.
- Notification of security incidents: Notice without undue delay, and in any case within 72 hours (Articles 33-34). Immediate measures to mitigate harm.
- Impact assessment (DPIA): Assistance with impact assessments and prior consultation (Articles 35-36) upon request.
- Correction and deletion: Correction or deletion of data per the Controller's instruction.
- Termination of engagement: Upon termination: deletion of all data within 30 days, or return in a structured format, at the Controller's choice.
- Defense against claims: Assistance in defense against claims (Article 82).
- Periodic review: Periodic review of the effectiveness of security measures (Article 32(1)(d)).
Section 4: Controller Obligations (Customer)
- Immediate notification of any defect or irregularity discovered.
- Designating a point of contact for data protection matters.
Section 5: Data Subject Requests
- If a data subject contacts Spotix directly, the request will be forwarded to the Controller.
- Spotix provides assistance according to instructions and capability.
- Spotix is not responsible if the Controller fails to respond to a request.
Section 6: Documentation and Audit
- Spotix documents and demonstrates compliance through Annex 1 (Technical and Organizational Measures).
- Right of audit: The Controller is entitled to conduct an audit (or appoint an auditor), with prior coordination, during business hours, without interfering with operations. Spotix may require a confidentiality agreement and reject auditors who are competitors.
- Supervisory authority audit: Same terms, without requiring a confidentiality agreement.
Section 7: Sub-processors
The Customer hereby approves the use of the sub-processors listed in Annex 2.
- Modification or addition: 30-day prior notice.
- Right to object: The Controller may object on substantive grounds. If no agreement is reached, the Controller has a right of termination.
- Spotix undertakes that data protection obligations also apply to sub-processors (Articles 28(2)-(4)).
Section 8: General Provisions
- Immediate notification if data is subject to seizure, attachment, or bankruptcy proceedings.
- Changes to this agreement: in writing only.
- This agreement prevails over the main agreement on data protection matters.
- Governing law: Laws of the State of Israel, interpreted in accordance with GDPR where relevant.
Section 9: Liability and Damages
- Liability to data subjects under GDPR Article 82.
- The liability provisions in the main agreement (Terms of Service) also apply to this processing.
Signatures
Controller (Customer)
Organization Name: _______________
Authorized Signatory Name: _______________
Title: _______________
Date: _______________
Signature: _______________
Processor (Spotix)
Doron Yosha
Date: _______________
Signature: _______________
Annex 1: Technical and Organizational Measures (TOM) per GDPR Article 32
Physical Access Control
Data is stored on Supabase (Frankfurt, AWS eu-central-1 data centers) and Cloudflare R2. Spotix does not own physical servers. Physical protection is the responsibility of infrastructure providers (AWS ISO 27001, Cloudflare ISO 27001).
Logical Access Control
- Creator authentication: JWT (Supabase Auth) + server-side role check
- Privilege separation: service_role (server only) vs. anon key (client)
- Row Level Security (RLS): creators see only data from their own tours
- Passwords hashed with bcrypt (Supabase Auth); no reversible encryption of credentials
- No direct admin access to the database in production
Data Access Control
- Anonymous players: no endpoint for deletion or editing. Only the creator manages player data
- Creators: CRUD restricted to tours they own
- Admin actions are logged in admin_audit_log
Data Transmission Control
- All traffic encrypted via HTTPS/TLS
- API keys stored as environment variables (not in source code)
- No transfer of player data to third parties beyond approved sub-processors
Data Input Control
- Analytics events logged with server timestamp
- Score changes logged in admin_score_log with operator identity
- Admin actions logged in admin_audit_log
Availability Control
- Automated daily backup (pg_dump), retained for 60 days in Cloudflare R2
- Supabase: replication + point-in-time recovery
- Cloudflare Pages: global CDN with redundancy
- Monitoring: system_daily_snapshots with health metrics
Data Separation
- Each tour's data is logically separated (tour_id foreign key in every table)
- RLS enforces separation: a creator cannot access data from another creator's tour
- Development and production environments are completely separated
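Illustrative policy definitions for the Logical Access Control and Data Separation measures above. This is an added example written for this annex, not Spotix's production schema or policies: the tables `tours` and `teams`, their columns, and the creator UUID used in the check are assumptions. It uses Supabase's `auth.uid()`, which returns the `sub` claim of the caller's JWT, and relies on the fact that only the `service_role` key (server side) bypasses Row Level Security.

```sql
-- Added illustration (assumed schema, not Spotix's own): a creator owns tours,
-- each team row carries the tour_id foreign key that scopes player data.
create table public.tours (
  id         uuid primary key default gen_random_uuid(),
  creator_id uuid not null references auth.users (id),
  name       text not null
);

create table public.teams (
  id        uuid primary key default gen_random_uuid(),
  tour_id   uuid not null references public.tours (id) on delete cascade,
  team_name text not null,
  device_id uuid not null
);

-- Enable RLS and force it so the policies also bind the table owner.
-- The service_role key (BYPASSRLS) is the only principal that skips them,
-- which is why it must never be shipped to the client.
alter table public.tours enable row level security;
alter table public.tours force row level security;
alter table public.teams enable row level security;
alter table public.teams force row level security;

-- A creator can read and write only tours whose creator_id equals the JWT
-- subject. The WITH CHECK clause stops an UPDATE or INSERT from handing a
-- tour to another creator.
create policy tours_owner on public.tours
  for all to authenticated
  using (creator_id = auth.uid())
  with check (creator_id = auth.uid());

-- Player data (teams) is reachable only through a tour the caller owns.
create policy teams_via_owned_tour on public.teams
  for all to authenticated
  using (exists (select 1 from public.tours t
                 where t.id = teams.tour_id and t.creator_id = auth.uid()))
  with check (exists (select 1 from public.tours t
                      where t.id = teams.tour_id and t.creator_id = auth.uid()));

-- No policy is defined for the anon role: with RLS enabled, the anon key
-- therefore receives zero rows from either table.

-- Verification from psql (assumed creator UUID): impersonate an authenticated
-- session the way the API gateway does, then confirm only that creator's rows
-- are visible. The transaction is rolled back so nothing persists.
begin;
set local role authenticated;
set local request.jwt.claims =
  '{"sub":"11111111-1111-1111-1111-111111111111","role":"authenticated"}';
select t.id, t.name from public.tours t;          -- only tours of 1111...
select count(*) from public.teams;                -- only teams of those tours
rollback;
```

The check at the end is the kind of test an auditor under Section 6 can run without credentials for any other creator: if the second `select` ever returns rows for a tour the impersonated creator does not own, a policy is missing or a table was created without RLS enabled.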
Annex 2: List of Approved Sub-processors
| Provider | Processing Location | Role | Certifications | Transfer Mechanism |
|---|---|---|---|---|
| Supabase Inc. | Frankfurt, EU (eu-central-1) | Database, authentication, Realtime | SOC 2 Type II | EU - no transfer required |
| Cloudflare Inc. | Global edge network (automatic locality) | File storage (R2), hosting (Pages), CDN | ISO 27001, SOC 2 Type II | SCC |
| Mapbox Inc. | United States | Map and navigation infrastructure | SOC 2 Type II | SCC |
| Resend Inc. | United States | Transactional email delivery | SOC 2 Type II | SCC |
| Google LLC | United States | Gemini API (translation, optional), Fonts (partial) | ISO 27001 | SCC, paid API tier |
