Data Processing Agreement (DPA)

For any further assistance, please email [email protected].

Last updated: February 22, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other agreement (“Agreement”) between FatSync Software Private Limited, an Indian private limited company operating the Spike platform (“Spike”, “Processor”, “we”, “us”), and the customer entity using Spike’s services (“Controller”).

This DPA applies where Spike processes Personal Data on behalf of the Controller in connection with the provision of the Spike incident management and alerting platform.

1. Definitions#

“Personal Data” means any information relating to an identified or identifiable natural person. “Processing” means any operation performed on Personal Data, including collection, storage, use, transmission, or deletion.

“Applicable Data Protection Law” means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation (GDPR).

2. Roles of the Parties#

The Controller determines the purposes and means of processing Personal Data. Spike acts as a Processor and processes Personal Data only on documented instructions from the Controller, as described in the Agreement and this DPA.

3. Subject Matter and Duration of Processing#

Subject Matter: Provision of the Spike incident management, alerting, escalation, and on-call scheduling platform.

Duration: For the duration of the Agreement, and until deletion or return of Personal Data in accordance with Section 8.

4. Nature and Purpose of Processing#

Spike processes Personal Data to: Provide incident management and alerting services Manage user accounts and authentication Deliver notifications via email, SMS, Phone calls, Slack, Microsoft Teams and other integrations Maintain system logs and audit trails Provide customer support

5. Categories of Personal Data#

Personal Data processed may include:

  • Names
  • Email addresses
  • Phone numbers
  • Account credentials (hashed passwords where applicable)
  • Incident-related content submitted by users

Spike does not intentionally collect special categories of personal data.

6. Categories of Data Subjects#

  • Customer employees
  • Authorized users of the Spike platform -Individuals whose contact information is configured for alerting

7. Technical and Organizational Measures#

Spike maintains administrative, technical, and organizational safeguards appropriate to the nature of the data processed, including:

  • Encryption in transit (TLS)
  • Encryption at rest via MongoDB Atlas
  • Role-based access controls
  • Authentication and access restrictions for production systems
  • Logging and monitoring of system activity
  • Cloud infrastructure hosted on AWS (United States)
  • Managed database services via MongoDB Atlas (United States)
  • A more detailed description is provided in Annex II.

8. Deletion and Return of Data#

Upon termination of the Agreement, Spike will delete or return Personal Data in accordance with the Agreement and applicable law. Customers may request deletion of data at any time via support channels.

9. Subprocessors#

Spike engages subprocessors to provide infrastructure and communication services necessary for platform operation. A current list of subprocessors is provided in Annex III and maintained at: https://spike.sh/privacy. Spike may notify customers of material changes to subprocessors.

10. International Data Transfers#

FatSync Software Private Limited (“Spike”) is incorporated in India and operates the Spike platform using infrastructure hosted in the United States.

Where Personal Data originating in the European Economic Area (EEA) or United Kingdom is transferred to FatSync Software Private Limited or further transferred to subprocessors located outside the EEA or UK, such transfers are governed by the European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). For transfers between the Controller and Spike, Module Two (Controller to Processor) applies.

The Standard Contractual Clauses are incorporated by reference and form part of this DPA. Annex I, Annex II, and Annex III to the Standard Contractual Clauses are completed as set out in this DPA.

Standard Contractual Clauses#

The European Commission’s Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA by reference and form part of this agreement.

For transfers between the Controller and FatSync Software Private Limited, Module Two (Controller to Processor) applies. The completed Annex I, Annex II, and Annex III to the Standard Contractual Clauses are set out in this DPA. The full text of the EU Standard Contractual Clauses (2021) is available here: https://spike.sh/gdpr/eu-scc

11. Data Subject Rights#

Spike will assist the Controller, where reasonably required, in responding to requests from data subjects exercising their rights under Applicable Data Protection Law.

12. Audit Rights#

Upon reasonable notice, the Controller may request information necessary to demonstrate compliance with this DPA, subject to confidentiality and reasonable limitations.

Annex I – Description of Processing#

Parties: Controller: Customer entity entering into the Agreement Processor: Spike

Processing Description: Provision of incident management and alerting platform, including user account management, notification delivery, logging, and support.

Data Subjects: Customer employees and authorized users.

Categories of Personal Data: Names, email addresses, phone numbers, incident content, system metadata.

Frequency of Transfer: Continuous for the duration of service use.

Location of Processing: United States.

Annex II – Technical and Organizational Measures#

Spike maintains the following technical and organizational safeguards: Infrastructure and Hosting: Spike’s production infrastructure is hosted on Amazon Web Services (AWS) in the United States. Customer data is stored in MongoDB Atlas hosted in the United States.

Encryption: All data in transit is encrypted using TLS.All data at rest is encrypted using MongoDB Atlas encryption-at-rest mechanisms.

Access Control: Production system access is restricted to specifically authorized personnel. Access to AWS and MongoDB Atlas administrative accounts is limited to named individuals. Multi-factor authentication (MFA) is enforced for AWS root, IAM administrative users, and MongoDB Atlas administrative accounts.

Least Privilege: Access to production systems is granted based on role and operational necessity. As of the Effective Date, production data access is restricted to two authorized individuals.

Logging and Monitoring: Systemactivity and production access are logged. Operational logs are maintained to support troubl eshooting and security monitoring.

Data Deletion: Customer data may be deleted upon request through documented internal procedures. Upon termination of service, customer data is deleted in accordance with the Agreement.

Annex III 2 Subprocessors#

  • Amazon WebServices (United States) – Infrastructure hosting
  • MongoDB Atlas (United States) – Database hosting
  • Twilio (United States) – Phone calls and SMS delivery
  • Plivo (United States) – Phone calls and SMS delivery
  • SendGrid (United States) – Transactional email
  • Loops.so (United States) – Marketing communications
× Zoomed Image