The handling of personal data in a secure, fair, and transparent way is extremely important to us at Spellboundweb. To better protect individuals’ personal data, we provide this agreement to govern Spellboundweb’s and your handling of personal data.

If you are accepting this DPA on behalf of another party, you warrant that: (a) you have full legal authority to bind the party to this DPA; (b) you have read and understand this DPA; and (c) you agree, on behalf of Customer, to this DPA. If you do not have the legal authority to bind Customer, please do not accept this DPA.


  • “You” or “Customer” refers to the company or organisation that signs up to use Spellboundweb’s Services. In the course of providing services to customers pursuant to the Agreement, Spellboundweb may process personal data on behalf of Customer.
  • In this Data Processing Agreement (“DPA”), “Data Protection Legislation” means the General Data Protection Regulation (Regulation (EU) 2016/279), and all other applicable laws relating to processing of personal data and privacy that may exist in any relevant jurisdiction;
  • “data controller”, “data processor”, “data subject”, “personal data”, “processing”, and “appropriate technical and organisational measures” shall be interpreted in accordance with applicable Data Protection Legislation;
  • The parties agree that Customer is the data controller and that Spellboundweb is its data processor in relation to personal data that is processed in the course of providing the Service.

Our obligations

  1. Spellboundweb will process Customer Personal Data only in accordance with Instructions from Customer.
  2. Spellboundweb shall notify Customer without undue delay if, in Spellboundweb/s opinion, an instruction for the processing of personal data given by Customer infringes applicable Data Protection Legislation.
  3. Spellboundweb shall guarantee the confidentiality of personal data processed hereunder.
  4. Spellboundweb shall ensure that all Spellboundweb personnel required to access the personal data are informed of the confidential nature of the personal data.
  5. Spellboundweb shall implement and maintain appropriate technical and organisational security measures designed to protect the personal data against unauthorised or unlawful processing and against accidental loss, destruction, damage, theft, alteration or disclosure. These measures shall be appropriate to the harm which might result from any unauthorised or unlawful processing, accidental loss, destruction, damage or theft of the personal data and having regard to the nature of the personal data which is to be protected.
  6. Spellboundweb may hire other companies to provide limited services on its behalf, provided that they comply with the provisions of this Clause. Any such subcontractors will be permitted to process personal data only to deliver the services that Spellboundweb have retained them to provide, and they shall be prohibited from using personal data for any other purpose. A list of subcontractors is available to the Customer in our Privacy policy. Legitimate objections must contain reasonable and documented grounds relating to a subcontractor’s non-compliance with applicable Data Protection Legislation.
  7. If Spellboundweb becomes aware of any accidental, unauthorised or unlawful security breach, destruction, loss, alteration, or disclosure of the personal data that is processed by Spellboundweb in the course of providing the Service (an “Incident”), it shall without undue delay (not later than 48 hours after having become aware of it), notify Customer by email notification and provide Customer with a description of the Incident as well as periodic updates to information about the Incident, including its impact on Customer content. Spellboundweb shall additionally take action to investigate the Incident and reasonably prevent or mitigate the effects of the Incident.

Liability and Indemnity

  • Each party indemnifies the other and holds them harmless against all claims, actions, third party claims, losses, damages and expenses incurred by the indemnified party and arising directly or indirectly out of or in connection with a breach of this DPA.
  • This DPA shall come into effect on May 25, 2018 and shall continue until it is changed or terminated in accordance with the Terms of Service.
  • Termination or expiration of this DPA shall not discharge the parties from the confidentiality obligations herein.