Trust

Trusted by industry leaders including DB, Alstom, ÖBB, and many more, 3D Spark maintains an independently certified Information Security Management System aligned with ISO/IEC 27001:2022. Our platform, processes, and security framework are designed to ensure enterprise-grade protection for customer data and operations.

Data Processing Agreement (DPA)

3D Spark Data Processing Agreement (DPA)

This Data Processing Agreement ("Agreement" or "DPA") is entered into by and between: 3D Spark GmbH, a company organized under the laws of Germany, with its registered office at Klaus-Groth-Str. 88, 20535 Hamburg, Germany (hereinafter referred to as the "Data Processor"),

and

[Customer Name], a company organized under the laws of [Country/Region], with its principal place of business at [Address] (hereinafter referred to as the "Data Controller").

This DPA is effective as of the later of (i) the effective date of the agreement between the parties for the provision of services by the Data Processor to the Data Controller (the "Service Agreement") or (ii) the date this DPA is fully executed by both parties (the "Effective Date").

1 Scope and Applicability of the Data Processing Agreement  

1.1 Relationship to the Service Agreement
This DPA supplements and forms an integral part of the Service Agreement between the Data Processor and the Data Controller. It governs the processing of personal data that the Data Processor performs on behalf of the Data Controller in the course of providing services as specified in the Service Agreement.

If any provisions of this DPA conflict with terms in the Service Agreement relating specifically to data processing or data protection, the terms of this DPA shall prevail. All other terms of the Service Agreement remain unaffected and in full force and effect.

1.2 Purpose of the DPA
This DPA establishes the responsibilities and obligations of both the Data Controller and the Data Processor to ensure the protection and privacy of personal data, as required by the General Data Protection Regulation (GDPR) and any other applicable data protection laws. It outlines specific obligations, rights, and duties of each party in the context of processing personal data on behalf of the Data Controller.

1.3 Roles of the Parties
For purposes of this DPA and the GDPR:
The Data Controller is the party that determines the purposes and means of the processing of personal data.

The Data Processor is the party that processes personal data on behalf of, and according to the documented instructions of, the Data Controller for purposes specified in the Service Agreement.

Each party acknowledges and agrees to adhere to the obligations applicable to it under this DPA and the GDPR. The Data Controller is responsible for ensuring that its instructions to the Data Processor are lawful and meet all applicable data protection requirements.  

2 Definitions
For the purposes of this Data Processing Agreement, the following terms shall have the meanings set forth below. Any capitalized terms not defined here will have the meanings ascribed to them in the Service Agreement or the GDPR.

2.1 Applicable Data Protection Law
Refers to all data protection laws and regulations applicable to the processing of personal data under this DPA, including, but not limited to, the General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679).

2.2 Data Controller
The entity that determines the purposes and means of processing personal data, as defined under the GDPR.

2.3 Data Processor
The entity that processes personal data on behalf of the Data Controller, as defined under the GDPR.

2.4 Data Subject
Any identified or identifiable natural person to whom the personal data relates, as defined under the GDPR.

2.5 Personal Data
Any information relating to an identified or identifiable natural person (Data Subject), including, but not limited to, names, contact details, identification numbers, online identifiers, or other data that can directly or indirectly identify the individual, as defined under the GDPR.

2.6 Processing
Any operation or set of operations performed on personal data, whether automated or manual, including collection, recording, organization, structuring, storage, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, restriction, erasure, or destruction, as defined under the GDPR.

2.7 Sub-processor
Any third party appointed by or on behalf of the Data Processor to process personal data on behalf of the Data Controller in connection with this DPA.

2.8 Data Breach
A breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, personal data transmitted, stored, or otherwise processed, as defined under the GDPR.

2.9 Supervisory Authority
An independent public authority established by a European Union (EU) Member State pursuant to the GDPR, which is responsible for monitoring compliance with data protection laws.

2.10 Technical and Organizational Measures (TOMs)
The security measures, policies, and practices implemented by the Data Processor to ensure the confidentiality, integrity, availability, and resilience of personal data, in accordance with Article 32 of the GDPR.

3 Scope of Data Processing
The scope of data processing under this Agreement includes all activities required to deliver the services provided by 3D Spark's SaaS platform. These activities encompass the collection, storage, transmission, analysis, and, if necessary, deletion of personal data related to the service provided to the Data Controller.

3.1 Categories of Personal Data Processed
3D Spark GmbH processes the following categories of personal data strictly as instructed by the Data Controller and to the extent necessary to deliver the contracted services: 

User Identity Data: Names, email addresses, and usernames of the Data Controller's end users, collected for account management and authentication purposes. 
User Activity Data: Records of user actions within the platform, including login timestamps, feature interactions, and audit trail events (e.g. create, edit, delete operations). 
Technical & Device Data: IP addresses, browser type, device identifiers, and system logs, collected for security monitoring, incident response, and platform diagnostics. These data points constitute personal data under GDPR and are treated accordingly. 

The Data Controller is responsible for ensuring that the personal data it submits to the platform for processing has an appropriate legal basis under applicable data protection law. 

3.2 Purposes of Data Processing 
The data processing activities conducted by 3D Spark GmbH are strictly aligned with the following purposes: 
Service Provision: Delivering the core functionalities of the SaaS platform, which includes managing customer accounts, enabling secure user interactions, and processing requests from the Data Controller. 
Customer Support: Assisting customers with queries, troubleshooting technical issues, and providing platform guidance through effective customer service operations. 
Security Monitoring: Protecting the platform and customer data by monitoring for unauthorized access attempts, suspicious activity, and system vulnerabilities to maintain a secure environment. 
Performance Optimization: Collecting usage and system analytics data, anonymized or pseudonymized where possible, to enhance platform stability, improve user experience, and optimize application performance. Pseudonymized data remains personal data under the GDPR and is processed subject to this DPA. 
Compliance: Ensuring compliance with GDPR and other applicable data protection regulations, including data retention, deletion, and audit obligations. 

3.3 Processing Duration 
Personal data is retained only as long as necessary to fulfill the purposes outlined in this Agreement, or as required by law. Specific retention periods include: 
Operational Data: Retained for the duration of the Service Agreement. 
Customer Support Data: Retained for one year after the resolution of a support request, to allow follow-up on the same issue and to maintain service quality. 
Backup Data: Backup data is securely stored for up to 365 days to ensure data recovery and business continuity. Backups are encrypted at rest using AES-256 and stored in geographically separated locations within the EU. Specific retention periods may vary per customer agreement. 
Audit Logs: System access logs, user activity, and authentication events are retained for one year to support security audits, accountability, and GDPR compliance. 

Upon termination of the Service Agreement, personal data will be securely deleted within 30 days unless otherwise requested by the Data Controller. 

3.4 Data Processing Location 
All data processing activities are conducted within the European Union, primarily hosted on dedicated servers managed by Hetzner Online GmbH, an ISO 27001-certified provider located in Germany. In specific cases where sub-processors outside the EU may be required, 3D Spark GmbH will ensure that all necessary safeguards are in place, including the use of Standard Contractual Clauses (SCCs) or other GDPR-compliant mechanisms. 

3.5 Data Minimization and Privacy by Design 
3D Spark GmbH is committed to data minimization and privacy by design principles. Only data essential for delivering services and supporting customers is collected and processed. Our platform is designed to maintain strict access control, ensuring that each user accesses only the data necessary for their role, thereby limiting data exposure and enhancing security. 

4 Obligations of the Data Processor 
3D Spark GmbH, as the Data Processor, is committed to upholding stringent data protection practices in accordance with GDPR requirements. This section outlines the obligations of 3D Spark to ensure that personal data is processed securely, transparently, and solely as directed by the Data Controller. 

4.1 Processing on Documented Instructions 
3D Spark GmbH will process personal data only based on documented instructions provided by the Data Controller, as agreed within the scope of this DPA and the underlying Service Agreement. This commitment includes processing personal data solely for the purposes specified by the Data Controller and in alignment with applicable data protection laws. If, at any point, 3D Spark GmbH believes that an instruction from the Data Controller infringes GDPR or other relevant regulations, it will promptly inform the Data Controller and seek clarification before proceeding. 

4.2 Implementation of Technical and Organizational Measures 
3D Spark GmbH will implement and maintain appropriate technical and organizational measures to safeguard personal data against unauthorized access, loss, alteration, or destruction. Key security measures include: 
Access Control: Role-based access controls are enforced, with multi-factor authentication required for administrative access. Access permissions are reviewed regularly to ensure that only authorized personnel have access to personal data. 
Encryption: All data is encrypted in transit using TLS v1.2+ and at rest using AES-256. This protects personal data from unauthorized access during transmission and storage. 
Incident Monitoring and Response: Real-time monitoring tools and automated threat responses are in place to detect and mitigate potential security incidents. In the event of a security incident involving personal data, 3D Spark GmbH will follow the procedures outlined in Sections 4.5 and 7.4 of this Agreement. 
Employee Training: Employees with access to personal data receive regular security and data protection training to stay current with best practices and GDPR requirements. 

4.3 Confidentiality and Data Access Controls 
3D Spark GmbH ensures that all personnel authorized to process personal data are bound by confidentiality obligations. Employees and contractors are only granted access to personal data on a need-to-know basis and are subject to strict access control protocols that align with GDPR standards. 
3D Spark GmbH also employs identity and access management (IAM) systems, such as single sign-on (SSO) with multi-factor authentication (MFA), to control and track employee access to systems handling personal data. These controls are regularly audited to ensure compliance with our access policies. 

4.4 Assistance with Data Subject Rights 
The Data Processor will assist the Data Controller in meeting its obligations concerning data subject rights under GDPR. This includes supporting requests for: 
Access: Providing data subjects with information on the processing of their personal data, upon request by the Data Controller. 
Rectification: Correcting inaccurate or incomplete data, as instructed by the Data Controller. 
Erasure: Deleting personal data upon the Data Controller's instruction when no longer needed or in response to a valid data subject request. 
Restriction of Processing: Temporarily limiting the processing of data if a data subject exercises their right to restriction, in accordance with the Data Controller's instructions. 

3D Spark GmbH will respond to such requests within a reasonable time frame to enable the Data Controller to meet GDPR response deadlines. 

4.5 Notification and Management of Data Breaches 
In the event of a data breach involving personal data processed on behalf of the Data Controller, 3D Spark GmbH will: 
Timely Notification: Notify the Data Controller without undue delay and, where feasible, no later than 48 hours after becoming aware of a personal data breach, providing sufficient information to enable the Data Controller to meet its own notification obligations under Article 33 GDPR. Where not all information is available within this timeframe, 3D Spark GmbH will provide an initial notification followed by further updates as information becomes available. 
Mitigation Measures: Take immediate steps to contain and mitigate the impact of the breach. This may include isolating affected systems, revoking access, or applying patches as needed. 
Incident Reporting: Provide regular updates to the Data Controller on the status of the breach resolution and any remedial actions taken to prevent similar incidents in the future. 

4.6 Data Protection Impact Assessments (DPIA) and Compliance Assistance 
3D Spark GmbH will assist the Data Controller in conducting Data Protection Impact Assessments (DPIA) when required, particularly if the processing is likely to result in a high risk to data subjects' rights and freedoms. Assistance may include: 
Providing Necessary Information: Supplying information on processing activities, technical and organizational measures, and potential risks related to the services. 
Cooperating with Supervisory Authorities: Collaborating with relevant supervisory authorities as required to support DPIA or other compliance activities. 

4.7 Data Security Audits and Demonstration of Compliance 
To provide the Data Controller with confidence in the Data Processor's compliance efforts, 3D Spark GmbH will: 
Internal Audits: Conduct regular internal audits of its data protection policies and technical and organizational measures to ensure continuous compliance with GDPR requirements. 
Documentation and Evidence: Maintain accurate documentation of its data protection practices, including access logs, security policies, and training records, to demonstrate GDPR compliance upon request. 
Audit Rights: Upon the Data Controller's written request and with reasonable prior notice of at least 14 days, 3D Spark GmbH will make available to the Data Controller (or its designated third-party auditor, subject to reasonable confidentiality obligations) the information necessary to demonstrate compliance with this DPA. This may include access to relevant documentation, policies, and audit reports. On-site audits may be conducted no more than once per calendar year, during normal business hours, and at the Data Controller's expense. 3D Spark GmbH may satisfy this obligation by providing current third-party audit certifications (e.g. ISO 27001) in lieu of a direct audit, where the Data Controller agrees. 

4.8 Deletion or Return upon Termination 
Upon termination or expiry of the Service Agreement, 3D Spark GmbH will, at the Data Controller's choice, either securely delete or return all personal data processed on behalf of the Data Controller, unless applicable law requires continued storage. 
Standard Deletion: Unless the Data Controller requests otherwise, all personal data will be securely and irreversibly deleted within 30 days of the termination date. 
Data Return: Upon written request made before or within 30 days of termination, 3D Spark GmbH will provide an export of the Data Controller's personal data in a structured, machine-readable format prior to deletion. 
Residual Data: Deletion of personal data from backup systems will occur in the course of normal backup rotation and will be completed within the applicable backup retention period (see Section 3.3). During this period, backup data will not be actively processed and will remain subject to the security measures set out in this DPA. 

3D Spark GmbH will provide written confirmation of deletion upon request. 

5 Sub-processors 
3D Spark GmbH may engage third-party service providers, or "sub-processors," to support the delivery of its SaaS platform. These sub-processors assist in functions such as data hosting, customer support, and software development, and each is carefully selected based on their data protection practices and compliance with GDPR requirements. 

5.1 Use of Sub-processors 
3D Spark GmbH may use sub-processors to perform specific processing activities on behalf of the Data Controller. Each sub-processor operates under a data processing agreement that incorporates obligations equivalent to those in this DPA, ensuring GDPR compliance. 

5.2 Approval and Notification of Sub-processors 
The Data Processor maintains a list of current sub-processors and will provide this list to the Data Controller upon request. 3D Spark GmbH will follow these procedures for notifying and obtaining approval from the Data Controller: 
Notification of New Sub-processors: The Data Processor will provide written notice at least 14 days in advance of any intended changes concerning the addition or replacement of sub-processors. This notice will include details on the new sub-processor and the nature of processing they will perform. 
Objection to Sub-processors: The Data Controller may object to the appointment of a new sub-processor by providing written notice within 14 days of receiving notification, setting out the reasonable grounds for the objection. 3D Spark GmbH will work in good faith to address the Data Controller's concerns. If the parties cannot reach a resolution within 30 days, the Data Controller may terminate the affected part of the Service Agreement by written notice. Continued use of the services after the 14-day notification period shall be deemed acceptance of the new sub-processor. 

5.3 Obligations of Sub-processors 
All sub-processors engaged by 3D Spark GmbH are required to adhere to data protection obligations consistent with those outlined in this DPA. Obligations include, but are not limited to: 
Data Security: Implementing appropriate technical and organizational measures to protect personal data. 
Confidentiality: Binding sub-processor personnel to confidentiality obligations regarding the personal data processed on behalf of the Data Controller. 
Cooperation with Data Controller Requests: Assisting 3D Spark GmbH in responding to data subject requests, breach notifications, and compliance reviews as required by this DPA. 

5.4 Current List of Sub-processors 
The following sub-processors are currently engaged by 3D Spark GmbH in connection with the processing of personal data under this DPA: 
Hetzner Online GmbH (Germany): Primary infrastructure provider. Dedicated server hosting and storage within ISO 27001-certified data centers in Germany. Platform data, including the personal data listed in Section 3.1, is stored and processed on Hetzner infrastructure; the sub-processors listed below receive only the limited data described for each. 
HubSpot, Inc. (United States): Limited processing of end-user identifiers submitted via in-product feedback and bug reporting functionality, prior to anonymization. Data transfers to the United States are governed by HubSpot's standard Data Processing Agreement incorporating the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914). Personal data is not retained by HubSpot beyond the anonymization step. 
PostHog (United States): Platform analytics and usage statistics. Processes anonymized or pseudonymized usage data to support product improvement and performance monitoring. Data transfers are governed by Standard Contractual Clauses. 
Stripe (United States): Payment processing and billing. Processes billing contact data of the Data Controller solely for the purpose of payment execution. Stripe does not process end-user personal data of the Data Controller's users. Data transfers are governed by Standard Contractual Clauses; Stripe additionally holds ISO 27001 certification. 

3D Spark GmbH will maintain an up-to-date list of sub-processors and make it available to the Data Controller upon request. Any changes to this list will be communicated in accordance with Section 5.2. 

5.5 Compliance Monitoring of Sub-processors 
3D Spark GmbH relies on each sub-processor's published compliance certifications, third-party audit reports, and terms of service updates to verify their ongoing adherence to GDPR and this DPA. If a sub-processor makes significant changes to its GDPR-related commitments, or if a compliance issue arises that affects the Data Controller's personal data, 3D Spark GmbH will assess the impact and, if needed, take corrective action. This may involve requesting further assurances, adjusting data processing practices, or, if compliance cannot be restored, terminating the engagement with that sub-processor. 

5.6 Liability for Sub-processors 
The Data Processor retains full responsibility for the actions and compliance of any engaged sub-processors, ensuring that the Data Controller's personal data is processed securely and in accordance with GDPR, regardless of which sub-processors are utilized. 

6 Data Subject Rights 
Under GDPR, data subjects have specific rights regarding their personal data. 3D Spark GmbH, as the Data Processor, will assist the Data Controller in fulfilling these rights by implementing processes that enable timely responses to data subject requests. 

6.1 Assistance with Data Subject Requests 
3D Spark GmbH will assist the Data Controller in responding to data subject requests as required by GDPR. The Data Processor will enable and support the Data Controller in responding to the following rights: 
Right of Access: Providing data subjects with access to their personal data upon request by the Data Controller. This includes details on the categories of data processed, the purposes of processing, and any sub-processors involved. 
Right to Rectification: Assisting in correcting or updating inaccurate or incomplete personal data held by the Data Processor, as directed by the Data Controller. 
Right to Erasure: Facilitating the secure deletion of personal data upon the Data Controller's instruction when legally required or in response to a valid request from the data subject. 
Right to Restriction of Processing: Temporarily restricting data processing activities upon the Data Controller's instruction, such as when the accuracy of data is contested or processing is deemed unlawful but the data subject prefers restriction over erasure. 
Right to Data Portability: Enabling the export of personal data in a structured, commonly used, and machine-readable format upon request. This allows data subjects to transfer their personal data to another controller if desired. 
Right to Object: Assisting in halting or restricting processing activities if a data subject objects based on legitimate grounds, in accordance with instructions from the Data Controller. 

6.2 Process for Handling Requests 
Response Times: 3D Spark GmbH will promptly acknowledge and respond to the Data Controller's requests related to data subject rights within a reasonable timeframe to support the Data Controller's compliance with GDPR deadlines. 
Documentation of Requests: All data subject requests and actions taken to fulfill them will be documented by 3D Spark GmbH. This documentation will include the type of request, date of receipt, actions taken, and completion status. The documentation will be retained as evidence of compliance and may be provided to the Data Controller upon request. 

6.3 Costs and Limitations 
3D Spark GmbH will provide reasonable assistance to the Data Controller in fulfilling data subject rights to the extent technically feasible and within commercially practicable limits. Where requests are manifestly excessive or repetitive, the parties will agree in good faith on an appropriate approach. 

6.4 Communication with Data Subjects 
While 3D Spark GmbH does not directly handle requests from data subjects, it will facilitate and support the Data Controller in fulfilling these requests. Data subjects should direct their requests to the Data Controller, who will then coordinate with 3D Spark GmbH for support as needed. The Data Processor will refrain from directly responding to data subject requests unless legally obligated to do so. 

7 Technical and Organizational Measures (TOMs) 
3D Spark GmbH is committed to maintaining the confidentiality, integrity, and availability of personal data processed on behalf of the Data Controller. The Data Processor implements comprehensive technical and organizational measures designed to protect personal data against unauthorized access, loss, or alteration. These measures are continuously reviewed and updated to adapt to new risks, industry standards, and regulatory requirements. 

7.1 Access Control 
Role-Based Access Control (RBAC): Access to systems and data is granted based on the specific role and responsibilities of each user, ensuring that users only access data necessary for their function. 
Single Sign-On (SSO) with Multi-Factor Authentication (MFA): Administrative and critical system access is managed through SSO with MFA, providing an additional layer of protection for sensitive data and systems. 
Regular Access Reviews: Access permissions are reviewed periodically to verify that only active personnel with valid requirements have access to personal data, in alignment with the principle of least privilege. 

7.2 Data Encryption 
Encryption in Transit: All data transferred between the Data Processor and the Data Controller or between internal systems is encrypted using industry-standard TLS protocols (TLS v1.2 and TLS v1.3) to protect against interception and unauthorized access. 
Encryption at Rest: All data at rest, including production databases and backup data, is encrypted using AES-256. 

7.3 Monitoring and Threat Detection 
Real-Time Monitoring: Comprehensive system monitoring is in place to track server health, detect anomalies, and monitor potential threats in real time. 
Automated Threat Responses: Automated scripts and configurations provide active responses to security threats, such as blocking IP addresses for repeated unauthorized access attempts. Alerts are generated and reviewed by the security team as soon as they reach critical thresholds. 
Vulnerability Scanning: Regular vulnerability scans are conducted to identify and mitigate potential security risks within the application and infrastructure. This includes automated scanning tools that flag vulnerabilities so they can be addressed before deployment to production. 

7.4 Incident Response and Data Breach Management 
Incident Detection and Notification: Any security incident involving personal data triggers an immediate response. The Data Controller is notified without undue delay and no later than 48 hours after detection, or sooner where the threat level defined in the General Terms and Conditions (GTC) requires it, so that the Data Controller can meet its own obligations under Article 33 GDPR. 
Containment and Mitigation: Steps are taken to contain the incident, assess its impact, and implement corrective measures. Actions include isolating affected systems, revoking unauthorized access, and conducting root cause analyses. 
Post-Incident Review: Following resolution, a post-incident review is conducted to identify any areas for improvement and to document findings and corrective actions taken to prevent future incidents. 

7.5 Employee Training and Security Awareness 
Security Training: All employees receive mandatory security training upon hire and periodic refresher sessions covering data protection principles, secure handling of personal data, and incident response protocols. 
Phishing and Social Engineering Awareness: Employees are regularly educated on identifying and reporting phishing attempts, ensuring that they remain vigilant to social engineering threats.

7.6 Privacy by Design and Default 
Data Minimization: Personal data collected and processed is limited to only what is necessary to achieve the intended purposes of processing, reducing exposure to potential risk. 
Secure Development Practices: Our software development lifecycle includes secure coding practices, peer reviews, and automated testing, ensuring that new features are designed with data protection as a priority. 
Default Security Settings: All default settings within the platform are configured to uphold data security, such as requiring strong passwords, enforcing role-based access, and applying privacy controls that prevent unauthorized data sharing. 

7.7 Data Retention and Disposal 
Automated Data Deletion: Data is automatically deleted at the end of its retention period. 
Secure Hardware Disposal: When hardware containing personal data reaches end-of-life, 3D Spark GmbH follows industry-standard disposal protocols, including data erasure or physical destruction, to prevent data recovery. 

7.8 Auditing and Compliance Verification 
Internal Audits: Regular audits of security policies, access control measures, and data protection practices are conducted to verify compliance with this DPA and GDPR. 
Documentation and Evidence: Detailed records of security policies, access logs, and employee training activities are maintained to support compliance and provide transparency to the Data Controller. 
Third-Party Assessments: Where feasible, 3D Spark GmbH reviews third-party audits and certifications (such as ISO 27001 for hosting providers) to ensure that all infrastructure supporting personal data complies with recognized standards. 

8 International Transfers 
3D Spark GmbH is committed to protecting personal data and prioritizes data processing and hosting within the European Union (EU) whenever possible. 

8.1 EU-Preferred Data Hosting 
3D Spark GmbH strives to host and process personal data within the EU, using EU-based infrastructure and service providers whenever possible. This includes hosting services on dedicated servers at Hetzner Online GmbH, an ISO 27001-certified provider operating data centers in Germany. This EU-preferred approach aligns with our commitment to GDPR and ensures personal data remains under European regulatory protections whenever feasible. 

8.2 International Transfers for Specific Services 
While we prioritize EU hosting, certain services may require data processing outside the EU, depending on the available options of third-party providers. For example, certain payment services, such as those provided by Stripe, may involve processing personal data in the United States or other non-EEA countries. In these cases, 3D Spark GmbH ensures that all necessary safeguards are in place to protect personal data. 

8.3 GDPR-Compliant Safeguards for International Transfers 
In instances where data must be transferred outside the EU, 3D Spark GmbH takes the following steps to ensure GDPR compliance: 
Standard Contractual Clauses (SCCs): We rely on SCCs approved by the European Commission for transfers to non-EEA countries, which provide legally binding protections for personal data. 
Adequacy Decisions: Where applicable, we may transfer data to countries deemed by the European Commission to provide an adequate level of data protection.

3D Spark GmbH will notify the Data Controller of any new or significant international transfers, especially if a new sub-processor located outside the EU is engaged. This notification allows the Data Controller to review and, if necessary, raise objections to specific transfers or sub-processors, as outlined in Section 5.2 of this DPA. 

8.4 Transparency and Documentation 
3D Spark GmbH maintains detailed records of all data transfers and safeguards associated with international processing to ensure transparency and compliance. Documentation regarding any non-EU processing and the implemented safeguards is available to the Data Controller upon request. 

9 Liability 
This section defines the liabilities of both the Data Controller and 3D Spark GmbH (the Data Processor) concerning data protection obligations under this Data Processing Agreement (DPA). Both parties agree to limit their liability as specified within this DPA and the underlying Service Agreement, except where otherwise restricted by applicable law. 

9.1 General Liability 
Each party's liability under this DPA shall be limited to direct damages and shall be subject to the limitations set out in the Service Agreement, to the maximum extent permitted by applicable law. Nothing in this DPA limits either party's liability where such limitation is not permitted under Article 82 GDPR or other applicable mandatory law. 

9.2 Data Processor's Liability 
3D Spark GmbH's liability for damages arising from Processing under this DPA is limited to direct, foreseeable damages and shall not exceed the amounts specified in the underlying Service Agreement. 3D Spark GmbH shall not be liable for any Processing carried out in accordance with documented instructions provided by the Data Controller. Indirect, incidental, or consequential damages are excluded to the maximum extent permitted by applicable law. 

9.3 Data Controller's Liability 
The Data Controller is responsible for ensuring that any instructions provided to 3D Spark GmbH for the processing of personal data comply with applicable data protection laws.
The Data Controller will bear responsibility for:
- Confirming that an appropriate legal basis exists for the personal data processed by 3D Spark GmbH.
- Ensuring that data subject rights are communicated and appropriately managed.
- Indemnifying 3D Spark GmbH against any claims, liabilities, or losses arising from instructions or actions by the Data Controller that contradict GDPR.

9.4 Joint Liability and Proportional Responsibility 
If both parties are jointly liable for damages due to shared responsibility, each party shall bear liability in proportion to its respective degree of fault and level of control over the processing activity in question, in line with Article 82 of the GDPR. 

9.5 Limitation of Liability 
Except where otherwise required by law, the total liability of each party under this DPA shall not exceed the amount specified in the underlying Service Agreement. This limitation does not apply to damages resulting from gross negligence, willful misconduct, or liabilities that cannot be legally limited. 

9.6 Exclusions of Indirect Damages 
Neither party shall be liable for indirect, special, incidental, or consequential damages, including but not limited to loss of revenue, profits, goodwill, or data, even if such damages were foreseeable, except as required by law. 

9.7 Dispute Resolution 
In the event of a dispute regarding liability under this DPA, both parties agree to make reasonable efforts to resolve the dispute amicably. If resolution cannot be reached, disputes shall be subject to the governing law and jurisdiction specified in Section 10 of this DPA. 

10 Governing Law and Jurisdiction 
This Data Processing Agreement (DPA) and any disputes or claims arising out of or in connection with it, including any issues regarding its existence, validity, or termination, shall be governed by and construed in accordance with the laws of Germany. 

10.1 Jurisdiction 
The parties agree that any disputes arising out of or relating to this DPA shall be subject to the exclusive jurisdiction of the courts in Hamburg, Germany. Both the Data Controller and 3D Spark GmbH (the Data Processor) consent to the jurisdiction of these courts and agree to resolve any claims or legal proceedings arising from this DPA in Hamburg, Germany. 

10.2 Mandatory Mediation 
Before initiating formal legal proceedings, the parties agree to attempt in good faith to resolve any dispute or claim through mediation. Either party may initiate mediation by providing written notice to the other party. Mediation shall take place within a reasonable time from the date of notice, at a mutually agreed location, or remotely if preferred by both parties. If the parties are unable to resolve the dispute through mediation within 60 days, either party may then proceed with formal court proceedings as outlined in Section 10.1. 

10.3 Injunctive Relief 
Notwithstanding the foregoing, either party may seek injunctive or equitable relief in any court of competent jurisdiction if such relief is necessary to prevent irreparable harm. This provision does not limit either party's right to seek interim or emergency relief, as required. 
