Spellit demo
Discover how our AI-assistant, Spellit, can boost your business. We'll walk you through how the service works and answer all your questions
Data Processing Agreement (DPA)
Last Updated: 07 Jule, 2025
This Data Processing Agreement ("DPA") applies to all personal data processed by Nakama Agency (“Provider”) in the course of providing Spellit.ai services to its customers (“Clients”). By using the Spellit.ai service, the Client agrees to the terms of this DPA.
1. SUBJECT AND PURPOSE OF PROCESSING
1.1. The Provider, acting as data processor, processes personal data strictly for the purpose of providing AI-based analytics of audio, video, and text files as instructed by the Client (data controller). The Provider may use aggregated and anonymized data for statistical, analytical, or product improvement purposes.
1.1. The Provider, acting as data processor, processes personal data strictly for the purpose of providing AI-based analytics of audio, video, and text files as instructed by the Client (data controller). The Provider may use aggregated and anonymized data for statistical, analytical, or product improvement purposes.
2. CATEGORIES OF DATA AND DATA SUBJECTS
2.1. Categories of data: audio, video, and text files; file metadata; CRM fields (e.g., name, contact information, deal parameters, internal IDs); email addresses; other business communications and materials as provided by the Client.
2.2. Data subjects: Client’s employees, representatives, contractors, business partners, or any other individuals whose data the Client lawfully provides for analysis.
2.3. No biometric, special category, or sensitive data is knowingly processed. Provider does not use data for identification or reidentification.
2.1. Categories of data: audio, video, and text files; file metadata; CRM fields (e.g., name, contact information, deal parameters, internal IDs); email addresses; other business communications and materials as provided by the Client.
2.2. Data subjects: Client’s employees, representatives, contractors, business partners, or any other individuals whose data the Client lawfully provides for analysis.
2.3. No biometric, special category, or sensitive data is knowingly processed. Provider does not use data for identification or reidentification.
3. OBLIGATIONS OF THE PARTIES
3.1. The Client acts as data controller and is solely responsible for ensuring all necessary consents, notices, and legal bases for providing and processing personal data in connection with the Service.
3.2. The Provider processes personal data solely on documented instructions from the Client, and only as necessary for performing the Service.
3.3. The Provider shall not process personal data for its own purposes, nor for any direct marketing, profiling, or resale. The Provider may use aggregated and anonymized data as set out in Section 1.1.
3.1. The Client acts as data controller and is solely responsible for ensuring all necessary consents, notices, and legal bases for providing and processing personal data in connection with the Service.
3.2. The Provider processes personal data solely on documented instructions from the Client, and only as necessary for performing the Service.
3.3. The Provider shall not process personal data for its own purposes, nor for any direct marketing, profiling, or resale. The Provider may use aggregated and anonymized data as set out in Section 1.1.
4. TECHNICAL AND ORGANIZATIONAL MEASURES
4.1. The Provider implements industry-standard technical and organizational security measures to protect personal data, including (where applicable):
(a) encryption in transit and at rest;
(b) access control with role-based permissions;
(c) limiting data access to authorized personnel only;
(d) regular security reviews and training;
(e) audit logging;
(f) pseudonymization or anonymization when possible;
(g) such measures are appropriate in light of the nature, scope, context, purposes of processing, sensitivity, risks, and costs.
4.2. The Provider regularly reviews its security measures and updates as necessary to maintain an appropriate level of protection.
4.1. The Provider implements industry-standard technical and organizational security measures to protect personal data, including (where applicable):
(a) encryption in transit and at rest;
(b) access control with role-based permissions;
(c) limiting data access to authorized personnel only;
(d) regular security reviews and training;
(e) audit logging;
(f) pseudonymization or anonymization when possible;
(g) such measures are appropriate in light of the nature, scope, context, purposes of processing, sensitivity, risks, and costs.
4.2. The Provider regularly reviews its security measures and updates as necessary to maintain an appropriate level of protection.
5. USE OF SUBPROCESSORS AND THIRD PARTIES
5.1. The Provider may engage subprocessors (such as cloud infrastructure providers, AI/ML service providers, IT support and analytics vendors) at its sole discretion for processing personal data solely for purposes of providing the Service. All such subprocessors are contractually bound to data protection obligations no less stringent than those set out in this DPA and GDPR. The Provider may change, add, or replace subprocessors at any time without notice to or consent from the Client.
5.1. The Provider may engage subprocessors (such as cloud infrastructure providers, AI/ML service providers, IT support and analytics vendors) at its sole discretion for processing personal data solely for purposes of providing the Service. All such subprocessors are contractually bound to data protection obligations no less stringent than those set out in this DPA and GDPR. The Provider may change, add, or replace subprocessors at any time without notice to or consent from the Client.
6. INTERNATIONAL DATA TRANSFERS
6.1. The Provider may transfer or process personal data outside the European Economic Area (EEA) as necessary for providing the Service (e.g., for cloud storage, AI/ML processing). All such transfers will be conducted in compliance with GDPR, including as necessary Standard Contractual Clauses or other transfer mechanisms required by GDPR.
6.2. The Provider ensures all subprocessors comply with GDPR and relevant data protection requirements.
6.1. The Provider may transfer or process personal data outside the European Economic Area (EEA) as necessary for providing the Service (e.g., for cloud storage, AI/ML processing). All such transfers will be conducted in compliance with GDPR, including as necessary Standard Contractual Clauses or other transfer mechanisms required by GDPR.
6.2. The Provider ensures all subprocessors comply with GDPR and relevant data protection requirements.
7. DATA SUBJECT RIGHTS AND ASSISTANCE
7.1. The Provider assists the Client in fulfilling its obligations to respond to requests from data subjects (DSR) regarding access, rectification, erasure, restriction, portability, or objection, as required by GDPR. The Provider shall not respond directly to data subjects unless legally required, but promptly forwards such requests to the Client.
7.1. The Provider assists the Client in fulfilling its obligations to respond to requests from data subjects (DSR) regarding access, rectification, erasure, restriction, portability, or objection, as required by GDPR. The Provider shall not respond directly to data subjects unless legally required, but promptly forwards such requests to the Client.
8. DATA BREACH NOTIFICATION
8.1. The Provider shall notify the Client without undue delay, and in any case no later than 168 hours (7 days) after becoming aware of any actual or suspected personal data breach affecting the Service, providing all relevant information reasonably required for the Client to comply with its own obligations.
8.1. The Provider shall notify the Client without undue delay, and in any case no later than 168 hours (7 days) after becoming aware of any actual or suspected personal data breach affecting the Service, providing all relevant information reasonably required for the Client to comply with its own obligations.
9. DATA RETENTION AND DELETION
9.1. The Provider will retain personal data for the duration of the Client’s use of the Service. Upon termination of the Client’s account or upon written request, the Provider will delete or anonymize all personal data within 90 days, unless otherwise required by law.
9.1. The Provider will retain personal data for the duration of the Client’s use of the Service. Upon termination of the Client’s account or upon written request, the Provider will delete or anonymize all personal data within 90 days, unless otherwise required by law.
10. INFORMATION REQUESTS
10.1. Upon written request from the Client (no more than once per year and with at least 90 days’ prior notice), the Provider will provide the Client with information reasonably necessary to demonstrate compliance with this DPA and applicable data protection laws. No physical or remote audit, inspection, or direct access to Provider’s systems or data will be granted. The Provider is not required to disclose commercial secrets, intellectual property, information relating to other clients, or any information that may compromise Provider’s security or operations.
10.1. Upon written request from the Client (no more than once per year and with at least 90 days’ prior notice), the Provider will provide the Client with information reasonably necessary to demonstrate compliance with this DPA and applicable data protection laws. No physical or remote audit, inspection, or direct access to Provider’s systems or data will be granted. The Provider is not required to disclose commercial secrets, intellectual property, information relating to other clients, or any information that may compromise Provider’s security or operations.
11. MISCELLANEOUS
11.1. The Provider may update this DPA at any time by posting a revised version on its service website https://spellit.ai/data_processing_agreement or notifying Clients. Such updates become effective upon posting or notification.
11.2. Any notices under this DPA must be given in writing to Provider at info@nakama.email or through the contact information provided on www.spellit.ai.
11.3. This DPA is governed by the laws of the Netherlands.
11.4. The Provider shall not be liable for non-material damages or loss of control, except in cases of gross negligence or wilful misconduct. The Provider shall not be liable for the Client’s failure to obtain any required consents or comply with its obligations as data controller under applicable law. The Provider’s liability is limited to the minimum required under applicable law and does not extend to indirect, special, or consequential damages.
11.1. The Provider may update this DPA at any time by posting a revised version on its service website https://spellit.ai/data_processing_agreement or notifying Clients. Such updates become effective upon posting or notification.
11.2. Any notices under this DPA must be given in writing to Provider at info@nakama.email or through the contact information provided on www.spellit.ai.
11.3. This DPA is governed by the laws of the Netherlands.
11.4. The Provider shall not be liable for non-material damages or loss of control, except in cases of gross negligence or wilful misconduct. The Provider shall not be liable for the Client’s failure to obtain any required consents or comply with its obligations as data controller under applicable law. The Provider’s liability is limited to the minimum required under applicable law and does not extend to indirect, special, or consequential damages.