Data processing agreement
Last updated: June 18, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Use and any related agreement (the "Agreement") between Smplrspace Pte Ltd, 10 Petain Road #04-01, Singapore 208089 ("Smplrspace", "we", the "Processor") and the customer that accepts the Agreement (the "Customer", "you", the "Controller"). It governs our processing of personal data that you upload to or generate through the Smplrspace platform (the "Service") on your behalf.
Where this DPA conflicts with the rest of the Agreement in relation to the processing of personal data, this DPA prevails.
1. Definitions
"Data protection law" means all applicable laws relating to the processing of personal data, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Swiss FADP, and applicable US state privacy laws. "Controller", "processor", "data subject", "personal data", "processing", and "personal data breach" have the meanings given in the GDPR. "Customer Personal Data" means personal data that we process on your behalf under the Agreement, as described in Annex 1.
2. Roles and scope
For Customer Personal Data, you are the Controller and Smplrspace is the Processor. You determine the purposes and means of processing; we process Customer Personal Data only to provide the Service and only as set out in this DPA. Each party will comply with its obligations under data protection law. You are responsible for ensuring you have a lawful basis to collect the Customer Personal Data and to instruct us to process it.
3. Processing instructions
We will process Customer Personal Data only on your documented instructions, including those set out in the Agreement and this DPA, unless required to do otherwise by law (in which case we will inform you, unless the law prohibits it). We will inform you if, in our opinion, an instruction infringes data protection law.
4. Confidentiality
We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and access the data only as needed to provide the Service.
5. Security
We implement appropriate technical and organizational measures to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as described in Annex 2. We regularly review these measures.
6. Sub-processors
You provide general authorization for us to engage the sub-processors listed in Annex 3 to process Customer Personal Data. We impose data protection obligations on each sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We maintain the current list of sub-processors in Annex 3. You may register at [email protected] to be notified in advance of any intended addition or replacement of a sub-processor, so that you have the opportunity to object on reasonable data-protection grounds.
7. Data subject rights
Taking into account the nature of the processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to fulfill your obligation to respond to requests from data subjects exercising their rights. If we receive such a request directly, we will direct the data subject to you and will not respond on your behalf unless instructed.
8. Assistance
Taking into account the nature of processing and the information available to us, we will assist you in ensuring compliance with your obligations relating to security of processing, personal data breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
9. Personal data breach notification
We will notify you without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to us to help you meet your notification obligations.
10. Deletion and return
On termination of the Service, or at your request, we will delete or return all Customer Personal Data, and delete existing copies, unless retention is required by law. Residual copies in routine backups will be deleted in the ordinary course of our backup cycle.
11. Audits and information
We will make available to you information reasonably necessary to demonstrate compliance with Article 28 of the GDPR, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable notice, confidentiality, and frequency limits. We may satisfy this obligation by providing relevant third-party certifications or audit reports where available.
12. International transfers
Where processing of Customer Personal Data involves a transfer outside the EEA, the UK, or Switzerland to a country without an adequacy decision, the transfer is made under appropriate safeguards, such as the European Commission's Standard Contractual Clauses (and the UK Addendum and Swiss adaptations where applicable), which are incorporated by reference.
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
14. Term and termination
This DPA takes effect when you accept the Agreement and continues for as long as we process Customer Personal Data on your behalf.
15. Governing law
This DPA is governed by the law that governs the Agreement, except where data protection law requires otherwise.
Annex 1 — Details of processing
- Subject matter: provision of the Smplrspace platform (interactive 2D and 3D spatial visualization, data management, and related features).
- Duration: the term of the Agreement.
- Nature and purpose: hosting, storing, processing, and displaying Customer content and data to provide the Service.
- Types of personal data: identifiers and contact details of the Customer's authorized users; and any personal data the Customer chooses to include in spaces, models, or datasets (for example, names, identifiers, or location/occupancy data relating to the Customer's employees, occupants, or visitors).
- Categories of data subjects: the Customer's authorized users; and individuals whose data the Customer includes in the Service (for example, employees, occupants, or visitors).
Annex 2 — Technical and organizational measures
- Encryption of data in transit using TLS.
- Encryption of data at rest for stored data, via our infrastructure providers' default encryption.
- Authentication managed by a specialized identity provider (Auth0).
- Role-based access to the platform, so users access only the organizations and data they are authorized to access.
- Nightly backups of production data.
- Logging and monitoring of application errors and infrastructure.