Documentation Index
Fetch the complete documentation index at: https://docs.spitshake.io/llms.txt
Use this file to discover all available pages before exploring further.
This DPA is incorporated by reference into the Terms of Service whenever a Tenant causes SpitShake to process personal information of data subjects located in the EEA, the United Kingdom, or Switzerland. An executed signature copy is available on request from dpo@spitshake.io for enterprise Tenants.
Parties
This Data Processing Addendum (“DPA”) is between the Tenant (the “Controller”) and IVERIFI, LLC, a Connecticut limited liability company d/b/a SpitShake (the “Processor”). IVERIFI, LLC is wholly owned by ADS CORP.1. Roles
- For personal information of Signers and other end-users provided by Controller to the Service, Controller is the data controller and Processor is the data processor.
- For personal information Processor collects or generates for its own business operations — including Tenant-administrator account data, billing records, platform security and fraud signals, aggregated analytics, and legal-compliance records — Processor acts as an independent controller. This DPA does not govern that processing; Processor’s Privacy Policy does.
2. Processing details (Annex I)
| Item | Content |
|---|---|
| Subject matter | Electronic signature orchestration, document storage, optional identity-verification handoff, and audit evidence production. |
| Duration | For the term of the Terms of Service, plus the post-termination data-export window and any legally required retention. |
| Nature of processing | Storage, transmission, access control, cryptographic signing, rendering, and audit logging. |
| Purpose | To provide the Service as configured by Controller. |
| Data subjects | Signers; Tenant Authorized Users; any third party named in a document (witnesses, observers, CC recipients). |
| Personal data categories | Identifiers (name, email, phone); signature images and typed marks; document field values (variable by template; may include health or financial data where Controller configures such fields); device and connection metadata (IP, user-agent); timestamps; where identity-bound signing is enabled, a cryptographically signed handoff token containing a verified-name claim and a third-party verification reference. |
| Sensitive categories | Only where Controller’s template collects such data. Processor does not intentionally solicit sensitive categories beyond what Controller configures. |
3. Processor obligations
Processor will:- Process personal data only on documented instructions from Controller (which include the Terms of Service, this DPA, and Controller’s configuration of the Service), except where required by Union or Member State law (with prompt notice to Controller where lawful).
- Ensure that persons authorized to process personal data are bound by confidentiality.
- Implement the technical and organizational measures described in Annex II.
- Assist Controller in responding to data-subject rights requests (see § 6) and in fulfilling Controller’s obligations under GDPR Articles 32–36.
- Make available to Controller the information reasonably necessary to demonstrate compliance with Article 28 (see § 8).
4. Subprocessors (Annex III)
Controller grants Processor general authorization to engage subprocessors in accordance with Article 28(2) and (4). The current list of subprocessors — with purpose, region, and data categories — is maintained at /legal/subprocessors. Processor will give Controller at least 30 days’ advance notice of any addition or replacement of subprocessors by updating that page. Controller may object on reasonable grounds within the notice window by writing to dpo@spitshake.io. Where the parties cannot in good faith agree on an alternative, Controller may terminate the affected part of the Service with a pro-rata refund of prepaid fees.5. International transfers
Where Processor transfers personal data from the EEA, the UK, or Switzerland to a country that has not received an adequacy decision, the transfer is governed by:- The EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Modules 2 and 3, incorporated by reference with the options in Annex IV below.
- The UK International Data Transfer Addendum (IDTA) where UK personal data is transferred out of the UK.
- The Swiss FADP addendum where Swiss personal data is transferred out of Switzerland.
6. Data-subject rights assistance
Taking into account the nature of the processing, Processor will assist Controller by appropriate technical and organizational measures, insofar as possible, to respond to requests to exercise data-subject rights under Chapter III of the GDPR. Where Processor receives such a request directly from a data subject relating to Controller’s data, Processor will not respond to it on the merits and will instead direct the data subject to Controller. Assistance is provided through email / ticket submissions to dpo@spitshake.io. Processor will cooperate in good faith; Processor does not commit in this DPA to a specific response-time SLO beyond applicable law.7. Security incident notification
Processor will notify Controller of a Personal Data Breach (as defined in GDPR Article 4(12)) affecting Controller’s personal data without undue delay after becoming aware of it, in accordance with GDPR Article 33 and applicable law. The notice will include the information required by Article 33(3) to the extent then known, supplemented as more information becomes available.8. Audit
Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA, and will reply to Controller’s written questionnaires concerning security controls no more than once per year, unless a regulator or a material security incident justifies more frequent engagement. Direct inspection audits, where required by enterprise Controllers’ own regulators, are available on 30 days’ written notice, during business hours, at Controller’s cost, subject to mutually agreed scope and an auditor that is not a competitor of Processor.9. Deletion or return
Within 60 days after the end of the provision of Services, Processor will (at Controller’s choice) return or delete the personal data it processes on Controller’s behalf, and certify deletion to Controller on written request — except to the extent retention is required by law or by the integrity of executed documents’ audit chains (which are retained for seven (7) years under Processor’s retention policy and are not individually re-identifiable once the associated account is terminated, unless required for litigation hold).10. Technical and organizational measures (Annex II)
Processor maintains the following measures today — this annex describes controls in force now, not aspirational or planned:- Access control. Multi-factor authentication is enforced on Processor’s administrative user accounts. Role-based access restricts personnel to the data categories needed for their role. Administrative access to production is logged.
- Encryption. TLS is used for data in transit. AES-256 is used for data at rest, including ActiveRecord-Encryption-protected columns for identifier and metadata fields, and a per-document encryption pipeline for signed PDF content.
- Audit logging. A cryptographically chained, append-only audit log records access to, and modifications of, personal data relevant to signing activity. A PostgreSQL trigger enforces append-only semantics at the database level.
- Pseudonymization. Document signer identifiers are hashed for post-completion retention where re-identification is not required.
- Incident response. Application-level error conditions and security signals are monitored continuously through third-party error monitoring (see Subprocessors) with PII-scrubbing rules applied before transmission.
- Secure software development. Code changes are reviewed before merging to main; static security analysis is run on each change (Brakeman); production deploys run automated test suites before taking traffic.
- Vendor management. Subprocessors are engaged under written data-processing terms at least as protective as this DPA.
- Physical security. Inherited from cloud infrastructure providers listed in Subprocessors; no Processor-owned data center.
- Personnel. Confidentiality obligations apply to all personnel with access to personal data.
11. Annex IV — Transfer specifics
- SCC modules selected: Module 2 (controller-to-processor) as primary; Module 3 (processor-to-processor) where Processor engages subprocessors outside adequate countries.
- Competent supervisory authority: as designated by Controller in its written instructions; where not specified, the supervisory authority of the EEA Member State of Controller’s EU representative or main establishment.
- Governing law of SCCs: as specified in the SCC optional clauses; the parties agree to the law of the Member State of the competent supervisory authority.
- Optional Clause 7 (docking): adopted.
- Option 1 / Option 2 of Clause 11(a): Option 1 (no independent dispute-resolution body).
12. Miscellaneous
- Order of precedence. This DPA controls over conflicting provisions of the Terms of Service with respect to processing of personal data of EEA, UK, or Swiss data subjects.
- Term. This DPA is effective on the date the Terms of Service are accepted and continues for as long as Processor processes Controller’s personal data.
- Amendment. Material amendments will be offered in writing; non-material amendments (e.g. updating subprocessor list, clarifying contact addresses) take effect on posting.
This DPA is provided by IVERIFI, LLC d/b/a SpitShake (a Connecticut limited liability company wholly owned by ADS CORP). Last updated: 2026-04-19.