
Data Processing Agreement

Last Updated: March 28, 2026 · Effective: March 28, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Third Space, LLC ("Processor," "Thirdspace," "we") and the entity or individual agreeing to the Terms of Service ("Controller," "Customer," "you") for the use of Safe Merge ("the Service").

This DPA is entered into to ensure compliance with applicable data protection laws, including the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the UK General Data Protection Regulation, the California Consumer Privacy Act as amended by the CPRA ("CCPA"), and other applicable privacy laws.

By using the Service, this DPA is automatically incorporated into the Terms of Service. No separate signature is required.

1. Definitions

  • "Controller" means the Customer who determines the purposes and means of the processing of Personal Data through its use of the Service.
  • "Processor" means Third Space, LLC, which processes Personal Data on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by the Processor on behalf of the Controller through the Service.
  • "Sub-Processor" means any third party appointed by the Processor to process Personal Data on behalf of the Controller.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, UK GDPR, CCPA/CPRA, and their implementing regulations.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses annexed to Commission Implementing Decision (EU) 2021/914.

2. Scope and Details of Processing

2.1 Subject Matter

The Processor processes Personal Data to provide the Safe Merge service, including CRM record snapshots, merge detection, snapshot-based unmerge operations, 3-stage duplicate detection analysis, web search verification, and Emergency Unmerge reconstruction.

2.2 Duration

Processing continues for the duration of the Controller's use of the Service, plus any post-termination retention period specified herein.

2.3 Nature and Purpose of Processing

| Processing Activity | Description | Sub-Processor(s) |
| --- | --- | --- |
| CRM record reading | Reading CRM record properties and associations via HubSpot API | None (direct API) |
| Automated CRM record snapshots | Creating compressed JSON snapshots of full record states (all property values and association mappings) at point-in-time. Full snapshots are stored in our encrypted PostgreSQL database (primary). Where technically feasible within HubSpot's per-property size limits, a supplementary encoded copy is also written to a custom property on the record in the Controller's HubSpot portal. | Render (database hosting) |
| Snapshot comparison | Comparing pre-merge and post-merge record states to detect changes | None |
| Unmerge operations | Recreating abolished records during snapshot-based unmerge operations | None (direct HubSpot API) |
| Duplicate detection advanced matching | Transmitting CRM record fields (names, emails, phone numbers, company names, domains) to Anthropic's API for advanced pattern matching, duplicate identification, and confidence scoring | Anthropic |
| Web search verification | Using Anthropic's web_search tool to retrieve publicly available information for validating duplicate match confidence | Anthropic |
| Emergency Unmerge reconstruction | Transmitting CRM data to Anthropic's API for reconstruction analysis (with Controller's explicit initiation) | Anthropic |
| Operational data storage | Storing OAuth tokens, operation logs, and billing records | Render (database hosting) |

2.4 Types of Personal Data

  • Contact identifiers: names, email addresses, phone numbers, job titles
  • Company information: names, domains, industry, revenue
  • Deal information: deal names, amounts, stages
  • Association metadata: relationships between records
  • Engagement metadata: notes, tasks, calls, emails, meetings (Emergency Unmerge only)
  • Snapshot data: compressed JSON representations of the above at point-in-time

2.5 Categories of Data Subjects

  • CRM contacts stored in the Controller's HubSpot portal
  • Controller's employees who use the Service (portal administrators)

3. Data Retention Schedule

| Data Type | Free | Starter | Growth | Pro | Enterprise |
| --- | --- | --- | --- | --- | --- |
| CRM snapshots | 7 days | 30 days | 90 days | 180 days | 365 days |
| Snapshot metadata | 7 days | 30 days | 90 days | 180 days | 365 days |

| Data Type | Retention |
| --- | --- |
| Dedup results | Duration of account + 30 days post-termination |
| Reconstruction data | 30 days after operation |
| OAuth tokens | Duration of integration; deleted on uninstall |
| Advanced matching processing (Anthropic) | 30 days maximum per Anthropic Commercial Terms |
| Billing records | 7 years (tax/legal compliance) |

Upon termination, all data (except billing records required by law) is deleted within 30 days. The Controller may request data export within 14 days of termination.

4. Controller Obligations

The Controller shall:

  1. Ensure it has a lawful basis for the processing of Personal Data and for instructing the Processor to process Personal Data on its behalf.
  2. Ensure it has provided any necessary notices to, and obtained any necessary consents from, data subjects.
  3. Be responsible for the accuracy, quality, and legality of Personal Data provided to the Processor.
  4. Comply with its obligations under applicable Data Protection Laws.
  5. Ensure that snapshot data retention periods are consistent with the Controller's own data retention policies and GDPR obligations.

5. Processor Obligations

The Processor shall:

5.1 Processing Instructions

Process Personal Data only on the documented instructions of the Controller, unless required to do so by applicable law. The Controller's instructions are documented in the Terms of Service and this DPA. The Processor shall inform the Controller if, in its opinion, an instruction infringes Data Protection Laws.

5.2 Confidentiality

Ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures (Article 32)

Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest (Fernet/AES-128-CBC with HMAC-SHA256 for OAuth tokens)
  • Ability to ensure ongoing confidentiality, integrity, availability, and resilience of processing systems
  • Ability to restore the availability and access to Personal Data in a timely manner in the event of an incident
  • Regular testing and evaluation of the effectiveness of security measures
  • Access controls restricting database access to the application service only
  • Error monitoring with PII sending disabled

See our Security page for detailed security documentation.

5.4 Sub-Processors

The Controller provides general authorization for the Processor to engage the Sub-Processors listed on the Sub-Processor List. The Processor shall:

  • Maintain an up-to-date list of Sub-Processors at /subprocessors
  • Notify the Controller of any intended addition or replacement of Sub-Processors at least 30 days in advance via the notification mechanism described on the Sub-Processor List page
  • Impose data protection obligations no less protective than those in this DPA on each Sub-Processor via a written agreement
  • Remain fully liable to the Controller for the performance of each Sub-Processor's obligations

If the Controller objects to a new Sub-Processor within 30 days of notification, the parties shall discuss the concern in good faith. If the objection cannot be resolved, the Controller may terminate the Service.

5.5 Data Subject Rights

The Processor shall assist the Controller in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) by:

  • Promptly forwarding any data subject requests received directly to the Controller
  • Providing the Controller with the ability to access, correct, and delete Personal Data
  • Implementing HubSpot's contact.privacyDeletion webhook to automatically delete data upon receiving GDPR deletion events
  • Assisting with deletion of snapshot data containing Personal Data upon Controller request

5.6 Data Protection Impact Assessments

The Processor shall assist the Controller with data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, where required, by providing necessary information about the Processor's processing activities.

5.7 Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach. The notification shall include:

  • The nature of the breach, including categories and approximate number of data subjects and records affected
  • Contact details for the Processor's point of contact
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach and mitigate adverse effects

5.8 Deletion and Return of Data

Upon termination of the Service or upon the Controller's request:

  • The Processor shall delete all Personal Data from its systems within 30 days, unless retention is required by applicable law
  • The Controller may request a data export in machine-readable format (JSON) within 14 days of termination
  • Supplementary CRM snapshot data stored in HubSpot custom properties remains under the Controller's direct control and is not affected by termination of the Service

5.9 Audits and Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections conducted by the Controller or a mandated auditor. Audits shall be conducted with reasonable advance notice (at least 30 days), during normal business hours, and in a manner that does not unreasonably disrupt the Processor's operations. The Processor may satisfy audit requests through the provision of relevant security certifications, audit reports, or completed security questionnaires.

6. International Data Transfers

Personal Data is transferred to the United States for processing. The following transfer mechanisms apply:

6.1 Standard Contractual Clauses

The parties agree to the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as follows:

  • Module 2 (Controller-to-Processor): Applies to transfers of Personal Data from the Controller to the Processor
  • Module 3 (Processor-to-Processor): Applies to transfers from the Processor to Sub-Processors

The SCCs are incorporated by reference into this DPA. Where there is any conflict between this DPA and the SCCs, the SCCs shall prevail.

6.2 UK International Data Transfer

For transfers from the United Kingdom, the UK Addendum to the EU SCCs (as approved by the UK Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated into this DPA.

6.3 EU-US Data Privacy Framework

Where Sub-Processors are certified under the EU-US Data Privacy Framework, transfers may additionally rely on the DPF adequacy decision.

7. CCPA/CPRA Service Provider Terms

To the extent the CCPA applies, the Processor acts as a "Service Provider" under the CCPA. The Processor certifies that it:

  1. Shall not retain, use, or disclose Personal Information for any purpose other than performing the Service as specified in the Terms of Service, or as otherwise permitted by the CCPA
  2. Shall not sell or share Personal Information as defined by the CCPA
  3. Shall not retain, use, or disclose Personal Information outside the direct business relationship with the Controller
  4. Shall comply with the CCPA and provide the same level of privacy protection as required by the CCPA
  5. Shall notify the Controller if it determines it can no longer meet its CCPA obligations
  6. Shall allow the Controller to take reasonable and appropriate steps to ensure the Processor uses Personal Information in a manner consistent with the Controller's CCPA obligations
  7. Shall impose equivalent restrictions on any sub-contractors that access Personal Information
  8. Shall assist the Controller in responding to verifiable consumer requests

8. Annex: Technical and Organizational Measures

| Measure | Implementation |
| --- | --- |
| Encryption in transit | TLS 1.2+ for all API communications; HSTS enforced |
| Encryption at rest | Fernet symmetric encryption (AES-128-CBC + HMAC-SHA256) for OAuth tokens |
| Access control | Database accessible only by application service; no public endpoints |
| Authentication | HubSpot OAuth 2.0; Safe Merge never stores user passwords |
| Data minimization | Full CRM record snapshots stored in our encrypted database for unmerge capability; supplementary copies in HubSpot custom properties where size permits. OAuth tokens (encrypted), billing, and logs also on our infrastructure. All snapshot data subject to plan-tier retention limits and automatic purge. |
| Monitoring | Sentry error monitoring (PII disabled); application-level logging |
| Hosting security | Render.com SOC 2 Type II certified infrastructure (Oregon, US) |
| Incident response | 72-hour breach notification; template notifications maintained |
| Data deletion | Automated via HubSpot privacy webhook; manual upon request within 30 days |
| Advanced matching processing safeguards | Anthropic Commercial Terms: no model training on API data; 30-day data deletion; SCCs in place |

9. General Provisions

9.1. This DPA shall be governed by the same governing law as the Terms of Service.

9.2. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data protection matters.

9.3. This DPA shall automatically terminate upon termination of the Terms of Service.

9.4. This DPA may be updated by the Processor with at least 30 days' notice to the Controller. Material changes that reduce the Controller's protections require the Controller's consent.

Third Space, LLC
Email: joshua@thirdspaced.com
Website: https://safemerge.app

© 2026 Third Space, LLC. All rights reserved.