Commonspace Data Processing Addendum

Written by KW Low

COMMONSPACE DATA PROCESSING ADDENDUM

Last Updated: March 26, 2026

1. Introduction

This Data Processing Addendum ("DPA") forms part of the Commonspace Space Owner Agreement ("Agreement") between Commonspace Platforms, Inc. ("Commonspace," "Processor," "we," "us") and the Space Owner ("Controller," "you") and governs Commonspace's processing of Personal Data on your behalf in connection with the Services.

This DPA applies where and to the extent Commonspace processes Personal Data that is subject to Applicable Data Protection Law on behalf of the Controller in the course of providing the Services under the Agreement.

This DPA is incorporated into and subject to the Space Owner Agreement. Capitalized terms not defined here have the meanings given in the Space Owner Agreement.

2. Definitions

"Applicable Data Protection Law" means all applicable laws relating to the processing of Personal Data, including (as applicable): the EU General Data Protection Regulation (GDPR); the UK GDPR and Data Protection Act 2018; the Swiss Federal Act on Data Protection (FADP); the California Consumer Privacy Act and California Privacy Rights Act (CCPA/CPRA); Japan's Act on the Protection of Personal Information (APPI); and any other applicable data protection or privacy laws.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates (i.e., your Members).

"Personal Data" means any information relating to a Data Subject that is processed by Commonspace on your behalf through the Services, as further described in Annex 1.

"Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Commonspace on your behalf.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914, as may be amended or replaced.

"Sub-processor" means any third party engaged by Commonspace to process Personal Data on behalf of the Controller.

3. Scope and Roles

3.1 Roles of the Parties

You are the Controller of your Members' Personal Data. Commonspace acts as a Processor when processing Personal Data on your behalf through the Services. This DPA does not apply to Personal Data that Commonspace processes as an independent Controller (such as your Account data as a Space Owner, or data collected for platform-wide purposes such as security, fraud prevention, and platform analytics).

3.2 Controller Obligations

You agree that:

(a) You have a lawful basis for the processing of Personal Data and have provided all necessary notices and obtained all necessary consents from Data Subjects
(b) You will comply with your obligations under Applicable Data Protection Law
(c) You will use the Services in accordance with the Agreement and Applicable Data Protection Law
(d) Your instructions to Commonspace for the processing of Personal Data will comply with Applicable Data Protection Law

4. Processing of Personal Data

4.1 Instructions

Commonspace will process Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such case, Commonspace will inform you of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.

Your instructions are documented in this DPA, the Agreement, and your configuration of the Services. You may issue additional reasonable instructions consistent with the Agreement by contacting [email protected].

4.2 Purpose Limitation

Commonspace will process Personal Data solely for the purpose of providing the Services to you under the Agreement and as further documented in Annex 1, and will not process Personal Data for any other purpose unless you provide prior written instructions.

4.3 Details of Processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex 1 to this DPA.

5. Confidentiality

Commonspace will ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Security

6.1 Security Measures

Commonspace will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as required by Article 32 of the GDPR, including as appropriate:

(a) Encryption of Personal Data in transit and at rest
(b) Measures to support the confidentiality, integrity, and availability of processing systems and services, including regular backups and monitoring
(c) The ability to restore the availability and access to Personal Data in a reasonable timeframe in the event of a physical or technical incident
(d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures

6.2 Current Security Measures

Commonspace's current security measures include: TLS encryption in transit; encryption at rest using Fernet symmetric encryption (AES-128-CBC with HMAC authentication) as a minimum standard; secure password hashing; role-based access controls; regular security assessments; payment data handled exclusively by Stripe in accordance with PCI DSS standards; and access-controlled storage for non-public content using time-limited, authenticated URLs that require valid authorization and expire automatically.

7. Sub-processors

7.1 General Authorization

You provide general written authorization for Commonspace to engage Sub-processors to process Personal Data on your behalf. The current list of Sub-processors is set out in Annex 2.

7.2 Obligations on Sub-processors

Commonspace will:

(a) Enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA
(b) Remain fully liable to you for the performance of each Sub-processor's obligations

7.3 Changes to Sub-processors

Commonspace will notify you at least 30 days before adding or replacing a Sub-processor by updating the Sub-processor list at https://common.space/legal/sub-processors and sending notice to your Space Owner account email. If you have a reasonable objection based on data protection grounds, you may notify us in writing within 15 days. We will work with you in good faith to find a resolution. If no resolution is possible, either party may terminate the Agreement with respect to the affected Services.

8. Data Subject Rights

8.1 Assistance

Commonspace will assist you in responding to Data Subject requests to exercise their rights under Applicable Data Protection Law (access, rectification, erasure, restriction, portability, objection), by providing technical measures and tools through the Services where feasible.

8.2 Notification

If Commonspace receives a Data Subject request directly regarding your Space, we will promptly redirect the Data Subject to you, unless legally prohibited from doing so.

9. Security Incidents

9.1 Notification

Commonspace will notify you without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident affecting Personal Data processed on your behalf. Notification will be sent to the email associated with your Space Owner account.

9.2 Notification Contents

The notification will describe, to the extent known:

(a) The nature of the Security Incident, including the categories and approximate number of Data Subjects and records affected
(b) The likely consequences of the Security Incident
(c) The measures taken or proposed to address the Security Incident and mitigate its effects
(d) A contact point for further information

9.3 Cooperation

Commonspace will cooperate with you and take reasonable steps to assist in investigating, mitigating, and remediating the Security Incident, and in fulfilling your obligations to notify supervisory authorities and affected Data Subjects.

9.4 No Admission

Notification of a Security Incident is not an acknowledgment of fault or liability by Commonspace.

10. Data Protection Impact Assessments and Prior Consultation

Commonspace will provide reasonable assistance to you with data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Articles 35 and 36 of the GDPR, taking into account the nature of the processing and the information available to Commonspace.

11. Audit Rights

11.1 Audit Information

Commonspace will make available to you all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR.

11.2 Audits

You (or a qualified third-party auditor) may conduct an audit of Commonspace's processing of Personal Data under this DPA, subject to the following conditions:

(a) You provide at least 30 days' prior written notice
(b) Audits are limited to once per 12-month period, unless required by a supervisory authority or following a Security Incident
(c) Audits are conducted during normal business hours with minimal disruption
(d) The auditor is bound by appropriate confidentiality obligations
(e) Audit scope is limited to Commonspace's compliance with this DPA

11.3 Third-Party Certifications

To the extent Commonspace maintains third-party certifications or audit reports (such as SOC 2 Type II or ISO 27001), Commonspace may satisfy audit requests by providing such reports upon request.

12. International Data Transfers

12.1 Transfer Mechanism

Personal Data may be transferred to and processed in the United States. To the extent such transfer is subject to Applicable Data Protection Law requiring appropriate safeguards, the parties agree to rely on the Standard Contractual Clauses (EU Commission Implementing Decision 2021/914), which are hereby incorporated by reference.

12.2 SCC Module

For transfers of Personal Data from you (as Controller in the EEA/UK/Switzerland) to Commonspace (as Processor in the United States), Module Two (Controller to Processor) of the SCCs applies.

12.3 UK Transfers

For transfers of Personal Data subject to UK GDPR, the UK International Data Transfer Addendum to the EU SCCs (as issued by the Information Commissioner under Section 119A of the Data Protection Act 2018) is incorporated by reference.

12.4 Supplementary Measures

Commonspace implements supplementary technical and organizational measures to protect transferred Personal Data, including encryption in transit and at rest, access controls, and security monitoring.

13. Deletion and Return of Personal Data

13.1 Upon Termination

Upon termination or expiry of the Agreement, Commonspace will, at your choice:

(a) Return all Personal Data processed on your behalf, in a structured, commonly used, machine-readable format; or
(b) Delete all Personal Data processed on your behalf and certify such deletion in writing

13.2 Retention Exceptions

Commonspace may retain Personal Data to the extent required by applicable law (such as tax and financial record retention requirements), in which case Commonspace will isolate and protect such data and limit processing to the purposes required by law.

13.3 Timeline

Deletion or return will be completed within 90 days of the effective date of termination, unless otherwise required by applicable law.

14. Liability

Liability under this DPA is subject to the limitation of liability provisions in the Agreement.

15. General

15.1 Conflict

In the event of any conflict between this DPA and the Agreement, this DPA will prevail with respect to the processing of Personal Data.

15.2 Amendments

This DPA may be amended by Commonspace with 30 days' notice to reflect changes in Applicable Data Protection Law. Material changes will be communicated via email to your Space Owner account.

15.3 Governing Law

This DPA is governed by the law specified in the Agreement, except that the SCCs will be governed by the law of the EU Member State in which the Controller is established (or, if not established in the EU, the law of the Netherlands).

Annex 1: Details of Processing

Subject matter: Processing of Personal Data in connection with hosting and operating the Controller's Space on the Commonspace platform

Duration: For the term of the Agreement, plus any applicable retention period

Nature and purpose: Hosting the Space; storing and displaying Member content; facilitating communications between Controller and Members; processing transactions; delivering notifications; providing analytics about Space activity

Types of Personal Data: Name; email address; @username; profile information; city/location; answers to Member Questions; Membership and purchase history; activity data within the Space; content posted (text, images, video); IP address; device information

Categories of Data Subjects: Members of the Controller's Space

Special categories: None intentionally processed. Controller must not configure the Services to collect special category data (e.g., health, racial/ethnic origin, religious beliefs) through Member Questions without ensuring a lawful basis under Article 9 GDPR

Annex 2: Sub-processors

The following Sub-processors are authorized to process Personal Data on behalf of the Controller as of the date of this DPA. Each entry lists: Sub-processor — Purpose — Location — Personal Data processed:

Amazon Web Services (AWS) — Cloud infrastructure, data storage (S3, EC2, RDS) — United States (us-west-1) — All Personal Data stored in the Services

Stripe, Inc. — Payment processing, identity verification — United States — Member payment and transaction data, identity verification data

Twilio, Inc. — SMS-based two-factor authentication — United States — Phone numbers (for Members who enable SMS 2FA)

SendGrid (Twilio) — Transactional email delivery — United States — Email addresses, email content

Google LLC — reCAPTCHA Enterprise, Google Fonts, Google Maps — United States — IP address, interaction data, location data

Expo (650 Industries) — Mobile app build and push notifications — United States — Push notification tokens, device identifiers

Google Firebase (Google LLC) — Android push notifications (FCM) — United States — Device tokens, notification payloads

Apple Inc. — iOS app distribution and push notifications (APNs) — United States — Device tokens, notification payloads

Optional Space Plugins (activated per-Space by Controller; user opt-in required on first access):

Zoom Video Communications — Video conferencing for Space events — United States — Display name, meeting metadata, audio/video data

Discord — Community chat integration — United States — Display name, profile information, messages

Shopify — E-commerce integration for Space stores — United States — Display name, transaction data, shipping information

WhatsApp (Meta Platforms) — Messaging integration — United States / EU — Display name, phone number, messages

Plugin Sub-processors only process Personal Data for Members who actively opt in to use the Plugin within a Space. The current list of available Plugins is maintained at https://common.space/legal/plugins. The Sub-processor list is maintained at https://common.space/legal/sub-processors and updated in accordance with Section 7.3 of this DPA.