Data Processing Agreement


1. Scope, Order of Precedence, and Term

1.1 This Data Processing Agreement (“DPA”) is an addendum to the Customer Terms of Service (“Agreement”) between stack8s Ltd (“stack8s Ltd”) and the Customer. stack8s Ltd and Customer are individually a “party” and, collectively, the “parties.”

1.2 This DPA applies where and only to the extent that stack8s Ltd processes Personal Data on behalf of the Customer in the course of providing the Services and such Personal Data is subject to Data Protection Laws of the appropriate jurisdiction, including the State of California, the European Union, the European Economic Area and/or its member states, Switzerland and/or the United Kingdom. The parties agree to comply with the terms and conditions in this DPA in connection with such Personal Data.

1.3 The duration of the Processing covered by this DPA shall be in accordance with the duration of the Agreement.


2. Definitions

2.1 The following terms have the meanings set forth below. All capitalized terms not defined in this DPA will have the meanings set forth in the Agreement.

2.2 The following terms have the definitions given to them in the CCPA: “Business,” “Sell,” “Service Provider,” and “Third Party.”

2.3 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. “Controller” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Business” or “Third Party,” as context requires.

2.4 “Data Protection Law” means all data protection and privacy laws applicable to the processing of Personal Data under the Agreement as it relates to the Customer, including Regulation 2016/679 (General Data Protection Regulation) (“GDPR”), and Cal. Civ. Code Title 1.81.5, § 1798.100 et seq. (California Consumer Privacy Act) (“CCPA”).

2.5 “Data Subject” means an identified or identifiable natural person.

2.6 “De-identified Data” means data that cannot be reasonably linked to a person and is excluded from the definition of Personal Data under applicable Data Protection Law. Aggregated data is De-identified Data. To “De-identify” means to create De-identified Data from Personal Data.

2.7 “EEA” means the European Economic Area.

2.8 “Standard Contractual Clauses” means the European Union standard contractual clauses for international transfers from the European Economic Area to third countries, Commission Implementing Decision (EU) 2021/914 of 4 June 2021.

2.9 “Personal Data” means information that identifies, relates to, describes, is reasonably capable of being associated with, or could reasonably be linked, directly or indirectly, with a Data Subject or their household or device in particular by reference to an identifier such as a name, an identification number, location data, an online identifier or to one or more factors specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that natural person. “Personal Data” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Personal Information,” as context requires.

2.10 “Personal Data Breach” means a breach of security of the Services leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

2.11 “Process” or “Processing” means any operation or set of operations which is performed upon Personal Data, whether by automatic means, such as collection, recording, organization, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, blocking, erasure or destruction.

2.12 “Processor” means an entity that processes Personal Data on behalf of another entity. “Processor” includes equivalent terms in other Data Protection Law, such as the CCPA-defined term “Service Provider,” as context requires.

2.13 “Sensitive Data” means the following types and categories of data: data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership; genetic data; biometric data; data concerning health; data concerning a natural person’s sex life or sexual orientation; government identification numbers (e.g., SSNs, driver’s license); payment card information; nonpublic personal information governed by the Gramm Leach Bliley Act; an unencrypted identifier in combination with a password or other access code that would permit access to a data subject’s account; and precise geolocation.

2.14 “Subprocessor” means a Processor engaged by a party who is acting as a Processor.

2.15 “UK Addendum” means the United Kingdom International Data Transfer Agreement Addendum to the EU Standard Contractual Clauses issued by the United Kingdom Information Commissioner on March 21, 2022.


3. Description of the Parties’ Personal Data Processing Activities and Statuses of the Parties

3.1 Schedules 1-3 attached hereto describe the purposes of the parties’ Processing, the types or categories of Personal Data involved in the Processing, and the categories of Data Subjects affected by the Processing.

3.2 Schedules 1-3 list the parties’ statuses under relevant Data Protection Law.


4. International Data Transfer

4.1 If stack8s Ltd processes Personal Data of Data Subjects located in the EEA, Switzerland, or the United Kingdom in a country that has not received an adequacy decision from the European Commission or Swiss or UK authorities, as applicable, such transfer shall take place on the basis of stack8s Ltd’s certification under the EU-U.S. Data Privacy Framework (EU-U.S. DPF), the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF), as applicable.

4.2 If the EU-U.S. DPF, the UK Extension to the EU-U.S. DPF, or the Swiss-U.S. DPF is declared invalid, or if stack8s Ltd fails to re-certify for the EU-U.S. DPF, then the transfer of Personal Data will be subject to the Standard Contractual Clauses or UK Addendum, as applicable, which the parties agree will be incorporated by reference into this DPA. The parties agree that, with respect to the elements of the Standard Contractual Clauses and the UK Addendum that require the parties’ input, Schedules 1-3 contain all the relevant information.


5. Data Protection Generally

5.1 Compliance. The parties will comply with their respective obligations under Data Protection Law and their privacy notices.

5.2 Customer Processing of Personal Data. Customer represents and warrants that it has the consent or other lawful basis necessary to collect Personal Data in connection with the Services.

5.3 Cooperation.

  • 5.3.1 Data Subject Requests. The parties will provide each other with reasonable assistance to enable each to comply with their obligations to respond to Data Subjects’ requests to exercise rights that those Data Subjects may be entitled to under Data Protection Law.
  • 5.3.2 Governmental and Investigatory Requests. Customer will promptly notify stack8s Ltd if Customer receives a complaint or inquiry from a regulatory authority indicating that stack8s Ltd has or is violating Data Protection Law.
  • 5.3.3 Other Requirements of Data Protection Law. Upon request, the parties will provide relevant information to each other to fulfill their respective obligations (if any) under Data Protection law, including, if applicable, to conduct data protection impact assessments or prior consultations with data protection authorities.

5.4 Confidentiality. The parties will ensure that their employees, independent contractors, agents, and representatives are subject to an obligation to keep Personal Data confidential and have received training on data privacy and security that is commensurate with their responsibilities and the nature of the Personal Data.

5.5 De-identified, Anonymized, or Aggregated Data. The parties may create De-identified Data from Personal Data and Process the De-identified Data for any purpose.


6. Data Security

6.1 Security Controls. Each party will maintain a written information security policy that defines security controls that are based on the party’s assessment of risk to Personal Data that the party Processes and the party’s information systems. stack8s Ltd’s security controls are described in Schedule 2.3 and Schedule 3.4.


7. stack8s Ltd’s Obligations as a Processor, Subprocessor, or Service Provider

7.1 stack8s Ltd will have the obligations set forth in this Section 7 if it Processes Personal Data in its capacity as Customer’s Processor or Service Provider; for clarity, these obligations do not apply to stack8s Ltd in its capacity as a Controller, Business, or Third Party.

7.2 Scope of Processing.

  • 7.2.1 stack8s Ltd will Process Personal Data only in accordance with Customer’s instructions, which instructions comprise: (i) to provide Services to Customer under the Agreement and (ii) to comply with applicable law. stack8s Ltd will notify Customer if, in stack8s Ltd’s sole discretion, (i) Customer’s instruction infringes upon applicable Data Protection Law or (ii) the law changes and those changes cause stack8s Ltd not to be able to comply with the Agreement.

7.3 Data Subjects’ Requests to Exercise Rights. stack8s Ltd will promptly inform Customer if stack8s Ltd receives a request from a Data Subject to exercise their rights with respect to their Personal Data Processed on behalf of Customer under applicable Data Protection Law. Customer will be responsible for responding to such requests. stack8s Ltd will not respond to such Data Subjects except to acknowledge their requests or as otherwise required by applicable law. stack8s Ltd will provide Customer with commercially reasonable assistance, upon request, to help Customer to respond to a Data Subject’s request.

7.4 stack8s Ltd’s Subprocessors.

  • 7.4.1 Existing Subprocessors. Customer agrees that stack8s Ltd may use the Subprocessors listed at Schedule 3.
  • 7.4.2 Use of Subprocessors. Customer grants stack8s Ltd general authorization to engage Subprocessors if stack8s Ltd and a Subprocessor enter into an agreement that requires the Subprocessor to meet obligations that are no less protective than this DPA.
  • 7.4.3 Notification of Additions or Changes to Subprocessors. stack8s Ltd will notify Customer of any additions to or replacements of its Subprocessors via email or other contact methods and make that list available on Customer’s request. stack8s Ltd will provide Customer with at least 30 days to object to the addition or replacement of Subprocessors in connection with stack8s Ltd’s performance under the Agreement, calculated from the date stack8s Ltd provides notice to Customer. If Customer reasonably objects to the addition or replacement of stack8s Ltd’s Subprocessor, stack8s Ltd will immediately cease using that Subprocessor in connection with stack8s Ltd’s Services under the Agreement, and the parties will enter into good faith negotiations to resolve the matter. If the parties are unable to resolve the matter within 15 days of Customer’s reasonable objection (which deadline the parties may extend by written agreement), Customer may terminate the Agreement and/or any statement of work, purchase order, or other written agreements. The parties agree that stack8s Ltd has sole discretion to determine whether Customer’s objection is reasonable; however, the parties agree that Customer’s objection is presumptively reasonable if the Subprocessor is a competitor of Customer and Customer has a reason to believe that competitor could obtain a competitive advantage from the Personal Data stack8s Ltd discloses to it, or Customer anticipates that stack8s Ltd’s use of the Subprocessor would be contrary to law applicable to Customer.
  • 7.4.4 Liability for Subprocessors. stack8s Ltd will be liable for the acts or omissions of its Subprocessors to the same extent as stack8s Ltd would be liable if performing the services of the Subprocessor directly under the DPA, except as otherwise set forth in the Agreement.

7.5 Personal Data Breach. stack8s Ltd will notify Customer without undue delay of a Personal Data Breach affecting Personal Data stack8s Ltd Processes on behalf of Customer in connection with the Services. Upon request, stack8s Ltd will provide reasonable information to Customer about the Personal Data Breach to the extent necessary for Customer to fulfill any obligations it has to investigate or notify authorities under applicable law. Notifications will be delivered to the email address Customer provides in Customer’s account. Customer agrees that email notification of a Personal Data Breach is sufficient. stack8s Ltd agrees that it will notify Customer if it changes its contact information. Customer agrees that stack8s Ltd may not notify Customer of security-related events that do not result in a Personal Data Breach.

7.6 Deletion and Return of Personal Data. Upon deactivation of the Services, all Personal Data shall be deleted (or, upon Customer’s request, returned to Customer), save that this requirement shall not apply to the extent stack8s Ltd is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data stack8s Ltd shall securely isolate and protect from any further processing, except to the extent required by applicable law.

7.7 Audits.

  • 7.7.1 stack8s Ltd shall maintain records of its security standards. Upon Customer’s written request, stack8s Ltd shall provide (on a confidential basis) copies of relevant external ISMS certifications, audit report summaries and/or other documentation reasonably required by Customer to audit stack8s Ltd’s compliance with this DPA. stack8s Ltd shall further provide written responses (on a confidential basis) to all reasonable requests for information made by Customer, including responses to information security and audit questionnaires, that Customer (acting reasonably) considers necessary to audit stack8s Ltd’s compliance with this DPA, provided that Customer shall not exercise this right more than once per year.
  • 7.7.2 To the extent the Standard Contractual Clauses apply and the Customer reasonably argues and establishes that the above documentation and/or other third party audit reports are not sufficient to demonstrate compliance with the obligations laid down in this DPA, the Customer may execute an audit as outlined under Clause 8.9 of the Standard Contractual Clauses accordingly, provided that in such an event, the parties agree: (a) Customer is responsible for all costs and fees relating to such audit (including for time, cost and materials expended by stack8s Ltd); (b) a third party auditor must be mutually agreed upon between the parties to follow industry standard and appropriate audit procedures; (c) such audit must not unreasonably interfere with stack8s Ltd’s business activities, must be reasonable in time and scope, and must not cause stack8s Ltd to breach its confidentiality obligations to other customers; (d) the parties must agree to a specific audit plan, including confidentiality obligations, prior to any such audit, which must be negotiated in good faith between the parties; and (e) Customer keeps all results of the audit confidential. For avoidance of doubt, nothing in this Section 7.7.2 modifies or varies the Standard Contractual Clauses, and to the extent a competent authority finds otherwise or any portion of Section 7.7.2 is otherwise prohibited, unenforceable or inappropriate in view of the Standard Contractual Clauses, the relevant portion shall be severed and the remaining provisions hereof shall not be affected.

Schedule 1: Description of the Processing and Subprocessors

| Processing Activity | Status of the Parties | Categories of Personal Data Processed | Categories of Sensitive Data Processed | Frequency of Transfer | Applicable SCCs Module |
|---|---|---|---|---|---|
| Customer discloses Personal Data to stack8s Ltd to provide, operate, and maintain stack8s Ltd Services. | Customer is a Controller. stack8s Ltd is a Controller. | Account registration, payment information, user content, communications, cookies and other tracking technologies, usage of Services, and third party accounts. | None | Continuous | Module 1 |
| Customer discloses Personal Data to improve, analyze, and personalize stack8s Ltd Services. | Customer is a Controller. stack8s Ltd is a Controller. | Account registration, payment information, user content, communications, cookies and other tracking technologies, usage of Services, and third party accounts. | None | Continuous | Module 1 |
| Customer contacts stack8s Ltd for support. | Customer is a Controller. stack8s Ltd is a Controller. | Account registration, payment information, user content, communications, usage of Services, and third party accounts. | None | Continuous | Module 1 |
| Customer stores end-user data on stack8s Ltd Services. | stack8s Ltd is a Processor. Customer is a Controller or a Processor to a Controller. | As determined by Customer. | As determined by Customer. | As determined by Customer. | Module 2 or Module 3 (if Customer is a Processor to another Controller) |

Schedule 2: Controller-to-Controller Information for International Data Transfers

  1. Retention Periods

stack8s Ltd retains Personal Data it collects as a Controller for as long as stack8s Ltd has a business purpose for it or for the longest time allowable by applicable law.

  2. Information for International Transfers

2.1 For the purposes of the Standard Contractual Clauses:

  • Clause 7, Module 1: The parties agree that the docking clause shall not apply.
  • Clause 11(a), Module 1: The parties do not select the independent dispute resolution option.
  • Clause 17, Module 1: The parties select Option 1. The Member State is: Netherlands.
  • Clause 18(b), Module 1: The Parties agree that those shall be the courts of the Netherlands.
  • Annex I(A): The data exporter is Customer. The data importer is stack8s Ltd. Contact details for Customer are the email address(es) designated by Customer in Customer’s stack8s Ltd account. Contact details for stack8s Ltd are: privacy@stack8s.ai.
  • Annex I(B): The parties agree that Schedule 1 describes the transfer.
  • Annex I(C): The competent supervisory authority is the supervisory authority of: The Dutch Data Protection Authority (Autoriteit Persoonsgegevens).
  • Annex II: The parties agree that Schedule 2.3 describes the technical and organizational measures applicable to the transfer.

2.2 For purposes of the UK Addendum:

  • Table 1: The data exporter is Customer. The data importer is stack8s Ltd. Contact details for Customer are the email address(es) designated by Customer in Customer’s stack8s Ltd account. Contact details for stack8s Ltd are: privacy@stack8s.ai.
  • Table 2: The Parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed completed according to the Parties’ preferences outlined in Schedule 2, Section 2.1 above.
  • Table 3: Table 3 shall be completed with the information set forth in Schedule 2, Section 2.1 above regarding Annex I(A), Annex I(B), and Annex II.
  • Table 4: The Parties agree that the data importer may terminate the UK Addendum as set out in Section 19 of the UK Addendum.

(For definitions of these terms please review our Privacy Policy in Section 1.)

  3. Technical and Organizational Measures

Below is a summary of stack8s Ltd’s technical and organizational security measures as a Controller-to-Controller data recipient:

| Technical and Organizational Security Measure | Evidence of Technical and Organizational Security Measure |
|---|---|
| Measures of pseudonymisation and encryption of personal data | stack8s Ltd’s databases that store Customer Personal Data are encrypted using the Advanced Encryption Standard (AES). Customer data is encrypted in transit between the Customer’s software application and stack8s Ltd using TLS v1.2. |
| Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services | stack8s Ltd uses a variety of tools and mechanisms to achieve high availability and resiliency (multiple fault-independent availability zones, data center monitoring, orchestration tooling, etc.). |
| Measures for ensuring the ability to restore the availability and access to personal data in a timely manner | stack8s Ltd’s infrastructure can detect and route around issues, employing orchestration tooling capable of regenerating hosts from the latest backup. Specialized monitoring tools manage server performance and data/traffic capacity. |
| Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures | stack8s Ltd has developed and implemented a security control environment designed to protect confidentiality, integrity, and availability of customers’ systems. stack8s Ltd conducts regular internal and external audits. |
| Measures for user identification and authorization | Access control policies require that access be granted based on business justification, with “need-to-know” and “least-privilege” principles. Documented requirements are reviewed during external security certification testing. |
| Measures for the protection of data during transmission | Data is encrypted in transit using TLS v1.2. |
| Measures for the protection of data during storage | Databases storing Customer Personal Data use AES encryption. |
| Measures for ensuring physical security of locations at which personal data are processed | stack8s Ltd data centers are nondescript buildings, physically constructed, managed, and monitored 24/7. All data centers are fenced and use badge-controlled gates. CCTV monitors physical access. |
| Measures for ensuring event logging | Logging of service, user, and security events is enabled and retained centrally. Access to audit logs is restricted and regularly reviewed. |
| Measures for internal IT and IT security governance and management | stack8s Ltd performs an annual internal review of all security management policies and procedures. External auditors perform annual reviews. |
| Measures for ensuring data minimisation, quality, and limited retention | More information is found in stack8s Ltd’s Privacy Policy at: https://stack8s.ai/legal/privacy-policy. |
| Measures for ensuring accountability | stack8s Ltd staff are trained and bound by policies to maintain confidentiality and follow data protection principles. |
| Measures for allowing data portability and ensuring erasure | stack8s Ltd may create De-identified Data. Customer can request deletion/return of Personal Data upon termination. |
| Technical and organizational measures to be taken by the [sub]-processor | Where stack8s Ltd uses a Subprocessor, stack8s Ltd enters an agreement requiring obligations no less protective than those herein, including notifications of personal data breaches, assisting with data subject requests, etc. |

Schedule 3: Controller-to-Processor and/or Processor-to-Processor Information for International Data Transfers

  1. Subprocessors

stack8s Ltd uses Subprocessors when it acts as a Processor. Customer authorizes stack8s Ltd to use these Subprocessors consistent with Section 7.4. The list of Subprocessors is available through our Subprocessors Page:
https://stack8s.ai/trust/subprocessors

  2. Retention Periods

stack8s Ltd retains Personal Data it collects or receives from Customer as a Processor for the duration of the Agreement and consistent with its obligations in this DPA.

  3. Information for International Transfers

3.1 For the purposes of the Standard Contractual Clauses:

  • Clause 9, Module 2(a): The parties select Option 2. The time period is 30 days.
  • Clause 11(a): The parties do not select the independent dispute resolution option.
  • Clause 17, Module 2: The parties select Option 2. The Member State of the data exporter is: EU Member State Customer is located in.
  • Clause 18(b), Module 2: The Parties agree that those shall be the courts of the EU Member State Customer is located in.
  • Annex I(A): The data exporter is Customer. The data importer is stack8s Ltd. Contact details for Customer are the email address(es) designated by Customer in Customer’s stack8s Ltd account. Contact details for stack8s Ltd are: privacy@stack8s.ai.
  • Annex I(B): The parties agree that Schedule 1 describes the transfer.
  • Annex I(C): The competent supervisory authority is the supervisory authority of: Customer who acts as data exporter.
  • Annex II: The parties agree that Schedule 3.4 describes the technical and organizational measures applicable to the transfer.

3.2 For purposes of the UK Addendum:

  • Table 1: The data exporter is Customer. The data importer is stack8s Ltd. Contact details for Customer are the email address(es) designated by Customer in Customer’s stack8s Ltd account. Contact details for stack8s Ltd are: privacy@stack8s.ai.
  • Table 2: The Parties select the checkbox that reads: “Approved EU SCCs, including the Appendix Information and with only the following modules, clauses or optional provisions of the Approved EU SCCs brought into effect for the purposes of this Addendum”, and the accompanying table shall be deemed completed according to the Parties’ preferences outlined in Schedule 3, Section 3.1 above.
  • Table 3: Table 3 shall be completed with the information set forth in (i) Schedule 3, Section 3.1 above regarding Annex I(A), Annex I(B), Annex II and (ii) Schedule 3, Section 1 above regarding Annex III.
  • Table 4: The Parties agree that the data importer may terminate the UK Addendum as set out in Section 19 of the UK Addendum.

  4. Technical and Organizational Measures

Below is a summary of stack8s Ltd’s technical and organizational security measures, specifically for Controller-to-Processor or Processor-to-Processor transfers:

| Technical and Organizational Security Measure | Evidence of Technical and Organizational Security Measure |
|---|---|
| Measures of pseudonymisation and encryption of personal data | Customer responsibility. stack8s Ltd encrypts data at rest and in transit, but Customers must ensure any supplemental encryption/pseudonymization needed for their specific use cases. |
| Measures for ensuring ongoing confidentiality, integrity, availability, and resilience | Customer responsibility. See stack8s Ltd’s Trust Platform FAQ for details: https://stack8s.ai/trust/faq. |
| Measures for ensuring the ability to restore the availability and access to personal data | Customer responsibility. It is the Customer’s responsibility to back up and utilize redundancy mechanisms for Customer Content. |
| Processes for regularly testing, assessing, and evaluating the effectiveness of measures | stack8s Ltd regularly assesses its security measures via internal and external audits. Customer should also implement testing for any measures under Customer’s control. |
| Measures for user identification and authorization | stack8s Ltd enforces appropriate account-level controls. Customers must manage their users’ permissions to ensure limited access. |
| Measures for the protection of data during transmission and storage | Customer responsibility. stack8s Ltd encrypts Customer data in transit (TLS v1.2) and at rest (AES), but Customers are responsible for encrypting any additional data in object storage or backups, etc. |
| Measures for ensuring physical security of data centers | stack8s Ltd data centers use 24/7 monitoring, fences, badge-controlled gates, and CCTV. |
| Measures for ensuring event logging | stack8s Ltd retains centralized logs; access is restricted and logs are regularly reviewed. |
| Measures for ensuring data minimisation, quality, and limited retention | Customer should manage the types of personal data stored and ensure timely deletion within the stack8s Ltd environment. |
| Measures for allowing data portability and ensuring erasure | Customer can export/delete data via self-service features or by contacting stack8s Ltd. |
| Technical and organizational measures to be taken by the [sub]-processor | Subprocessors are contractually required to adopt measures that are no less protective than those set forth in this Schedule. |

Schedule 4: UK IDTA Addendum

For additional documentation, please see the separate UK IDTA Addendum at:
https://stack8s.ai/idta.pdf


Prior Versions of our Data Processing Agreement

  • N/A