DATA PROCESSING ADDENDUM
DRAFT — PENDING LEGAL REVIEW

DPA template.

The terms below form the basis of Stackr's Data Processing Addendum with customers. To request a countersigned PDF for your procurement process, email privacy@stackr.work.

1. SCOPE + ROLES

Customer is the data controller. Stackr is the data processor. This DPA applies to all personal data Stackr processes on Customer's behalf in connection with the Service.

2. PROCESSING DETAILS

Subject matter: AI-generated business intelligence briefings.

Duration: For the term of the customer's subscription, plus a 30-day post-termination retention window for export, after which data is deleted.

Nature + purpose: Ingesting operational signal from Customer's connected tools, persisting events, generating natural-language summaries (briefs), and surfacing them in the Stackr UI and via configured delivery channels.

Categories of data subjects: Customer's employees, customers, and counterparties to the extent their identifiers appear in source systems.

Categories of personal data: Names, email addresses, account identifiers, support conversation summaries (scrubbed), CRM deal metadata, payment metadata, engineering activity logs, calendar entries.

Special categories: Not intended; Customer warrants it will not configure Stackr to ingest special-category data without prior written agreement.

3. SUBPROCESSORS

Stackr's current subprocessors are listed at /subprocessors. Customer is notified at least 30 days before any new subprocessor begins processing.

4. SECURITY MEASURES

Stackr implements the technical and organizational measures described at /security. These include encryption in transit (TLS 1.2+), encryption at rest (AES-256), tenant isolation via row-level security plus application-layer ownership assertions, audit logging, OAuth credential encryption via Supabase Vault, rate limiting, and prompt-injection defenses on LLM pipelines.

5. INTERNATIONAL TRANSFERS

Stackr operates from Almaty, Republic of Kazakhstan. Most subprocessors (Supabase, Netlify, our LLM provider, Inngest, Resend, Upstash) operate from the United States. Customer data therefore flows: Customer → Stackr (Kazakhstan) → US subprocessors. Specific regions per subprocessor are listed at /subprocessors.

For EU / UK / EEA customers, Stackr relies on the EU Standard Contractual Clauses (Commission Implementing Decision 2021/914) and the UK International Data Transfer Addendum issued by the Information Commissioner. Stackr executes SCCs in both directions: with the customer (Module 2: controller-to-processor) and with each US subprocessor (Module 3: processor-to-processor).

For Kazakhstan customers, processing is governed by the Republic of Kazakhstan Law on Personal Data and its Protection (No. 94-V, 21 May 2013). Cross-border transfer consent is collected at signup per Article 12.

6. DATA SUBJECT REQUESTS

Stackr will assist Customer with responses to data-subject requests (access, rectification, erasure, portability) within commercially reasonable timeframes. Requests should be routed through Customer first; Stackr's direct response window to Customer is 30 days.

7. INCIDENT NOTIFICATION

Stackr will notify Customer within 72 hours of becoming aware of a personal data breach affecting Customer's data, with the information then available, and will provide updates as the investigation progresses.

8. AUDIT RIGHTS

Stackr will make available, on Customer's reasonable request, information necessary to demonstrate compliance with this DPA. On-site audits may be permitted with reasonable notice, no more frequently than annually, subject to confidentiality.

9. DELETION + RETURN

On termination, Stackr will delete Customer's personal data within 30 days, except where retention is required by applicable law (in which case the data is segregated and subject to no further processing). Customer may export data at any time during the term and during the 30-day post-termination window.

10. CONFLICT

In the event of conflict between this DPA and the Service Agreement / Terms of Service, this DPA controls with respect to personal data processing.

This template is provided for transparency. The legally binding version is the countersigned PDF Stackr provides on request. Last updated: 2026-07-10.

Data Processing Addendum | Stackr