Data processing agreement
Definitions
This document is the data processing agreement ("DPA") between theStacc Software Pvt. Ltd. ("theStacc", "we", "us") and the customer whose account is subject to this DPA ("you", "Customer", "Controller"). It forms part of the terms of service and applies whenever we process personal data on your behalf.
The terms below carry the meanings given in the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA), and India's Digital Personal Data Protection Act 2023.
- Personal data — any information that identifies or can identify a living person.
- Controller — the party that decides why and how personal data is processed. That is you.
- Processor — the party that processes personal data on the controller's instructions. That is theStacc.
- Sub-processor — a third party that theStacc engages to process personal data on the controller's behalf.
- Data subject — the living person the personal data is about.
- Processing — any action performed on personal data, including storing, organizing, modifying, transmitting, or erasing.
- SCCs — the EU Standard Contractual Clauses for international transfers, version dated 4 June 2021.
Scope of processing
We process personal data only to run the product you have signed up for and to meet our legal obligations. The scope is documented below.
Subject matter
Operating theStacc — writing articles, managing Google Business Profiles, scheduling and publishing social posts, sending transactional emails, processing payments, and providing customer support.
Duration
Processing continues for as long as you have an active account, plus the retention windows described in the privacy policy.
Categories of data subjects
- You — the customer who signed up.
- Your team members invited to the dashboard.
- Visitors to your Google Business Profile or your social channels who interact with content we publish on your behalf.
- People mentioned in source material you upload (existing blog posts, customer testimonials, brand voice samples).
Categories of personal data
- Identity data — name, business name, work email.
- Account data — password hash, OAuth refresh tokens for connected platforms.
- Billing data — billing address, last four digits of the card, Stripe customer ID. We never see the full card number.
- Usage data — IP address, browser, operating system, country, feature engagement.
- Content data — material you upload to brief us on brand voice, product, or audience.
Our obligations
- Process personal data only on your documented instructions, which are these terms.
- Make sure every person who processes personal data on our behalf is bound by confidentiality.
- Implement the security measures described below.
- Help you respond to data subject requests, regulator queries, and data protection impact assessments.
- Notify you within 72 hours of becoming aware of a personal data breach.
- Delete or return personal data at the end of the subscription, according to your choice.
Sub-processors
We use the following sub-processors to run theStacc. Each one has been vetted, has signed a data protection agreement with us, and is subject to the same security obligations we accept towards you.
- Amazon Web Services (AWS) — primary hosting, database, object storage, backups. Region: ap-south-1 (Mumbai). AWS data processing addendum.
- Stripe — payment processing and fraud detection. Region: United States, with EU sub-processors. Stripe DPA.
- SendGrid (Twilio) — transactional email and newsletter delivery. Region: United States. SendGrid DPA.
- PostHog — product analytics. Region: EU-Cloud (Frankfurt). PostHog DPA.
- Anthropic — AI model provider for article generation. Region: United States. Anthropic does not train its models on customer prompts or completions. Anthropic DPA.
- OpenAI — secondary AI model provider used as a fallback. Region: United States. API data is not used for training. OpenAI DPA.
- Google Cloud — integration endpoint for Google Business Profile and Google Search Console. Region: global, the API endpoint is United States. Google Cloud DPA.
If we add, replace, or remove a sub-processor, we will email everyone with an active account at least 30 days before the change takes effect. You can object to a new sub-processor by emailing hello@thestacc.com within those 30 days. If we cannot accommodate the objection, you can cancel the subscription and we will refund the unused portion.
Security measures
We implement the technical and organizational measures listed below. They are designed to align with GDPR Article 32, SOC 2 Trust Services Criteria, and the ISO 27001 control set.
Encryption
- Data in transit is encrypted with TLS 1.2 or higher. Every connection to thestacc.com and to the dashboard is HTTPS-only with HSTS preload.
- Data at rest is encrypted with AES-256 in the primary database (AWS RDS), in object storage (AWS S3), and in nightly backups.
- OAuth refresh tokens, API keys, and other secrets are encrypted with KMS-backed envelope encryption and stored separately from the user record.
Access control
- Production systems are accessed only by named employees who need access to do their job.
- Every access requires single sign-on with a phishing-resistant second factor (hardware key or platform passkey).
- Access is logged. Logs are retained for 12 months and reviewed monthly.
- Access is revoked within 24 hours of an employee leaving the company.
Network and infrastructure
- Production infrastructure runs in private subnets behind a Cloudflare-fronted application gateway. No database is reachable from the public internet.
- We patch operating systems and runtimes within 14 days of a critical CVE.
- We run automated vulnerability scans weekly and a manual penetration test annually.
People and process
- Every employee signs an NDA and a privacy training acknowledgement on day one.
- Annual privacy and security training is mandatory.
- Incident response runs to a written playbook. We rehearse it quarterly.
Compliance roadmap
We are working towards SOC 2 Type II attestation in 2027. We already operate to the SOC 2 control set internally. ISO 27001 certification follows after SOC 2. We will publish each report on the trust page once issued.
Data subject rights
You are responsible for responding to data subject requests against your data. We help in three ways:
- Access and portability — the dashboard exports every piece of data we hold about a user as a JSON or CSV bundle in two clicks.
- Erasure — the dashboard deletes a user record on request. Deletion propagates to backups within 35 days.
- Rectification, restriction, and objection — email hello@thestacc.com with a description of the request. We complete the action within 7 business days.
If a data subject contacts us directly, we forward the request to you within 24 hours and do not act on it ourselves unless you instruct us to.
International transfers
Personal data may be transferred outside the country where it was collected. Specifically, the primary database is in India, while sub-processors operate in the United States and the European Union. For every transfer outside the EEA, the UK, or India we rely on one of the following safeguards:
- Standard Contractual Clauses (SCCs) — Module 2 (controller to processor) and Module 3 (processor to processor) of the EU SCCs version dated 4 June 2021. The SCCs are incorporated into this DPA by reference and apply automatically whenever EEA personal data is transferred to a sub-processor outside the EEA.
- UK International Data Transfer Addendum — for UK personal data, the SCCs are extended by the UK IDTA published by the Information Commissioner's Office.
- India Standard Contractual Clauses — for transfers out of India, we comply with the cross-border transfer requirements of the Digital Personal Data Protection Act 2023.
- Adequacy decisions — where the destination country has an adequacy decision from the European Commission, the decision is the basis for the transfer.
If the legal framework for international transfers changes, we will move data to a compliant region or implement additional safeguards within 90 days.
Audit
You have the right to audit our compliance with this DPA. We support audits in three ways:
- We share the SOC 2 and penetration test reports under NDA, once they are issued.
- We respond to written security questionnaires within 14 days.
- If a regulator requires an on-site audit, we will cooperate fully. The cost of the audit is borne by the party requesting it, unless the audit reveals a material breach of this DPA — in which case we cover the cost.
Audits cannot be more frequent than annually, except where a regulator demands a specific investigation or where a personal data breach has occurred.
Termination
This DPA ends when the underlying subscription ends. Within 30 days of termination you can ask us to export your data. After that 30-day window we delete the data, except for billing records (kept 7 years to meet tax law) and security logs (kept 12 months). Deletion propagates through backups within a further 35 days.
If you want a written certificate of deletion, email hello@thestacc.com after the export window closes.
Liability
Each party's liability under this DPA is governed by the limitation of liability clause in the underlying terms of service. Nothing in this DPA limits liability that cannot be limited under applicable data protection law, including liability for damages to data subjects under GDPR Article 82.
Where we and you are jointly liable to a data subject, you and we will share liability in proportion to each party's responsibility for the damage.
Contact
- Data Protection Officer · hello@thestacc.com
- Privacy · hello@thestacc.com
- Security · hello@thestacc.com
- Postal · theStacc Software Pvt. Ltd., Jaipur, Rajasthan, India
If you need this DPA signed as a standalone document, email the DPO and we will send a counter-signed copy within 5 business days.