Data Processing Addendum (DPA)

Data Processing Addendum

Updated March 2nd, 2024

This Data Processing Addendum ("DPA") is incorporated into and forms part of the terms and conditions of the Stacksync Terms and Conditions, Service Consumption Tables or other agreement under which Stacksync Inc. ("Stacksync") provides services to Customer ("Agreement") executed between the party identified as the "Customer" and Stacksync. This DPA is supplemental to the Agreement and sets out the roles and obligations that apply when Stacksync processes Personal Data on behalf of Customer in connection with Customer's use of Stacksync’s services ("Services"). If there is any conflict between the Agreement and this DPA, the terms of this DPA will prevail to the extent of such conflict. Any capitalized terms not defined in this DPA will have the meanings given to them in the Agreement.

1. Definitions. For the purpose of this DPA:

1.1 "controller", "processor", "data subject", "personal data" and "processing" (and "process") will have the meanings given in EU/UK Data Protection Law;

1.2 "Applicable Data Protection Law" means all worldwide data protection and privacy laws and regulations applicable to the Personal Data in question, including, where applicable, EU/UK Data Protection Law, US Data Protection Law, Serbian Data Protection Law, Canadian Data Protection Law, and the Swiss DPA;

1.3 “Breach” means an accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access that is in violation of Stacksync’s security obligations under this Agreement by Stacksync or its agents of which Stacksync becomes aware. Breach will not include an unsuccessful Breach, which is one that results in no unauthorized access to Personal Data or to any Stacksync equipment or facilities storing the Personal Data, and could include (without limitation) pings and other broadcast attacks of firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond headers) or similar incidents;

1.4 "Canadian Data Protection Law" means: (i) the Personal Information Protection and Electronic Documents Act S.C. 2000, c. 5; (ii) applicable provincial law; (iii) any and all applicable data protection laws made under, pursuant to or that apply in conjunction with any of (i) or (ii); in each case as may be amended or superseded from time to time;

1.5 “Data Privacy Framework” means the EU-US Data Privacy Framework, the UK extension to the EU-US Data Privacy Framework, and the Swiss-US Data Privacy Framework self-certification program operated by the US Department of Commerce;

1.6 “Data Privacy Principles” means the Data Privacy Framework principles (as supplemented by the Supplemental Principles);

1.7 "EU/UK Data Protection Law" means: (i) Regulation 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the Processing of Personal Data and on the free movement of such data (General Data Protection Regulation) (the "EU GDPR"); (ii) the EU GDPR as saved into United Kingdom law by virtue of section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (the "UK GDPR"); (iii) the EU e-Privacy Directive (Directive 2002/58/EC); and (iv) any and all applicable national data protection laws made under, pursuant to or that apply in conjunction with any of (i), (ii) or (iii); in each case as may be amended or superseded from time to time;

1.8 "US Data Protection Law" means: (i) the California Consumer Privacy Act of 2018, including as amended by the California Privacy Rights Act of 2020, codified at Cal. Civ. Code §1798.100 et seq., upon the CPRA’s enforcement date of July 1, 2023 (together with its implementing regulations) (“CPRA”); (ii) the Virginia Consumer Data Protection Act; (iii) the Colorado Privacy Act; (iv) the Connecticut Personal Data Privacy and Online Monitoring Act; (v) the Utah Consumer Privacy Act; (vi) the Iowa Consumer Data Protection Act; (vii) the Indiana Consumer Data Protection Act; (viii) the Tennessee Information Protection Act; (ix) the Montana Consumer Data Privacy Act; (x) the Texas Data Privacy and Security Act; (xi) the Oregon Consumer Privacy Act; (xii) the Delaware Personal Data Privacy Act; and (xiii) any and all applicable comprehensive state data protection laws and regulations that are or are not yet in effect as of the Effective Date; in each case as may be amended or superseded from time to time;

1.9 "Serbian Data Protection Law" means: Law on Personal Data Protection (Zakon o zaštiti podataka o ličnosti; Official Gazette of the Republic of Serbia, no 87/2018). In the case of a transfer of Personal Data to a Non-Adequate Country, by entering into this DPA, the Customer is entering into the Serbian Standard Contractual Clauses (“Serbian SCCs”) as adopted by the "Serbian Commissioner for Information of Public Importance and Personal Data Protection", published at https://www.poverenik.rs/images/stories/dokumentacija-nova/podzakonski-akti/Klauzulelat.docx to provide an adequate level of protection. References to the Standard Contractual Clauses in this DPA will include the Serbian SCCs. Information required to complete Appendices 1 to 8 of the Serbian SCCs for the purpose of governing the transfer of Personal Data to a Non-Adequate Country can be found in this DPA and accompanying appendices;

1.10 “Supplemental Principles” will have the meaning given in the Data Privacy Framework;

1.11 "Standard Contractual Clauses" means: (i) where the EU GDPR or Swiss DPA applies, the contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council ("EU SCCs"); and (ii) where the UK GDPR applies, standard data protection clauses adopted pursuant to or permitted under Article 46 of the UK GDPR ("UK SCCs"); and (iii) where Serbian Data Protection Law applies, the Serbian SCCs; and

1.12 "Swiss DPA" means the revised Swiss Federal Act on Data Protection enacted on September 25, 2020, and effective on September 1, 2023, as may be amended or superseded from time to time.

2. Relationship of the parties: Customer instructs Stacksync to process the personal data described in Annex I (the "Personal Data") on its behalf. In respect of such processing, Customer will be the controller (or, where Customer is instructing Stacksync on behalf of a third party controller, a processor on behalf of that controller) and Stacksync will be a processor (or, where Customer is a processor on behalf of a third party controller, Stacksync will be a subprocessor to Customer). Each party will comply with the obligations that apply to it under Applicable Data Protection Law.

3. Purpose limitation: Stacksync will process Personal Data for the purposes described in Annex I and strictly in accordance with the documented instructions of Customer (which instructions, where Customer is a processor, will reflect the instructions of its controller) (the "Permitted Purpose"), except where otherwise required by law(s) that are not incompatible with Applicable Data Protection Law. In no event will Stacksync process Personal Data for its own purposes or those of any third party. Stacksync will immediately inform Customer (who, where Customer is a processor, will inform its controller) if it becomes aware that such processing instructions infringe Applicable Data Protection Law.

4. Cross border transfer mechanisms:

4.1 Order of precedence: To the extent Customer’s use of the Services requires an onward transfer mechanism to lawfully transfer personal data from a jurisdiction to Stacksync located outside of that jurisdiction (“Transfer Mechanism”), the terms set forth in this Section 4 will apply. In the event the Services are covered by more than one Transfer Mechanism, the transfer of Personal Data will be subject to a single Transfer Mechanism, as applicable, and in accordance with the following order of precedence: (i) the Data Privacy Framework as set forth in Section 4.2 (Data Privacy Framework) of this DPA; (ii) Standard Contractual Clauses as set forth in Section 4.3 (Standard Contractual Clauses) of this DPA; and, if neither (i) nor (ii) is applicable, then (iii) other applicable data Transfer Mechanisms permitted under Applicable Data Protection Law.

4.2 Data Privacy Framework: To the extent Stacksync processes any Personal Data via the services subject to EU/UK Data Protection Law and/or Swiss DPA, Stacksync represents that it is self-certified under the Data Privacy Framework and complies with the Data Privacy Principles when processing any such Personal Data. To the extent that Customer is either located in the United States of America and is self-certified under the Data Privacy Framework or subject to EU/UK Data Protection Law and/or Swiss DPA, Stacksync further agrees to (i) provide at least the same level of protection to any Personal Data as required by the Data Privacy Principles; (ii) notify Customer in writing, without undue delay, if its self-certification to the Data Privacy Framework is withdrawn, terminated, revoked, or otherwise invalidated; and (iii) upon written notice, work with Customer to take reasonable and appropriate steps to stop and remediate any unauthorized processing of Personal Data.

4.3 Standard Contractual Clauses: For cross border data transfers that are subject to Standard Contractual Clauses, the Standard Contractual Clauses will be deemed entered into, and incorporated into this DPA by this reference, and completed as follows:

(a) in relation to Personal Data that is protected by the EU GDPR, the EU SCCs will apply completed as follows:

(i) Module Two will apply to the extent that Customer is a controller of Personal Data, and Module Three will apply to the extent that Customer is a processor of Personal Data on behalf of a third party controller;

(ii) in Clause 7, the optional docking clause will not apply;

(iii) in Clause 9, Option 2 will apply, and the time period for prior notice of subprocessor changes will be as set out in Clause 8 of this DPA;

(iv) in Clause 11, the optional language will not apply;

(v) in Clause 17, Option 1 will apply, and the EU SCCs will be governed by Republic of Ireland law;

(vi) in Clause 18(b), disputes will be resolved before the courts of the Republic of Ireland;

(vii) Annex I of the EU SCCs will be deemed completed with the information set out in Annex I to this DPA;

(viii) Annex II of the EU SCCs will be deemed completed with the information set out in Annex II to this DPA; and

(ix) Annex III of the EU SCCs will be deemed completed with the information set out in Annex III to this DPA.

(b) in relation to Personal Data that is protected by the UK GDPR, the UK SCCs will apply completed as follows:

(i) for so long as Customer and Stacksync are lawfully permitted to rely on the EU SCCs for transfers of Personal Data from the United Kingdom subject to completion of a “UK Addendum to the EU Standard Contractual Clauses” (“UK Addendum”) issued by the Information Commissioner’s Office under s.119A(1) of the Data Protection Act 2018, then:

A. The EU SCCs, completed as set out above in Section 4.3(a) of this DPA will also apply to transfers of such Personal Data, subject to sub-clauses (B) and (C) below;

B. The UK Addendum will be deemed executed between the transferring Customer and Stacksync, and the EU SCCs will be deemed amended as specified by the UK Addendum in respect of the transfer of such Personal Data; and

C. The optional illustrative indemnification clause will not apply.

(ii) if Customer and Stacksync are no longer permitted to rely on the EU SCCs and the UK Addendum, then the Customer and Stacksync will cooperate in good faith to implement appropriate safeguards for transfers of such Personal Data as required or permitted by the UK GDPR without undue delay;

(c) in relation to Personal Data that is protected by the Swiss DPA, the EU SCCs will apply as set out in 4.3(a), amended as follows:

(i) references to ‘Regulation (EU) 2016/679’ in the EU SCCs will be deemed to refer to the Swiss DPA;

(ii) references to specific articles of ‘Regulation (EU) 2016/679’ will be deemed replaced with the equivalent article or section of the Swiss DPA;

(iii) references to ‘EU’, ‘Union’ and ‘Member State’ will be deemed replaced with ‘Switzerland’;

(iv) references to the ‘competent supervisory authority’ and ‘competent courts’ are replaced with the ‘Swiss Federal Data Protection Information Commissioner’ and ‘applicable courts of Switzerland’ (as applicable);

(v) in Clause 17, the EU SCCs will be governed by the laws of Switzerland; and

(vi) in Clause 18(b), disputes will be resolved before the competent courts of Switzerland.

(d) in the event that any provision of the Agreement (including this DPA) contradicts, directly or indirectly, the Standard Contractual Clauses, the Standard Contractual Clauses will prevail.

5. Onward transfers: Stacksync will not participate in (nor permit any subprocessor to participate in) any other cross border transfers of Personal Data (whether as an exporter or an importer of Personal Data) unless it has taken such measures as are necessary to ensure the transfer is in compliance with Applicable Data Protection Law. Without prejudice to the foregoing, Customer consents to cross border transfers of Personal Data where Stacksync has implemented a transfer solution compliant with Applicable Data Protection Law.

6. Confidentiality of processing: Stacksync will take appropriate measures to ensure the confidentiality of Personal Data as outlined in the Agreement.

7. Security: Stacksync will implement appropriate technical and organisational measures to protect the Personal Data from a Breach. Such measures will have regard to the state of the art, the costs of implementation and the nature, scope, context and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. Such measures will include, as appropriate:

(a) the pseudonymisation and encryption of Personal Data;

(b) the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services;

(c) the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;

(d) a process for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures for ensuring the security of the processing;

(e) at a minimum, such measures will include the measures identified in Annex II.

8. Subprocessing: Stacksync will not subcontract any processing of the Personal Data to a third party subprocessor without the prior written consent of Customer, which consent, where Customer is a processor, will reflect the instructions of its controller. Notwithstanding this, Customer consents to Stacksync engaging third party subprocessors to process the Personal Data provided that: (i) Stacksync provides at least 5 days' prior written notice of the addition or removal of any subprocessor (including details of the processing it performs or will perform), which will also include posting detail of such addition or removal at the following URL: https://docs.stacksync.cloud/security/subprocessors; and (ii) Stacksync imposes data protection terms on any subprocessor it appoints that protect the Personal Data, in substance, to the same standard provided for by this DPA. A list of approved subprocessors as of the date of this DPA is attached at Annex III, and Stacksync will maintain and provide updated copies of this list to Customer when it adds or removes subprocessors in accordance with this Section. If Customer refuses to consent to Stacksync's appointment of a third party subprocessor on reasonable grounds relating to the protection of the Personal Data, then either Stacksync will not appoint the subprocessor or Customer may elect to suspend or terminate the Agreement.

9. Cooperation and data subjects' rights: Stacksync will provide all reasonable and timely assistance to Customer (at Customer's expense) to enable Customer (or, where Customer is a processor, its controller) to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Stacksync, Stacksync will (unless prohibited by applicable law) promptly inform Customer (who, where Customer is a processor, will in turn inform its controller) providing full details of the same.

10. Data Protection Impact Assessment: Stacksync will provide Customer with all such reasonable and timely assistance (at Customer’s expense) as Customer may require in order to enable it (or, where Customer is a processor, to enable its controller) to conduct a data protection impact assessment in accordance with Applicable Data Protection Law including, if necessary, assistance to Customer (or, where Customer is a processor, its controller) to consult with its relevant data protection authority.

11. Breach notification: Upon becoming aware of a Breach, Stacksync will inform Customer (who, where Customer is a processor, will in turn inform its controller) without undue delay and will provide all such timely information and cooperation as Customer may require in order for Customer (or, where Customer is a processor, its controller) to fulfil its data breach reporting obligations under (and in accordance with the timescales required by) Applicable Data Protection Law. Stacksync will further take all such measures and actions as are necessary to remedy or mitigate the effects of the Breach and will keep Customer informed of all material developments in connection with the Breach.

12. Deletion or return of Data: After a written request by Customer or the termination or expiration of the Agreement, Stacksync will destroy or return to Customer all Personal Data in its possession or control. This requirement will not apply to the extent that Stacksync: (i) is required by any applicable law to retain some or all Personal Data; and/or (ii) retains Personal Data in its backup systems until the backups have been overwritten or expunged in accordance with Stacksync’s backup policy; provided that, in the event of either (i) or (ii), Stacksync will isolate and protect Personal Data from any further processing except to the extent required until deletion is possible. Until Personal Data is deleted or returned, Stacksync will continue to ensure compliance with its security and privacy obligations in the Agreement and this DPA.

13. Audit: Customer (and, where Customer is a processor, its controller) acknowledges that Stacksync is currently undergoing the preparation to obtain certifications and be audited against ISO 27001 and SOC 2 by independent third party auditors. Upon request, Stacksync will supply a summary copy of its audit report(s) to Customer (and, where Customer is a processor, its controller), which report(s) will be subject to the confidentiality provisions of the Agreement. Stacksync will also respond to any written audit questions submitted to it by Customer (and, where Customer is a processor, its controller) and meet by teleconference or in person (at Customer’s expense) to address follow-up questions, provided that Customer (and, where Customer is a processor, its controller) will not exercise this right more than once per year, except if and when required by instruction of a competent data protection authority.

14. Processing in accordance with US Data Protection law:

14.1 Processing Of Personal Data: Customer appoints Stacksync as a processor (or, where Customer is a processor, Customer appoints Stacksync as a sub-processor) to process Personal Data only for the Business Purposes (as defined by CPRA) listed in Customer’s instructions under Annex I. Processing by Stacksync is outlined in Annex I that sets out the processing instructions to which Stacksync is bound, including the nature and purpose of the processing, the type of Personal Data subject to the processing, and the duration of the processing. Stacksync will adhere to Customer instructions as outlined in Section 3 and Annex I, and Stacksync will assist Customer in meeting its obligations under US Data Protection Law. Stacksync will comply with all applicable sections of US Data Protection Law, including providing the same level of protection for Personal Data as US Data Protection Law requires Customer to provide. Taking into account the nature of processing and the information available to Stacksync, Stacksync will assist Customer by:

(a) taking appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the controller's obligation to respond to data subject rights requests as outlined in Section 9;

(b) helping Customer meet its obligations in relation to the security of processing Personal Data and in relation to the notification of a breach of the security of the system as outlined in Section 7, Section 11, and Annex II;

(c) providing information to Customer necessary to enable Customer to conduct and document any data protection assessments as outlined in Section 10. Customer and Stacksync are each responsible for only the measures allocated to them;

(d) ensuring that each person processing Personal Data is subject to a duty of confidentiality with respect to Personal Data as outlined in Annex II; and

(e) after providing Customer an opportunity to object, engaging any subprocessor pursuant to a written contract in accordance with Section 8 that requires the subprocessor to meet the obligations of Stacksync with respect to Personal Data.

14.2 Security measures: Taking into account the context of processing, Customer and Stacksync will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk and establish a clear allocation of the responsibilities between them to implement the measures as outlined in Annex II.

14.3 Deletion or return of Personal Data: Stacksync will delete or return all Personal Data to Customer at the end of the provision of services as outlined in Section 12.

14.4 Audit rights: Stacksync grants Customer the right to take reasonable and appropriate steps to help ensure that Stacksync uses Personal Data consistent with US Data Protection Law and to stop and remediate unauthorized use of Personal Data. Stacksync will, upon the reasonable request of Customer, make available to Customer all information in its possession necessary to demonstrate Stacksync's compliance as outlined in Section 13. Stacksync will allow an audit of Stacksync's policies and technical and organizational measures in support of the obligations under US Data Protection Law and will provide a report of the audit to Customer upon request as outlined in Section 13.

14.5 Restrictions On Processing Personal Data: Stacksync is prohibited from: (i) processing Personal Data for any purposes but for the Business Purposes unless otherwise expressly permitted by US Data Protection Law; (ii) processing Personal Data for any additional commercial purpose (other than the Business Purposes) including in the servicing of a different business unless otherwise expressly permitted by US Data Protection Law; (iii) processing Personal Data outside the direct business relationship between Customer and Stacksync unless otherwise expressly permitted by US Data Protection Law; (iv) Selling or Sharing (as both are defined by CPRA) Personal Data; (v) combining Personal Data with Personal Data that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a data subject unless otherwise expressly permitted by US Data Protection Law; or (vi) processing the Personal Data for any other purpose except as permitted by this DPA.

14.6 Inability To Comply With US Data Protection Law: Stacksync shall notify Customer after Stacksync determines that it no longer can meet its obligations under this DPA or US Data Protection Law. In the event of Stacksync’s inability to meet its obligations, Customer may, in its discretion: (i) take reasonable and appropriate steps to stop and remediate any unauthorized use of Personal Data; or (ii) terminate the Agreement.

14.7 Certification: Stacksync certifies that it understands and will comply with the restrictions set forth in this Section 14.

15. System Data: Notwithstanding anything to the contrary in this Agreement, Stacksync may collect System Data and use such data internally to develop, improve, support, and operate its products and services. Stacksync’s use of System Data will comply with applicable data protection law. Stacksync may not share any System Data that includes Personal Data with a third party except to the extent the System Data is aggregated and anonymized such that Customer and Customer’s users cannot be identified.

16. Local implementation agreement: If and when necessary to accommodate laws, regulations, and/or local business requirements in a particular country outside the United States, European Union, the European Economic Area and their member states, Switzerland and the United Kingdom, the parties may enter into a Local Implementation Addendum covering additional requirements under such laws that are not already addressed in the Agreement or this DPA.

17. Personnel background checks: Prior to engaging any employee or contractor who may receive access to Personal Data, Stacksync will conduct a criminal history background check (modified as appropriate to comply with applicable law in countries outside the United States) covering the three year period prior to the employment commencement date of such employee or contractor.

18. Construction; Interpretation: This DPA is not a standalone agreement and is only effective if an Agreement is in effect between Stacksync and Customer. This DPA is part of the Agreement and is governed by its terms and conditions, including limitations of liability set forth therein. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.

19. Severability: If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.

20. Amendment; Enforcement of rights: No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties to this DPA. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party. This DPA may not be construed to create any right or cause of action on behalf of a third party, except to the minimum extent that such rights are required to be available to data subjects under Applicable Data Protection Law.

21. Assignment: This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.

22. Governing Law: This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by EU/UK Data Protection Law or Applicable Data Protection Law, in which case this DPA will be governed by the laws outlined in the relevant section of this DPA.

23. Counterparts: This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

24. Supplementary terms to Standard Contractual Clauses

24.1 Documentation and compliance: For the purposes of Clause 8.9, the review and audit provisions in this DPA will apply.

24.2 Notification and transparency:

For purposes of Clause 8.3 – Modules 2 and 3 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Stacksync to make the appropriate communications to data subjects and accordingly, Customer will (following notification by Stacksync) have the option to be the party who makes any communication to the data subject, and Stacksync will provide the level of assistance set out in this DPA.

24.3 Liability: For the purposes of Clause 12(a), the liability of the parties will be limited in accordance with the limitation of liability provisions in the Agreement.

24.4 Signatories: Notwithstanding the fact that the Standard Contractual Clauses are incorporated herein by reference without being signed directly, Stacksync and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the Standard Contractual Clauses, and that it is duly authorized to do so on behalf of, and to contractually bind, the data exporter or data importer (as applicable) accordingly.

Annex I

Data Processing Description

This Annex I forms part of the DPA and describes the processing that the processor will perform on behalf of the controller.

A. LIST OF PARTIES

Controller(s) / Data exporter(s): [Identity and contact details of the controller(s) /data exporter(s) and, where applicable, of its/their data protection officer and/or representative in the European Union]

1.
Name: As provided by the Customer
Address: As provided by the Customer
Contact person’s name, position and contact details: As provided by the Customer
Activities relevant to the data transferred under these Clauses: Stacksync will process Customer personal data in order to facilitate the data transfer and synchronization of data between Customer’s data sources such as databases, data warehouses and business apps in a unidirectional or bidirectional data flow. The frequency and retention periods for which personal data may be stored will vary depending on Customer’s configuration of Stacksync’s Service and are described at https://docs.stacksync.cloud/security/overview
Role (controller/processor): Controller/processor

Processor(s) / Data importer(s): [Identity and contact details of the processor(s) /data importer(s), including any contact person with responsibility for data protection]

1.
Name: Stacksync Inc.
Address: 2611, 1007 N Orange St. 4th Floor, Wilmington, DE, New Castle, US, 19801
Contact person’s name, position and contact details: Data Protection Officer (DPO): Ruben Burdin; privacy@stacksync.cloud; DPO@stacksync.cloud
Activities relevant to the data transferred under these Clauses: Stacksync will process Customer personal data in order to facilitate the data transfer and synchronization of data between Customer’s data sources such as databases, data warehouses and business apps in a unidirectional or bidirectional data flow. The frequency and retention periods for which personal data may be stored will vary depending on Customer’s configuration of Stacksync’s Service and are described at https://docs.stacksync.cloud/
Role (controller/processor): Processor/Sub-processor

B. DESCRIPTION OF TRANSFER

Categories of data subjects whose Personal Data is transferred:

Customer’s employees and consultants who use Stacksync’s Service.

Individuals whose Personal Data is stored in Customer’s data sources and processed by Stacksync.

Categories of Personal Data transferred:

Stacksync may have access to Personal Data of Customer’s employees and consultants who use Stacksync’s Service.

Stacksync may have access to Personal Data of individuals whose Personal Data is stored in Customer’s data sources.

The types of Personal Data processed are determined by Customer and may include without limitation: Name, Email address, Physical address, IP address and other online identifiers, Date of birth, Telephone/mobile number, Location Data.

Sensitive data transferred (if applicable) and applied restrictions or safeguards that fully take into consideration the nature of the data and the risks involved, such as for instance strict purpose limitation, access restrictions (including access only for staff having followed specialised training), keeping a record of access to the data, restrictions for onward transfers or additional security measures:

As above

The frequency of the transfer (e.g. whether the data is transferred on a one-off or continuous basis):

Duration of account/agreement life-cycle

Nature of the processing:

The data processing activities carried out by Stacksync under the Agreement

Purpose(s) of the data transfer and further processing:

Stacksync will process Customer Personal Data in order to facilitate migration of data from Customer’s data sources into Customer’s data warehouse.

The period for which the Personal Data will be retained, or, if that is not possible, the criteria used to determine that period:

The frequency and retention periods for which Personal Data may be stored will vary depending on Customer’s configuration of Stacksync’s Service and are described at https://docs.stacksync.cloud/

For transfers to (sub-) processors, also specify subject matter, nature and duration of the processing:

C. COMPETENT SUPERVISORY AUTHORITY

Identify the competent supervisory authority/ies (e.g. in accordance with Clause 13 of the SCCs)

Irish Supervisory Authority (DPC)

Annex II

Technical and Organisational Security Measures

Description of the technical and organisational measures implemented by the processor(s) / data importer(s) (including any relevant certifications) to ensure an appropriate level of security, taking into account the nature, scope, context and purpose of the processing, and the risks for the rights and freedoms of natural persons.

Measure

Description

Measures of pseudonymisation and encryption of Personal Data

Technical and Organizational Security Measures

Description of the technical and organisational security measures implemented by Stacksync in accordance with Applicable Data Protection Law:

Stacksync security measures can be found on Stacksync's website at https://docs.stacksync.cloud/security/overview

Security measures include:

Transport layer security

  • All data is transmitted to or from Stacksync over an encrypted channel using industry-standard cryptographic protocols (TLS 1.2 or later)

  • Stacksync redirects unencrypted requests (HTTP) to an encrypted protocol (HTTPS)

Physical & Environmental Security

The Stacksync services are hosted in Microsoft Azure, Google Cloud Platform (GCP), Amazon Web Services (AWS), OVH and Scaleway. Hosting providers maintain physical & environmental security protections including:

  • Physical access is restricted to approved employees based on the principle of least privilege

  • Multi-factor authentication when approved personnel access facilities

  • Closed Circuit Television Camera (CCTV) video recording of access points

  • Fire detection and suppression systems

  • Redundant infrastructure for power, networking, and cooling

Logical Access Controls

Logical access to the Stacksync services is restricted to employees based on the principle of least privilege. All access is formally approved and requires multi-factor authentication.

Access is removed in the event of employee termination or if the employee changes roles and no longer requires access, as well as being reviewed on a quarterly basis.

Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

See previous section that outlines our controls

Measures for ensuring the ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident

See previous section that outlines our controls

Processes for regularly testing, assessing and evaluating the effectiveness of technical and organisational measures in order to ensure the security of the processing

Stacksync is currently preparing to obtain certification and be audited against ISO 27001 and SOC 2 by independent third-party auditors. Upon request, Stacksync will supply a summary copy of its audit report(s) to Customer.

Measures for user identification and authorisation

See the previous sections that outline our controls

Measures for the protection of data during transmission

See the previous sections that outline our controls

Measures for the protection of data during storage

See the previous sections that outline our controls

Measures for ensuring physical security of locations at which Personal Data are processed

See the previous sections that outline our controls

Measures for ensuring events logging

See the previous sections that outline our controls

Measures for ensuring system configuration, including default configuration

See the previous sections that outline our controls

Measures for internal IT and IT security governance and management

Stacksync is currently preparing to obtain certification and be audited against ISO 27001 and SOC 2 by independent third-party auditors. Upon request, Stacksync will supply a summary copy of its audit report(s) to Customer.

Measures for certification/assurance of processes and products

Stacksync is currently preparing to obtain certification and be audited against ISO 27001 and SOC 2 by independent third-party auditors. Upon request, Stacksync will supply a summary copy of its audit report(s) to Customer.

Measures for ensuring data minimisation

Processing of Customer Data

Data pipes for each customer are managed separately within the host environment. Stacksync does not store Customer Data, other than while in transit, except as described in https://docs.stacksync.cloud/security/overview.

Stacksync does not control the host physical infrastructure. Stacksync relies on the fault-tolerant nature of Microsoft Azure, GCP and AWS across multiple availability zones, and can redeploy the platform to another region in case of catastrophic failure.

Except as described at https://docs.stacksync.cloud/security/overview, Stacksync will process Customer Data within the region specified by Customer during configuration of the data pipe. Current geographic regions supported by Stacksync are found here: https://docs.stacksync.cloud/security/overview

Measures for ensuring data quality

By the nature of the Stacksync services (a data pipeline), the accuracy of the Personal Data depends on whether or not Customer has provided accurate information.

Measures for ensuring limited data retention

Except as described at https://docs.stacksync.cloud/security/overview, Stacksync does not store Customer Data, other than while in transit.

Measures for ensuring accountability

Stacksync has a Data Protection Officer and a Chief Information Security Officer (the CTO, if no CISO is appointed).

Measures for allowing data portability and ensuring erasure

Except as described at https://docs.stacksync.cloud/security/overview, Stacksync does not store Customer Data, other than while in transit.

For transfers to (sub-) processors, also describe the specific technical and organisational measures to be taken by the (sub-) processor to be able to provide assistance to the controller (and, for transfers from a processor to a sub-processor, to the data exporter).

Measure

Description

Contractual language

Stacksync ensures that its subprocessors are subject to equivalent terms.

Due Diligence

Stacksync conducts due diligence on third parties, including necessary privacy and security reviews, such as privacy threshold and privacy impact assessments.

Annex III

List of Subprocessors

Stacksync’s current list of subprocessors may be found at https://docs.stacksync.cloud/security/subprocessors
