This Data Processing Agreement ("DPA") forms part of the agreement for services ("Agreement") between [STACKV LEGAL ENTITY NAME — e.g. "Lakshya [Surname], trading as StackV" until a company is registered], of [REGISTERED ADDRESS, Pune, Maharashtra, India] ("StackV", the "Processor"), and the client identified in the applicable Statement of Work (the "Client", the "Controller"). It applies whenever StackV processes personal data on the Client's behalf, and is drafted to satisfy Article 28(3) GDPR, the Swiss FADP/nDSG, and India's DPDP Act, 2023.
1. Definitions
"Personal data", "processing", "controller", "processor", "data subject", "supervisory authority" and "personal data breach" have the meanings in the GDPR. "Data Protection Laws" means all laws applicable to the processing, including the GDPR, UK GDPR, Swiss FADP, and the DPDP Act. "SCCs" means the EU Commission's Standard Contractual Clauses (Decision 2021/914).
2. Roles, scope, and instructions
The Client is the controller; StackV is the processor. Annex 1 describes the subject matter, duration, nature and purpose of processing, data categories, and data subjects.
StackV processes personal data only on the Client's documented instructions (including this DPA, the SOW, and configuration choices the Client makes), unless required to do otherwise by law — in which case StackV will inform the Client before processing, unless the law prohibits this.
StackV will immediately inform the Client if, in its opinion, an instruction infringes Data Protection Laws. StackV may suspend execution of such an instruction without breach of the Agreement.
The Client warrants that it has a lawful basis, all required consents and notices, and the right to instruct the processing — including for any lead lists, scraped data, or outreach targets it supplies or directs. The Client is solely responsible for the lawfulness of its campaigns and instructions.
3. Confidentiality and personnel
StackV ensures that all persons authorised to process the personal data are bound by confidentiality obligations (contractual or statutory) and receive appropriate data-protection training, and that access is limited to what each person needs for the engagement.
4. Security (Art. 32 GDPR)
StackV implements and maintains the technical and organisational measures described in Annex 3 (TOMs), appropriate to the risk, including encryption, access control, pseudonymisation where feasible, resilience, and regular testing. StackV may update the TOMs provided security is not materially reduced.
5. Sub-processors
The Client gives general written authorisation for the sub-processors listed in Annex 2.
StackV will notify the Client at least 14 days before adding or replacing a sub-processor. The Client may object on reasonable data-protection grounds within that period; if no resolution is found, either party may terminate the affected services, with payment due for work performed.
StackV imposes data-protection obligations on each sub-processor that are materially equivalent to this DPA, and remains liable to the Client for the sub-processor's performance.
6. Data-subject rights and assistance
Taking into account the nature of the processing, StackV will assist the Client with appropriate technical and organisational measures, insofar as possible, in fulfilling the Client's obligations to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection). StackV will forward to the Client without undue delay any request it receives directly, and will not respond to it except on the Client's instruction. StackV will also assist the Client, as reasonably required, with Articles 32–36 GDPR (security, breach notification, DPIAs, prior consultation). Assistance beyond a reasonable level is chargeable at StackV's standard rates.
7. Personal data breach
StackV will notify the Client without undue delay, and in any event within 48 hours, after becoming aware of a personal data breach affecting the Client's personal data, providing the information reasonably available (nature, categories and approximate numbers, likely consequences, measures taken or proposed). StackV will cooperate with the Client's investigation and remediation. Notification is not an admission of fault. The Client is responsible for notifying authorities and data subjects.
8. International transfers
StackV processes data primarily from India. For personal data subject to the GDPR transferred to StackV, the SCCs, Module Two (controller-to-processor), are incorporated into this DPA by reference, with the Client as data exporter and StackV as data importer; Annexes 1–3 of this DPA serve as the SCC Annexes; clause 17 option: law of Ireland; clause 18: courts of Ireland. For Swiss data, the SCCs apply as adapted per FDPIC guidance (references to the GDPR include the FADP; competent authority: FDPIC; Swiss law applies for Swiss-only transfers). Onward transfers to sub-processors occur only with equivalent safeguards.
9. Audits
StackV will make available to the Client all information reasonably necessary to demonstrate compliance with Article 28 GDPR, and will allow and contribute to audits, including inspections, conducted by the Client or its mandated auditor — no more than once per 12 months (except after a breach or where required by a supervisory authority), on at least 14 days' notice, during business hours, without disrupting operations, and subject to confidentiality. The Client may first be offered StackV's most recent security documentation or third-party attestations in satisfaction of an audit request. The Client bears its own audit costs and StackV's reasonable time beyond one business day per audit.
10. Return and deletion
At the end of the services, at the Client's choice, StackV will delete or return all personal data processed on the Client's behalf and delete existing copies within 30 days, unless law requires storage — in which case the data remains protected under this DPA and is isolated from further processing. Deletion from backups occurs in the ordinary backup-rotation cycle (maximum 90 days). On request, StackV will confirm deletion in writing.
11. Liability, term, and order of precedence
This DPA takes effect with the Agreement and lasts as long as StackV processes personal data for the Client. Liability under this DPA is subject to the limitations and exclusions in the Agreement, to the extent permitted by Data Protection Laws; nothing limits a data subject's rights against either party under law. If this DPA conflicts with the Agreement, this DPA prevails for data-protection matters; the SCCs prevail over both where they apply. This DPA is governed by the law governing the Agreement, except where the SCCs require otherwise.
Annex 1 — Description of processing
Subject matter: provision of AI, automation, lead-generation, CRM, web/app, and related services described in the SOW.
Duration: the term of the Agreement plus the deletion period in Section 10.
Nature and purpose: hosting, structuring, enrichment, scoring, routing, generation of communications drafts, support automation, analytics, and related operations as instructed.
Categories of data subjects: the Client's leads, prospects, customers, end users, suppliers, and personnel, as determined by the Client.
Categories of personal data: business contact details (name, role, company, email, phone), communication content (emails, tickets, call transcripts where instructed), CRM records, usage data. No special-category data unless expressly agreed in the SOW with additional safeguards.
Frequency: continuous for the duration of the services.
Annex 2 — Authorised sub-processors (as of the effective date)
Anthropic (US/EU) — LLM inference (Claude) — model processing of project data where used.
OpenAI (US/EU) — LLM inference (GPT) — model processing of project data where used.
Supabase (US/EU regions as configured) — managed PostgreSQL database and authentication.
n8n (self-hosted by StackV, or n8n GmbH cloud, Germany — per SOW) — workflow orchestration.
Google (Workspace / Cloud, US/EU) — email, documents, and cloud infrastructure.
Apify (Czech Republic/EU) — web data collection, where instructed.
Slack Technologies (US) — operational notifications and escalation, where used.
GitHub (US) — code repositories (no production personal data by design).
Sentry (US/EU) — error monitoring (personal data scrubbed where feasible).
[Adjust this list per engagement — strike out providers not used; add Clearbit/Apollo/HubSpot or others only where the SOW includes them.]
Annex 3 — Technical and organisational measures (TOMs)
Access control: unique accounts, MFA on production systems, role-based least privilege, prompt revocation on offboarding, no shared credentials; client credentials stored in a secrets manager, never in code.
Encryption: TLS 1.2+ in transit; AES-256 (or provider-equivalent) at rest for databases and backups.
Environment separation: development, staging, and production isolated; production personal data not used in development without anonymisation or written instruction.
Logging and monitoring: audit logs on production access and workflow runs; error and uptime monitoring with alerting; kill switches on automated pipelines.
Data minimisation: only fields needed for the instructed purpose are collected and retained; retention and deletion per Section 10.
Vendor management: sub-processors assessed for security posture and bound by data-protection terms; transfers safeguarded per Section 8.
Resilience and recovery: automated backups with defined rotation; documented restore procedure; incident-response runbook with 48-hour client notification commitment.
Organisational: confidentiality undertakings for all personnel and contractors; security and privacy training; documented SDLC with code review; principle of human oversight for consequential automated actions.
Signed by execution of the Agreement / SOW that references this DPA. Counter-signature copies available on request: stackv@stackv.online