Effective Date: August 09, 2024
This Data Processing Addendum (“DPA”) is a supplement to our Master SaaS Agreement and details our commitments as a data processor for the personal data you entrust to us. It defines our respective roles (you as the Controller, StackBooster as the Processor) and governs how we process data on your behalf. This DPA incorporates standard contractual clauses for international data transfers (like EU SCCs) and outlines our security measures, breach notification procedures, and how we assist you with data subject rights requests. We clarify how we handle the necessary operational telemetry (Service Data) to run the service, confirming it is processed for limited, specific purposes and is subject to strict security and confidentiality.
This Data Processing Addendum (“DPA”) is incorporated into and forms part of the Master SaaS Agreement (“Agreement”) between StackBooster Corporation (“StackBooster”) and the customer entity that has executed the Agreement (“Customer”).
1.1. The terms “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” shall have the meanings given in the GDPR.
1.2. “Data Protection Laws” means all applicable data protection and privacy laws, including the GDPR, the UK GDPR, the CCPA, and any other laws referenced herein.
1.3. “GDPR” means the General Data Protection Regulation (EU) 2016/679.
1.4. “Service Data” has the meaning given in the Agreement and refers to the operational telemetry collected by the StackBooster Agent. For the purposes of this DPA, Service Data is processed for the limited purposes of providing the core functionality of the Platform, security monitoring, troubleshooting, and capacity planning. It is subject to the same security and confidentiality obligations as other data processed under this DPA.
1.5. “SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914.
2.1. Roles. The parties agree that with regard to the Processing of Personal Data, Customer is the Controller and StackBooster is the Processor.
2.2. Processing Instructions. StackBooster will Process Personal Data only in accordance with Customer’s lawful instructions, as set forth in the Agreement and this DPA. The details of the Processing are described in Annex I.
3.1. Security Measures. StackBooster will implement and maintain appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. These measures are detailed in Annex II (“Security Measures”) and are tailored to the risks of processing, including considerations for Kubernetes agents, least-privilege RBAC, secrets handling, and access logging.
4.1. General Authorization. Customer provides a general authorization for StackBooster to engage third-party subprocessors to Process Personal Data on Customer’s behalf.
4.2. Subprocessor List and Notification. StackBooster shall maintain a list of its current subprocessors, which is available at [URL for subprocessor list]. StackBooster will notify Customer of any intended changes to this list, thereby giving Customer the opportunity to object.
5.1. Transfer Mechanisms. For any transfers of Personal Data from the European Economic Area (EEA), the UK, or Switzerland to countries which do not ensure an adequate level of data protection, the parties agree that the SCCs will apply.
5.2. Annexes. The information required by the annexes to the SCCs is completed in Annexes I, II, and III of this DPA.
6.1. DSR Assistance. StackBooster will provide reasonable assistance to Customer to enable Customer to respond to Data Subject Requests (DSRs).
6.2. Audit Rights. Upon reasonable request, StackBooster will make available to Customer information necessary to demonstrate compliance with this DPA. Customer may conduct an audit, at its own expense, no more than once per year, to verify compliance, subject to a reasonable scope and frequency.
7.1. Notification. In the event of a Personal Data Breach, StackBooster will notify Customer without undue delay, and where feasible, within 72 hours of becoming aware of the breach.
8.1. Upon termination of the Agreement, StackBooster will delete or return all Personal Data to Customer, in accordance with the procedures set out in the Agreement.
9.1. For the purposes of the California Privacy Rights Act (“CPRA”), StackBooster is a “Service Provider.” StackBooster will not “sell” or “share” Personal Data (as those terms are defined in the CPRA). StackBooster will not retain, use, or disclose Personal Data for any purpose other than for the specific purpose of performing the services specified in the Agreement.
A. List of Parties
B. Description of Transfer
C. Competent Supervisory Authority: The competent supervisory authority will be determined in accordance with the GDPR.
(This Annex will reference the full Security Documentation, to be drafted separately. Key measures to be listed here will include:)
A current list of subprocessors is maintained at [URL for subprocessor list].
This DPA is structured to be clear and concise, directly incorporating the EU SCCs by reference, which is a common and efficient practice. Unlike some competitor documents that are vague about telemetry, this DPA explicitly classifies “Service Data” and defines its processing purpose, providing greater transparency. The security measures in Annex II are specifically tailored to the context of a Kubernetes agent, mentioning RBAC and secrets handling, which is a level of detail not always present in generic DPAs. The CPRA clause is included to directly address US privacy law requirements for service providers.