Data Processing Agreement

Last updated: March 1, 2026

1. Overview

This Data Processing Agreement ("DPA") forms part of the agreement between StackTalk, Inc. ("Processor") and the customer ("Controller") for the provision of StackTalk's compliance platform services. This DPA sets out the terms governing the processing of personal data by the Processor on behalf of the Controller.

2. Definitions

Capitalized terms used in this DPA, including "Personal Data," "Processing," "Data Subject," and "Sub-processor," have the meanings given to them in the General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws.

3. Scope of Processing

The Processor shall process Personal Data only to the extent necessary to provide the Services, which include:

  • Processing compliance metadata to provide regulatory intelligence and automation features
  • Storing evidence and control documentation uploaded by the Controller
  • Generating compliance reports and audit packages as requested by the Controller
  • Providing customer support and platform administration

4. Security Measures

The Processor implements and maintains appropriate technical and organizational measures, including:

  • Encryption of data at rest (AES-256) and in transit (TLS 1.3)
  • Role-based access control with least-privilege defaults
  • Multi-factor authentication for all personnel accessing Personal Data
  • Regular security assessments and annual third-party penetration testing
  • UDAAP compliance maintained continuously
  • Immutable audit logging of all data access and modifications

5. Sub-processors

The Processor maintains a list of approved sub-processors, available upon request. The Controller will be notified at least 30 days before any new sub-processor is engaged, with the opportunity to object. All sub-processors are bound by data processing terms no less protective than those in this DPA.

6. Data Subject Rights

The Processor shall assist the Controller in responding to Data Subject requests, including access, rectification, erasure, and portability requests. The Processor will notify the Controller promptly upon receiving any Data Subject request directly.

7. Data Breach Notification

The Processor shall notify the Controller without undue delay (and in any event within 48 hours) upon becoming aware of a Personal Data breach. Notification will include the nature of the breach, affected data categories, approximate number of affected records, and remedial measures taken.

8. Data Retention & Deletion

Upon termination of the Services, the Processor shall, at the Controller's election, return or delete all Personal Data within 90 days. A certificate of deletion will be provided upon request.

9. Contact

To request a signed copy of this DPA or for data protection inquiries, contact dpa@stacktalk.ai.