Data Processing Agreement

Last updated: 3 December 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Service between StudioStack Ltd ("Processor", "we", "us") and you ("Controller", "Customer") for the processing of personal data by StudioStack on your behalf.

This DPA applies where you upload personal data about your clients to StudioStack and we process that data on your behalf. By using StudioStack, you agree to this DPA.

1. Definitions

In this DPA, the following terms have the following meanings:

  • "Data Protection Laws" means the UK General Data Protection Regulation (UK GDPR), the Data Protection Act 2018, and any other applicable data protection legislation in the UK.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by StudioStack on your behalf.
  • "Processing" means any operation performed on Personal Data, such as collection, storage, use, disclosure, or deletion.
  • "Controller" means the natural or legal person that determines the purposes and means of processing Personal Data.
  • "Processor" means the natural or legal person that processes Personal Data on behalf of the Controller.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Data Subject" means the individual whose Personal Data is processed.
  • "Customer Data" means the Personal Data you upload to StudioStack about your clients and contacts.

2. Scope and Roles

2.1 Your Role as Controller

When you use StudioStack, you act as the Data Controller for Customer Data. This means you:

  • Determine what Personal Data to collect from your clients
  • Decide the purposes for which Customer Data is processed
  • Are responsible for having a lawful basis to process the data
  • Must comply with your obligations under Data Protection Laws
  • Are responsible for responding to Data Subject rights requests

2.2 Our Role as Processor

StudioStack acts as a Data Processor for Customer Data. This means we:

  • Process Customer Data only on your documented instructions
  • Implement appropriate technical and organisational security measures
  • Assist you in responding to Data Subject requests
  • Notify you of any Personal Data breaches
  • Delete or return Customer Data upon termination

2.3 Categories of Data Processed

The Customer Data we process on your behalf may include:

  • Contact information: Names, email addresses, phone numbers, addresses
  • Business information: Company names, business numbers, billing details
  • Job information: Dates, locations, descriptions, pricing
  • Financial information: Invoice details, payment records
  • Visual content: Photographs and images you upload
  • Communication preferences: Notification settings

3. Processing Instructions

3.1 Your Instructions

We will only process Customer Data in accordance with your documented instructions, which include:

  • The processing necessary to provide the StudioStack service as described in our Terms of Service
  • Your configuration and settings within the Service
  • Any additional written instructions you provide

3.2 Purpose of Processing

We process Customer Data solely to:

  • Provide, maintain, and improve the StudioStack service
  • Store, host, and back up your data
  • Display data in the client portal as you direct
  • Send email notifications as configured by you
  • Synchronise data with third-party integrations you connect
  • Comply with applicable legal requirements

3.3 Lawfulness of Instructions

If we believe that any instruction you give us would infringe Data Protection Laws, we will promptly notify you. We will not process Customer Data in a manner that we believe would violate applicable law.

4. Security Measures

4.1 Technical Measures

We implement appropriate technical security measures, including:

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest where technically feasible
  • Secure password hashing using industry-standard algorithms
  • Regular security testing and vulnerability assessments
  • Automated security monitoring and alerting
  • Access controls and authentication requirements
  • Regular backups and disaster recovery procedures

4.2 Organisational Measures

We implement appropriate organisational security measures, including:

  • Limiting access to Customer Data to authorised personnel only
  • Ensuring personnel are bound by confidentiality obligations
  • Security awareness and training for personnel
  • Incident response and breach notification procedures
  • Regular review and updating of security measures

4.3 Your Security Responsibilities

You are responsible for:

  • Maintaining the security of your account credentials
  • Enabling multi-factor authentication when available
  • Ensuring your devices and networks are secure
  • Training your staff on data protection practices
  • Reporting any suspected security incidents promptly

5. Sub-processors

5.1 Authorisation

You authorise us to engage sub-processors to process Customer Data on your behalf. We will ensure that sub-processors are bound by data protection obligations no less protective than those in this DPA.

5.2 Current Sub-processors

Our current sub-processors include:

Sub-processor                  Purpose                      Location
Vercel Inc.                    Frontend hosting             United States
Render Services, Inc.          Backend hosting              United States
Neon Inc.                      Database hosting             United States
Cloudflare, Inc.               CDN, storage, security       Global
Resend, Inc.                   Email delivery               United States
Upstash, Inc.                  Queue management (Redis)     United States
Sentry (Functional Software)   Error tracking               United States
Xero Limited*                  Accounting integration       New Zealand/Global

* Only processes data when you connect the integration

5.3 Changes to Sub-processors

We may add or change sub-processors from time to time. We will update the list above when significant changes occur. If you object to a new sub-processor, you may terminate your account by giving written notice (to the contact address in section 13) within 30 days of the change being published.

6. International Data Transfers

Some of our sub-processors are located outside the United Kingdom. Where Customer Data is transferred outside the UK, we ensure appropriate safeguards are in place:

  • UK Adequacy Decisions: Transfers to countries with UK adequacy decisions
  • Standard Contractual Clauses: the UK International Data Transfer Agreement (IDTA), or the EU Standard Contractual Clauses together with the UK International Data Transfer Addendum
  • Supplementary Measures: Additional technical and organisational measures where required

Upon request, we can provide copies of the transfer mechanisms in place with our sub-processors.

7. Data Subject Rights

7.1 Your Responsibility

As the Controller, you are responsible for responding to requests from Data Subjects (your clients) to exercise their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2 Our Assistance

We will assist you in responding to Data Subject requests by:

  • Providing tools in the Service to access, export, correct, and delete Customer Data
  • Promptly forwarding any requests we receive directly from Data Subjects to you
  • Providing reasonable technical assistance where requested

7.3 Direct Requests

If a Data Subject contacts us directly regarding their data in your account, we will refer them to you as the Controller, unless we are legally required to respond directly.

8. Data Breaches

8.1 Notification

We will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting Customer Data. Our notification will include:

  • A description of the nature of the breach
  • The categories and approximate number of Data Subjects affected
  • The likely consequences of the breach
  • Measures taken or proposed to address the breach

8.2 Your Obligations

As Controller, you are responsible for determining whether to notify the Information Commissioner's Office (ICO) and/or affected Data Subjects, and for doing so within the statutory timescales (a notifiable breach must be reported to the ICO without undue delay and, where feasible, within 72 hours of you becoming aware of it). We will provide reasonable cooperation and information to assist with your breach response.

9. Data Retention and Deletion

9.1 During the Agreement

We will retain Customer Data for as long as necessary to provide the Service and as required by applicable law. You can delete specific Customer Data at any time through the Service interface.

9.2 Upon Termination

Upon termination of your account:

  • We will delete or anonymise Customer Data within 90 days
  • You may export your data before account closure using our export tools
  • Backups may contain Customer Data for up to 90 days after deletion
  • We may retain data as required by law (e.g., financial records for 7 years)

9.3 Certification

Upon request, we will certify in writing that we have deleted Customer Data in accordance with this DPA, subject to any legal retention requirements.

10. Audits and Compliance

10.1 Information

We will make available to you information necessary to demonstrate compliance with our obligations under this DPA and Data Protection Laws. This may include security certifications, audit reports, or responses to security questionnaires.

10.2 Audits

We will allow for and contribute to audits conducted by you or a third-party auditor, subject to reasonable advance notice, confidentiality obligations, and scope limitations to protect other customers' data and our proprietary information.

11. Your Obligations as Controller

You represent and warrant that:

  • You have a lawful basis for processing Customer Data
  • You have provided appropriate privacy notices to Data Subjects
  • You have obtained any necessary consents where required
  • Your instructions to us comply with Data Protection Laws
  • You will respond to Data Subject requests in a timely manner
  • You will notify us of any changes affecting this DPA

12. General

12.1 Conflict

In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

12.2 Changes

We may update this DPA from time to time to reflect changes in our practices or legal requirements. Material changes will be communicated to you via email or through the Service.

12.3 Governing Law

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

13. Contact

For questions about this DPA or our data processing practices, please contact us:

Email: hello@studiostack.co.uk

StudioStack Ltd
Registered in England and Wales