Data Processing Agreement (DPA)

Last updated: April 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between StackSerp Inc. (“Processor”) and the customer (“Controller”) and governs the processing of personal data as defined under applicable data protection legislation, including the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1. Definitions

  • Personal Data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on personal data, including collection, storage, use, or deletion.
  • Controller — the customer who determines the purposes and means of data processing.
  • Processor — StackSerp Inc., which processes data on behalf of the Controller.
  • Sub-processor — a third party engaged by StackSerp to assist in data processing.

2. Scope and Purpose of Processing

StackSerp processes personal data solely as necessary to provide the services described in our Terms of Service. This includes storing account information, processing payments via Stripe, and transmitting content generation prompts to AI sub-processors (such as Google AI and Perplexity) to fulfill service requests.

3. Controller Obligations

The Controller agrees to:

  • Ensure a lawful basis exists for all personal data provided to StackSerp for processing
  • Provide appropriate notice to data subjects about StackSerp's role as a processor
  • Not instruct StackSerp to process personal data in violation of applicable laws

4. Processor Obligations

StackSerp agrees to:

  • Process personal data only on documented instructions from the Controller
  • Ensure personnel authorized to process personal data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in fulfilling data subject rights requests
  • Delete or return all personal data upon termination of the services agreement
  • Provide all information necessary to demonstrate compliance with this DPA

5. Sub-Processors

StackSerp currently uses the following categories of sub-processors:

  • Cloud Infrastructure — Vercel, DigitalOcean (hosting and database)
  • Payment Processing — Stripe (billing and subscription management)
  • AI Services — Google AI Studio / Gemini (content generation), Perplexity AI (research)
  • File Storage — Backblaze B2 (image storage)

StackSerp will notify the Controller of any intended changes to sub-processors with reasonable advance notice. The Controller may object to new sub-processors by providing written notice within 14 days.

6. International Data Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). StackSerp ensures such transfers are subject to appropriate safeguards, including Standard Contractual Clauses (SCCs) where required.

7. Security Measures

StackSerp implements the following technical and organizational measures:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256)
  • Access controls and authentication requirements for all personnel
  • Regular security assessments and vulnerability management
  • Incident response procedures with breach notification timelines
  • Logical separation of customer data in multi-tenant environments

8. Data Subject Rights

StackSerp will assist the Controller in responding to data subject requests for access, rectification, erasure, restriction, portability, or objection within applicable timeframes. Requests can be submitted to privacy@stackserp.com.

9. Data Breach Notification

In the event of a personal data breach, StackSerp will notify the Controller without undue delay and within 72 hours of becoming aware, providing sufficient information to allow the Controller to meet its own notification obligations.

10. Data Retention and Deletion

Upon termination of the services agreement, StackSerp will delete or return all personal data within 30 days, unless longer retention is required by law. Anonymized or aggregated data may be retained for analytics purposes.

11. Governing Law

This DPA is governed by the laws applicable to the main Terms of Service agreement between the parties.

For DPA-related inquiries, contact: privacy@stackserp.com