Data Processing Agreement
Last updated: 8/29/2025
Version: 1.0
Effective date: 8/29/2025
This Data Processing Agreement ("DPA") forms part of the Terms of Service between SwapStack, Inc. ("Data Processor" or "SwapStack") and the Customer ("Data Controller") using SwapStack's services, to reflect our mutual agreement with regard to the processing of personal data in accordance with the requirements of applicable data protection laws including the GDPR.
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person as defined under applicable data protection laws.
- "Processing": Any operation performed on personal data, including collection, recording, storage, alteration, retrieval, use, disclosure, or deletion.
- "Data Subject": An identifiable natural person whose personal data is processed.
- "Sub-processor": Any third party appointed by SwapStack to process personal data on behalf of the Customer.
- "Data Breach": A breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal data.
2. Scope and Roles
2.1 Scope of Processing
This DPA applies to all personal data processed by SwapStack on behalf of the Customer in connection with the provision of SwapStack's services as described in our Terms of Service.
2.2 Role of the Parties
- Customer as Controller: Determines the purposes and means of processing personal data
- SwapStack as Processor: Processes personal data only on documented instructions from the Customer
- Joint Controller Scenarios: Where both parties determine purposes and means, a separate agreement will govern
3. Categories of Data and Data Subjects
3.1 Categories of Data Subjects
- Customer's employees and contractors
- Customer's clients and prospects
- Business owners and representatives
- End users of Customer's services
- Other individuals whose data Customer provides
3.2 Categories of Personal Data
- Contact information (names, email addresses, phone numbers)
- Business information (company names, roles, titles)
- Financial information (transaction data, payment details)
- Communication data (messages, inquiries, support tickets)
- Technical data (IP addresses, browser information, usage logs)
- Any other data Customer chooses to process using our services
4. SwapStack's Obligations
4.1 Compliance with Instructions
SwapStack shall process personal data only in accordance with documented instructions from the Customer, unless required by applicable laws to do otherwise. If such legal requirement exists, SwapStack shall inform the Customer unless prohibited by law.
4.2 Confidentiality
SwapStack ensures that persons authorized to process personal data have committed themselves to confidentiality or are under appropriate statutory obligation of confidentiality.
4.3 Security Measures
SwapStack shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit and at rest
- Ongoing confidentiality, integrity, availability, and resilience of systems
- Ability to restore access to personal data in a timely manner
- Regular testing and evaluation of security measures
4.4 Assistance with Data Subject Rights
SwapStack shall assist the Customer by appropriate technical and organizational measures in fulfilling obligations to respond to data subject requests for exercising their rights under applicable data protection laws.
5. Sub-processing
5.1 Authorized Sub-processors
The Customer provides general authorization for SwapStack to engage sub-processors to assist in providing the services. Current sub-processors include:
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting | United States |
| Stripe | Payment processing | United States |
| SendGrid | Email services | United States |
| Google Analytics | Analytics | United States |
5.2 Sub-processor Requirements
SwapStack shall:
- Impose data protection obligations on sub-processors substantially similar to those in this DPA
- Remain fully liable for sub-processor performance
- Notify Customer of intended changes concerning sub-processors
- Provide Customer opportunity to object to new sub-processors
6. Data Breach Notification
Breach Response Procedures
SwapStack shall notify the Customer without undue delay after becoming aware of a personal data breach, providing:
- Nature of the breach and categories of data affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact details for more information
- Estimated number of affected data subjects and records
SwapStack shall cooperate with the Customer and take reasonable commercial steps as directed by the Customer to assist in the investigation, mitigation, and remediation of each personal data breach.
7. Audits and Compliance
7.1 Right to Audit
SwapStack shall make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, by the Customer or an auditor mandated by the Customer.
7.2 Audit Procedures
- Customer must provide at least 30 days' written notice
- Audits shall be conducted during regular business hours
- Customer bears all costs of audits unless material non-compliance is found
- SwapStack may provide recent third-party audit reports instead
- All audit findings are confidential
8. International Data Transfers
For transfers of personal data outside the EEA, SwapStack shall ensure appropriate safeguards are in place:
Transfer Mechanisms
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Adequacy decisions where applicable
- Other legally approved transfer mechanisms
- Supplementary measures where required by law
9. Data Return and Deletion
Upon termination of the services or upon Customer's request, SwapStack shall:
- Return all personal data to the Customer in a commonly used format
- Delete all copies of personal data in its possession
- Certify in writing that deletion has been completed
- Retain data only if required by applicable law
Note: Data deletion requests will be processed within 30 days, excluding data in backup systems which will be deleted according to standard backup rotation schedules.
10. Liability and Indemnification
Each party's liability arising out of or related to this DPA shall be subject to the exclusions and limitations of liability set forth in the Terms of Service.
The Customer shall indemnify SwapStack against all claims, actions, third-party claims, losses, damages and expenses incurred by SwapStack in connection with the Customer's failure to comply with applicable data protection laws.
11. Term and Termination
This DPA shall remain in effect for the duration of the Terms of Service. Termination of the Terms of Service shall automatically terminate this DPA.
Obligations regarding confidentiality, data deletion, and any provisions intended to survive termination shall continue after termination of this DPA.
12. Governing Law and Jurisdiction
This DPA shall be governed by the same law and jurisdiction provisions as specified in the Terms of Service, except where data protection laws require otherwise.
13. Contact Information
Data Protection Contact
SwapStack Data Protection Officer
Email: dpo@swapstack.ai
Privacy Inquiries: privacy@swapstack.ai
Address: SwapStack, Inc.
548 Market St #14966
San Francisco, CA 94104
United States
For general support inquiries not related to data protection, please contact: support@swapstack.ai
GDPR-Compliant Data Processing
This DPA ensures your data processing activities comply with GDPR and other applicable data protection regulations.