Data Processing Agreement (DPA)

Relating to the use of Stiddle’s Website and Services

Updated 04/01/24

DATA PROCESSING AGREEMENT

This Data Processing Agreement ("DPA") is entered into between Stiddle Inc., a company registered in the state of Delaware, USA ("Data Processor"), and the entity identified as the Customer in the applicable service agreement ("Data Controller").

1. Definitions

"Data Protection Legislation" means all applicable laws and regulations relating to the processing of personal data and privacy, including but not limited to the General Data Protection Regulation (GDPR) (EU 2016/679), UK GDPR, the California Consumer Privacy Act (CCPA), and any other applicable privacy laws.

"Personal Data" means any data that relates to an identified or identifiable natural person, including customer profiles, behavioral data, and marketing analytics collected through Stiddle’s platform.

"Processing" means any operation or set of operations performed on Personal Data, such as collection, recording, structuring, storage, retrieval, use, disclosure, or deletion.

"Sub-Processor" means any third party engaged by Stiddle to assist in processing Personal Data.

2. Scope and Role of the Parties

2.1 The Customer is the Data Controller, and Stiddle acts as a Data Processor processing Personal Data on behalf of the Customer in providing its customer intelligence and marketing optimization services.

2.2 Stiddle will process Personal Data solely for the purpose of providing the Services as described in the agreement between the parties and shall not use Personal Data for any other purpose.

3. Obligations of Stiddle

3.1 Compliance with Laws: Stiddle shall comply with all applicable Data Protection Legislation.

3.2 Confidentiality: Stiddle ensures that its employees, contractors, and Sub-Processors handling Personal Data are bound by confidentiality obligations.

3.3 Security Measures: Stiddle implements industry-standard security measures, including:
Access Controls: Role-based access control (RBAC) and multi-factor authentication (MFA).
Data Encryption: Encryption of Personal Data in transit and at rest.
Incident Management: 24/7 monitoring, breach detection, and a structured response plan.
Data Minimization: Collection of only necessary data and prompt deletion upon request.

3.4 Data Breach Notification: In case of a Personal Data Breach, Stiddle will notify the Data Controller without undue delay and provide necessary assistance in investigating and mitigating the breach.

4. Obligations of the Customer

4.1 The Customer shall ensure that the Personal Data provided to Stiddle is collected and shared in compliance with applicable Data Protection Legislation.

4.2 The Customer is responsible for responding to Data Subject Requests (DSRs) and will provide Stiddle with reasonable assistance to fulfill such requests when necessary.

5. Sub-Processors

5.1 Stiddle may engage third-party Sub-Processors to assist in providing the Services. The list of current Sub-Processors includes:
Amazon Web Services (AWS) – Cloud hosting and storage.
Google Cloud Platform – Data processing and analytics.
Meta Ads & Google Ads – Advertising and campaign management.
Shopify, WooCommerce – Ecommerce CMS.
IP Info – IP location services.
Slack – Internal team communications.
PostHog – Customer analytics.
OpenAI – AI models.

5.2 Stiddle will inform the Customer of any new Sub-Processor and provide an opportunity to object within 7 days before the change takes effect.

6. Data Subject Rights & Assistance

6.1 Stiddle shall assist the Customer in fulfilling Data Subject Requests, including access, rectification, deletion, and data portability rights, as applicable under GDPR, CCPA, or other relevant laws.

6.2 If Stiddle receives a request directly from a Data Subject, it shall not respond and shall promptly notify the Customer.

7. International Data Transfers

7.1 If Personal Data is transferred outside the European Economic Area (EEA), UK, or other jurisdictions requiring specific safeguards, such transfers will be conducted using one of the following mechanisms:
Adequacy Decision: If the recipient country has been deemed adequate by the relevant regulatory body.
Standard Contractual Clauses (SCCs): In the absence of an adequacy decision.
Binding Corporate Rules (BCRs): Where applicable.

7.2 Stiddle shall implement additional security measures, such as pseudonymization and encryption, where necessary for international transfers.

8. Data Retention & Deletion

8.1 Stiddle shall retain Personal Data only for as long as necessary to fulfill its contractual obligations or as required by law.

8.2 Upon termination of the agreement, Stiddle shall, at the Customer’s instruction, either delete or return all Personal Data, except where retention is required by law.

9. Data Processing Details

Data Controller: [Customer Name]

Data Processor: Stiddle Inc.

Subject Matter of Processing: Processing of marketing and customer engagement data for analytics and enrichment.

Nature & Purpose of Processing: Collection, analysis, and reporting of customer engagement data to optimize digital experiences.

Duration of Processing: The duration of processing shall be limited to the term of the agreement unless otherwise required by law.

Data Subjects: Customers and potential customers of the Customer who interact with the Customer’s website and digital advertising campaigns.

Categories of Personal Data:
Behavioral Data (e.g., user engagement, session data)
Contact Details (e.g., email, phone number)
Transaction Data (e.g., purchases, conversion metrics)
Metadata and Analytics (e.g., IP address, device identifiers)

Processing Operations: Data collection, segmentation, analytics, reporting, and campaign performance optimization.

Data Retention: Personal Data shall be deleted immediately once processing is complete, unless otherwise required by law.

Processing Locations: UK, EU, USA.

10. Governing Law & Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the USA, and any disputes arising shall be subject to the exclusive jurisdiction of Delaware, USA.

IN WITNESS WHEREOF, the parties have executed this DPA as of the Effective Date.