# Data Processing Addendum (DPA)

**Stelvox Technologies** · data-processing-addendum · v1.1 · 2026

> Attached to and forms part of the Master Services Agreement (MSA). Where
> Stelvox processes personal data on behalf of the Client, this DPA governs.

---

## 1. Definitions

Terms used here have the meanings given in the UK GDPR and the EU GDPR.
"Client Personal Data" means any personal data that Stelvox processes on
behalf of the Client under the MSA or a SOW.

## 2. Roles

The Client is the **controller** of Client Personal Data. Stelvox is the
**processor**, acting only on documented instructions from the Client.

## 3. Subject matter, duration, nature, and purpose

| Item | Description |
|---|---|
| Subject matter | Engineering services described in the SOW |
| Duration | The term of the relevant SOW |
| Nature and purpose | Software design, development, testing, deployment, and support |
| Categories of data subjects | The Client's end users, employees, and contractors |
| Categories of personal data | As described in the SOW; typically contact details, account identifiers, application telemetry |
| Special categories | Only if expressly listed in the SOW. None by default. |

## 4. Sub-processors

Stelvox uses the following sub-processors. The Client consents to these on
signature; Stelvox will give **14 days'** notice of any addition, and the
Client may object on reasonable grounds, in which case the parties will
negotiate a resolution in good faith.

| Sub-processor | Service | Location |
|---|---|---|
| Vercel Inc. | Application hosting | US / EU multi-region |
| Hostinger | VPS hosting | EU (Frankfurt, Lithuania) |
| Lemon Squeezy / Stripe | Payment processing & merchant of record | US, EU |
| Anthropic PBC | LLM inference (where AI features are in scope) | US |
| Resend / Postmark | Transactional email | US |
| GitHub Inc. | Source code hosting | US |

If the SOW includes additional third parties, they will be listed in the
SOW's data-processing appendix.

## 5. International transfers

Where personal data is transferred outside the UK/EEA, transfers rely on:
- the UK Addendum to the EU Standard Contractual Clauses; or
- an equivalent transfer mechanism approved under the UK GDPR and the EU GDPR.

A copy of executed SCCs is available on request.

## 6. Security measures

Stelvox implements appropriate technical and organisational measures,
including but not limited to:

- Encryption of data in transit (TLS 1.2+) and at rest (AES-256 or equivalent).
- Role-based access controls; least-privilege defaults.
- Centralised secret management; no plaintext credentials in source.
- Audit logging on production systems with 90-day minimum retention.
- Endpoint device encryption and screen-lock enforcement for all staff.
- Annual security awareness training and incident-response tabletop.
- Vulnerability scanning and dependency monitoring (Dependabot or equivalent).
- Backup and recovery procedures with documented RPO and RTO targets.

Full security overview: `security-overview.md`.

## 7. Confidentiality

All Stelvox personnel with access to Client Personal Data are bound by
written confidentiality obligations no less protective than those in §7 of
the MSA.

## 8. Data subject requests

Stelvox will, on reasonable notice and without charging the Client for
ordinary requests, assist the Client in responding to data-subject requests
(access, rectification, erasure, portability, restriction of processing,
objection).

## 9. Personal data breaches

Stelvox will notify the Client **without undue delay and in any event
within 48 hours** of becoming aware of a personal data breach affecting
Client Personal Data. The notification will describe the nature of the
breach, the categories and approximate number of data subjects affected,
the likely consequences, and the measures taken or proposed to address it.

## 10. Audits

Stelvox will make available all information necessary to demonstrate
compliance with this DPA, and will allow for and contribute to audits
conducted by the Client or an auditor mandated by the Client, no more than
**once per twelve-month period** (except following a personal data breach),
on reasonable notice and during normal business hours, subject to
reasonable confidentiality obligations.

In lieu of a Client-led audit, the Client may accept a current third-party
attestation or report Stelvox makes available (e.g. SOC 2 Type II or ISO
27001) when those certifications are completed and in force.

## 11. Deletion or return of data

At the end of the SOW, Stelvox will, at the Client's election, return or
delete all Client Personal Data and copies, save where retention is
required by applicable law (e.g. statutory record-keeping). Certification
of deletion will be provided on request.

## 12. Liability

The liability provisions of the MSA (§10) apply to this DPA. To the extent
applicable law requires direct controller-to-processor liability, this DPA
is read accordingly.

## 13. Governing law

This DPA is governed by the law of the MSA. Where the EU GDPR applies, the
law of the EU member state with which the Client has the strongest
connection applies for the purpose of EU GDPR enforcement, without
affecting MSA jurisdiction otherwise.

---

*Last revision: 2026-Q1. Material updates are versioned and announced to
the named billing contact at least 30 days in advance.*
