Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") describes how Stackmint, Inc. processes personal data on behalf of its customers when providing the Stackmint platform and related services.

Last updated: November 30, 2025. This DPA is provided for information purposes and will form part of the agreement between Stackmint and a customer where expressly incorporated by reference.

1. Parties and Roles

This DPA is between the customer entity that has entered into an agreement for the use of the Stackmint platform ("Customer" or "Controller") and Stackmint, Inc. ("Stackmint" or "Processor").

For the purposes of applicable data protection laws, Customer is the controller of personal data, and Stackmint processes personal data as Customer's processor.

2. Subject Matter and Duration

This DPA applies to Stackmint's processing of personal data in connection with Customer's use of the Stackmint platform, including Buds, Branches, runtime execution, integrations, audit logs, and related services (the "Services").

This DPA remains in effect for as long as Stackmint processes personal data on behalf of Customer under the main agreement between the parties.

3. Processing Instructions

Stackmint will process personal data only:

• To provide, maintain, and improve the Services;
• To comply with documented instructions from Customer;
• To comply with applicable laws;
• For security, logging, monitoring, and incident response purposes.

Customer's instructions are primarily given through configuration of its Stackmint account, including the creation of Branches and Buds, configuration of integrations, and API calls.

4. Categories of Data and Data Subjects

The types of personal data processed depend on how Customer uses the Services and may include:

• Business contact details (e.g., names, emails, roles);
• CRM or HR records connected by Customer (e.g., opportunity owners, account managers);
• Content or metadata supplied by Customer in the course of running Branches and Buds.

Data subjects may include Customer's employees, contractors, customers, and other individuals whose data is processed via systems integrated into Stackmint.

5. Security Measures

Stackmint implements appropriate technical and organizational measures designed to protect personal data, including:

• Encryption in transit (TLS) and at rest;
• Role-based access controls and least-privilege access;
• Secrets management for integration credentials;
• Audit logs and execution-level tracing;
• Vulnerability management and security monitoring;
• Regular backups and disaster recovery procedures.

Additional details may be provided in a separate security overview upon request.

6. Confidentiality

Stackmint ensures that persons authorized to process personal data are bound by confidentiality obligations and receive appropriate training on data protection and security.

7. Sub-processors

Stackmint may engage third-party sub-processors to support the Services (for example, cloud hosting providers, logging and monitoring services, email infrastructure, payment processors, and AI model or integration providers).

Stackmint will enter into written agreements with sub-processors requiring data protection obligations no less protective than those set out in this DPA, and will remain responsible for the performance of sub-processors. A list of current sub-processors is available upon request and may be published separately.

8. International Transfers

To the extent Stackmint processes personal data subject to EU, UK, or Swiss data protection laws and transfers such data to a third country, it will implement appropriate transfer mechanisms, such as Standard Contractual Clauses or other legally recognized safeguards.

9. Data Subject Rights

Taking into account the nature of the processing, Stackmint will provide reasonable assistance to Customer in responding to requests from data subjects to exercise their rights under applicable data protection laws (such as access, rectification, deletion, restriction, or portability), where such requests relate to personal data processed via the Services.

Stackmint will not respond directly to data subjects on Customer's behalf unless explicitly authorized in writing.

10. Personal Data Breach Notification

In the event of a personal data breach affecting personal data processed on behalf of Customer, Stackmint will notify Customer without undue delay after becoming aware of the breach and will provide information reasonably required for Customer to meet its legal obligations.

11. Audit, Reports, and Information

Upon reasonable request, Stackmint will make available information necessary to demonstrate compliance with this DPA and applicable data protection laws, which may include security documentation, summaries of third-party audits, or certifications.

Where additional audits are required by law or by a regulator, Customer may conduct (or appoint a third party to conduct) an audit, subject to reasonable notice, scope, and confidentiality obligations.

12. Return or Deletion of Personal Data

Upon termination or expiry of the Services, or upon Customer's written request, Stackmint will delete or return personal data processed on behalf of Customer, unless retention is required by applicable law or for legitimate business record-keeping (e.g., limited back-ups during a defined retention period).

13. Limitation of Liability and Precedence

The limitations of liability agreed between the parties in the main agreement apply equally to this DPA. In the event of a conflict between this DPA and the main agreement, this DPA will prevail with respect to the subject matter of data protection and privacy.