Data Processing Agreement
Standard DPA with Standard Contractual Clauses for enterprise and compliance-conscious customers.
Contact mail@stak.pe to receive the DPA as a downloadable PDF. We will respond within 1 business day.
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the Customer ("Data Controller") and Adamas Group SA ("Data Processor"), registered at Route des Acacias 43, 1227 Geneva, Switzerland.
1. Scope & Subject Matter
This DPA governs the processing of personal data by the Data Processor on behalf of the Data Controller in connection with the provision of the Stak platform.
- Categories of data: Investor personal data (name, email, address, nationality), investment data (commitments, values), partner data
- Data subjects: Investors, partners, and team members of the Data Controller
- Purpose: Providing the Stak deal management platform
- Duration: For the term of the SaaS subscription
2. Processor Obligations
The Data Processor shall:
- Process personal data only on documented instructions from the Data Controller
- Ensure all personnel processing data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Data Controller in responding to data subject rights requests
- Notify the Data Controller of any personal data breach without undue delay (within 72 hours)
- Delete or return all personal data upon termination, at the Controller's choice
- Make available information necessary to demonstrate compliance
3. Security Measures
The Data Processor implements the following security measures:
- 256-bit TLS encryption for data in transit
- AES-256 encryption for data at rest
- Two-factor authentication (2FA/TOTP)
- Role-based access control (RBAC) with principle of least privilege
- Full audit logging of all data access and modifications
- Rate limiting and DDoS protection
- Regular security assessments and penetration testing
- Incident response procedures and breach notification protocols
4. Sub-processors
The Data Processor uses the following sub-processors:
| Sub-processor | Service | Location |
|---|---|---|
| Vercel Inc. | Hosting & CDN | United States / EU |
| MongoDB Inc. | Database hosting | EU (Frankfurt) |
| Upstash Inc. | Rate limiting & caching | EU |
| Resend Inc. | Transactional email | United States |
| Functional Software (Sentry) | Error monitoring | United States |
The Data Controller will be notified at least 30 days before any new sub-processor is engaged. The Data Controller may object to the appointment of a new sub-processor on reasonable grounds.
5. International Data Transfers
For transfers of personal data outside the EEA/Switzerland, the Data Processor relies on:
- Standard Contractual Clauses (SCCs) per GDPR Art. 46(2)(c)
- Switzerland's adequacy status under GDPR
- Additional safeguards including encryption and access controls
The Data Processor also complies with the Swiss Federal Act on Data Protection (nFADP) requirements for cross-border data transfers.
6. Data Subject Rights Assistance
The Data Processor will assist the Data Controller in fulfilling data subject rights requests, including access, rectification, erasure, and portability. The Processor will respond to Controller instructions regarding data subject requests within 5 business days.
7. Term & Termination
This DPA is effective for the duration of the SaaS subscription and automatically renews with each contract renewal.
Upon termination, the Data Processor will, at the Data Controller's election, return all personal data or delete it within 30 days. Backup copies will be permanently purged within 90 days of termination.
8. Liability
Each party is liable for damages caused by its own breach of this DPA or applicable data protection laws. Liability is subject to the limitations set forth in the main Terms of Service.
9. Contact
For DPA-related inquiries or to request a signed copy:
Adamas Group SA
Route des Acacias 43
1227 Geneva, Switzerland
Email: mail@stak.pe