StackTidy

Data Processing Agreement

Last updated: February 24, 2026

To execute this DPA, please contact legal@stacktidy.com.

1. Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Customer ("Controller"): The entity that has agreed to the StackTidy Terms of Service and uses the Service on behalf of its organization.
  • Poverud IT ("Processor"): Organization number 933 572 781, registered in Norway, operating as StackTidy.

This DPA supplements and forms part of the StackTidy Terms of Service ("Agreement") between the Controller and the Processor.

2. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • Processing: Any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, combination, restriction, erasure, or destruction.
  • Controller: The natural or legal person which determines the purposes and means of the Processing of Personal Data.
  • Processor: The natural or legal person which processes Personal Data on behalf of the Controller.
  • Sub-processor: Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • Data Subject: The identified or identifiable natural person to whom Personal Data relates.
  • Supervisory Authority: An independent public authority established by an EU/EEA Member State pursuant to the GDPR.

3. Scope and Purpose

The Processor processes Personal Data solely for the purpose of providing the StackTidy Service ("Service") to the Controller as described in the Agreement. This includes:

  • Automatic subscription detection from email content
  • Subscription tracking, analytics, and spend reporting
  • Renewal reminders and notification delivery
  • AI-powered overlap detection and chat assistance
  • Team management and multi-organization collaboration
  • Data import and export functionality

The categories of Personal Data processed may include: names, email addresses, subscription and billing information, usage data, and email metadata. The categories of Data Subjects may include: the Controller's employees, contractors, and authorized users of the Service.

4. Obligations of the Processor

The Processor shall:

  • Process on instructions: Process Personal Data only on documented instructions from the Controller, including with respect to transfers of Personal Data to a third country or international organization, unless required to do so by Union or Member State law. In such a case, the Processor shall inform the Controller of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest.
  • Confidentiality: Ensure that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  • Security measures: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, as further described in Section 7 of this DPA.
  • Sub-processors: Not engage another processor without prior specific or general written authorization of the Controller, in accordance with Section 5 of this DPA.
  • Data Subject requests: Assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the Data Subject's rights under the GDPR.
  • Assistance with obligations: Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to the Processor.
  • Deletion or return: At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to Processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data.
  • Audit: Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.

5. Sub-processors

The Controller grants the Processor general written authorization to engage Sub-processors for the Processing of Personal Data. The current list of Sub-processors is maintained at /subprocessors.

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes.

If the Controller objects to the engagement of a new Sub-processor on reasonable grounds relating to the protection of Personal Data, the Processor shall use reasonable efforts to make available to the Controller a change in the Service or recommend a commercially reasonable change to the Controller's configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Sub-processor.

Where the Processor engages a Sub-processor for carrying out specific Processing activities on behalf of the Controller, the same data protection obligations as set out in this DPA shall be imposed on that Sub-processor by way of a contract, in particular providing sufficient guarantees to implement appropriate technical and organizational measures.

6. Data Transfers

Where Personal Data is transferred to countries outside the European Economic Area (EEA) that have not been deemed to provide an adequate level of data protection by the European Commission, the Processor shall ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs): The Processor and its Sub-processors rely on the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor, and Module 3: Processor to Processor) for transfers of Personal Data outside the EEA where no adequacy decision exists.
  • EU-US Data Privacy Framework: Where applicable, transfers to the United States may rely on the EU-US Data Privacy Framework for Sub-processors that have self-certified under the framework.
  • Supplementary measures: The Processor shall implement supplementary technical and organizational measures as necessary to ensure that the level of protection of Personal Data is not undermined by the transfer.

7. Security Measures

In accordance with Article 32 of the GDPR, the Processor implements and maintains the following technical and organizational measures to protect Personal Data:

  • Encryption at rest: Application-level encryption using AES-256-GCM for sensitive data including OAuth credentials and access tokens, in addition to infrastructure-level encryption provided by hosting providers.
  • Encryption in transit: All data transmitted between the Service and its users, as well as between the Service and Sub-processors, is encrypted using TLS 1.2 or higher.
  • Access controls: Role-based access controls, multi-factor authentication for administrative access, and principle of least privilege for all system access.
  • Audit logging: Structured, enterprise-ready logging of all significant system events, data access, and administrative actions. Logs include request correlation IDs and automatic sensitive data sanitization.
  • Incident response: Documented incident response procedures including detection, containment, eradication, recovery, and post-incident review.
  • Data minimization: Email content is processed transiently for subscription detection; only extracted subscription metadata is stored. Raw email bodies and bank statement files are not retained.
  • Network security: Rate limiting and abuse prevention via Upstash Redis, DDoS protection via hosting provider (Vercel), and secure webhook verification for all inbound integrations.

8. Data Breach Notification

In the event of a Personal Data breach, the Processor shall:

  • Notify the Controller without undue delay, and no later than 48 hours after becoming aware of the breach.
  • Provide the Controller with sufficient information to allow the Controller to meet any obligations to report or inform Data Subjects of the breach under the GDPR.
  • Include in the notification, to the extent available: the nature of the Personal Data breach including the categories and approximate number of Data Subjects and Personal Data records concerned; the name and contact details of a point of contact; a description of the likely consequences; and a description of the measures taken or proposed to address the breach and mitigate its possible adverse effects.
  • Cooperate with the Controller and take reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation, and remediation of the breach.
  • Document the breach including its effects and the remedial action taken.

9. Data Subject Rights

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including:

  • Right of access (Article 15): Providing copies of Personal Data processed.
  • Right to rectification (Article 16): Correcting inaccurate Personal Data.
  • Right to erasure (Article 17): Deleting Personal Data where applicable.
  • Right to data portability (Article 20): Providing Personal Data in a structured, commonly used, and machine-readable format.
  • Right to restriction of processing (Article 18): Restricting the Processing of Personal Data where applicable.
  • Right to object (Article 21): Ceasing Processing where the Data Subject objects.

The Service provides self-service tools for data export and account deletion accessible from Settings. The Processor shall respond to Controller requests regarding Data Subject rights within a reasonable timeframe and in any event within the timeframes required by the GDPR.

10. Duration and Termination

This DPA shall be effective for the duration of the Agreement between the Controller and the Processor. Upon termination of the Agreement:

  • The Processor shall, at the Controller's choice, delete or return all Personal Data within 30 days of termination, unless Union or Member State law requires further storage.
  • The Processor shall provide the Controller with the ability to export their data prior to deletion through the Service's built-in export functionality.
  • Upon completion of deletion, the Processor shall certify the deletion to the Controller upon request.

Provisions of this DPA that by their nature should survive termination shall survive, including but not limited to obligations relating to confidentiality and data breach notification.

11. Governing Law

This DPA shall be governed by and construed in accordance with the laws of Norway, without regard to its conflict of law provisions. Any disputes arising from this DPA shall be resolved in the courts of Norway.

Where there is any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the Processing of Personal Data.

12. Contact

For questions about this DPA or to execute a signed copy, please contact us at:

Email: legal@stacktidy.com

Privacy PolicyTerms of ServiceSub-processors