Data Processing Addendum

Last Updated: October 10th, 2025

Between: Stackby  (“Processor”) and Customer (“Controller”)

This Data Processing Addendum (“DPA”) is made as of the date it is fully executed (“Effective Date”) by and between Relytree Technologies. Stackby (“Stackby”) and the organization agreeing to these terms (“Customer”). Stackby and Customer may each be referred to as a “Party” and collectively referred to as the “Parties” herein. This DPA is incorporated by reference into the agreement between Customer and Stackby that governs Customer’s use of the Services (“Agreement”). All capitalized terms used but not defined in this DPA will have the meaning set forth in the Agreement.

This DPA sets out the terms that apply when Customer Personal Data is Processed by Stackby under the Agreement. The purpose of the DPA is to ensure such Processing is conducted in accordance with Applicable Law and respects the rights of individuals whose Personal Data is Processed under the Agreement.

This DPA will not become binding and enforceable unless and until it has been validly executed by the Parties. We only execute DPAs with enterprise customers, not other customers.

1. Purpose and Scope

This Data Processing Agreement (“Agreement”) forms part of the Stackby Terms of Service (or other written agreement) between the Customer and Stackby for the provision of Stackby’s database collaboration and automation platform (“Services”).

The Agreement governs Stackby’s processing of Personal Data on behalf of the Customer in connection with the Services, in accordance with applicable Data Protection Laws, including the GDPR, UK GDPR, and CCPA where applicable.

2. Definitions

  1. “Controller”: The entity determining the purposes and means of the processing of Personal Data.
  2. “Processor”: The entity processing Personal Data on behalf of the Controller.
  3. “Customer Personal Data”: Any information relating to an identified or identifiable natural person, except for Business Contact data.
  4. “Data Protection Laws”: All applicable privacy laws, including the EU GDPR, UK GDPR, and CCPA.
  5. “Sub-Processor”: Any third party engaged by Stackby to process Personal Data on behalf of the Customer.
  6. “Services”: the products and services provided by Stackby to Customer as specified in the Agreement.
  7. “Business Contact Data”:  means business contact information and Stackby account log-in data of Customer’s employees and Permitted Users of the Services.
  8. “EEA”: means, for purposes of this DPA, the European Economic Area (which is composed of the member states of the European Union), Norway, Iceland, Liechtenstein, and Switzerland.
  9. “EU SCCs”: means the Standard Contractual Clauses issued pursuant to the EU Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679 of the European Parliament and of the Council, available at http://data.europa.eu/eli/dec_impl/2021/914/oj and completed as described in Section 9 (International Data Transfers).
  10. “Personal Data Breach”: means the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Personal Data.
  11. “Personal Data”: includes “personal data,” “personal information,” and “personally identifiable information,” each as defined by Applicable Law.
  12. “Process” and “Processing”: mean any operation or set of operations performed on Personal Data, or on sets of Personal Data, whether or not by automated means, such as collecting, recording, organizing, creating, structuring, storing, adapting or altering, retrieving, consulting, using, disclosing (by transmission, dissemination or otherwise making such data available), aligning or combining, restricting, erasing, or destroying such Personal Data.
  13. “Standard Contractual Clauses”: means the EU SCCs or the UK SCCs, as applicable.
  14. “UK SCCs”: means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, available as of the Effective Date at https://ico.org.uk/for-organisations/guide-to-data-protection/guide-to-the-general-data-protection-regulation-gdpr/international-data-transfer-agreement-and-guidance/ and completed as described in Section 9 (International Data Transfers).

3. Roles of the Parties

The Customer acts as the Data Controller.

Stackby acts as the Data Processor, processing Personal Data solely on documented instructions from the Customer.

3.1 Customer is the Controller and Business as defined under Applicable Laws, and Customer determines the means and purposes for which Customer Personal Data is Processed by Stackby. To the extent Stackby Processes Customer Personal Data subject to Applicable Laws, Stackby is a Processor and Service Provider as defined under Applicable Laws, and Stackby will Process the Customer Personal Data according to the instructions set forth in this DPA, the Agreement, and as required under Applicable Laws. Customer and Stackby are independent Controllers and Businesses, as defined under Applicable Laws, with respect to Business Contact Data. Either Party may Process Business Contact Data as necessary for the purpose of (i) carrying out its obligations under the Agreement, (ii) applicable legal or regulatory requirements, (iii) requests and communications with the other Party, (iv) administrative, business, and marketing purposes, and (v) to protect its respective rights in accordance with applicable law and, in the case of Stackby, maintaining the security and integrity of the Services.

3.2. Stackby hereby certifies that it understands the restrictions and obligations set forth in this DPA in relation to its role as a Processor and Service Provider, and that it will comply with them.

4. Customer’s Instructions to Stackby

4.1. Purpose Limitation:

Stackby will not (a) sell or share Customer Personal Data, (b) Process Customer Personal Data for any purpose other than for the specific purposes set forth in the Agreement, and as specifically stated in Exhibit A, (c) retain, use, or disclose any such data outside of the direct business relationship between the Parties, (d) combine any Customer Personal Data with personal information that it receives from, or on behalf of, another person or persons, or collects from its own interaction with a consumer, except as otherwise permitted by Applicable Law, or (e) otherwise engage in any Processing of Customer Personal Data beyond that in which a Processor may engage under the Applicable Law or in which a Service Provider may engage under the Applicable Law, unless obligated to do otherwise by Applicable Law. In such a case, Stackby will inform Customer of the applicable legal obligation before engaging in the Processing, unless legally prohibited from doing so.. To the extent Customer discloses or makes available de-identified data (as such term is defined under Applicable Law) within the Customer Data to Stackby, Stackby shall not attempt to re-identify such data.

4.2. Lawful Instructions:

Customer will not instruct Stackby to Process Customer Personal Data in violation of Applicable Law. Stackby will without undue delay inform Customer if, in Stackby’s opinion, an instruction from Customer infringes Applicable Law. The Agreement, including this DPA, constitutes Customer’s complete and final instructions to Stackby regarding the Processing of Customer Personal Data, including for purposes of the Standard Contractual Clauses. Customer shall also have the right to take reasonable and appropriate steps to stop or remediate any unauthorized Processing of Customer Personal Data by Stackby.

5. Limitations on Disclosure


Stackby will not disclose Customer Personal Data to any third party without first obtaining Customer’s written consent, except as provided in Section 12 (Subcontracting), Section 9 (Responding to Individuals Exercising Their Rights Under Applicable Law) or Section 15 (Data Transfers), except as required by law. Stackby will require all employees, contractors, and agents who Process Customer Personal Data on Stackby’s behalf to protect the confidentiality of the Customer Personal Data and to comply with the other relevant requirements of this DPA.

6. Nature and Purpose of Processing

Stackby processes Personal Data to provide its no-code database, collaboration, and workflow automation platform, including:

  • Account creation and management.
  • Data storage, access, and sharing within workspaces.
  • Execution of automations, integrations, and AI field processing.
  • Product improvement, support, and security monitoring.

7. Types of Data and Data Subjects

Data Subjects:

  • Customer’s employees, contractors, clients, and end users.

Types of Personal Data:

  • Names, email addresses, contact details.
  • Workspace and table content containing user-entered data.
  • Usage logs, IP addresses, and device identifiers.
  • Optional: data processed through third-party integrations (if authorized by Customer).

8. Duration of Processing

Processing continues for the duration of the Customer’s active account and until all Personal Data is deleted or returned upon termination of the Services.

9. Data Subject Requests


To the extent legally permitted, Stackby will without undue delay notify Customer if Stackby receives any request from an individual seeking to exercise any right afforded to them under Applicable Law regarding their Personal Data (a “Data Subject Request”). To the extent Customer, in its use of the Services, does not have the ability to address a Data Subject Request, Stackby will, upon Customer’s request, take commercially reasonable efforts to assist Customer in responding to such Data Subject Request, to the extent Stackby is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law.


10. Processor Obligations

Stackby shall:

  • Process Personal Data only as per the terms of service and customer’s permissions.
  • Ensure personnel handling Personal Data are bound by confidentiality.
  • Maintain records of processing activities.
  • Implement appropriate technical and organizational measures (TOMs) to protect data.

11. Technical and Organizational Measures (TOMs)

Stackby maintains industry-standard security practices, including:

  • Encryption of data in transit and at rest (TLS, AES-256).
  • Access control and least-privilege principles.
  • Regular security testing and audits.
  • Data redundancy and backups in secure cloud environments.
  • Incident response plan and logging of security events.

12. Sub-Processors

  • Stackby may engage Sub-Processors for hosting, analytics, or support services.
  • A current list of Sub-Processors is available at: stackby.com/company/subprocessors
  • Stackby ensures Sub-Processors are bound by contracts providing equivalent data protection obligations.
  • The Customer will be notified of any intended changes to Sub-Processors and may object on reasonable grounds.


Customer may object to Stackby’s use of a new sub-processor on reasonable grounds relating to the protection of Customer Personal Data by notifying Stackby promptly in writing at support@stackby.com within ten (10) business days after receipt of Stackby’s notice. In its notification, Customer will explain its reasonable grounds for objection. In the event Customer objects to a new sub-processor, Stackby will use commercially reasonable efforts to make available to Customer a change in the Services or recommend a commercially reasonable change to Customer’s configuration or use of the Services to avoid Processing of Customer Personal Data by the objected-to new sub-processor without unreasonably burdening Customer. If Stackby is unable to make available such change within a reasonable period of time, which will not exceed thirty (30) days, either Party may terminate without penalty the Processing of Customer Personal Data and/or the Agreement with respect only to those services which cannot be provided by Stackby without the use of the objected-to new sub-processor by providing written notice to the other Party.


13. Data Breach Notification

In the event of a Personal Data Breach, Stackby will:

  • Notify the Customer without much delay after becoming aware of the breach within 72 hours.
  • Provide all relevant details including the nature, scope, and mitigation steps.
  • Cooperate with Customers to comply with notification obligations under applicable law.


14. Assistance to Controller

  • Responding to data subject requests (access, rectification, erasure, portability).
  • Conducting data protection impact assessments (DPIAs): Upon Customer’s written request, Stackby will provide Customer with reasonable cooperation and assistance as needed and appropriate to fulfill Customer’s obligations under Applicable Law to carry out a data protection impact assessment related to Customer’s use of the Services. Stackby will provide reasonable assistance to Customer in the cooperation or prior consultation with the Supervisory Authority (as defined under the GDPR) in the performance of its tasks relating to the data protection impact assessment, and to the extent required under the Applicable Law.


15. International Data Transfers

  • Stackby may transfer and process Personal Data globally in compliance with Data Protection Laws.
  • For transfers outside the EEA/UK, Stackby uses EU Standard Contractual Clauses (SCCs) or equivalent lawful mechanisms.


16. Return or Deletion of Data

Upon termination or expiration of the Services:

  • Stackby will, at the Customer’s choice, return or securely delete all Personal Data, unless retention is required by law.
  • Deletion logs will be made available upon request (if it's not automatically deleted).


17. Audits and Compliance

  • Stackby shall provide audit reports and certifications (e.g., SOC 2, ISO 27001) upon request, once available. Currently, the certifications are in progress and it's not yet available.
  • The Customer may perform a reasonable audit or inspection under confidentiality conditions, once annually, with prior 60 days prior notice.


18. Liability and Indemnification

Each party shall be liable for damages and losses resulting from its own non-compliance with Data Protection Laws or this Agreement.


19. Governing Law and Jurisdiction

This Agreement is governed by the laws of Gujarat, India, unless otherwise required by applicable law. Disputes will be resolved in the competent courts of that jurisdiction.


20. Miscellaneous

  • This DPA supersedes all previous data processing terms between the parties.
  • If any provision is invalid, the remainder shall remain enforceable.
  • Updates to this DPA will be communicated via Stackby’s website or email notice.


Exhibit A:


Data exporter(s):

  • Name: The exporter is the Customer specified in the Agreement.
  • Address: specified in the Agreement.
  • Contact person’s name, position and contact details: specified in the Agreement.
  • Activities relevant to the data transferred under these Clauses: Obtaining the Services from data importer.
  • Role (Controller/Processor): Controller


Data importer(s):

  • Name: Relytree Technologies Private Limited
  • Address: 702, Empire State Building, Ring Road, Surat - Gujarat, 395007, India.
  • Contact person’s name, position and contact details: Legal Department, legal@stackby.com
  • Activities relevant to the data transferred under these Clauses: Providing the Services to data exporter.
  • Role (Controller/Processor): Processor


Please see our security guide, which describes technical and organizational measures implemented by Stackby.

STACKBY
PRODUCT
SOLUTIONS
RESOURCES
COMPARE
Stackby logo Stackby logo
Stackby logo
© Relytree Technologies & Relytree Inc.
| Terms | Privacy | GDPR | Sitemap