DRAFT — review required
pnpm generate:legal. Have qualified counsel review before removing this banner. Customers requiring a counter-signed DPA should contact privacy@faststaq.com.Data Processing Addendum
Last updated: May 16, 2026
1. Parties
This Data Processing Addendum (the "DPA") is entered into between the Customer (the "Controller") and FastStaq(the "Processor"). It supplements the terms of service governing Customer's use of faststaq.comand applies whenever Processor processes Personal Data on Customer's behalf.
2. Subject matter and duration
The subject matter of the processing is the Customer-supplied Personal Data described in the data map at /legal/privacy. Processing lasts for the duration of the underlying agreement and ends with the deletion or return of Personal Data described in Section 9.
3. Nature, purpose, and categories of data
- Nature: hosting, transmission, storage, security monitoring, support.
- Purpose: providing the Service to Controller and authorised end users.
- Categories of data subjects:Controller's employees, customers, prospects, contractors, and any individual whose data Controller chooses to upload.
- Categories of Personal Data: identifiers (email, name), authentication data, billing metadata, support content, usage telemetry, and any data Controller voluntarily uploads.
4. Processor obligations
- Process Personal Data only on Controller's documented instructions, including with regard to international transfers.
- Ensure personnel authorised to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organisational measures (Section 6) to ensure a level of security appropriate to the risk.
- Assist Controller in responding to data subject rights requests (Section 7) and in meeting Articles 32–36 obligations.
- Notify Controller without undue delay after becoming aware of a Personal Data breach (Section 8).
5. Subprocessors
Controller authorises FastStaq to engage the subprocessors listed at /legal/subprocessors. FastStaqwill give at least 30 days' notice before adding or replacing a subprocessor; Controller may object in writing for legitimate data-protection reasons.
6. Technical and organisational measures
FastStaq maintains TLS in transit, AES-256 at rest, strong authentication, role-based access control, append-only audit logging, periodic vulnerability scanning, and least-privilege internal access. The full list of controls is available on request.
7. Data subject rights
FastStaq provides self-service export and deletion tooling at /dashboard/privacy. Where Controller receives a request directly, FastStaq will assist within 30 days at no additional cost.
8. Breach notification
FastStaq will notify Controller of a confirmed Personal Data breach without undue delay and in any event within 72 hours of confirmation. Notice will include the nature of the breach, approximate categories and numbers of records, likely consequences, and remediation steps.
9. Return or deletion at end of services
On termination of the underlying agreement, FastStaqwill, at Controller's choice, return or delete all Personal Data, including all copies, within 30 days, unless retention is required by applicable law.
10. Audits
FastStaqprovides Controller with the documents necessary to demonstrate compliance with this DPA, including SOC 2 reports where available. Reasonable on-site audits are permitted on 30 days' notice during business hours.
11. International transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland, the Standard Contractual Clauses (Module 2 — Controller to Processor) are incorporated by reference and shall govern such transfers. Module 3 applies between FastStaq and any subprocessor.
12. Contact
FastStaq · privacy@faststaq.com