Data Privacy Agreement
This Data Privacy Agreement ("DPA") is an integral part of the Stubber.com Terms (including the MSA) and reflects the parties' agreement on the processing of personal data in connection with your use of the Stubber Services. This DPA is designed to meet the requirements of applicable data protection laws, including the EU General Data Protection Regulation (GDPR) and South Africa's Protection of Personal Information Act (POPIA), and to ensure appropriate safeguards for the handling of Personal Data. It is written in clear language to be understandable even if you are not a legal expert.
By creating an Org and using Stubber's Services, you (the Client) are deemed to have accepted this DPA. This DPA is governed by South African law (as is the MSA), and any disputes will be handled as per the MSA's dispute resolution terms. In case of any conflict between this DPA and the MSA on matters of data privacy, this DPA will prevail.
1. Definitions
For purposes of this DPA:
Personal Data (also referred to as "Personal Information" under POPIA) means any information relating to an identified or identifiable natural person (data subject); an identifiable person is one who can be identified, directly or indirectly, by reference to such data. This includes, for example, names, contact details, identifiers, as well as information about an individual's transactions, behaviors, or characteristics. Under POPIA, this term can also include information about juristic persons (companies) in some contexts.
Processing (and its variants like "Process") means any operation performed on Personal Data, whether by automated means or not, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission/dissemination, alignment or combination, restriction, erasure, or destruction. In short, if something is done to Personal Data, it's considered "processing."
Data Controller means the entity that determines the purposes and means of the processing of Personal Data. For this Agreement, the Client is the Data Controller (GDPR term) or "Responsible Party" (POPIA term) for any Personal Data that you or your end-users input into the Stubber Services. You decide what data to upload and how it should be used in the context of the Services.
Data Processor means the entity that processes Personal Data on behalf of the Controller. Stubber.com acts as the Data Processor (GDPR term) or "Operator" (POPIA term) when processing Personal Data on your behalf as part of providing the Services. This means Stubber follows your instructions on what to do with the data.
Data Subject means the individual to whom Personal Data relates. For example, if you upload a list of your customers into Stubber (with names and emails), those customers are data subjects. Data subjects could include your employees, customers, contractors, or any individuals whose Personal Data you decide to use within the Stubber platform.
Sub-processor means any third-party engaged by Stubber to help it Process Personal Data on behalf of the Client. Sub-processors can include hosting providers, cloud infrastructure, and integrated AI service providers that handle data to deliver the output (such as OpenAI, Anthropic, etc., when they receive a prompt containing Personal Data and return an AI result). We list our major Sub-processors in Annex 1 of this DPA (and will keep that list updated as required in Section 5).
Applicable Data Protection Law means all data protection and privacy laws and regulations that apply to the processing of Personal Data under this DPA. This includes, where applicable, the GDPR (and any country-specific implementations, like UK GDPR), POPIA, and potentially other laws if relevant (for example, if you are processing data of individuals in other jurisdictions).
Services has the same meaning as in the MSA -- the Stubber AI orchestration platform and related services that Stubber provides to Client. In the context of this DPA, "Services" involve the Processing of Personal Data that you or your users upload or that may be generated through use of the platform.
Any capitalized terms not defined in this DPA have the meanings given to them in the MSA.
2. Details of Data Processing
This section describes the key aspects of how and why Stubber processes Personal Data on your behalf, as required by GDPR Article 28 and POPIA. Generally: Stubber will only process Personal Data as necessary to provide the Services, in accordance with your documented instructions, and in compliance with Applicable Data Protection Law.
2.1 Subject Matter: The subject matter of the processing is the Personal Data that you (the Client) submit to the Stubber platform or that is collected through your use of the Services. This may include data you upload to the knowledge library, data entered into forms on the platform, data contained in prompts or tasks given to Stubs, and metadata like usage logs that may include Personal Data.
2.2 Duration of Processing: Stubber will process Personal Data for the duration of the MSA -- in other words, as long as you maintain an active Org and use the Services, and until deletion of all Personal Data as described in Section 8 (Deletion). Some minimal data may be retained after termination as required by law or for legitimate interests (see Section 8.3), but active processing stops when the Services are terminated or upon earlier deletion request.
2.3 Nature and Purpose of Processing: The nature of processing is cloud-based storage, analysis, and transformation of data as needed to fulfill the functionality of the Stubber Services. The primary purpose is to enable you to create AI-driven "Stubs" (digital employees) to automate your business processes. This involves tasks such as: hosting the data you input, feeding certain data into AI models to generate outputs, storing outputs and logs for your review, and performing computations or manipulations of data (for example, a Stub might take a piece of Personal Data like a customer's name and address and use it to fill out a form or compose an email). We process data only under your instructions -- effectively, whenever your Stub is triggered or you upload information, that is your instruction for us to process it to deliver the result.
Stubber does not make independent decisions about the use of your Personal Data beyond what is necessary to provide the service. We do not process your data for marketing or advertising (unless you separately consent to such use in our marketing communications, which is outside this DPA). We do not sell or share Personal Data with third parties for their own purposes. Any processing of Personal Data for analytics on our side is done on an aggregated or anonymized basis, not to identify individuals.
2.4 Types of Personal Data: The types of Personal Data processed depend on what you or your users decide to input into the platform. Since Stubber is a general-purpose automation/orchestration tool, it could potentially be used with various data. Common categories might include:
Basic contact information: names, email addresses, phone numbers (e.g., if a Stub is helping automate communications).
Employment information: if used internally, maybe employee IDs, job titles, departments.
Customer data: if automating customer service, possibly customer support tickets, chat logs, order numbers, etc., which could contain personal details.
Files and free-form data: any documents or text you upload to the knowledge base might contain personal data (for example, a PDF of a contract with names and signatures).
System metadata: IP addresses of users interacting with the platform, time stamps of actions (these could indirectly be considered personal data, especially an IP which can identify a device).
Stubber does not inherently require any special categories of personal data (such as data about health, biometrics, racial or ethnic origin, political opinions, etc.) for its functioning, and generally we advise against uploading sensitive personal data unless necessary. However, the platform does not prevent you from doing so. If you choose to process special category data or children's personal data via Stubber, you are responsible for ensuring you have the appropriate legal basis and consents required by law, and you should inform us if any special protective measures are needed. We treat all personal data with care, but you should be aware that, for example, sending health-related data to third-party AI APIs might require specific consent under GDPR/POPIA.
2.5 Categories of Data Subjects: Data subjects could include (depending on your use case):
Your employees or team members (if their data is entered into Stubs, e.g., to automate HR processes or internal workflows).
Your customers or end-users (if you use Stubs for customer-facing processes or to handle customer data, e.g., a Stub that answers customer support queries using a knowledge base that includes customer records).
Partners or contractors (if you store info about business partners, vendors, etc., in the platform).
Website visitors or other individuals whose data you might process (for instance, if you use a Stub to process leads from a web form, the individuals filling out the form are data subjects).
In summary, any individual whose Personal Data you load into the system or whose information is part of the processes you are automating will be a data subject covered by this DPA.
2.6 Instructions from Client: By entering this DPA, you instruct Stubber to process Personal Data in accordance with the terms of this DPA, the MSA, and any configurations or uses you initiate through the Service. Each time you (or an authorized user in your Org) use the Services to submit, retrieve, or manipulate data, you are issuing an instruction to Stubber to process that data in the manner required to provide the Service. Stubber will not process the Personal Data for any purpose other than as instructed by you and as needed to comply with applicable law. If Stubber believes an instruction violates data protection law, we will inform you (unless the law prohibits such notice).
Example: If you configure a Stub to read entries from your "Knowledge Library" (which may contain personal data) and answer questions, our system will take that data, possibly send portions to an AI API to generate an answer, and give you the answer. All of that is within the scope of "processing to provide the Services according to your instructions."
3. Stubber's Obligations as Data Processor
Stubber agrees to the following with respect to any Personal Data it processes on your behalf:
3.1 Compliance with Laws: We will process Personal Data in compliance with Applicable Data Protection Law, including GDPR and POPIA, as well as any other laws identified by you in writing that apply to your data (to the extent those laws impose obligations on processors). We will also help you (the Controller) comply with your obligations under those laws to the extent required of us (this includes assistance with responding to data subject requests, data protection impact assessments, etc., which is covered later in Section 6).
3.2 Limitations on Use: We will only process Personal Data on your documented instructions. The MSA and this DPA (and any settings or configuration in the Services by you) are considered your initial instructions to us. If you need us to do something outside of those terms, you should provide additional written instructions. We'll let you know if we can't follow an instruction (for example, if you ask us to do something that a sub-processor's system doesn't support, or if it would violate the law). If we are ever required by law enforcement or another legal authority to process data in a way not permitted by your instructions, we will notify you in advance (if legally allowed) so you have a chance to object or seek a protective order. Stubber will not "sell" or "share" personal data for third-party marketing -- in fact, we will not process or use Personal Data for any purpose other than to provide services to you, as per your instructions, and as otherwise permitted by this DPA.
3.3 Confidentiality of Processing: We ensure that any personnel (employees or contractors) who are authorized to process Personal Data under this DPA are bound by appropriate confidentiality obligations. In practice, every Stubber team member with access to production systems signs a confidentiality and non-disclosure agreement. Access to Personal Data is limited to individuals who need it to perform their job duties (principle of least privilege). We train our staff on privacy and security to handle data properly. We will not disclose Personal Data to any third party except as expressly permitted by this DPA or as you instruct.
3.4 Security Measures: Stubber will implement and maintain technical and organizational security measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, theft, alteration, or disclosure. These measures are outlined in Section 6.2 of the MSA (Security Measures) and are hereby incorporated into this DPA. Key measures include encryption in transit and at rest, access controls, intrusion detection, regular security testing, and physical security of data centers. We also maintain a security policy that aligns with industry standards (we aim to meet the standards of frameworks like ISO 27001 and SOC 2, even if we have not yet sought certification). Annex 2 of this DPA provides a summary of our current technical and organizational measures (TOMs) in compliance with GDPR Article 32. Stubber will periodically review and update its security measures to adapt to new risks and best practices, but at a minimum, the level of security will not be less protective than what is described at the time of entering this DPA.
3.5 Data Breach Notification: In the event Stubber becomes aware of a Personal Data Breach (meaning a confirmed security breach leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored or otherwise processed by Stubber), we will notify you without undue delay, and in any case aim to notify within 72 hours of discovering the breach.
We will provide you with sufficient information about the breach to help you meet any obligations to notify affected data subjects or regulators. Specifically, we will describe (to the extent known): the nature of the breach, the categories and approximate volume of data and individuals affected, likely consequences, and the measures we have taken or plan to take to address the breach (including efforts to mitigate harm). We will coordinate with you on public communication or notifications to authorities, except where doing so would cause further delay or hamper containment. Our notification of a breach to you is not an acknowledgment of fault or liability, but an obligation under data protection law. We will also take all reasonably necessary steps to contain, investigate, and remediate the breach, and keep you informed of updates. You (as Controller) are responsible for determining whether to notify supervisory authorities or data subjects, and for making any required notifications, but we will assist you as needed (for example, by providing you with info and a root cause analysis, or templates for notification).
3.6 Data Minimization and Retention: Stubber will not keep Personal Data longer than necessary for the purposes of processing. We follow the retention rules described in the MSA (Section 9.4 on post-termination deletion). During the term of service, we retain data to provide the service (which often means data persists until you delete it or terminate your account, since part of the value is keeping knowledge accessible for your Stubs). We also implement measures to delete or anonymize data that is no longer needed. For instance, if you delete a specific record or instruct a Stub to delete something, we remove it from active databases (though backup copies might exist for a time as noted). Logs and backups that contain Personal Data are rotated and eventually deleted as per our internal retention schedule (generally, routine logs are kept for a few weeks, backups for a few weeks to a couple of months unless otherwise required). If you need any specific data purged sooner, you can request that, and we will do our best to accommodate (unless it's data we are required to keep by law or for security).
3.7 Assistance with Data Subject Rights: If you receive a request from a data subject to exercise their rights under GDPR (access, rectification, erasure, restriction, data portability, objection, etc.) or POPIA (access or correction, etc.), and the relevant Personal Data is processed by Stubber, you can submit a request to us for assistance. Stubber will promptly assist you by providing the necessary information or performing the relevant actions to fulfill the request, to the extent you cannot do so through the platform's self-service features. For example, if a user asks you to delete their data, you can remove that data from our platform yourself (and we then propagate the deletion in our systems). If you need logs or archives cleared, we can do that on request (except in limited cases where we need to retain data). If a data subject requests info from Stubber directly (and we can tell they are associated with your Org), we will inform them to contact you (the Controller) or we will forward the request to you, and not respond directly without your instruction. We won't give out Personal Data to third parties unless required by law or allowed by you.
3.8 Assistance with Compliance: We will assist you in ensuring compliance with your obligations under Articles 32 to 36 of GDPR (security, breach notifications, data protection impact assessments (DPIAs), and prior consultation obligations) and similar sections of POPIA, taking into account the nature of processing and the information available to us. This includes providing you with information about our security measures (for DPIA purposes), and giving you breach info as stated. If you believe a DPIA is required for your use of Stubber (perhaps if you're processing highly sensitive data or systematically monitoring individuals using our platform), we will provide input as needed. If a regulator or the Information Regulator in South Africa requires information from you about the processing we do, we'll cooperate in providing that too.
3.9 Training and Compliance: Stubber ensures that its personnel engaged in processing are trained in privacy and security. We have appointed a data protection lead or officer internally who oversees compliance with this DPA and data protection law (especially GDPR/POPIA requirements). We also commit to maintain any required documentation of processing activities to satisfy legal requirements. If under GDPR Article 30 or POPIA it's required for us to maintain a record of categories of processing done on behalf of each client, we do so.
4. Client (Controller) Obligations
For completeness, and to ensure the proper functioning of this partnership, you (the Client, as Controller/Responsible Party) agree to:
4.1 Lawful Use of Services: You will ensure that you have all necessary rights and a valid legal basis (e.g., consent, contractual necessity, legitimate interest, etc., under GDPR; or justification under POPIA) to collect and upload Personal Data to the Stubber platform and to instruct Stubber to process it. Any international transfer of Personal Data to Stubber (since we operate in the UK and may use U.S.-based AI APIs) that is initiated by you is deemed authorized by you, and you will ensure such transfer is lawful (for example, if you are in the EU or South Africa, you might rely on this DPA's terms, which include appropriate safeguards, as the basis for transfer -- see Section 7). You are responsible for providing any necessary privacy notices to data subjects and for obtaining any necessary consents or authorizations for the processing of their data via the Services. For example, if you plan to upload your customers' data into Stubber to have a Stub process it, you should have told those customers in your privacy policy that you use service providers like us for automation and possibly AI, and have obtained consent if required.
4.2 Data Quality and Proportionality: You should only upload Personal Data that is relevant and limited to what is necessary for your use of the Services (data minimization principle). Avoid over-collecting or unnecessarily storing personal information in the platform. Where possible, use anonymization or pseudonymization for sensitive data. For instance, if you want to train a Stub on a knowledge base of policies, perhaps remove any employee names in those documents if they aren't needed for the Stub's function.
4.3 Compliance and Instructions: You will comply with all laws applicable to you as a Controller. This DPA is not a substitute for your own compliance obligations regarding the data you process. It's your responsibility to assess Stubber's Services and security to ensure they meet any specific compliance needs you have (for example, if you are in a highly regulated sector like finance or healthcare and have specific legal requirements). You are responsible for your configurations and use of the Services (including making sure that you do not use the Service to process data in a way that violates someone's rights or any law). If you provide additional instructions to Stubber, they must be lawful and reasonable. If you ask Stubber to do something that is outside the scope of the Services or poses a serious compliance risk, Stubber may refuse or require an amendment to this DPA.
4.4 Data Subject Requests and Communications: You will be responsible for responding to any request from a data subject under applicable data protection laws (such as requests for access, correction, deletion, or data export) for Personal Data that you control and which is processed by Stubber. While Stubber will assist as described, you should maintain a method for individuals to contact you regarding their data (for example, an email address in your privacy notice). If Stubber receives a complaint or inquiry from a data subject or a supervisory authority regarding data that falls under this DPA, we will promptly inform you and await your instructions (except where the law requires us to respond directly, in which case we will do so in a limited way and still inform you if possible).
4.5 Special Categories and Children: If you intend to upload any Special Category Personal Data (as defined by GDPR Article 9 -- e.g., health data, data revealing racial or ethnic origin, political opinions, etc.) or information about children, you should inform Stubber beforehand, and ensure you have obtained explicit consent from the data subjects or have another valid legal basis and that you follow any additional safeguards required by law. Stubber does not specifically monitor for or separate such data, so it will be treated like any other Personal Data in our systems. You might consider using extra encryption or anonymization for such data before putting it into our platform, if feasible.
4.6 Accuracy: You should make reasonable efforts to keep the Personal Data you store in Stubber accurate and up-to-date. If we become aware that data you provided is obviously inaccurate (like an email address in the wrong field, etc.), we may let you know, but generally we don't interfere with your data. The accuracy principle is mainly your responsibility as the Controller.
4.7 Breach Notifications on Your Side: In case of a security incident on your systems that may involve the Stubber Services or data therein (for example, if your admin credentials to Stubber are compromised on your side, or your systems that interface with Stubber get breached and that could affect data stored with us), you should notify Stubber as well, so we can cooperate in securing the data and accounts.
5. Sub-processors
5.1 Authorized Sub-processors: The Client agrees that Stubber may engage third-party Sub-processors to assist in the provision of the Services. We have three main types of Sub-processors: (a) Infrastructure providers (for data hosting and backup, e.g., Vultr, which operates the London data center where our servers reside), (b) Integrated AI service providers (e.g., OpenAI, Anthropic, DeepSeek, whose models process data to generate outputs for your Stubs), and (c) Service tools that might incidentally process data (for example, an email service for sending notifications to you, which might include personal data like your name/email, or a support ticket system if you share data in a support request).
We maintain an up-to-date list of Sub-processors in Annex 1 of this DPA (including the identities of Sub-processors and their locations and purpose of processing). By using our Services, you give general authorization for Stubber to engage these Sub-processors listed in Annex 1 and others of a similar nature as needed to operate and improve the Service.
5.2 Sub-processor Obligations: Whenever we engage a Sub-processor to process Personal Data on our behalf, we will do so via a written agreement that imposes data protection obligations equivalent to those set out in this DPA, particularly with respect to implementing adequate security measures, respecting limits on data use, and cooperating on data subject rights. We remain fully liable to you for any acts or omissions of our Sub-processors in relation to the processing of Personal Data, as if those acts or omissions were our own. In essence, if a Sub-processor fails to protect your data or otherwise causes a breach of this DPA, Stubber is responsible to you for that failure.
5.3 Notice of New Sub-processors: We will inform you (for instance, via email or via a notification in the platform's Manage section) of any intended addition or replacement of Sub-processors that will process Personal Data, providing you with at least 30 days' notice, except in cases of emergency or where the new Sub-processor is replacing one with identical or similar processing (like switching to a similar hosting facility). If you have a legitimate objection to a new Sub-processor (for reasons related to data protection, for example, if adding a Sub-processor in a country that has inadequate data protection standards in your view, and no safeguards are provided), you may object in writing within the notice period. We will then work with you in good faith to address the objection, which may include reviewing the Sub-processor's safeguards, offering an alternative solution, or if no resolution is possible, giving you the option to terminate the Services (with a pro-rata refund of any prepaid fees for the period after termination). If you do not object within the notice period, the new Sub-processor will be deemed accepted.
5.4 Current Sub-processors (Annex 1):
(For transparency, we list our current Sub-processors here. This list may be updated as per the notice process above.)
Vultr (Choopa, LLC) -- Infrastructure/Hosting. Location: London, United Kingdom (with backups possibly in secondary EU/EEA locations). Purpose: Hosting of all application servers, databases, and data storage on single-tenant bare metal servers. Vultr provides the physical data center, network, and hardware; Stubber manages the software stack. Vultr's role means they could theoretically access data on the servers (as any infrastructure host could), but in practice they do not access customer data and only maintain hardware/network. They are under contract to provide security and not to access or use data except as needed for maintenance.
OpenAI, LLC -- Integrated AI Service. Location: United States (with global infrastructure). Purpose: Large Language Model (LLM) API provider. When Clients use Stubs that require natural language processing or completion, the Stubber platform may send prompts or data to OpenAI's API (e.g., GPT-4 or similar models) and receive generated text as output. Data sent could include portions of Client Data (for example, if a user asks a Stub a question, the question and some relevant knowledge base content might be sent as context). OpenAI is committed (via their API terms) not to use API data to train their models and to maintain confidentiality.
Anthropic, PBC -- Integrated AI Service. Location: United States. Purpose: Another LLM provider (e.g., Claude model). Functions similarly to OpenAI in that data may be sent to Anthropic's AI model to get results. Also under agreements to not retain or use data beyond providing the result.
DeepSeek (Hypothetical Provider) -- Integrated AI/Tool Service. Location: United States (hypothetical). Purpose: Specialized AI service integrated into Stubber, possibly for search or data analysis tasks. Data shared as needed for the functionality (again under no-training commitments).
[Other Sub-processors] -- We may use additional processors for ancillary services: for example, an email delivery service like SendGrid or Amazon SES for sending system emails (these would handle user email addresses and notification content), a customer support CRM (if you share data with us via support), and analytics tools (though we aim to use anonymized analytics). We ensure all such providers are held to confidentiality and data protection standards. (The full up-to-date list can be obtained via the Manage section or by contacting privacy@stubber.com.)
6. Data Subject Rights and Cooperation
As covered earlier, but to consolidate: If you need assistance in dealing with data subject rights or regulatory matters, Stubber will cooperate as follows:
Access & Portability: Upon request, Stubber can export your Client Data (including Personal Data) in a common format so you can provide it to the data subject or another controller, or we'll allow you to directly export such data through the platform. We can provide log data (like records of who accessed what, if available) if needed for an access request. We won't directly send data to data subjects unless legally compelled or agreed.
Rectification: You and your users have the ability to edit or update Personal Data stored in the platform (e.g., you can update records in the knowledge base or correct a user's information). If something needs changing that you cannot do, let us know and we'll do it (assuming we can verify the correct new data).
Erasure: You can delete data within the platform (delete a document, remove an entry, etc.), which will remove it from active use. If a data subject invokes the right to erasure, you should delete their data from Stubber (if it's in your content). If something remains (like in backups or logs), we'll purge it upon request unless forbidden by law to do so. If a user wants to be "forgotten" and you need confirmation, we can certify that their data has been deleted from our systems.
Restriction of Processing: If a dispute arises about the accuracy or legality of processing certain data, you can ask us to restrict processing (meaning we'll mark it and stop doing anything with it) until resolved. We can isolate the data so no Stub uses it, for example.
Objection and Automated Decision-Making: In general, Stubber does not engage in any separate profiling or automated decision-making about individuals that has legal effects (that's something you might do with outputs, but that's under your control). If an individual objects to processing (say one of your customers doesn't want you to use their data in a Stub), that's for you to handle, but we'll support by excluding that person's data if directed (like not processing their info in any future tasks).
Regulator Inquiries: If a data protection authority contacts Stubber about the processing of your Personal Data, we will (unless prohibited) promptly inform you and consult on how to respond. We will cooperate with both you and the authority in good faith. However, you as Controller are typically the primary party they'll want to talk to, so we'll likely direct them to you (with your contact info) after coordinating.
7. International Data Transfers
7.1 Transfer Mechanisms: As described, Stubber is based in South Africa, but all platform data is currently hosted in the United Kingdom (which, as of the date of this DPA, is considered to provide an adequate level of data protection from both EU and South African perspectives -- the UK has its own GDPR and is deemed adequate by the EU, and likely meets adequacy under POPIA Section 72). However, some Sub-processors (like OpenAI or Anthropic) are in the United States, and thus Personal Data may flow from the UK to the US when using those features. To ensure compliance with the GDPR transfer requirements, Stubber adheres to the European Commission's Standard Contractual Clauses (SCCs) for transfers of personal data to third countries, as applicable. By signing this DPA, the parties are deemed to incorporate the SCCs (2021 EU SCCs as per Commission Decision 2021/914) in module 2 (controller to processor) for transfers from you (if you're in the EEA) to us (in the UK or SA, if considered a third country) and module 3 (processor to processor) for transfers from us to sub-processors (like U.S. AI providers). In these SCCs, you are "data exporter" and Stubber is "data importer". We have filled in Annex I and II of the SCCs consistent with the information in this DPA (processing details and security measures). Where the UK's or Switzerland's laws apply, the SCCs are adapted accordingly (using the UK International Data Transfer Addendum, etc.). We also commit to adhere to the principles of the EU-U.S. Data Privacy Framework for any relevant data if we ever transfer data to a U.S. entity under that framework (though primarily we rely on SCCs).
For POPIA cross-border requirements: Section 72 of POPIA allows transfers if certain conditions are met, such as: the recipient (Stubber or our sub-processor) is in a jurisdiction with adequate laws, or we have a binding agreement ensuring "an adequate level of protection" that is essentially equivalent to POPIA. This DPA and our agreements with sub-processors serve as those binding agreements. Also, by entering this DPA, you (as Responsible Party) are confirming that either (a) you have the data subject's consent for transfers of their data out of South Africa to the UK/US as needed, or (b) one of the other allowed grounds in POPIA Section 72 applies (for example, the transfer is necessary for performing a contract with the data subject).
In simpler terms: we ensure all international transfers are done lawfully -- either the destination country is recognized for adequate protection or we have the proper contractual safeguards in place. We also will cooperate with you if you need to demonstrate compliance, such as providing a copy of our SCCs or describing how data is handled by foreign sub-processors.
7.2 Onward Transfers: Whenever Stubber engages a Sub-processor in a country that is not considered to have adequate data protection (e.g., the U.S.), Stubber will either (i) ensure that the Sub-processor has certified under an approved framework (for instance, if a provider is certified under Privacy Shield's successor or a similar framework) or (ii) include the relevant SCCs or equivalent in its contract with that Sub-processor. For example, our contracts with OpenAI/Anthropic include commitments around data use (no secondary use) and, if needed, we would incorporate SCCs for EU personal data if they process any. We also assess the risks of government access in those countries and implement additional measures if needed (such as encrypting content so that the provider cannot read the Personal Data, where feasible).
7.3 Data Localization: If at any time you require that Personal Data not leave a certain geography (for instance, you prefer all data to stay in South Africa or within the EEA), please discuss this with us. We may offer options like EU-only processing by disabling certain U.S. sub-processors or hosting in a different region, although that is subject to our infrastructure capabilities. By default, our service uses the UK location and U.S. AI APIs; if that is not acceptable, you should not input personal data until we arrange an alternative or until your policies allow the transfer under this section.
8. Return or Deletion of Data
8.1 During the Agreement: You have control of your data through the platform. You can typically download or delete your content at will. We encourage you to regularly back up any critical data offline as well.
8.2 Upon Termination: Upon termination or expiration of the MSA (and thereby this DPA) and upon your written request, Stubber will either delete or return all Personal Data in its possession that was processed on your behalf, except to the extent applicable law requires continued retention. By default, our practice (as stated in the MSA) is to delete Client Data within ~30 days after termination. If you prefer the data to be returned to you instead (for example, exported and provided to you), you should let us know at or prior to termination, and we will arrange a secure transfer of a complete data export. After confirming that you have received any returned data, we will proceed to purge the data from our systems.
8.3 Retention Required by Law: If we are required by law to retain certain data for a longer period (for instance, some transaction logs for financial reporting, or if the data was part of an investigation), we will securely isolate that data from active processing and ensure it is only retained and used for the required purpose, under appropriate protections. We will inform you of any such retention (unless informing you is prohibited, e.g., a non-disclosure obligation related to a legal hold). Once the retention requirement expires, we will promptly delete the data.
8.4 Certification of Deletion: Upon your request, Stubber will certify in writing (email is sufficient) that we have deleted or destroyed the Personal Data as per the above requirements. Our deletion process involves removing data from databases, and rendering data on backups unrecoverable either by deletion or through expiration/overwriting. Note that due to the nature of some backups, complete immediate deletion might not be feasible, but we ensure that any data on backup media is not readily accessible and is deleted as soon as the media is overwritten or destroyed on schedule.
8.5 Continuing Obligations: Even after deletion, Stubber and its sub-processors will continue to be bound to maintain the confidentiality of any residual information until it is destroyed, and the obligations under this DPA (like confidentiality, and restrictions on use) continue to apply to any data retained under Section 8.3 until it is fully deleted.
9. Audits and Certifications
9.1 Audit Rights: You have the right to audit Stubber's compliance with this DPA, including our security measures and data processing practices, up to once per year (and additionally in the event of a confirmed material breach of this DPA by Stubber). We ask that you provide at least 30 days' advance notice of a requested audit, and we will work in good faith to accommodate it. Before the audit, we can mutually agree on a scope and schedule that minimizes disruption to our other clients and ensures no sensitive info of others is compromised. Audits shall be conducted during normal business hours, in a manner that doesn't interfere with business operations.
9.2 Third-Party Auditors: If you are not able or do not wish to conduct the audit yourself, you may engage an independent third-party auditor (subject to Stubber's approval, not to be unreasonably withheld) who is not a competitor of Stubber. The auditor must sign a confidentiality agreement with us. Alternatively, if we have recent audit reports or certifications (for instance, if in future Stubber obtains a SOC 2 Type II report or ISO 27001 certificate), we can share those with you, and if they suffice for your requirements, that can satisfy the audit request without you needing to send someone.
9.3 Information and Results: During an audit, Stubber will make available relevant documentation, and access to systems (to the extent legally and contractually allowed -- we won't violate other customers' confidentiality). You may inspect our technical and organizational measures in practice. If an on-site visit is part of the audit, the auditor might visit our offices or data center (though data centers might have their own restrictions). Typically, much can be done via documentation review and interviews. We consider some information about our security setup to be highly confidential (to protect security), so we might choose to only show certain sensitive info to an independent auditor rather than give copies, etc. The results or reports from the audit must be shared with Stubber, and are considered Stubber's Confidential Information. You can use them to verify our compliance, and of course share with your own regulators if needed, but you should not disclose them to unrelated third parties (except advisors bound by confidentiality).
9.4 Remediation: If any audit reveals a material vulnerability or non-compliance, Stubber will promptly take steps to address it. We will discuss findings with you and take your input on priority of fixes. If something cannot be fixed in a reasonable timeframe, and it significantly affects the protection of Personal Data, you may have the right to terminate the Services and this DPA (with a refund of any prepaid fees for unused services) -- but we anticipate being able to resolve issues cooperatively.
9.5 Certifications: Currently, Stubber may not have formal third-party certifications (as we are a growing service), but we model our program on industry standards. In the future, as we obtain any such certifications (security or privacy seals, etc.), we will notify you or list them in Annex 2. You can request evidence of our compliance, and we will provide what we have, such as summaries of penetration test results, internal compliance checklists, etc.
10. Liability and Indemnity under this DPA
10.1 Liability Cap: The liability of each party under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the MSA (see MSA Section 8), except that these limitations shall not apply to any breaches of this DPA caused by a party's gross negligence or willful misconduct, or to any fines issued to the Controller that are directly caused by the Processor's breach of this DPA (in which case the Processor may be liable for those fines to the extent the law permits shifting of fines). For clarity: neither party will be liable for indirect or consequential losses arising from breach of this DPA, and Stubber's total liability for breaches of this DPA will generally be capped by the MSA's cap (e.g., what you paid in the last 12 months). However, if a data breach or violation by Stubber causes you to incur regulatory fines or third-party claims, those may be considered direct damages or be subject to indemnification as per Section 10.2 below.
10.2 Indemnification: Each party shall indemnify and hold the other harmless from claims and losses to the extent arising from its own violation of this DPA or Applicable Data Protection Law. For example, if Stubber fails to meet its obligations and that leads to a third-party claim or regulator action against you, Stubber will defend and indemnify you (including covering reasonable legal fees and any damages/fines) for those claims, except to the extent that the issue was caused by your actions or instructions. Conversely, if you (as Controller) violate the law (e.g., you collected data illegally or misused the Service) and Stubber is sued or fined as a result, you will indemnify Stubber. The indemnification process would follow a procedure similar to that described in the MSA indemnities: prompt notice, control of defense, cooperation, etc.
10.3 Consideration of Fines: We both acknowledge that data protection authorities can impose fines that potentially exceed contractual caps. While this DPA largely keeps the MSA cap, we intend to work together to avoid such fines entirely. If a fine is threatened or levied, we should communicate and see if there's any recourse or mitigation (like demonstrating due diligence or adherence to this DPA). If Stubber is fully at fault for a fine imposed on you, we will not hide behind the cap to shirk responsibility -- rather, we'd negotiate in good faith how to address it, which could include coverage beyond the cap if appropriate under law (some jurisdictions do not allow a processor to contractually avoid liability for fines in cases of its own non-compliance).
10.4 Insurance: Stubber maintains liability insurance that covers data breaches and cyber incidents. If needed, we can provide proof of insurance coverage upon request (subject to confidentiality). This means that in the event of a major incident, there are resources to cover certain damages.
11. Term and Termination of DPA
This DPA shall remain in effect as long as Stubber is processing Personal Data on behalf of the Client under the MSA. Termination of the MSA will trigger termination of this DPA, except that the sections needed for post-termination obligations (such as data deletion, confidentiality, etc.) will continue. You cannot terminate this DPA separately from the MSA without terminating the MSA, as the Services cannot be provided without data processing. However, if you need to temporarily stop data processing (for instance, to suspend use of the service due to a legal hold), we can accommodate that operationally without terminating the whole agreement.
If either party is in material breach of this DPA, the other party may terminate the MSA/DPA if such breach is not cured within 30 days of notice. A material breach could include Stubber violating a fundamental privacy obligation (like using data beyond instructions) or you (Client) repeatedly providing data to Stubber in violation of law that causes Stubber compliance issues. Before termination, we should attempt to resolve issues amicably.
Upon termination, refer to Section 8 for data return/deletion procedures. The liability and indemnity clauses survive termination for any incidents that occurred during the term.
12. General Provisions
12.1 Amendments: With the evolution of data protection laws and the Services, the parties may update this DPA by mutual written agreement. Stubber may also propose updates (for example, to align with new standard contractual clauses or new legal requirements). If an update is required due to a change in law or by a regulator, Stubber will notify the Client and the parties will work together in good faith to execute an amendment or new DPA. In the absence of objection within a reasonable time (say 30 days) to a change that is required by law, Stubber's new standard DPA terms may be deemed accepted. We will notify you via the Manage section of any such updates.
12.2 Severability: If any provision of this DPA is found to be invalid or unenforceable, the remainder of this DPA will remain in full effect. We would negotiate in good faith to replace the invalid provision with a valid one that as closely as possible achieves the original intent and economic effect.
12.3 Governing Law: This DPA is governed by the same law as the MSA (South African law), and any disputes will be handled in the same courts or dispute resolution framework as provided in the MSA, unless required otherwise by applicable data protection law (for instance, GDPR might give certain jurisdiction to EU courts for certain matters -- but primarily, disputes between us follow the chosen law).
12.4 Order of Precedence: In case of conflict between the MSA and this DPA regarding data protection, this DPA prevails. In case of conflict between this DPA and the Standard Contractual Clauses (if they apply), the SCCs will prevail to the extent of the conflict (as they are required by law for international transfers). As between the annexes and the main body, the main body of the DPA prevails over the annexes unless an annex explicitly states otherwise.
12.5 Counterparts / Execution: This DPA may not require a separate signature if the MSA is signed or accepted electronically and refers to this DPA. If a signature is required, it can be executed electronically or in counterparts. In practice, your acceptance of the Terms of Service (which incorporate this DPA) is sufficient to make it binding.
12.6 No Third-Party Rights: This DPA does not grant any rights to any third parties (like data subjects) to enforce its terms directly between us, except as provided by law or the Standard Contractual Clauses where applicable (e.g., data subjects can sometimes enforce certain SCC provisions as third-party beneficiaries).
12.7 Communication: All communications regarding this DPA should be directed to the appropriate privacy contact of each party. For Stubber, you can use privacy@stubber.com or your account representative for any data protection issues. For you, we will use the contact info on file (or if you have a Data Protection Officer, you can provide us their contact).
12.8 Language: This DPA is in English. If it is translated into another language, the English version controls in case of differences.
Annex 1: Sub-processor List
(As referenced in Section 5.4, list of current Sub-processors including name, location, and purpose.)
Vultr (Choopa, LLC) -- Location: London, UK (and other backup locations as applicable). Purpose: Cloud infrastructure and bare-metal server hosting for the Stubber platform.
OpenAI, LLC -- Location: USA. Purpose: Large Language Model API provider for natural language generation and understanding as used by Stubs (no training on Client data).
Anthropic, PBC -- Location: USA. Purpose: Large Language Model API provider (Claude) for AI completions and chat as used by Stubs (no training on Client data).
DeepSeek, Inc. -- Location: USA. Purpose: (Hypothetical example) AI search/model provider integrated for specialized AI tasks within Stubs (e.g., semantic search).
SendGrid (Twilio Inc.) -- Location: USA. Purpose: Outbound email service for sending notifications or system emails to users (such emails may include user names, addresses, or content you direct us to send).
Zendesk, Inc. -- Location: USA/EU. Purpose: Customer support ticketing system (used if you email our support and include data, which might contain personal data related to your issue).
[Any additional analytics or monitoring sub-processor] -- e.g., Cloudflare (if used for DDoS protection, which might incidentally process IP addresses of users).
(Stubber will update this Annex as needed; refer to our website's "Sub-processors" page or the Manage section for the latest list.)
Annex 2: Summary of Security Measures
(As referenced in Section 3.4, summary of Stubber's Technical and Organizational Measures for security.)
Organizational Control: Dedicated security personnel (even if a part-time role). All staff with access to Personal Data are under NDAs and receive privacy/security training. Access to systems is granted on a least-privilege basis and reviewed periodically. Incident response plans and data breach response procedures are documented.
Physical Security: Our servers are in a secure data center (Vultr London) which has 24/7 monitoring, access control (badges/biometrics), CCTV, and redundant power/HVAC. Stubber personnel typically do not have physical access; physical maintenance is by authorized data center staff.
Access Control: Strong authentication for server access (SSH keys, VPN, MFA). Different environments (development, staging, production) are separated to reduce risk. Within production, data is segregated logically by Org.
Encryption: All web access uses TLS (HTTPS) with up-to-date protocols to encrypt data in transit. For data at rest, we use full disk encryption and/or database encryption. Backups are encrypted. If data is sent to sub-processors like OpenAI, it goes over encrypted channels.
Network Security: Firewalls restrict inbound and outbound traffic to only necessary ports/services. We employ network monitoring to detect suspicious traffic patterns.
Application Security: Coding best practices are followed to prevent common vulnerabilities (OWASP Top 10). We conduct code reviews and utilize automated security scanning tools. Regular penetration tests are performed by third parties on the Stubber application and infrastructure.
Data Isolation: Each Client's data is logically separated. Authentication tokens ensure one Org cannot access another's data. Unique identifiers and access control lists are implemented at the application level.
Monitoring & Logging: We log access to systems and data (who accessed what, and when) to provide an audit trail. Logs are protected and monitored for anomalies. Critical alerts (like multiple failed logins, or unusual data access patterns) are set to notify our security team.
Backup & Recovery: Regular backups are taken and stored securely (with encryption). We periodically test restoration procedures to ensure data can be recovered. Our disaster recovery plan covers scenarios of data center loss; we can restore in a new environment to minimize downtime.
Endpoint Security: Any Stubber staff devices accessing admin systems have full disk encryption, antivirus/EDR solutions, and are kept up-to-date.
Development Processes: We maintain separate environments for testing with either anonymized data or minimal personal data. Changes are tested and peer-reviewed before deployment to production.
Vendor Risk Management: We evaluate sub-processors for their security posture (reviewing their documentation/certifications) and ensure contracts have appropriate security and privacy clauses. For instance, our AI providers have to certify they won't misuse data.
Certifications: (If any specific certification) e.g., "We align with ISO 27001 controls and are working towards certification." (This annex will note any actual certifications or audit reports available).
Continuous Improvement: We regularly review and update our security measures in light of new risks, technological developments, and guidance from standards/regulators. We also maintain cyber insurance as a risk mitigation measure.