Home / Legal / Data Processing Addendum

Legal

Data Processing Addendum

This addendum sets out how Stelaah processes personal data on your behalf when you use the Services. It is written for customers with obligations under the GDPR, UK GDPR, the Swiss FADP, the CCPA/CPRA, the LGPD, and similar data protection laws.

Last updated June 28, 2026 · Version 2.0 Request signed copy
EU GDPR UK GDPR Swiss FADP CCPA / CPRA LGPD
In plain terms. For the data inside your workspace, you are the controller and Stelaah is the processor. We process it only on your documented instructions, isolate every workspace at the database with row-level security, never sell it, and give you the tools to meet your own obligations to the people whose data you store.

This Data Processing Addendum (the "DPA") forms part of the agreement between you (the "Customer") and the Stelaah entity providing the Services ("Stelaah", "we", "us") under which we make the Stelaah workspace and related services available to you (the "Agreement"). It applies only to the extent that we process Customer Personal Data on your behalf. Where it conflicts with other data protection terms in the Agreement, this DPA prevails. Capitalized terms that are not defined here have the meaning given to them in the Agreement. For a countersigned copy, email privacy@stelaah.com.

1 Definitions

The terms "controller", "processor", "data subject", "personal data", "processing", and "supervisory authority" have the meanings given in the GDPR; "business", "service provider", "sell", and "share" have the meanings given in the CCPA. In addition:

1.1

"Customer Personal Data" means any personal data contained in the Customer Content that Stelaah processes on the Customer's behalf in providing the Services.

1.2

"Customer Content" means the data that the Customer and its authorized users submit to, store in, or generate within their Stelaah workspace.

1.3

"Data Protection Law" means each law relating to data protection or privacy that applies to the processing of Customer Personal Data under the Agreement, including the EU GDPR, the UK GDPR, the Swiss FADP, the CCPA/CPRA, and the LGPD.

1.4

"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, or unauthorized disclosure of or access to Customer Personal Data in our possession or control. It does not include unsuccessful attempts that do not compromise the security of Customer Personal Data, such as failed log-in attempts, pings, or port scans.

1.5

"Services" means the Stelaah workspace and the products and features we provide under the Agreement, including the Aria AI assistant.

1.6

"Standard Contractual Clauses" or "SCCs" means the clauses described in Appendix 3 that provide a lawful mechanism for transferring personal data to a third country.

1.7

"Subprocessor" means a third party we engage to process Customer Personal Data in connection with the Services.

1.8

"Term" means the period from the date this DPA takes effect until we have ceased providing the Services and deleted all Customer Personal Data in accordance with this DPA.

2 Roles and scope of processing

2.1

For Customer Personal Data, the Customer acts as the controller (or, where the Customer is itself a processor for a third party, as a processor) and Stelaah acts as the processor (or, under the CCPA, as a service provider). The subject matter and details of the processing are set out in Appendix 1.

2.2

Each party will comply with its own obligations under Data Protection Law in respect of the processing of Customer Personal Data. The Customer is responsible for the lawfulness of the Customer Content it submits and for having a valid legal basis to provide it to us.

2.3

Where the Customer is a processor acting for a separate controller, the Customer warrants that its instructions and authorizations to us, including its consent to our use of Subprocessors and onward transfers, have been authorized by that controller.

3 Your instructions and our compliance

3.1

By entering into this DPA, the Customer instructs Stelaah to process Customer Personal Data only: (a) to provide and maintain the Services; (b) as set out in the Agreement, this DPA, and our Privacy Policy; and (c) as further documented in any other written instruction the Customer gives and that we acknowledge in writing.

3.2

We will process Customer Personal Data only on those instructions unless Data Protection Law requires otherwise, in which case we will tell the Customer before processing, unless that law prohibits us from doing so on important grounds of public interest. We will inform the Customer if, in our opinion, an instruction infringes Data Protection Law.

3.3

Purpose limitation. We will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose it for any purpose other than providing the Services or as otherwise permitted by Data Protection Law; (c) process it outside the direct business relationship between the parties; or (d) combine it with personal data from other sources except as permitted for a service provider under the CCPA.

3.4

Aria AI. The Aria assistant processes Customer Content to generate responses and take actions inside the workspace at the Customer's direction. Customer Content is not used to train third-party foundation models. AI requests are routed to the model providers listed as Subprocessors, and the Customer can choose its AI provider in workspace settings.

4 Confidentiality of personnel

We grant access to Customer Personal Data only to personnel and Subprocessors who need it to perform the Agreement, and only to the extent needed. Those people are bound by written confidentiality obligations and are trained on their responsibilities for protecting personal data.

5 Security measures

5.1

We implement and maintain the technical and organizational measures described in Appendix 2 to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, and purposes of the processing, as well as the risk to data subjects. We may update these measures provided the overall level of security is not materially reduced.

5.2

Central to our model is tenant isolation enforced at the database: every record is scoped to a single workspace and protected by row-level security, on a default-deny basis, so one workspace can never reach another's data. Access additionally follows each user's plan, workspace, and membership.

5.3

The Customer is responsible for its own use of the Services, including configuring access for its users, securing its account credentials and devices, and deciding what Customer Content to store. We are not responsible for data the Customer chooses to store or transfer outside the Services.

6 Personal data breaches

6.1

If we become aware of a Personal Data Breach affecting Customer Personal Data, we will notify the Customer without undue delay and take reasonable steps to identify the cause, contain it, and prevent recurrence.

6.2

Our notification will describe, to the extent known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, the measures taken or proposed, and a contact point for more information. We will provide further detail as it becomes available.

6.3

The Customer is responsible for any notifications it must make to supervisory authorities or data subjects. Our notice or assistance is not an acknowledgement of fault or liability.

7 Subprocessors

7.1

The Customer gives a general authorization for us to engage Subprocessors to process Customer Personal Data. A current list of Subprocessors, including their function and location, is at stelaah.com/legal/subprocessors.

7.2

Before a Subprocessor processes Customer Personal Data, we enter into a written contract imposing data protection obligations no less protective than those in this DPA, to the extent applicable to the services it provides. We remain responsible for each Subprocessor's performance of its obligations.

7.3

We will give at least 30 days' notice before a new Subprocessor begins processing Customer Personal Data, by updating the Subprocessors page and, where the Customer has subscribed, by email. The Customer may object on reasonable, data protection–related grounds within that period; we will work in good faith to address the objection, and if we cannot, the Customer may, as its sole remedy, terminate the affected Services.

8 Data subject rights

8.1

The Services give the Customer self-service tools to access, correct, export, and delete Customer Personal Data, so the Customer can respond to requests from data subjects to exercise their rights.

8.2

If we receive a request from a data subject relating to Customer Personal Data, we will, where legally permitted, direct the data subject to the Customer rather than respond directly, and let the Customer know. Taking into account the nature of the processing, we will provide reasonable assistance for the Customer to meet its obligations to respond.

9 Impact assessments and consultation

Taking into account the nature of the processing and the information available to us, we will provide reasonable assistance for the Customer to carry out data protection impact assessments and prior consultations with supervisory authorities, including by making available the information in this DPA, the security overview, and the documentation referenced in Appendix 2.

10 International data transfers

10.1

We and our Subprocessors may store and process Customer Personal Data in any country where we or they maintain facilities, subject to this Section.

10.2

Where a transfer of Customer Personal Data from the EEA, the United Kingdom, or Switzerland to a country without an adequacy decision is subject to Data Protection Law, we will make that transfer under an appropriate safeguard. The transfer mechanisms in Appendix 3 (including the EU SCCs and the UK IDTA) apply to those transfers and are incorporated into this DPA by reference.

11 Return and deletion of data

11.1

Throughout the Term the Customer can export its Customer Content from the Services at any time in a structured, commonly used format.

11.2

On expiry or termination, the Customer may retrieve its Customer Content for 30 days. After that period, the Customer instructs us to delete Customer Personal Data. Consistent with our local-first, recoverable model, deletions are first soft-deleted and recoverable for a limited window before permanent removal, and residual copies in encrypted backups are deleted on our standard backup cycle. We may retain data where Data Protection Law requires.

12 Audits and information

12.1

We will make available the information reasonably necessary to demonstrate our compliance with this DPA, including the documentation referenced in Appendix 2 and any audit reports or certifications we hold from time to time.

12.2

Where Data Protection Law gives the Customer a right to audit, the Customer may audit our compliance no more than once per year (and as a supervisory authority requires) on reasonable prior notice, during business hours, in a way that does not unreasonably disrupt our operations and subject to confidentiality. Where the requested scope is covered by a current independent audit report or certification, the Customer agrees to accept that report in place of an on-site audit. Each party bears its own costs.

13 Aggregated and de-identified data

We may create aggregated or de-identified data that does not identify the Customer or any individual, and use it to operate, secure, and improve the Services. We maintain such data in de-identified form and do not attempt to re-identify it.

14 Liability

Each party's liability under this DPA and any SCCs is subject to the limitations and exclusions of liability in the Agreement, except where Data Protection Law does not permit those limits to apply, such as the rights of data subjects as third-party beneficiaries under the SCCs.

15 Term and order of precedence

15.1

This DPA takes effect when the Customer accepts the Agreement or this DPA and remains in effect for the Term, after which it expires automatically once all Customer Personal Data has been deleted.

15.2

If there is any conflict, the SCCs prevail over the rest of this DPA, this DPA prevails over the rest of the Agreement, and the Agreement prevails over the Privacy Policy, in each case only on the conflicting point.

15.3

Contact. Questions about this DPA or to request a countersigned copy: privacy@stelaah.com.

Appendix 1

Details of the processing

This Appendix forms part of this DPA and, where the SCCs apply, completes Annex I of the SCCs.

Data exporter / controllerThe Customer that is party to the Agreement, on its own behalf and on behalf of its authorized users.
Data importer / processorThe Stelaah entity providing the Services, a provider of an all-in-one workspace for client work powered by the Aria AI assistant.
Subject matterOur provision of the Services to the Customer under the Agreement and this DPA.
DurationThe Term, plus the period from expiry of the Term until deletion of all Customer Personal Data in line with Section 11.
Nature and purposeHosting, storing, and processing Customer Content to provide the Services — including projects, tasks, CRM, client portals, documents, files, contracts, invoicing, time tracking, scheduling, and the Aria assistant — together with customer support, security, and maintaining and improving the Services.
Frequency of transferContinuous, for the duration of the Agreement.
Categories of data subjects
  • The Customer's owners, team members, and authorized users
  • The Customer's clients, leads, vendors, and contacts
  • Any other individuals whose personal data the Customer or its users choose to store in the workspace
Categories of personal data
  • Identity and contact details (name, email, phone, business address, role)
  • Account and authentication data
  • Client, lead, and vendor records and communications
  • Billing, estimate, and invoice information
  • Usage and log data generated through the Services
  • Any other personal data contained in Customer Content the Customer chooses to upload
Special categoriesNot requested or required by the Services. Such data may be processed only if the Customer or its users choose to include it in Customer Content; the Customer is responsible for ensuring appropriate safeguards before doing so.
SubprocessorsAs listed at stelaah.com/legal/subprocessors, including managed hosting and database infrastructure, file and blob storage, email delivery, payment processing, and AI model providers for Aria.

Appendix 2

Technical and organizational security measures

We implement and maintain at least the following measures. Where the SCCs apply, this Appendix serves as Annex II. We may update these measures provided the overall level of security is not materially reduced. More detail is in our security overview.

MeasureHow Stelaah implements it
EncryptionCustomer Personal Data is encrypted in transit over TLS and encrypted at rest in our managed Postgres database and object storage. Application secrets and third-party keys are held server-side and never exposed to the browser.
Tenant isolation & access controlRow-level security on every table, scoped by workspace, on a default-deny basis. Access additionally follows each user's plan, workspace, and membership. One workspace can never query another's data.
Identity & authorizationAuthenticated sign-in, per-member roles and permissions, and workspace-scoped sessions. Administrative actions resolve to an identified user.
Confidentiality, integrity & resilienceManaged Postgres with replication and realtime change capture; transactional, all-or-nothing writes; optimistic local-first updates reconciled with the server to avoid half-written state.
Availability & recoveryAutomated backups with point-in-time recovery operated by our infrastructure provider. User data is soft-deleted and recoverable before permanent removal, with restore points.
Protection during storage & transmissionEncryption at rest and in transit; content-addressed blob storage with workspace-scoped storage policies mirroring the database row-level security.
Logging & auditabilityState changes are recorded with actor, timestamp, and before/after values in tenant-scoped, append-only audit logs.
Secure development & change managementA documented implementation protocol and security gate are applied before changes ship; schema and migrations are idempotent and version-controlled; dependencies are reviewed.
Physical securityHosting and data-center physical security are delegated to our infrastructure provider's certified facilities.
Data minimization, quality & retentionWe collect only what the Services require; retention and deletion practices are described in this DPA and the Privacy Policy.
Portability & erasureCustomers can export their data at any time and delete it, with deletions becoming permanent after the recovery window.
Subprocessor measuresSubprocessors are bound by written terms no less protective than this DPA, must report security incidents to us, and must act only on our instructions.

Appendix 3

Cross-border transfer mechanisms

1

EU Standard Contractual Clauses. The SCCs approved by the European Commission in decision 2021/914 apply to transfers of Customer Personal Data from the EEA to a country without an adequacy decision, and are incorporated by reference and completed as follows:

  • Module Two (controller to processor) applies where the Customer is a controller; Module Three (processor to processor) applies where the Customer is a processor.
  • In Clause 7, the docking clause does not apply.
  • In Clause 9, Option 2 (general written authorization) applies, with the notice period in Section 7.3 of this DPA.
  • In Clause 11, the optional independent dispute-resolution language does not apply.
  • In Clause 17, the SCCs are governed by the law of the EU member state designated in the Agreement, defaulting to the Republic of Ireland; in Clause 18(b), disputes are resolved before the courts of that member state.
  • Annex I is completed by Appendix 1; Annex II is completed by Appendix 2. The competent supervisory authority is the lead authority determined under Clause 13.
2

UK transfers. The UK International Data Transfer Addendum (IDTA) to the EU SCCs, issued by the UK Information Commissioner, applies to transfers subject to the UK GDPR, appended to and completing the EU SCCs above.

3

Swiss transfers. For transfers subject to the Swiss FADP, the EU SCCs apply with the following adaptations: references to the GDPR are read as references to the FADP; the Swiss Federal Data Protection and Information Commissioner is the competent authority for FADP-only transfers; the SCCs are governed by Swiss law and disputes resolved in the Swiss courts where the transfer is governed solely by the FADP; and the SCCs also protect the data of legal entities until the revised FADP applies.

4

Conflict. If there is any conflict between the SCCs and the rest of this DPA, the Agreement, or the Privacy Policy, the SCCs prevail to the extent of the conflict.

Looking for something else? See the Subprocessors list, Privacy Policy, or security overview.

Back to top