Data Processing Agreement
Effective May 24, 2026 · See also our Privacy Policy and Terms of Service.
This Data Processing Agreement ("DPA") is entered into between Ustack AI Inc. ("Processor", "we", "us") and the entity or individual ("Controller", "you") that accesses or uses the Outbound by Ustack platform ("Service"). This DPA is incorporated into and forms part of the Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA governs with respect to data protection matters.
1. Definitions
- "Personal Data" — any information relating to an identified or identifiable natural person, as defined in applicable data protection law, including the EU General Data Protection Regulation (GDPR) and the UK GDPR.
- "Processing" — any operation performed on Personal Data, whether or not by automated means.
- "Controller" — the entity that determines the purposes and means of processing Personal Data (you, the customer).
- "Processor" — the entity that processes Personal Data on behalf of the Controller (Ustack AI Inc.).
- "Sub-processor" — any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" — an identified or identifiable natural person whose Personal Data is processed.
- "Supervisory Authority" — a competent data protection authority under applicable law.
2. Roles and scope
With respect to Personal Data that you upload, import, or generate through the Service (contact lists, prospect information, email content, and reply data), you are the Controller and Ustack AI Inc. is the Processor. We process that Personal Data only on your documented instructions and in accordance with this DPA.
Personal Data we collect directly from you as part of account registration and billing (your name, email address, payment information) is processed by us as an independent Controller, governed by our Privacy Policy.
3. Processor obligations (GDPR Art. 28)
As Processor, Ustack AI Inc. agrees to:
- Process Personal Data only on your documented instructions, including with regard to transfers of Personal Data to a third country or an international organization, unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational security measures as required by GDPR Article 32 (see section 7 of this DPA and our Security page).
- Respect the conditions for engaging Sub-processors set out in section 5 of this DPA.
- Assist you, insofar as possible, in fulfilling your obligations to respond to Data Subject requests (section 6).
- Assist you in ensuring compliance with GDPR Articles 32–36 (security, breach notification, DPIA, prior consultation).
- At your choice, delete or return all Personal Data upon termination of the Service and delete existing copies unless applicable law requires otherwise.
- Make available to you all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.
4. Instructions and purpose limitation
Your primary documented instructions are the actions you take through the Service — uploading contact lists, triggering draft generation, approving and sending emails, and reviewing replies. We will not process Personal Data for any other purpose unless required by applicable EU or Member State law.
If we believe an instruction infringes GDPR or other applicable data protection law, we will promptly inform you and will not be required to follow that instruction.
4.1 Subject matter and duration
Subject matter: AI-assisted sales outreach — researching prospects, generating personalized email drafts, sending email through your connected mailbox, and ingesting replies. Duration: for as long as your organization is active on the Service, plus any retention periods described in our Privacy Policy.
4.2 Nature of processing
Storage, retrieval, structuring, use (AI inference), disclosure by transmission (email send), combination (prospect research + seller context), and erasure of Personal Data.
4.3 Types of Personal Data
Contact information (name, email, company, job title, LinkedIn URL, phone) and contextual data (company news, pain points, research extracts). For email mailbox integrations: message headers and body text of replies to Outbound-sent messages.
4.4 Categories of Data Subjects
Prospects and leads in your contact lists (third parties). Your organization's sales representatives (your employees/contractors who use the Service).
5. Sub-processors
You provide general authorization for us to engage the Sub-processors listed below. We will notify you of any intended changes (additions or replacements) at least 30 days in advance by email or in-app notification, giving you the opportunity to object on legitimate grounds.
| Sub-processor | Location | Purpose |
|---|---|---|
| Vercel Inc. | USA | Application hosting and edge delivery |
| Managed Postgres (db.mvpbuilt.com) | USA | Primary database storage |
| OpenAI, L.L.C. | USA | AI model inference for draft generation and research extraction |
| Anthropic PBC | USA | AI model inference (alternate tier) |
| Resend Inc. | USA | Transactional email delivery |
| Keiro / Serper / Tavily | USA / international | Web search for prospect research |
| Stripe Inc. | USA / Ireland | Subscription billing and payment processing |
Each Sub-processor is bound by contractual obligations at least as protective as those in this DPA.
6. Data Subject rights
We will provide you with reasonable assistance to fulfill your obligations to respond to Data Subject requests. If a Data Subject contacts us directly to exercise rights (access, rectification, erasure, restriction, portability, or objection), we will promptly redirect that request to you unless we are required by law to respond directly.
To submit a Data Subject rights request, email privacy@ustack.ai. We respond within 30 days.
7. Security measures
We implement and maintain appropriate technical and organizational measures to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access. Current measures include those described on our Security page. Key controls:
- TLS 1.2+ encryption for all data in transit
- Encryption at rest for OAuth credentials and provider API keys
- Role-based access control with audit logging
- Multi-tenant isolation enforced at the database query layer
- Suppression list enforcement to prevent re-contacting opted-out Data Subjects
- Access to production systems restricted to authorized personnel only
8. Personal data breach notification
In the event of a Personal Data breach, we will notify you without undue delay and in any case within 72 hours of becoming aware of it. The notification will include:
- A description of the nature of the breach
- The categories and approximate number of Data Subjects and records concerned
- The likely consequences of the breach
- Measures taken or proposed to address the breach
Breach notifications go to the email address on file for your organization's Owner. We will assist you in notifying the relevant Supervisory Authority and affected Data Subjects where required.
9. International transfers
Our primary infrastructure is in the United States. When Personal Data originating in the EEA, UK, or Switzerland is transferred to us or our Sub-processors in the US, the transfer is governed by Standard Contractual Clauses (SCCs) as adopted by the European Commission (Commission Decision 2021/914 for Controller-to-Processor transfers under Module 2). By entering into this DPA you are entering into those SCCs.
For UK residents, we rely on the UK International Data Transfer Agreement (IDTA) as the transfer mechanism. Copies of applicable SCCs or IDTA are available on request at privacy@ustack.ai.
10. Audit rights
You may, upon reasonable prior written notice (not less than 30 days) and no more than once per calendar year, request an audit of our data processing activities related to this DPA. We may fulfill such requests by providing a current SOC 2 Type II report or equivalent third-party audit report, or by responding to a written security questionnaire. On-site audits are available for Enterprise customers per a separately negotiated agreement.
11. Term and termination
This DPA is effective for the duration of your use of the Service and terminates automatically when you close your account. Upon termination, at your written request we will delete or return all Personal Data (other than data we are required to retain by law) within 30 days.
12. Governing law
This DPA is governed by the laws of the State of Delaware, USA, consistent with the Terms of Service, except to the extent that applicable data protection law requires otherwise.
13. Contact
For DPA-related inquiries, Data Subject rights requests, or to request a signed copy of this DPA:
Ustack AI Inc.
Data Protection: privacy@ustack.ai
Legal: legal@ustack.ai