Draft, pending legal review.

This document is a working scaffold and not yet binding. Counsel must review every section before this page goes live or is linked from any sign-up flow.

Data Processing Addendum

Effective 2026-06-01

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (“Customer”, “Controller”) and Productstack, Inc. (“Productstack”, “Processor”) and governs the processing of Customer Personal Data by Productstack in connection with the Service.

In the event of any conflict between this DPA and the Terms of Service, this DPA controls with respect to data protection matters.

1. Definitions

Terms not defined here have the meaning given in the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) or applicable equivalent. “Customer Personal Data” means personal data processed by Productstack on Customer's behalf through the Service.

2. Roles

Customer is the Controller of Customer Personal Data; Productstack acts as Processor. Where Customer acts as a Processor on behalf of another Controller, Productstack acts as a sub-Processor.

3. Scope and instructions

Productstack will process Customer Personal Data only on documented instructions from Customer, including for the provision of the Service, to comply with Customer's configuration, and as required by applicable law. Productstack will inform Customer if it believes an instruction infringes data protection law.

4. Subject matter and duration

The subject matter of processing is the operation of the Service. The duration is the term of the Terms of Service plus any retention period required by law or specified in the Privacy Policy.

5. Nature and purpose

Productstack processes Customer Personal Data to host, transmit, secure, support, and improve the Service, including providing AI suggestions inside the Customer workspace.

6. Categories of data subjects

  • Customer's personnel and invited workspace users.
  • End users who interact with Customer's public pages or embedded widgets.
  • Any other individuals whose personal data Customer chooses to upload to the Service.

7. Categories of personal data

  • Identifiers (name, email, profile data, IP address).
  • Workspace content submitted by Customer or its end users (objectives, cards, ideas, feedback, comments).
  • Usage, log, and device data.

8. Confidentiality

Productstack will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations.

9. Security

Productstack will implement appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage, including encryption in transit, access controls, logging, and regular review of safeguards.

10. Subprocessors

Customer authorizes Productstack to engage subprocessors to provide the Service. A current list is available on request from privacy@productstack.io. Productstack will impose data protection obligations on each subprocessor that are no less protective than those in this DPA and will remain liable for their acts and omissions.

Productstack will notify Customer of any intended addition or replacement of subprocessors with at least 30 days' notice, during which Customer may object on reasonable grounds.

11. International transfers

Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country without an adequacy decision, the parties agree that the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor), are incorporated into this DPA by reference, completed as described in the appendix. Equivalent UK and Swiss addenda apply where relevant.

12. Data subject rights

Productstack will, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures in responding to data subject requests under applicable law.

13. Data breach notification

Productstack will notify Customer without undue delay upon becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to assist Customer in meeting its obligations to notify supervisory authorities and data subjects.

14. Data protection impact assessments

Productstack will provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities.

15. Deletion and return

On termination of the Service, Productstack will delete or return Customer Personal Data within 30 days, except to the extent retention is required by law.

16. Audit

Customer may, no more than once per year and subject to reasonable confidentiality obligations, request information reasonably necessary to demonstrate Productstack's compliance with this DPA, including the most recent third-party security report.

17. Liability

Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions set forth in the Terms of Service.

18. Contact

Privacy and data-protection enquiries can be sent to privacy@productstack.io.