Effective: June 1, 2026

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between Quackstack, Inc. ("Processor") and the customer ("Controller") for the use of Quackstack's services.

1. Definitions

Terms used here have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR").

2. Subject matter and duration

Processor will process Personal Data on behalf of Controller for the duration of the underlying agreement and as needed to provide the services.

3. Nature and purpose

Processing is limited to providing AI-assisted debugging services, including session storage, analytics, billing, and customer support.

4. Sub-processors

Processor uses the following sub-processors. A current list is maintained at /legal/dpa:

• Amazon Web Services (US, EU) — infrastructure
• Stripe (US) — payment processing
• Postmark (US) — transactional email
• Anthropic / OpenAI (US) — model inference (optional, BYO model available)

5. Security measures

Processor maintains a written information security program including encryption (TLS in transit, AES-256 at rest), access controls, vulnerability management, and SOC 2 Type II auditing.

6. International transfers

For transfers of Personal Data outside the EEA/UK, Processor relies on the Standard Contractual Clauses (2021/914).

7. Data subject requests

Processor will assist Controller in responding to data subject requests within reasonable timelines.

8. Audit rights

Controller may request Processor's most recent SOC 2 report no more than once per 12-month period.

9. Deletion

Upon termination, Processor will delete or return Personal Data within 30 days unless otherwise required by law.

10. Contact

Data Protection Officer: [email protected]