Data processing addendum (DPA)
This DPA forms part of the agreement between Stafff (the Processor) and the Customer (the Controller) for the processing of personal data. It applies when a Customer's use of Stafff involves personal data of EU, UK, or Swiss data subjects.
Draft for the pre-launch period. The published version (signed off by counsel) will replace this before the first paying customer is onboarded. If you need a signed DPA or BAA today, email adminstafffai@gmail.com.
1. Roles
For data the Customer brings to Stafff (knowledge sources, conversation history, end-user details), the Customer is the Controller and Stafff is the Processor. For Customer account data (Customer's own employees), Stafff acts as a separate Controller for limited account-administration purposes.
2. Scope of processing
Stafff processes personal data only on the documented instructions of the Customer (as expressed via configuration in the Stafff dashboard), except where required by law.
3. Sub-processors
The Customer authorises Stafff to engage the sub-processors listed in our Privacy policy. We will provide 30 days' advance notice (via email or dashboard banner) of any new sub-processor and offer the Customer the right to object.
4. Security
Stafff implements appropriate technical and organisational measures, including encryption in transit (TLS 1.2+) and at rest, row-level security for tenant isolation, secret encryption (pgsodium), least-privilege access, and audit logging.
5. International transfers
EU/UK personal data is stored and processed in EU regions by default. Where international transfer is required (e.g., to a US-based LLM sub-processor), the Standard Contractual Clauses (SCCs) apply, supplemented by the transfer impact assessments published with the relevant sub-processor.
6. Data subject requests
Stafff provides Customer-side tooling to export, rectify, and delete personal data. We will assist the Customer with data-subject requests within a reasonable timeframe.
7. Audits
On reasonable request and no more than once per year, the Customer may audit Stafff's compliance with this DPA, subject to confidentiality and reasonable cooperation. SOC 2 / penetration test reports satisfy the audit right when available.
8. Breach notification
Stafff will notify the Customer without undue delay (and in any event within 72 hours of awareness) of any personal data breach affecting Customer data, with the information required to fulfil GDPR Article 33 notifications.
9. Return and deletion
On termination, Stafff will delete or return Customer personal data within 30 days, except where storage is required by law.
10. Signature
For a counter-signed DPA, email adminstafffai@gmail.com with your entity name and we'll issue a signed copy in PDF.
Questions? Email adminstafffai@gmail.com.