Data Processing Agreement (DPA)
Last updated: June 7, 2026 · Effective: June 7, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the customer ("Controller", "you") and stndp, operated by an individual developer based in Israel ("Processor", "we"), and applies where we process personal data on your behalf in connection with the Service. To execute a countersigned copy, contact support@stndp.io.
1. Roles & scope
For data you and your team submit through the Service (for example, entries, decisions, checkpoints, and team-member details), you act as the Controller and we act as the Processor under the GDPR/UK GDPR and equivalent laws. This DPA governs that processing. Where you are yourself a processor for your end users, we act as a sub-processor and these terms apply accordingly.
2. Processing details (Article 28(3))
- Subject matter — provision of the stndp context management platform.
- Duration — the term of your subscription, plus deletion periods below.
- Nature & purpose — hosting, storing, transmitting, and displaying your content so your team and its AI agents can record and read shared context.
- Types of personal data — names and handles, email addresses, and the contents of entries, decisions, checkpoints, episodes, and bugs; technical data such as IP addresses and usage metrics; and, where a user opts in, redacted shell history, AI-session records, and Git branch/commit metadata captured through optional, off-by-default capture sources.
- Categories of data subjects — your team members and other authorized users of your account.
3. Our obligations
- Documented instructions. We process personal data only on your documented instructions, including this DPA and your use of the Service, unless required by law (in which case we will inform you where permitted).
- Confidentiality. Persons authorized to process the data are bound by confidentiality.
- Security. We implement appropriate technical and organizational measures under Article 32 (see Annex 2 and our Security page).
- Assistance. Taking into account the nature of processing, we assist you in responding to data-subject requests and in meeting your obligations under Articles 32–36 (security, breach notification, and impact assessments).
- Breach notification. We notify you without undue delay after becoming aware of a personal data breach affecting your data.
- Deletion or return. On termination, we delete or return your personal data as described in Section 6, save where storage is required by law.
- Audits. We make available information necessary to demonstrate compliance and allow for reasonable audits, which may be satisfied through documentation and responses to security questionnaires.
4. Sub-processors
You provide general authorization for us to engage the sub-processors listed in Annex 1 (Sub-processors). We impose data-protection obligations on each sub-processor that are no less protective than this DPA and remain responsible for their performance. We will give advance notice of any new or replacement sub-processor and a reasonable opportunity to object on legitimate grounds.
5. International transfers
Application data is hosted in the United States. Where personal data is transferred across borders, we rely on an appropriate transfer mechanism (such as an adequacy decision or Standard Contractual Clauses), as described in our Privacy Policy.
6. Retention & deletion
You can export your data at any time (stn export) and delete your account and data from your dashboard. On termination or request, we delete your personal data, except for residual copies in routine backups, which are removed on our standard backup cycle.
7. Liability & precedence
Each party's liability under this DPA is subject to the limitations in the Terms of Service. If there is a conflict between this DPA and the Terms regarding the processing of personal data, this DPA prevails.
Annex 1 — Sub-processors
The current list of sub-processors, with purpose and location, is maintained at stndp.io/trust/subprocessors. New or replacement sub-processors are announced with reasonable advance notice as set out in Section 4, and you may object on legitimate grounds.
Annex 2 — Technical & organizational measures
Our security measures — encryption in transit and at rest, secrets management, authentication, access controls, and application hardening — are described on our Security page and form part of this DPA.
How to execute this DPA
To put a countersigned DPA in place for your organization, contact support@stndp.io. This document is a template provided for transparency and should be reviewed by your legal team for your specific requirements.