Data Processing Agreement (DPA)
Last Updated: January 5, 2025
Effective Date: January 5, 2025
GDPR & UK GDPR Compliant: This Data Processing Agreement governs how Stampier processes personal data on behalf of our business customers. It incorporates the 2021 EU Standard Contractual Clauses (SCCs) and UK International Data Transfer Addendum (IDTA) to ensure lawful international data transfers.
Important: This DPA forms part of our Terms and Conditions. By using Stampier to process customer personal data, you automatically agree to this DPA.
1 Agreement Overview
1.1 Parties to this Agreement:
- "Data Controller" or "Customer" - You, the business using Stampier's services to manage customer loyalty programs
- "Data Processor" or "Stampier" - Terrene Tech (Stampier), providing the loyalty platform services
1.2 Purpose and Scope:
This DPA governs Stampier's processing of personal data on behalf of the Customer in connection with the Stampier loyalty platform services ("Services"). This DPA applies when the Customer uses Stampier to process personal data of end customers participating in loyalty programs.
1.3 Data Processing Relationship:
- The Customer acts as the Data Controller - determining the purposes and means of processing end customer data
- Stampier acts as the Data Processor - processing data only on documented instructions from the Customer
- This DPA incorporates GDPR Article 28 requirements and EU Standard Contractual Clauses
1.4 Data Storage Location:
EU Data Residency: All personal data processed through Stampier is stored in Helsinki, Finland (European Union). This ensures compliance with GDPR data localization preferences and provides adequate protection for EU/EEA personal data.
2 Data Processing Instructions
2.1 Nature and Purpose of Processing:
| Aspect | Description |
|---|---|
| Subject Matter | Provision of loyalty program management and customer engagement services |
| Duration | For the term of the Customer's subscription to Stampier Services |
| Nature of Processing | Collection, recording, organization, storage, retrieval, use, disclosure, erasure |
| Purpose | To enable Customer to operate loyalty programs, track customer participation, manage rewards, and analyze program performance |
| Categories of Data Subjects | End customers of the Customer's business who participate in loyalty programs |
2.2 Types of Personal Data Processed:
- Identity Data: Name, email address, phone number (if provided)
- Loyalty Program Data: Stamp collection records, reward redemptions, enrollment dates
- Transaction Data: QR code scans, visit timestamps, program activity
- Technical Data: Device information, IP address (for security purposes only)
- Note: Stampier does NOT process payment card data - all payments are handled by our sub-processor (Stripe)
2.3 Processing Instructions:
Stampier shall process personal data only on documented instructions from the Customer, including:
- Instructions provided through the Stampier platform interface
- These Terms and Conditions and this DPA
- Written instructions sent to legal@stampier.co
Stampier will inform Customer if, in its opinion, an instruction violates GDPR or other EU/Member State data protection laws.
3 Technical and Organizational Security Measures
3.1 Security Obligations (GDPR Article 32):
Stampier implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Technical Measures
- Encryption: TLS 1.3 for data in transit, AES-256 for data at rest
- Access Controls: Role-based access control (RBAC), multi-factor authentication
- Network Security: Firewalls, intrusion detection, DDoS protection
- Secure Hosting: EU-based infrastructure (Helsinki, Finland)
- Data Isolation: Multi-tenant architecture with database-level separation
- Logging & Monitoring: Security event logging, anomaly detection
Organizational Measures
- Staff Training: Data protection training for all personnel
- Confidentiality: All staff bound by confidentiality obligations
- Access Management: Principle of least privilege, regular access reviews
- Incident Response: Documented breach response procedures
- Business Continuity: Regular backups, disaster recovery plan
- Vendor Management: Due diligence on all sub-processors
3.2 Data Retention and Deletion:
- Active data retained for duration of Customer subscription
- Upon subscription termination: data retained for 90 days for potential reactivation
- After 90 days: secure deletion of all personal data unless legal retention required
- Customer may request immediate deletion by contacting privacy@stampier.co
- Deletion method: Secure overwrite using industry-standard protocols
3.3 Testing and Certification:
- Regular security vulnerability assessments
- Penetration testing (annually or after major changes)
- Compliance certifications: ISO 27001, SOC 2 Type II (in progress)
4 Sub-Processors
4.1 Authorized Sub-Processors:
The Customer authorizes Stampier to engage the following sub-processors to assist in providing the Services:
| Sub-Processor | Service Provided | Data Location | Safeguards |
|---|---|---|---|
| Stripe, Inc. | Payment processing | EU (Ireland), USA | PCI-DSS certified, EU SCCs, Privacy Shield successor framework |
| Cloud Hosting Provider | Infrastructure & data storage | Helsinki, Finland (EU) | ISO 27001, SOC 2 Type II, GDPR-compliant DPA |
| Email Service Provider | Transactional emails (notifications) | EU/USA (configurable) | GDPR-compliant DPA, encryption in transit |
4.2 Sub-Processor Obligations:
- Stampier imposes data protection obligations on sub-processors equivalent to those in this DPA
- All sub-processors are contractually bound to comply with GDPR and this DPA
- Stampier remains fully liable to Customer for sub-processor performance
4.3 Changes to Sub-Processors:
Notice of Changes: Stampier will notify Customer at least 30 days in advance before adding or replacing any sub-processor. Notifications will be sent to the Customer's registered email address. Customer may object to the new sub-processor within 14 days if it has reasonable grounds related to data protection compliance.
To receive sub-processor change notifications, subscribe at: legal@stampier.co
5 Data Subject Rights Assistance
5.1 Customer Responsibility:
As the Data Controller, Customer is responsible for responding to data subject requests. Stampier will provide reasonable assistance to help Customer fulfill its obligations under GDPR Articles 12-23.
5.2 Stampier Assistance:
Stampier will assist Customer in fulfilling the following data subject rights:
| Data Subject Right | Stampier Assistance |
|---|---|
| Right of Access (Art. 15) | Stampier will provide data exports within 48 hours of Customer request |
| Right to Rectification (Art. 16) | Customer can update data through the platform or request Stampier assistance |
| Right to Erasure (Art. 17) | Stampier will delete data within 30 days unless legal retention applies |
| Right to Restriction (Art. 18) | Stampier will restrict processing upon Customer instruction |
| Right to Data Portability (Art. 20) | Stampier provides data in machine-readable format (JSON/CSV) |
| Right to Object (Art. 21) | Customer must handle objections; Stampier assists with data cessation |
5.3 Request Process:
- Customer forwards data subject requests to dpo@stampier.co
- Stampier responds within 48 hours with requested assistance
- Stampier may charge reasonable fees for excessive or repetitive requests
6 Personal Data Breach Notification
6.1 Breach Notification Obligation (GDPR Article 33):
Stampier shall notify Customer without undue delay and in any event within 24 hours after becoming aware of a personal data breach affecting Customer's data.
6.2 Breach Notification Content:
Stampier's breach notification will include (to the extent known):
- Nature of the breach (type of data, number of data subjects affected)
- Name and contact details of Stampier's Data Protection Officer
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Recommended actions for Customer to take
6.3 72-Hour Supervisory Authority Notification:
Customer Responsibility: As Data Controller, Customer must notify the relevant supervisory authority within 72 hours of becoming aware of a breach, unless the breach is unlikely to result in a risk to data subjects' rights and freedoms.
Stampier will provide all necessary information and assistance to enable Customer to meet this 72-hour deadline.
6.4 Data Subject Notification:
If a breach is likely to result in a high risk to data subjects' rights and freedoms, Customer must notify affected data subjects without undue delay. Stampier will assist by providing:
- List of affected data subjects (if identifiable)
- Template notification text
- Technical details for data subject communications
6.5 Breach Response Procedure:
- Detection - Stampier security systems detect potential breach
- Assessment - Within 4 hours: Determine scope, severity, affected data
- Containment - Within 8 hours: Stop breach, secure systems
- Customer Notification - Within 24 hours: Email/phone notification to Customer
- Investigation - Within 72 hours: Root cause analysis, full report
- Remediation - Implement fixes, update security measures
- Documentation - Maintain breach records for regulatory compliance
6.6 Emergency Contact:
For breach notifications and security incidents:
- Email: security@stampier.co (monitored 24/7)
- Phone: +91-XXXX-XXXXXX (emergency hotline - to be established)
- DPO: dpo@stampier.co
7 International Data Transfers
7.1 Primary Data Location:
EU Data Residency: All primary data storage and processing occurs in Helsinki, Finland (European Union). This provides adequate protection for EU/EEA personal data under GDPR without requiring additional safeguards.
7.2 Limited Third-Country Transfers:
Some sub-processors may transfer data outside the EU/EEA (e.g., Stripe to USA for payment processing). For such transfers, Stampier implements the following safeguards:
Standard Contractual Clauses (2021 EU SCCs)
Stampier incorporates the 2021 EU Commission Standard Contractual Clauses for transfers of personal data to third countries.
- Module Applied: Module 2 (Controller to Processor)
- Governing Law: Law of the EU Member State where the Customer (Data Controller) is established
- Competent Courts: Courts of the EU Member State where Customer is established
- Optional Clauses:
- Clause 7 (Docking clause): Selected - Third parties may join this agreement
- Clause 11 (Redress): Data subjects have third-party beneficiary rights
- Clause 17 (Governing law): EU Member State law where Customer is established
Full SCCs Text: The complete 2021 EU Standard Contractual Clauses are available at: EU Commission Website
UK International Data Transfer Addendum (IDTA)
For UK-based Customers, Stampier incorporates the UK Information Commissioner's Office (ICO) International Data Transfer Addendum to the EU SCCs.
- Addendum Applied: UK IDTA version B1.0 (March 2022)
- Mandatory Clauses: Tables 1-4 completed as follows:
- Table 1: Parties - Customer (Exporter) and Stampier (Importer)
- Table 2: Data transfers described in Section 2 of this DPA
- Table 3: Annex III - List of Sub-Processors (Section 4 of this DPA)
- Table 4: Security measures detailed in Section 3 of this DPA
- Governing Law: Laws of England and Wales (or Scotland/Northern Ireland if Customer prefers)
Full UK IDTA: Available at: UK ICO Website
7.3 Transfer Impact Assessment:
Stampier has conducted a Transfer Impact Assessment (TIA) for all third-country transfers as required by GDPR and Schrems II case law. Key findings:
- Primary data remains in EU (Finland) - no systematic third-country transfers
- Limited transfers to USA (Stripe) protected by contractual and technical safeguards
- No government access requests received to date
- Encryption and access controls prevent unauthorized access by foreign authorities
7.4 Adequacy Decisions:
Where Stampier transfers data to countries with an EU adequacy decision, no additional safeguards are required. As of the effective date, no sub-processors are located in adequacy countries beyond the EU/EEA.
8 Audit and Compliance
8.1 Audit Rights (GDPR Article 28(3)(h)):
Customer has the right to audit Stampier's compliance with this DPA and GDPR. Stampier offers the following audit options:
📋 Standard Compliance Reports
Stampier provides annual compliance certifications:
- SOC 2 Type II report (in progress)
- ISO 27001 certificate (planned)
- GDPR compliance attestation
Cost: Free (available on request)
🔍 On-Site/Remote Audits
Customer may conduct its own audit:
- 30 days advance notice required
- Maximum once per year (unless breach occurs)
- During business hours (9 AM - 5 PM CET)
- Customer bears all audit costs
Cost: Customer-funded
8.2 Audit Process:
- Customer submits audit request to legal@stampier.co
- Parties agree on audit scope, timing, and confidentiality terms
- Customer (or appointed auditor) conducts audit remotely or on-site
- Stampier provides reasonable assistance and access to relevant records
- Audit findings shared with both parties; remediation plan agreed if needed
8.3 Audit Limitations:
- Audits must not disrupt Stampier's normal business operations
- Access to confidential/proprietary information subject to NDA
- Audits limited to data processing relevant to Customer's data only
- Third-party auditors must be approved by Stampier (approval not unreasonably withheld)
8.4 Compliance Documentation:
Stampier maintains records of processing activities as required by GDPR Article 30, including:
- Categories of processing activities
- Categories of data subjects and personal data
- Transfers to third countries and safeguards
- Technical and organizational security measures
- Data breach incident logs
9 Liability and Indemnification
9.1 Liability for GDPR Violations (Article 82):
Each party shall be liable for damages caused by its own violations of GDPR. Specifically:
- Customer Liability: Customer is liable for violations of its obligations as Data Controller (e.g., unlawful processing instructions, failure to respond to data subject requests)
- Stampier Liability: Stampier is liable for violations of its obligations as Data Processor (e.g., unauthorized processing, failure to implement security measures, unauthorized sub-processor engagement)
- Joint Liability: If both parties contributed to the same damage, they are jointly and severally liable, with the right to claim back from the other party the portion corresponding to their responsibility
9.2 Limitation of Liability:
Cap on Damages: Except for liability that cannot be limited under GDPR (e.g., fines imposed by supervisory authorities), Stampier's total liability under this DPA shall not exceed the greater of €100,000 or 12 months of fees paid by Customer.
9.3 Indemnification:
- By Stampier: Stampier will indemnify Customer against third-party claims arising from Stampier's breach of this DPA or GDPR obligations as Data Processor
- By Customer: Customer will indemnify Stampier against third-party claims arising from Customer's unlawful processing instructions or violations of GDPR as Data Controller
9.4 Regulatory Fines:
Each party is responsible for GDPR fines imposed by supervisory authorities due to its own violations. If a fine is imposed jointly, liability will be apportioned based on fault.
10 Term and Termination
10.1 Term:
This DPA enters into force on the date Customer first uses Stampier Services to process personal data and remains in effect for the duration of the Services.
10.2 Effect of Service Termination:
Upon termination or expiration of the Services, Stampier shall (at Customer's choice):
Option 1: Return Data
- Export all personal data in machine-readable format (JSON/CSV)
- Provide data within 30 days of termination
- Data includes all processed information and metadata
- Customer may request specific format or structure
Option 2: Delete Data
- Securely delete all personal data
- Deletion completed within 90 days
- Provide written certification of deletion
- Backups deleted in normal rotation (max 180 days)
10.3 Legal Retention:
Stampier may retain personal data to the extent required by applicable law (e.g., tax records, dispute resolution). Such retained data:
- Will be held securely and confidentially
- Will only be processed to the extent required by law
- Will be deleted when retention obligation expires
10.4 Survival:
The following provisions survive termination: Confidentiality (Section 3), Liability (Section 9), Audit rights (for 2 years post-termination), and any provisions required for legal compliance.
11 General Provisions
11.1 Relationship to Terms and Conditions:
This DPA is incorporated into and forms part of the Stampier Terms and Conditions. In case of conflict between this DPA and the Terms, this DPA prevails with respect to data protection matters.
11.2 Amendments:
Stampier may update this DPA to reflect changes in law or regulatory guidance. Material changes will be notified to Customer at least 30 days in advance. Continued use of Services after the effective date constitutes acceptance.
11.3 Severability:
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force and effect. Invalid provisions will be replaced with valid provisions achieving the same economic purpose.
11.4 Governing Law and Jurisdiction:
- EU Customers: Law of EU Member State where Customer is established; courts of that Member State have jurisdiction
- UK Customers: Laws of England and Wales (or Scotland/Northern Ireland); UK courts have jurisdiction
- Other Customers: Indian law governs; courts of Sambhal, Uttar Pradesh, India have jurisdiction
11.5 Order of Precedence:
In case of conflict, the following order applies:
- EU Standard Contractual Clauses / UK IDTA (for international transfers)
- This Data Processing Agreement
- Stampier Terms and Conditions
- Stampier Privacy Notice
11.6 Language:
This DPA is executed in English. If translated, the English version prevails in case of discrepancies.
11.7 Entire Agreement:
This DPA, together with the Terms and Conditions, constitutes the entire agreement between the parties regarding data processing and supersedes all prior agreements on this subject.
DPA Questions & Contact
For questions about this Data Processing Agreement, data protection compliance, or to exercise your audit rights:
Terrene Tech (Stampier)
Data Protection Officer
Behjoi Road, Hayatnagar
Sambhal, Uttar Pradesh 244302
India
DPA Questions: legal@stampier.co
Data Protection: dpo@stampier.co
Security Incidents: security@stampier.co
Privacy Matters: privacy@stampier.co
We aim to respond to all DPA-related inquiries within 48 hours. For urgent security matters, please mark your subject line as "URGENT".
Acknowledgment of Data Processing Agreement
By using Stampier Services to process customer personal data, you acknowledge that you have read, understood, and agree to be bound by this Data Processing Agreement, including the incorporated EU Standard Contractual Clauses and UK International Data Transfer Addendum. You confirm that:
- You act as Data Controller and Stampier acts as Data Processor
- You authorize the listed sub-processors and will be notified of changes
- You understand your obligations to respond to data subject requests
- You acknowledge the 72-hour breach notification requirements
- You accept the liability and indemnification provisions
If you do not agree to this DPA, you must not use Stampier Services to process personal data.
Questions About Data Protection?
Our Data Protection Officer is here to help with GDPR compliance, data processing questions, and security concerns.