Legal · Last updated 3 July 2026
Data Processing Agreement
Between the Customer (Controller) and Stockisto AS (Processor), under Article 28 of the GDPR. For a countersigned copy, contact privacy@stockisto.com.
This Data Processing Agreement (DPA) forms part of the Terms of Service between you (the Customer, acting as controller) and Stockisto (acting as processor) and applies wherever Stockisto processes personal data on your behalf. It sets out how we process that data, the security measures we apply, the sub-processors we use, and how we support your obligations under the GDPR.
1. Roles & scope
You are the controller of the personal data you upload to, or generate through, the platform. Stockisto is the processor and processes that personal data only to provide the service. This DPA governs that relationship; where it conflicts with the rest of the Terms on the subject of data protection, this DPA prevails.
2. Processing on documented instructions
We process personal data only on your documented instructions, including as to international transfers, unless required to act otherwise by EU or member-state law (in which case we will inform you, unless the law prohibits it). Your use of the platform's features, together with the Terms and this DPA, constitutes your documented instructions. We will inform you if, in our opinion, an instruction infringes the GDPR.
3. Confidentiality
We ensure that persons authorised to process the personal data are bound by an appropriate duty of confidentiality and are granted access only on a need-to-know basis.
4. Security of processing (Art 32)
We implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as detailed in Annex 2.
5. Sub-processors
You give general authorisation for us to engage the sub-processors listed in Annex 3. We impose data-protection obligations on each sub-processor no less protective than those in this DPA, and we remain fully liable to you for their performance. We will give at least 30 days' notice of any intended addition or replacement of a sub-processor, and you may object on reasonable data-protection grounds.
6. Assisting with data-subject rights
Taking into account the nature of the processing, we assist you by appropriate technical and organisational measures, insofar as possible, to respond to data-subject requests under Chapter III of the GDPR (access, rectification, erasure, restriction, portability and objection). The platform provides self-service data export (Art 20) and a deletion request flow (Art 17), and our support team assists where a request cannot be met through those self-service tools. If a data subject contacts us directly about your data, we refer them to you.
7. Assisting with your Art 32–36 obligations
We assist you in ensuring compliance with your obligations regarding security of processing, personal-data-breach notification, data-protection impact assessments and prior consultation (Arts 32–36), taking into account the nature of the processing and the information available to us.
8. Personal data breach notification
We notify you without undue delay after becoming aware of a personal data breach affecting your data, with the information you reasonably need to meet your own notification duties under Arts 33–34. Report a suspected incident to security@stockisto.com.
9. Return & deletion of data (Art 28(3)(g))
At the end of the provision of services, at your choice, we delete or return the personal data and delete existing copies, unless EU or member-state law requires storage. You can export your data at any time via the in-product export; after account closure, data is deleted subject to the retention periods in the Privacy Policy (including a short backup-ageing window).
10. Audits (Art 28(3)(h))
We make available the information necessary to demonstrate compliance with Art 28 and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. In the first instance we satisfy audit requests by providing our security documentation and answering security questionnaires; on-site inspections may be arranged on reasonable notice, subject to confidentiality and without compromising other customers' security.
11. International transfers
Primary processing takes place in the EU. Where a sub-processor in Annex 3 processes personal data outside the EEA, the transfer is made under the European Commission's Standard Contractual Clauses and, where applicable, the EU–US Data Privacy Framework, together with any supplementary measures required.
12. Liability, term & governing law
This DPA takes effect when you accept the Terms and continues for as long as we process personal data on your behalf. Liability under this DPA is subject to the limitations of liability in the Terms. This DPA is governed by Swedish law.
Annex 1 — Details of the processing
- Subject-matter & duration: processing personal data to provide the Stockisto retailer-discovery platform, for the term of the agreement.
- Nature & purpose: hosting, storage, retrieval, structuring, analysis and transmission of data to operate the Locator, Widget, admin apps, Installer Portal and related communications.
- Categories of data subjects: the Customer's account users; retailer business contacts in the Customer's network; installers; and consumers who submit a “reserve & collect” request.
- Categories of personal data: names, work contact details (email, phone), business addresses, roles, authentication identifiers, and consumer reservation details (name, email, phone, free-text notes).
- Special categories: none are required or intended; the platform is not designed to process special-category data (Art 9).
Annex 2 — Technical & organisational measures
- Encryption in transit: all traffic served over TLS 1.2+ with HSTS; TLS terminated at the edge (Azure Front Door) with a managed web application firewall.
- Encryption at rest: the PostgreSQL database and object storage use Azure-managed storage encryption.
- Tenant isolation: enforced in the data layer via global query filters plus an insert-time guard, and continuously regression-tested by a dedicated cross-tenant test suite in CI.
- Access control: role-based access control with scoped roles; every authorisation decision is enforced server-side.
- Authentication: short-lived JWT access tokens with a rotating refresh token held in an HttpOnly, Secure cookie, with refresh-token reuse detection; Google OAuth and single-use magic links.
- Audit logging: privileged tenant actions recorded to an append-first audit log retained for 7 years.
- Secrets management: credentials held in Azure Key Vault; the application fails fast at startup if security-critical configuration is missing.
- Network hardening: restrictive security headers on every response, per-tenant/per-client rate limiting, and automatic abuse blocking.
- Data minimisation in logs: direct identifiers (e.g. email) are kept out of application logs and telemetry; client IPs are not persisted in analytics.
- Backups & resilience: point-in-time backups retained up to 35 days, geo-redundant within the EU, with defined recovery objectives.
- Vulnerability management: dependency scanning and static analysis in CI, and a responsible-disclosure channel at security@stockisto.com.
Annex 3 — Approved sub-processors
| Sub-processor | Purpose | Location | Transfer basis |
|---|---|---|---|
| Microsoft Azure | Cloud hosting and infrastructure — application compute, the PostgreSQL database, object storage, the message bus, monitoring and key management. This is where all primary personal data lives. | EU — Sweden Central | Within the EU — no third-country transfer |
| Microsoft Azure OpenAI Service ★ | Optional AI assistance that drafts supplier-to-retailer outreach text. It processes retailer business-contact data, never consumer reservation data. | EU (within the Azure tenancy) | Within the EU — no third-country transfer |
| Twilio (incl. SendGrid) ★ | Delivery of transactional and lifecycle email via SendGrid — invitations, confirmations and notifications — and of SMS phone-verification codes via Twilio's messaging API, which receives the account user's phone number when they verify it. | USA | SCCs, and the EU–US Data Privacy Framework where the recipient is certified |
| Stripe | Subscription billing and card-payment processing for paying suppliers. Stripe acts as an independent controller for the payment data it collects, under its own terms. | EU / USA | SCCs, and the EU–US Data Privacy Framework where the recipient is certified |
| Google (Google Ireland Ltd) | "Sign in with Google" authentication for account users who choose it. Google acts as an independent controller for the authentication data under its own terms. | EU / USA | SCCs, and the EU–US Data Privacy Framework where the recipient is certified |
| Mapbox | Rendering map tiles in the browser on the consumer Locator, the embeddable Widget and the Installer Portal. Receives the coarse map view and the requesting IP inherent to serving tiles — never reservation contact details. | USA | SCCs, and the EU–US Data Privacy Framework where the recipient is certified |
| OpenStreetMap / Nominatim | Server-side geocoding of retailer business addresses into map coordinates during catalogue import. | EU | Within the EU — business address data only |
★ Engaged only where the corresponding feature (AI drafting / outbound email / SMS phone verification) is enabled and configured for your workspace.