Data Processing Agreement

How StackRadar processes data on your behalf

Last Updated: May 26, 2026

This Data Processing Agreement (the "DPA") forms part of, and is incorporated by reference into, the Terms of Service (the "Agreement") between you ("Customer", "Controller") and SIA StackRadar, registered in Latvia under registration number 40203749357, with registered office at Dzirciema street 121, Riga, Latvia, LV-1055 ("StackRadar", "Processor"). It governs StackRadar's processing of personal data on behalf of the Customer in connection with the Service.

This DPA takes effect automatically when the Customer accepts the Agreement or first uses the Service to process personal data. Where mandatory law requires a signed processor contract, either party may request execution of an equivalent signed version by emailing privacy@stackradar.com; the substance of this DPA controls.

Capitalized terms not defined here have the meaning given in the Agreement or in the GDPR.

1. Definitions

  • "Applicable Data Protection Law" means the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the United Kingdom GDPR and Data Protection Act 2018, the Latvian Personal Data Processing Law, and any other data protection law applicable to either party's processing under this DPA.
  • "Customer Personal Data" means personal data within Customer Data that StackRadar processes on behalf of the Customer in providing the Service.
  • "EU SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914.
  • "UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.
  • "Sub-processor" means any third party engaged by StackRadar to process Customer Personal Data on its behalf, as listed in Annex III.

Other terms (controller, processor, processing, personal data, personal data breach, Data Subject, special categories of personal data) have the meanings given in the GDPR.

2. Roles and Scope

The Customer is the controller (or processor acting on behalf of another controller) of Customer Personal Data. StackRadar is the processor (or sub-processor). Each party is responsible for its own compliance with Applicable Data Protection Law.

This DPA governs only StackRadar's processing of Customer Personal Data on the Customer's behalf. StackRadar's processing of personal data as a controller (for example, account contact details, billing information, and Website analytics) is described in the Privacy Policy.

3. Processing Instructions

StackRadar will process Customer Personal Data only on documented instructions from the Customer, including the instructions set out in this DPA and in the Agreement, the configuration choices the Customer makes in the Service, and any additional written instructions agreed by the parties. StackRadar will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, and may suspend the affected processing pending resolution.

The subject matter, duration, nature, purpose, types of personal data, and categories of Data Subjects are described in Annex I.

4. Confidentiality

StackRadar will ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations, are trained on data protection, and access Customer Personal Data only on a need-to-know basis.

5. Security

StackRadar will implement and maintain the technical and organizational measures described in Annex II to protect Customer Personal Data, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. StackRadar may update Annex II from time to time, provided the overall level of protection is not materially decreased.

6. Sub-processors

General authorization. The Customer grants StackRadar a general authorization to engage Sub-processors. The current list is in Annex III.

Sub-processor obligations. StackRadar will (a) enter into a written contract with each Sub-processor that imposes data protection obligations substantially equivalent to those in this DPA, (b) remain fully liable to the Customer for its Sub-processors' performance, and (c) carry out reasonable due diligence on each Sub-processor.

Notice and right to object. StackRadar will provide at least 30 days' advance notice of a new Sub-processor by updating Annex III and notifying the Customer by email to the account owner or administrator email address on file, or by an in-app notification. Within the notice period, the Customer may object in writing on reasonable data protection grounds. The parties will work in good faith to resolve the objection; if they cannot agree within 30 days, the Customer may terminate the affected subscription with a pro-rata refund of any prepaid fees for the unused portion of the term, as its sole and exclusive remedy. In urgent cases (for example, a security incident or vendor failure), StackRadar may engage a Sub-processor sooner, only to the extent necessary to preserve the security, availability, or continuity of the Service, and will give notice as soon as reasonably practicable.

7. Data Subject Rights

Taking into account the nature of the processing, StackRadar will, by appropriate measures, assist the Customer in fulfilling its obligation to respond to Data Subject requests under Chapter III GDPR. If StackRadar receives a request directly that relates to Customer Personal Data, it will promptly notify the Customer and will not respond except on the Customer's documented instructions or as required by law.

8. Assistance with Compliance

Taking into account the nature of the processing and the information available to it, StackRadar will provide reasonable assistance to the Customer in complying with its obligations under Articles 32–36 GDPR, including security, breach notification, data protection impact assessments, and prior consultation with supervisory authorities. StackRadar may charge a reasonable fee for assistance that exceeds standard support, on prior notice. No fee applies to (a) assistance required as a result of StackRadar's breach of this DPA or its obligations under Applicable Data Protection Law, or (b) the standard information StackRadar must make available to demonstrate compliance with Article 28 GDPR.

9. Personal Data Breach

StackRadar will notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will include, to the extent then known, a description of the breach (including approximate categories and numbers of Data Subjects and records concerned), likely consequences, measures taken or proposed to address it, and a contact point for further information. Information may be provided in phases without undue further delay. Notification under this Section is not an admission of fault or liability.

10. Audits and Information

StackRadar will make available to the Customer the information reasonably necessary to demonstrate compliance with Article 28 GDPR, including audit reports, security questionnaire responses, and certifications it holds.

The Customer may also conduct audits, including inspections, by an independent auditor reasonably acceptable to StackRadar (and not a competitor), at the Customer's expense, no more than once per 12-month period (except where required by a supervisory authority, following a personal data breach affecting Customer Personal Data, or where the Customer has a reasonable documented security concern), on at least 30 days' prior written notice, during normal business hours, in a manner that does not unreasonably interfere with StackRadar's operations and subject to confidentiality undertakings. The auditor will issue findings only to the Customer, who will provide a copy to StackRadar.

11. International Transfers

StackRadar is established in Latvia and receives Customer Personal Data in the European Union. StackRadar may onward-transfer Customer Personal Data outside the EEA, the UK, or Switzerland in connection with Sub-processors listed in Annex III, or as otherwise necessary to provide the Service.

For each transfer that requires safeguards under Chapter V GDPR, UK GDPR, or the Swiss Federal Act on Data Protection (each, a "Restricted Transfer"), the following apply:

  • EU SCCs — onward transfers by StackRadar. StackRadar's onward transfers of Customer Personal Data to Sub-processors located outside the EEA are made under the EU SCCs, Module Three (processor to processor). The optional docking clause (Clause 7) and Option 2 of Clause 9(a) (general written authorization of sub-processors) apply. The governing law is the law of Latvia, and the competent supervisory authority is the Latvian Data State Inspectorate (Datu valsts inspekcija). Disputes are resolved in the courts of Riga, Latvia. Annexes I, II, and III to the EU SCCs are populated by Annexes I, II, and III to this DPA.
  • EU SCCs — direct transfers from non-EEA customers to StackRadar. Where the Customer transfers Customer Personal Data directly to StackRadar from outside the EEA and that transfer constitutes a Restricted Transfer, the EU SCCs apply on the following basis: where the Customer is a controller, Module Two (controller to processor) applies; where the Customer is a processor on behalf of another controller, Module Three (processor to processor) applies. The same optional clauses, governing law, supervisory authority, jurisdiction, and Annex population apply.
  • UK Addendum. Transfers subject to UK GDPR are made under the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office, with Tables 1, 2, and 3 completed using the EU SCCs as incorporated above, and "neither party" selected in Table 4.
  • Switzerland. For transfers from Switzerland, the EU SCCs apply with the Swiss Federal Act on Data Protection included as Applicable Data Protection Law, the Swiss Federal Data Protection and Information Commissioner as the competent supervisory authority for transfers exclusively subject to Swiss law, and references to GDPR rights read to include analogous Swiss rights.

StackRadar implements supplementary technical and organizational measures where required following a transfer impact assessment. A copy is available on request to privacy@stackradar.com.

12. Return and Deletion

On termination of the Agreement, StackRadar will, at the Customer's choice, return Customer Personal Data to the Customer or delete it. The Customer may exercise the return option by exporting Customer Personal Data using the tools made available in the Service during the 30 days following termination. If the Customer does not communicate a different choice before the end of that 30-day period, StackRadar will delete Customer Personal Data from its production systems within a further 60 days, except to the extent Union law or Member State law requires storage of the Customer Personal Data. If a law outside the European Union or the European Economic Area would compel StackRadar to retain Customer Personal Data beyond those timelines, StackRadar will inform the Customer in advance, to the extent legally permitted, and will work with the Customer in good faith on lawful alternatives. Backup copies are overwritten on a rolling basis, typically within 35 days. StackRadar will, on request, confirm in writing that it has complied with this Section.

13. Liability, Term, and Order of Precedence

Each party's liability under this DPA is subject to the exclusions and limitations of liability in the Agreement. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law.

This DPA applies from the effective date of the Agreement and continues for as long as StackRadar processes Customer Personal Data on the Customer's behalf, after which Section 12 applies.

In case of conflict between this DPA and the Agreement with respect to data protection, this DPA controls. In case of conflict between this DPA and the EU SCCs or UK Addendum, the EU SCCs or UK Addendum control to the extent required by Applicable Data Protection Law.

StackRadar may amend this DPA from time to time, provided amendments do not materially reduce the protections offered to Customer Personal Data and customers are notified of material changes at least 30 days in advance. Amendments required to comply with Applicable Data Protection Law take effect on the date required by law.


Annex I — Description of Processing

Subject matter: Provision of the StackRadar dependency and vulnerability visibility platform and related features.

Duration: For the term of the Agreement, plus the deletion period set out in Section 12.

Nature and purpose: Ingesting, analyzing, storing, displaying, and acting on dependency, vulnerability, repository, and organization data from third-party systems the Customer connects, for the purposes of discovery and inventory, vulnerability and policy analysis, generating remediation suggestions, sending notifications via configured channels, producing dashboards and reports, and related security, support, and operations.

Categories of Data Subjects: The Customer's authorized users; individuals identifiable from repository, commit, or organization metadata in connected systems (such as contributors and package maintainers).

Categories of Customer Personal Data: Authorized user identifiers (name, email, role, identifiers from the Customer's identity provider); commit author names and email addresses; package maintainer identifiers; OAuth identifiers of users who authorize connections; notification channel identifiers (such as Slack/Discord user and channel IDs); any other personal data incidentally contained in repository contents, manifests, or configuration that the Customer submits.

Special categories of personal data: None. The Customer must not submit special categories of personal data under Article 9 GDPR, or personal data relating to criminal convictions or offences under Article 10 GDPR, through the Service.

Frequency of processing: Continuous during the term, on Customer instruction and on a scheduled basis.

Retention: As set out in the Agreement, the Privacy Policy, and Section 12 of this DPA.

Annex II — Technical and Organizational Measures

StackRadar maintains the following measures to protect Customer Personal Data:

  • Encryption. TLS 1.2 or higher in transit. Encryption of secrets and OAuth tokens at rest. Storage-layer encryption at rest provided by the underlying cloud platform.
  • Authentication. Strong password requirements, strong salted one-way password hashing, multi-factor authentication available to all accounts, and support for passkeys.
  • Access controls. Role-based access controls in the Service. Least-privilege administrative access. Logging of administrative access to production. Segregation of production from non-production environments.
  • Network security. Production systems hosted in EU regions of our infrastructure providers, with network-level controls provided by those platforms and rate limiting applied to the Service.
  • Vulnerability management. Continuous dependency monitoring using StackRadar's own product, with patching of identified issues in line with their severity.
  • Logging and monitoring. Application and security event logging, with alerting for selected anomalies.
  • Backups. Automated backups with rolling retention.
  • Personnel. Confidentiality undertakings for all personnel, and security and data protection training appropriate to their role.
  • Vendor management. Contractual data protection obligations with each Sub-processor.
  • Incident response. Documented practices for detection, triage, containment, recovery, customer notification, and post-incident review.
  • Secure development. Code review, automated testing, and dependency scanning before release.
  • Physical security. Hosting in data centers operated by Sub-processors that maintain industry-standard physical and environmental controls.

Annex III — Sub-processors

The Sub-processors authorized to process Customer Personal Data as of the "Last Updated" date of this DPA are:

Sub-processor (legal entity) | Services and purpose | Location
Laravel Holdings Inc. | Application hosting (Laravel Cloud); application diagnostics and performance monitoring (Laravel Nightwatch) | EU primary; United States for some components
Amazon Web Services EMEA SARL | Cloud infrastructure services (including compute, object storage, and related services) used to provide the Service | EU regions
Functional Software, Inc. (Sentry) | Application error monitoring | United States

Transfers to Sub-processors located outside the EU/EEA are made under the EU SCCs as incorporated in Section 11 of this DPA.

This Annex III lists only the Sub-processors that process Customer Personal Data on StackRadar's behalf in providing the Service. Vendors that StackRadar engages on its own behalf to administer its relationship with the Customer (for example, payment processing of the Customer's billing contact details, or delivery of account, security, and billing emails to the Customer's account holders) are not Sub-processors under this DPA and are described in the Privacy Policy.

Third-party systems the Customer connects to the Service (such as GitHub for source code, and Slack and Discord for notifications) are independent controllers, not Sub-processors. The Customer is responsible for its relationship with those systems.

To subscribe to Sub-processor change notifications or to request the current list at any time, email privacy@stackradar.com.

Contact

For questions about this DPA, to request a signed copy, or to subscribe to Sub-processor change notifications, contact privacy@stackradar.com.