Last updated 2026-04-12
Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Cryptosam LLC (“Processor”) and the customer using the stubkit service (“Controller”). It describes how stubkit processes personal data on behalf of the Controller in compliance with EU Regulation 2016/679 (“GDPR”), the UK GDPR, and equivalent privacy laws in other jurisdictions.
1. Roles and scope
The Controller is the data controller for all end-user information submitted to stubkit. Cryptosam is the data processor and operates the Service strictly on the Controller's documented instructions. Cryptosam does not profile end users, sell data, or combine data across customer accounts.
2. Nature of processing
Cryptosam processes the following categories of personal data: opaque external user identifiers, email addresses (where voluntarily synced by the Controller), user locale preferences, subscription status, product identifiers, provider transaction identifiers, and raw webhook payloads. No special categories of personal data (health, biometrics, political opinions, and similar) are processed.
3. Sub-processors
Cryptosam uses a small number of vetted infrastructure and communication sub-processors to operate the Service. Each sub-processor is bound by written data protection obligations at least as protective as those in this DPA and has been assessed for security, reliability, and GDPR compliance.
A current list of sub-processors is available to Controllers on written request to privacy@stubkit.com. Cryptosam will provide thirty (30) days' advance notice before appointing any new sub-processor. A Controller that objects to the appointment may terminate the Service within that notice window.
4. Security measures
Cryptosam implements and maintains appropriate technical and organizational measures to protect personal data against unauthorized access, loss, alteration, disclosure, and destruction. These measures include, at minimum:
- Encryption at rest for all provider credentials using industry-standard authenticated encryption
- Salted cryptographic hashing of all API keys before storage
- TLS 1.2 or higher enforced on every network connection
- Webhook signature verification on every inbound payload before any persistence
- Cryptographic idempotency keys on every event to prevent duplicate processing
- Principle of least privilege for all administrative access
- Single sign-on and email allowlists for the stubkit dashboard
- Audit logging of every administrative action
A summary of our security architecture is available on the Security page.
5. Assistance with data subject rights
Cryptosam will assist the Controller, taking into account the nature of the processing, to fulfill its obligation to respond to requests from data subjects exercising their rights under the GDPR. If an end user contacts Cryptosam directly with a rights request, we will route that request back to the relevant Controller within seven (7) calendar days.
6. Breach notification
In the event of a personal data breach affecting Controller data, Cryptosam will notify the affected Controller without undue delay and in any case within forty-eight (48) hours of becoming aware of the breach. Notifications will include the nature of the breach, categories and approximate number of records affected, contact information for the data protection officer, likely consequences, and measures taken or proposed.
7. Audits and inspections
Cryptosam will make available to the Controller all information necessary to demonstrate compliance with this DPA and will contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable confidentiality obligations.
8. International data transfers
Where personal data is transferred outside the EEA, United Kingdom, or Switzerland, Cryptosam relies on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) as the lawful transfer mechanism, supplemented by the technical and organizational measures described in Section 4.
9. Return or deletion
Upon termination of the Service agreement, Cryptosam will, at the Controller's election, return or delete all personal data within thirty (30) days. Immutable webhook archives are purged on a separate two-year schedule unless the Controller requests immediate erasure.
10. Governing law
This DPA is governed by the laws of the State of Florida, United States, subject to the mandatory application of EU/UK privacy law where personal data of EU or UK residents is involved.