Introduction
This Data Processing Agreement ("DPA") is entered into between StokeForge, LLC ("Processor" or "StokeForge") and the Customer ("Controller") and forms part of the Terms of Service between the parties.
This DPA applies where and to the extent that StokeForge processes Personal Data on behalf of the Controller in connection with providing the Services, and where such processing is subject to the EU General Data Protection Regulation (GDPR), UK GDPR, or other applicable data protection law.
Definitions
Capitalized terms not defined here have the meaning given in the Terms of Service or applicable data protection law.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council
- "Personal Data" means any information relating to an identified or identifiable natural person that the Controller submits to the Services
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, and deletion
- "Data Subject" means the individual to whom Personal Data relates
- "Sub-processor" means a third party engaged by StokeForge to process Personal Data in connection with the Services
- "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data adopted by the European Commission
Roles of the Parties
The parties acknowledge that, with respect to Personal Data processed in connection with the Services:
- The Controller (Customer) determines the purposes and means of processing Personal Data
- The Processor (StokeForge) processes Personal Data only on documented instructions from the Controller — namely, by providing the Services as described in the Terms of Service
StokeForge does not act as a Controller with respect to Customer Data. Each party is an independent Controller of the personal data it collects and processes for its own internal business purposes (e.g., billing, account management).
Processing Details
Categories of Personal Data
Personal Data processed under this DPA may include:
- Business contact information (name, email, phone, job title) of the Controller's employees and authorized users
- Account credentials (hashed passwords, MFA configurations)
- Operational data the Controller inputs into the platform (which may incidentally contain personal data about the Controller's employees, customers, or suppliers)
- Usage and activity logs tied to individual user accounts
Categories of Data Subjects
- The Controller's employees and authorized platform users
- Any other natural persons whose data the Controller chooses to input into the Services
Purpose of Processing
StokeForge processes Personal Data solely to provide the Services as described in the Terms of Service, including to operate, maintain, improve, and support the platform on the Controller's behalf.
Duration
Processing continues for the duration of the subscription term and for up to 90 days following termination, during which the Controller may request data export. After that period, Personal Data is deleted in accordance with our retention policy.
Controller Obligations
The Controller represents and warrants that:
- It has a valid legal basis for processing Personal Data and for sharing it with StokeForge as Processor
- It has provided all required notices to, and obtained all necessary consents from, Data Subjects
- It will comply with all applicable data protection laws in its use of the Services
- It will not instruct StokeForge to process Personal Data in a manner that would violate applicable law
- It will keep its account credentials secure and promptly notify StokeForge of any unauthorized access
Processor Obligations
StokeForge, as Processor, agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law (in which case StokeForge will inform the Controller of that requirement before processing, unless prohibited by law)
- Ensure that personnel authorized to process Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organizational security measures (see Security Measures)
- Not engage Sub-processors without prior authorization from the Controller (granted by acceptance of this DPA and as described in the Sub-processors section)
- Assist the Controller in responding to Data Subject rights requests, taking into account the nature of the processing
- Assist the Controller in ensuring compliance with security, breach notification, impact assessment, and prior consultation obligations, taking into account the nature of processing and information available to StokeForge
- Delete or return all Personal Data to the Controller after the end of the provision of Services, and delete existing copies unless required by applicable law
- Provide all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits
- Promptly inform the Controller if any instruction infringes the GDPR or other applicable data protection law
Sub-processors
The Controller grants StokeForge general authorization to engage Sub-processors. StokeForge will:
- Maintain a current list of Sub-processors and make it available at stokeforge.com/legal/sub-processors or upon request
- Provide at least 30 days' advance notice of any change to Sub-processors (additions or replacements), allowing the Controller time to object
- Enter into data processing agreements with each Sub-processor that impose data protection obligations at least equivalent to those in this DPA
- Remain liable to the Controller for the acts and omissions of Sub-processors as if they were StokeForge's own
Current Sub-processor Categories
Data Subject Rights
StokeForge will assist the Controller in fulfilling its obligations to respond to Data Subject requests for access, rectification, erasure, restriction, portability, and objection. Given the nature of the Services, the Controller is best positioned to handle requests directly through account administration tools.
If StokeForge receives a Data Subject request directly, it will promptly redirect the requester to the Controller (unless applicable law requires otherwise) and notify the Controller. StokeForge will not respond to Data Subject requests independently except as required by law.
International Data Transfers
StokeForge is based in the United States. If the Controller is subject to GDPR or UK GDPR and transfers Personal Data to StokeForge, this transfer is governed by appropriate safeguards as follows:
- EU to US transfers: Governed by the EU Standard Contractual Clauses (Module 2: Controller to Processor), which are incorporated into this DPA by reference. By accepting these terms, both parties execute the SCCs as if fully set forth here.
- UK to US transfers: Governed by the UK International Data Transfer Agreement (IDTA) or UK addendum to the EU SCCs, as applicable.
To obtain a signed copy of the applicable SCCs or IDTA addendum, contact privacy@stokeforge.com.
Security Measures
StokeForge implements and maintains technical and organizational security measures appropriate to the risk of processing, including:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access controls and the principle of least privilege
- Multi-factor authentication for internal system access
- Regular security patches and vulnerability management
- Automated monitoring and anomaly detection
- Documented incident response procedures
- Employee confidentiality agreements and security training
A full description of our security practices is available on our Security page.
Data Breach Notification
In the event of a Personal Data breach affecting the Controller's data, StokeForge will:
- Notify the Controller without undue delay and within 72 hours of becoming aware of the breach
- Provide available information about the nature of the breach, categories and approximate number of Data Subjects affected, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the breach
- Continue to provide updates as the investigation develops
The Controller is responsible for determining whether notification to supervisory authorities and/or Data Subjects is required under applicable law and for making any such notifications.
Audit Rights
The Controller may audit StokeForge's compliance with this DPA upon reasonable written notice of at least 30 days, no more than once per calendar year, and subject to the following conditions:
- Audits must be conducted during normal business hours and must not unreasonably disrupt StokeForge's operations
- The Controller bears the cost of any audit it initiates
- Any auditor must sign a confidentiality agreement acceptable to StokeForge before conducting the audit
As an alternative to a direct audit, StokeForge may provide a copy of its most recent third-party security audit report or certification (where available), which the Controller may treat as satisfying the audit requirement for the relevant period.
Term & Termination
This DPA enters into force on the date the Customer first accepts the Terms of Service and remains in effect for as long as StokeForge processes Personal Data on the Controller's behalf.
Upon termination of the subscription, StokeForge will, at the Controller's election, return or delete Personal Data within 90 days of written request. StokeForge may retain Personal Data where required by applicable law, for the period required by that law only.
Contact
For DPA-related inquiries, SCCs, or data protection questions:
StokeForge, LLC
Data Protection: privacy@stokeforge.com
Legal: legal@stokeforge.com