CorporateStack Data Processing Addendum (DPA)
Version: 2026/V1.0
Effective Date: 01/01/2026
Last Updated: 31/12/2026
Supersedes: All prior versions of the CorporateStack Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the CorporateStack End User License Agreement or other applicable agreement (“Agreement”) entered into between CorporateStack (“CorporateStack”) and the customer (“Customer”). This DPA applies to the extent CorporateStack processes Personal Data on behalf of the Customer in connection with the Services.
This DPA is published at a publicly accessible URL and is incorporated into the Agreement by reference.
In the event of any conflict between this DPA and the Agreement with respect to the processing of Personal Data, this DPA shall prevail.
1. Definitions
Capitalized terms not defined in this DPA have the meanings set forth in the Agreement.
- “Data Protection Laws” means all applicable data protection and privacy laws and regulations, including the data protection laws of the Gulf Cooperation Council (GCC) and the wider Middle East region (including, without limitation, the United Arab Emirates, Kingdom of Saudi Arabia, and Arab Republic of Egypt), and, to the extent applicable, the EU General Data Protection Regulation (Regulation (EU) 2016/679) (“GDPR”) and the UK GDPR.
- “Personal Data” means any information relating to an identified or identifiable natural person that is processed by CorporateStack on behalf of the Customer under the Agreement.
- “Processing” has the meaning given under applicable Data Protection Laws.
- “Controller” and “Processor” have the meanings given under applicable Data Protection Laws.
2. Roles of the Parties
2.1 The Customer is the Controller of Personal Data processed under the Agreement.
2.2 CorporateStack acts as a Processor and shall process Personal Data only on documented instructions from the Customer, including as set forth in the Agreement and this DPA, and in accordance with applicable Data Protection Laws, unless required to do otherwise by applicable law.
3. Applicability of Data Protection Laws
3.1 The parties acknowledge that the Services are primarily provided and operated within the Gulf Cooperation Council (GCC) and the Middle East region.
3.2 Processing of Personal Data shall be governed by the applicable data protection laws of the relevant jurisdiction in which such Personal Data is processed or to which it otherwise relates.
3.3 To the extent Personal Data processed under the Agreement is subject to the GDPR or UK GDPR, this DPA shall apply in a manner consistent with such laws. Where GDPR or UK GDPR does not apply, processing shall be governed exclusively by applicable local Data Protection Laws.
4. Scope and Purpose of Processing
4.1 Purpose of Processing
CorporateStack shall process Personal Data solely for the purpose of providing the Services in accordance with the Agreement. This DPA is intended to support compliance with applicable data protection laws in the GCC and Middle East region, as well as other jurisdictions where Customer Personal Data may be subject to additional legal requirements.
4.2 Categories of Data Subjects
Data subjects may include Customer employees, contractors, authorized users, and other individuals whose Personal Data is submitted to the Services by or on behalf of the Customer.
4.3 Types of Personal Data
The types of Personal Data are determined and controlled by the Customer and may include identifiers, contact details, account information, and other data uploaded to the Services.
4.4 Duration of Processing
Personal Data shall be processed for the duration of the Agreement, unless retention is required by applicable law.
5. Processor Obligations
CorporateStack shall:
(a) process Personal Data only in accordance with the Agreement and this DPA;
(b) ensure that personnel authorized to process Personal Data are subject to appropriate confidentiality obligations;
(c) implement appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, or damage; and
(d) not process Personal Data for any purpose other than providing the Services.
6. Security Measures
CorporateStack shall implement reasonable administrative, technical, and physical safeguards designed to protect the confidentiality, integrity, and availability of Personal Data, including:
- encryption of data in transit using TLS 1.2 or higher (or successor standards); and
- encryption of data at rest using strong, industry-standard encryption.
Additional information regarding CorporateStack’s security and data protection practices may be made available through its trust, security, or compliance documentation, which is provided for informational purposes only and does not modify this DPA.
7. Subprocessing
7.1 The Customer provides a general authorization for CorporateStack to engage subprocessors for the purpose of providing the Services.
7.2 CorporateStack shall remain responsible for the performance of its subprocessors’ obligations under this DPA.
7.3 Information regarding subprocessors may be made available upon request or through CorporateStack’s trust or security documentation.
8. Assistance with Data Subject Rights
Taking into account the nature of the processing, CorporateStack shall provide reasonable assistance to the Customer, to the extent required by applicable Data Protection Laws and technically feasible, to enable the Customer to respond to requests from data subjects to exercise their rights.
9. Personal Data Breach
CorporateStack shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data processed under this DPA and shall provide reasonable information available to enable the Customer to comply with its obligations under applicable Data Protection Laws.
10. Data Return and Deletion
Upon termination or expiration of the Agreement, CorporateStack shall delete or return Personal Data in accordance with the Agreement and applicable law, unless retention is required by law.
11. Audits and Compliance
CorporateStack shall make available reasonable information necessary to demonstrate compliance with this DPA and may satisfy audit obligations through third-party certifications, audit reports, or written responses to reasonable information requests.
12. International Data Transfers
To the extent Personal Data is transferred outside the jurisdiction in which it was collected, such transfers shall be conducted in compliance with applicable Data Protection Laws and subject to appropriate safeguards where required.
13. Liability
Any liability arising out of or in connection with this DPA shall be subject to the limitations of liability set forth in the Agreement.
14. Governing Law
This DPA shall be governed by and construed in accordance with the governing law specified in the Agreement.
15. Contact
Questions regarding this DPA or CorporateStack’s data protection practices may be directed to:
Email: privacy@corporatestack.com
16. Updates to this DPA
CorporateStack may update this DPA from time to time to reflect changes in applicable Data Protection Laws or its data processing practices. Any such updates shall not materially reduce the level of protection afforded to Customer Personal Data under this DPA. Updated versions will be made available on CorporateStack’s website and will become effective upon publication.