Data Processing Agreement

Last updated: 27 April 2026

This Data Processing Agreement ("DPA") forms part of the agreement between Customer ("Controller") and StockSphere Ltd ("Processor") for use of the StockSphere Service. It is designed to satisfy Article 28 of the UK GDPR and EU GDPR.

1. Subject matter and duration

Processor will process personal data contained in Customer Data on behalf of Controller for the purpose of providing the Service, for the duration of the subscription plus any export window agreed in the Terms of Service.

2. Nature and purpose of processing

Storage, retrieval, transmission, organisation and deletion of Customer Data needed to operate inventory, lifecycle, shipping and client-portal features.

3. Categories of data subjects

  • Controller's employees and contractors using the Service.
  • Controller's customers and end-recipients (e.g. shipment recipients).

4. Categories of personal data

  • Identification and contact (name, email, phone, role).
  • Authentication credentials and audit logs.
  • Operational metadata (sites, addresses, shipment events).

5. Processor obligations

  • Process personal data only on Controller's documented instructions.
  • Ensure persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (Annex II).
  • Assist Controller with data-subject requests, security incident response, data-protection impact assessments and prior consultations.
  • Notify Controller of any personal-data breach without undue delay (within 72 hours where feasible).
  • Delete or return personal data on termination.
  • Make available all information necessary to demonstrate compliance and allow audits on reasonable notice.

6. Sub-processors

Controller grants general authorisation for Processor to engage sub-processors. Processor will maintain a current list of sub-processors and give at least 30 days' notice of additions or replacements. Controller may object on reasonable data-protection grounds.

Current sub-processors:

  • Lovable Cloud (hosting, database, authentication, file storage)
  • Resend (transactional email delivery)
  • Cloudflare (CDN, DDoS mitigation)

7. International transfers

Where personal data is transferred outside the UK or EEA, the parties rely on the UK International Data Transfer Addendum to the EU SCCs (Module Two: controller-to-processor), which is hereby incorporated by reference, supplemented by encryption in transit and at rest.

8. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service.

9. Annex I — processing details

Controller: the entity identified in the order form. Processor: StockSphere Ltd, 1 Example Street, London, EC1A 1AA, United Kingdom. Contact: dpo@stocksphere.app.

10. Annex II — security measures (summary)

  • TLS 1.2+ in transit; AES-256 at rest.
  • Row-Level Security enforced on all tenant data.
  • Role-based access; multi-factor authentication for admins.
  • Encrypted, geo-redundant backups with point-in-time recovery.
  • Continuous vulnerability scanning and dependency monitoring.
  • Documented incident-response and breach-notification procedures.

Signing

Acceptance of the Terms of Service and use of the Service constitutes Customer's acceptance of this DPA. A counter-signed PDF is available on request from dpo@stocksphere.app.