Data Processing Agreement
Purpose and Scope
This Data Processing Agreement ("DPA") supplements the Terms of Service and any executed custody agreement between you (the "Controller" or "Client") and Stoneline Data LLC ("Stoneline Data," or the "Processor"). It governs the processing of personal data that Stoneline Data handles on your behalf when providing managed data custody services.
This DPA is intended to satisfy the requirements of applicable data protection laws including the European Union General Data Protection Regulation (GDPR) Article 28, the California Consumer Privacy Act (CCPA), and HIPAA where a separate Business Associate Agreement is not applicable or is supplementary to this document.
For clients who require a signed, countersigned DPA as a standalone document (for regulatory or procurement purposes), contact us via the Contact page to request an executed copy.
Definitions
For the purposes of this DPA:
- Personal Data means any information relating to an identified or identifiable natural person that is processed by Stoneline Data on behalf of the Client as part of the storage service.
- Controller means the Client, who determines the purposes and means of processing Personal Data.
- Processor means Stoneline Data LLC, which processes Personal Data on behalf of the Controller.
- Sub-Processor means a third-party processor engaged by Stoneline Data to process Personal Data.
- Processing means any operation performed on Personal Data, including storage, retrieval, transmission, and deletion.
- Data Subject means the natural person to whom Personal Data relates.
- Security Incident means any unauthorized or unlawful access, destruction, loss, alteration, or disclosure of Personal Data.
Roles and Responsibilities
The Client is the Controller of Personal Data submitted for storage. Stoneline Data processes that data only as instructed by the Client in accordance with the custody agreement and these Terms. Stoneline Data does not determine the purposes for which Personal Data is processed, does not sell, rent, or otherwise commercially exploit Client data, and processes data only to provide and maintain the contracted storage services.
Instructions for Processing
Stoneline Data processes Personal Data solely on the documented instructions of the Controller, which are constituted by the custody agreement and these Terms. Stoneline Data will promptly inform the Controller if, in its opinion, an instruction infringes applicable data protection law. Stoneline Data will not process Personal Data for any purpose beyond what is necessary to provide the service.
Technical and Organizational Measures
Stoneline Data implements and maintains appropriate technical and organizational measures to protect Personal Data against unauthorized access, accidental or unlawful destruction, loss, alteration, or disclosure. These measures include:
- AES-256 encryption at rest on all storage buckets
- TLS 1.2 or higher enforced for all data in transit
- Dedicated storage accounts per client with no cross-account data access
- Multi-factor authentication required for all privileged system access
- S3 access logging to an isolated, tamper-evident log bucket
- Weekly automated integrity checks with logged results
- Version retention on primary storage buckets protecting against ransomware and accidental deletion
- Documented incident response procedures with defined detection and notification timelines
Full technical details are available on the Infrastructure page.
Sub-Processors
Stoneline Data uses the following sub-processors to deliver the storage service. All sub-processors are bound by data processing terms no less protective than this DPA.
- Amazon Web Services (AWS)
  - Role: Primary cloud storage provider (Amazon S3, Amazon S3 Glacier, AWS KMS, AWS CloudWatch).
  - Purpose: Primary and replica bucket storage, access logging, anomaly monitoring.
  - Location: United States (us-east-1 primary, us-west-2 replica).
  - AWS maintains its own HIPAA BAA, SOC 2 Type II, ISO 27001, and PCI DSS certifications.
  - AWS DPA: aws.amazon.com/agreement
- Google Cloud Platform (GCP)
  - Role: Secondary cloud storage provider (Cloud Storage).
  - Purpose: Geographic redundancy copy.
  - Location: United States (multi-region).
  - GCP maintains HIPAA BAA availability, SOC 2 Type II, ISO 27001, and PCI DSS certifications.
  - GCP DPA: cloud.google.com/terms/data-processing-addendum
- Stripe
  - Role: Payment processor.
  - Purpose: Billing and subscription management.
  - Stripe processes payment information directly and Stoneline Data does not receive or store payment card numbers.
  - Stripe is PCI DSS Level 1 certified.
  - Stripe DPA: stripe.com/legal/dpa
We will notify active clients of any intended changes to sub-processors (additions or replacements) with at least 14 days' advance notice, providing an opportunity to object before the change takes effect.
Confidentiality
Stoneline Data ensures that persons authorized to process Personal Data have committed to confidentiality or are bound by an appropriate statutory obligation of confidentiality. Personnel with access to client storage accounts are limited to those with an operational need, and that access is logged.
Data Subject Rights
To the extent that Personal Data held in custody is subject to data subject rights requests (such as access, rectification, erasure, portability, or objection under GDPR or CCPA), Stoneline Data will assist the Controller in responding to such requests by providing access to or deletion of stored data upon written instruction, within the timeframes required by the custody agreement.
Stoneline Data is not responsible for fielding data subject requests directly from individuals. The Controller is responsible for communicating with data subjects and directing requests to Stoneline Data where data held in storage is involved.
Security Incident and Breach Notification
In the event of a confirmed or reasonably suspected Security Incident affecting Personal Data processed on behalf of the Client, Stoneline Data will:
- Notify the Controller without undue delay and in any event within 48 hours of becoming aware of the incident
- Provide an initial notification including: the nature of the incident, the categories and approximate volume of Personal Data affected, the likely consequences, and the measures taken or proposed to address the incident
- Cooperate with the Controller in investigating the incident, mitigating harm, and fulfilling any regulatory notification obligations
Notification timelines for HIPAA clients are governed by the executed Business Associate Agreement and HIPAA breach notification rules (45 CFR 164.400), which require notification to the covered entity without unreasonable delay and in no case later than 60 days after discovery.
International Data Transfers
All storage infrastructure used by Stoneline Data is located in the United States. If you are subject to laws that restrict international data transfers (such as GDPR for EU/EEA data), confirm transfer mechanisms in the applicable jurisdiction before transferring Personal Data of EU/EEA residents. Upon request, Stoneline Data will execute Standard Contractual Clauses or other appropriate transfer mechanisms.
Audits and Inspections
The Controller may request evidence of Stoneline Data's compliance with this DPA no more than once per calendar year, upon 30 days' written notice. Stoneline Data will provide documentation of applicable controls and, where feasible, facilitate a reasonable audit by the Controller or an independent auditor under confidentiality obligations. Audit costs are borne by the Controller.
Return and Deletion of Data
Upon termination of the service relationship, Stoneline Data will make Client data available for export within 10 business days of the termination effective date, by a method agreed in the custody agreement (secure S3 presigned URL or physical media at Client expense). After confirmed delivery and a 30-day hold period, Stoneline Data will securely delete all copies of Client Personal Data from its storage systems and sub-processor platforms, and will provide written certification of deletion.
Stoneline Data may retain minimal metadata necessary for legal, audit, and dispute resolution purposes for up to 3 years, as described in the Privacy Policy.
Duration
This DPA is effective from the date the custody agreement is executed and remains in effect until the service relationship terminates and all Client Personal Data has been returned or deleted as described above.
Contact and Signed Copies
To request a countersigned copy of this DPA for your compliance records, or to discuss specific processing requirements, contact us via the Contact page.