Stele

§ Legal

Data Processing Addendum

This Addendum applies automatically whenever data protection law applies to personal data inside the documents you process with STELE. You are the controller; we are the processor; these are our binding commitments.

Effective date: 13 July 2026 · Version 1.0

1. Scope and roles

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between the customer (“Customer”, “you”) and STELE Technologies (“STELE”) and applies to the processing of personal data contained in Customer Content under Applicable Data Protection Law — including the EU GDPR, UK GDPR, and the New Zealand Privacy Act 2020. For such data, Customer is the controller (or a processor acting for its own controller) and STELE is the processor. This DPA prevails over the Terms in case of conflict regarding personal data.

2. Processing on documented instructions

STELE will process Customer Personal Data only on Customer’s documented instructions — namely: the Terms, this DPA, and Customer’s configuration and use of the Service’s features (upload, extraction, indexing, search, chat, review, export, deletion) — unless required otherwise by law, in which case STELE will inform Customer before processing unless legally prohibited. STELE will immediately inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

3. Details of processing

Subject matterProvision of the STELE intelligent document processing platform
DurationThe subscription term plus the deletion period in Section 10
Nature and purposeStorage, parsing, classification, field extraction, vector indexing, semantic search and retrieval, review workflows, analytics, and export of documents submitted by Customer
Categories of dataAny personal data contained in documents Customer chooses to upload — typically names, contact details, financial and transaction data, employment data — plus workspace user account data (email, role)
Special categoriesNot required by the Service; may be processed only if present in Customer’s documents, at Customer’s direction and responsibility
Data subjectsCustomer’s employees, contractors, customers, suppliers, and other individuals referenced in Customer Content

4. Confidentiality and personnel

STELE ensures that persons authorised to process Customer Personal Data are bound by confidentiality obligations, receive data protection training, and access personal data strictly on a need-to-know basis for operating and supporting the Service.

5. Security measures (Article 32)

Taking into account the state of the art and the risks of processing, STELE implements and maintains at minimum:

  • Encryption — TLS 1.2+ for all data in transit; encryption at rest for object storage, databases, and backups.
  • Access control — tenant isolation enforced at the query layer for every data access; role-based access for workspace administrators; passwords hashed with PBKDF2 (100,000 iterations, per-user salt); session tokens stored only as SHA-256 hashes in HttpOnly, Secure cookies.
  • No external AI data path — inference runs on models hosted within the same infrastructure network that stores the data; Customer Content is not transmitted to third-party AI APIs and is not used to train models.
  • Integrity and accountability — an append-only audit ledger of ingestions, extractions, escalations, and human corrections; structured request logging with request IDs.
  • Resilience — globally distributed serverless infrastructure, durable queues with dead-letter replay, automated cleanup of failed jobs, and short-lived encrypted backups.
  • Secure development — code review, static analysis and typing, dependency auditing, and least-privilege service credentials with rotation.

6. Subprocessors

Customer provides general authorisation for the subprocessors below. STELE remains fully liable for their performance and imposes data protection obligations on them no less protective than this DPA.

SubprocessorLocationPurpose
Cloudflare, Inc.USA (globally distributed edge network)Compute, object storage, database, queues, vector index, AI inference
Stripe, Inc.USAPayment processing for paid subscriptions (billing data only — no Customer Content)

STELE will give at least 30 days’ notice (by email or in-product) before adding or replacing a subprocessor that processes Customer Personal Data. Customer may object on reasonable data protection grounds within that period; if the objection cannot be resolved, Customer may terminate the affected services and receive a pro-rata refund of prepaid, unused fees.

7. International transfers

Where processing involves a transfer of personal data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the European Commission’s Standard Contractual Clauses (Decision (EU) 2021/914, Module Two — controller-to-processor, with Module Three applying where Customer is itself a processor), and for UK transfers the ICO’s International Data Transfer Addendum. The processing details in Section 3, the security measures in Section 5, and the subprocessor list in Section 6 serve as the corresponding annexes. For New Zealand-origin data, the parties rely on IPP 12 of the Privacy Act 2020, satisfied by these contractual safeguards.

8. Assistance to Customer

  • Data subject requests. Taking into account the nature of processing, STELE provides self-serve tools (search, export, correction, deletion) and reasonable further assistance so Customer can respond to data subject requests. Requests received directly by STELE that concern Customer Content will be forwarded to Customer without undue delay.
  • DPIAs and consultations. STELE will provide reasonable assistance with data protection impact assessments and prior consultations, based on information available to it.

9. Personal data breach notification

STELE will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate volumes affected, likely consequences, measures taken or proposed, and a contact point — supplemented as information becomes available. STELE will not characterise Customer’s notification obligations or notify authorities or data subjects on Customer’s behalf unless agreed or legally required.

10. Return and deletion

During the term, Customer can export Customer Content at any time via the Service’s export features and API, and delete individual documents with immediate effect (encrypted backup copies expire within 35 days). Upon termination or expiry, STELE will delete Customer Personal Data within 30 days, except where retention is required by law, in which case the data remains protected by this DPA and is deleted when the requirement ends. On written request, STELE will confirm deletion.

11. Audit rights

STELE will make available information reasonably necessary to demonstrate compliance with this DPA — including summaries of security practices, subprocessor terms, and the Service’s audit ledger for Customer’s own workspace. Where Applicable Data Protection Law grants audit rights that cannot be satisfied by the above, Customer may conduct (at its cost, on 30 days’ notice, at most annually, under confidentiality, and without access to other customers’ data) an audit scoped to STELE’s processing of Customer Personal Data.

12. Liability and order of precedence

Each party’s liability under this DPA is subject to the limitations of liability in the Terms, except where Applicable Data Protection Law does not permit such limitation. If this DPA conflicts with the Standard Contractual Clauses, the Clauses prevail for the affected transfer.

13. Contact

Data protection matters: privacy@stele.example · Security incidents: security@stele.example