Data Processing Agreement
How StatStack processes data on behalf of your organization under GDPR.
- 1. Definitions
- 2. Scope & Purpose of Processing
- 3. Controller Obligations
- 4. Processor Obligations
- 5. Sub-Processors
- 6. International Data Transfers
- 7. Security Measures
- 8. Data Breach Notification
- 9. Data Subject Rights
- 10. Audit Rights
- 11. Data Return & Deletion
- 12. Duration & Termination
- 13. Contact
1. Definitions
In this DPA, the following terms have the meanings set out below. Capitalized terms not defined here have the meanings given in the Terms of Service.
- "Controller" means the organization administrator (Customer) who determines the purposes and means of processing personal data through the StatStack platform.
- "Processor" means StatStack, which processes personal data on behalf of the Controller to provide the Service.
- "Data Subject" means an identified or identifiable natural person whose personal data is processed. In the context of StatStack, this includes creators, staff members, and organization administrators.
- "Personal Data" means any information relating to a Data Subject, as defined in GDPR Article 4(1).
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and erasure.
- "Sub-Processor" means any third party engaged by StatStack to process Personal Data on behalf of the Controller.
- "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council (General Data Protection Regulation).
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.
2. Scope & Purpose of Processing
This DPA applies to all Personal Data that StatStack processes on behalf of the Controller in connection with providing the StatStack platform.
2.1 Subject Matter
StatStack is a creator and talent management platform for esports organizations. The platform enables Controllers to manage creator rosters, track social media analytics, handle contracts, coordinate content production, and run community campaigns.
2.2 Duration
Processing continues for the duration of the Controller's subscription and any post-termination retention period described in Section 11.
2.3 Categories of Data Subjects
- Organization administrators and staff members (Customer employees)
- Creators and talent managed through the platform
- Prospective creators undergoing onboarding
2.4 Types of Personal Data Processed
- Identity data: Names, usernames, email addresses
- Contact data: Mailing addresses, phone numbers
- Profile data: Social media handles, profile images, biographical information
- Financial data: PayPal email addresses (for creator payments)
- Onboarding data: Date of birth, apparel sizes, dietary preferences, emergency contacts
- Platform analytics: Social media follower counts, engagement metrics, stream statistics
- Contract data: Salary, contract dates, terms
- Usage data: Login timestamps, IP addresses, audit trail entries
2.5 Purpose of Processing
StatStack processes Personal Data solely to provide the Service as described in the Terms of Service, including:
- Displaying and managing creator profiles and rosters
- Aggregating and presenting social media statistics
- Managing content production workflows and event scheduling
- Generating analytics, growth projections, and media valuation reports
- Sending platform notifications via email, Discord, or SMS
- Processing AI assistant (Stacky) queries that reference organizational data
- Administering giveaway campaigns
3. Controller Obligations
The Controller warrants and agrees that:
- It has a lawful basis for providing Personal Data to StatStack for processing (e.g., consent, contractual necessity, or legitimate interest).
- It has provided appropriate notice to Data Subjects about how their data will be processed, including through StatStack.
- It has obtained any required consents from Data Subjects before entering their Personal Data into the platform.
- It will not provide Special Category Data (as defined in GDPR Article 9) to StatStack unless explicitly agreed in writing.
- Its instructions to StatStack regarding the processing of Personal Data comply with applicable data protection laws.
4. Processor Obligations
StatStack, as Processor, shall:
- Process on instructions only: Process Personal Data only in accordance with the Controller's documented instructions, which are defined by the Controller's use of the platform features. StatStack will not process Personal Data for any other purpose.
- Confidentiality: Ensure that all personnel authorized to process Personal Data are bound by obligations of confidentiality.
- Security: Implement and maintain appropriate technical and organizational security measures as described in Section 7.
- Sub-processing: Not engage additional Sub-Processors without meeting the requirements of Section 5.
- Assistance: Assist the Controller in fulfilling its obligations to respond to Data Subject requests (Section 9) and in ensuring compliance with GDPR Articles 32-36.
- Deletion: At the Controller's choice, delete or return all Personal Data upon termination of the Service, as described in Section 11.
- Audit: Make available to the Controller the information necessary to demonstrate compliance with this DPA, as described in Section 10.
- Notify on unlawful instructions: Inform the Controller if, in StatStack's opinion, an instruction from the Controller infringes GDPR or other applicable data protection law.
5. Sub-Processors
5.1 Authorized Sub-Processors
The Controller provides general authorization for StatStack to engage the Sub-Processors listed below. Each Sub-Processor is bound by data protection obligations no less protective than those in this DPA.
| Sub-Processor | Purpose | Location | Data Processed |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, hosting, database (RDS) | US-East (Virginia) | All platform data (encrypted at rest) |
| Stripe | Payment processing, subscription billing | United States | Billing email, subscription status, payment tokens |
| SendGrid (Twilio) | Transactional email delivery | United States | Recipient email addresses, email content |
| Anthropic | AI assistant (Stacky) — query processing | United States | User queries, organizational context data (not used for model training) |
| RapidAPI | Social media data aggregation (Twitter/X, TikTok) | United States | Public social media usernames and handles |
| Twilio | SMS delivery for two-factor authentication | United States | Phone numbers, verification codes |
5.2 Changes to Sub-Processors
StatStack will notify the Controller of any intended changes to its Sub-Processors by updating this page and, where practicable, by email notification at least 14 days before the new Sub-Processor begins processing Personal Data.
The Controller may object to a new Sub-Processor by notifying StatStack at security@statstackhq.com within 14 days of the notification. If StatStack cannot reasonably accommodate the objection, the Controller may terminate the affected Service.
5.3 Sub-Processor Liability
StatStack remains fully liable for the acts and omissions of its Sub-Processors to the same extent as if it were performing the processing itself.
6. International Data Transfers
StatStack and all Sub-Processors are located in the United States. If the Controller is established in the EU/EEA or processes Personal Data of EU/EEA residents, the following safeguards apply:
- EU-U.S. Data Privacy Framework: Where applicable, transfers rely on the EU-U.S. Data Privacy Framework certification of Sub-Processors (AWS, Stripe, and others maintain active certifications).
- Standard Contractual Clauses (SCCs): Where the Data Privacy Framework does not apply, StatStack relies on the European Commission's Standard Contractual Clauses (Module 2: Controller to Processor) as the transfer mechanism.
- Supplementary measures: StatStack implements encryption at rest and in transit, access controls, and audit logging as supplementary technical measures to protect transferred data.
The Controller may request a copy of the applicable SCCs by contacting security@statstackhq.com.
7. Security Measures
StatStack implements the following technical and organizational measures to protect Personal Data, pursuant to GDPR Article 32:
7.1 Encryption
- Encryption at rest: All database storage is encrypted via AWS RDS encryption (AES-256).
- Field-level encryption: Sensitive PII fields are individually encrypted using Fernet symmetric encryption (AES-128-CBC with HMAC-SHA256). Encrypted fields include: names, mailing addresses, phone numbers, dates of birth, PayPal emails, contract notes, and social account credentials.
- Encryption in transit: All connections use TLS 1.2+ (HTTPS enforced via nginx and AWS load balancers).
7.2 Access Controls
- Multi-tenant isolation: Each organization's data is logically separated by organization ID. All database queries are scoped to the authenticated user's organization.
- Role-based access: Granular staff permissions control access to sensitive features (salary data, contracts, audit logs, user approvals).
- Authentication: Passwords are hashed with Werkzeug's PBKDF2-SHA256. Session management uses Flask-Login with secure cookie flags.
- Two-factor authentication: Optional SMS-based 2FA for administrator accounts.
7.3 Monitoring & Logging
- Audit logging: All administrative actions (user creation, deletion, profile edits, permission changes, data exports) are recorded with timestamps, user identity, and IP addresses.
- Consent logging: All consent events (signup, cookie preferences) are recorded for GDPR compliance.
- Email logging: All outbound emails are logged with recipient, type, and delivery status.
7.4 Infrastructure
- Hosting: AWS EC2 instances in US-East (Virginia) with security groups restricting network access.
- Database: AWS RDS PostgreSQL with automated backups, encryption at rest, and restricted network access.
- Backup: Automated daily database backups with point-in-time recovery capability.
8. Data Breach Notification
In the event of a Data Breach affecting Personal Data processed on behalf of the Controller, StatStack shall:
- Notify without undue delay: Inform the Controller of the Data Breach without undue delay and in any event within 48 hours of becoming aware of it.
- Provide details: Include in the notification: the nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, and measures taken or proposed to mitigate the effects.
- Cooperate: Assist the Controller in fulfilling its obligation to notify the supervisory authority (within 72 hours per GDPR Article 33) and affected Data Subjects (per GDPR Article 34).
- Document: Maintain a record of all Data Breaches, including those that do not require notification, in accordance with GDPR Article 33(5).
StatStack's internal breach notification procedure is documented and maintained separately. The primary security contact is security@statstackhq.com.
9. Data Subject Rights
StatStack assists the Controller in responding to Data Subject requests exercising their rights under GDPR Chapter III, including:
- Right of access (Article 15) — Data export functionality is available to organization administrators.
- Right to rectification (Article 16) — Controllers can update creator and staff data through the platform interface.
- Right to erasure (Article 17) — Controllers can delete user records through the platform. StatStack will delete associated data from backups within 30 days.
- Right to restriction of processing (Article 18) — Controllers may deactivate user accounts to restrict processing.
- Right to data portability (Article 20) — Data can be exported in structured, machine-readable formats (Excel, JSON).
- Right to object (Article 21) — The Controller is responsible for handling objections from its Data Subjects.
If StatStack receives a request directly from a Data Subject, StatStack will promptly redirect the request to the relevant Controller, unless legally required to respond directly.
10. Audit Rights
StatStack shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and GDPR Article 28, and allow for and contribute to audits and inspections conducted by the Controller or an independent auditor mandated by the Controller.
- Audit requests must be submitted in writing to security@statstackhq.com with at least 30 days' notice.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with StatStack's operations.
- The Controller shall bear the costs of any audit it initiates.
- Audit findings and any confidential information obtained are subject to confidentiality obligations.
- StatStack may satisfy audit requests by providing relevant certifications, audit reports, or written responses to specific compliance questions.
11. Data Return & Deletion
Upon termination or expiration of the Controller's subscription:
- Data export: The Controller may export all organizational data through the platform's export functionality prior to termination.
- Retention period: StatStack retains the Controller's data for 30 days after subscription termination to allow for account recovery or data export.
- Deletion: After the 30-day retention period, StatStack will delete all Personal Data from active systems. Data may persist in encrypted backups for up to an additional 30 days before being permanently purged through the normal backup rotation cycle.
- Exceptions: StatStack may retain data where required by applicable law (e.g., billing records for tax/accounting purposes). Such retained data will be minimized and anonymized where possible.
- Certification: Upon the Controller's written request, StatStack will confirm in writing that deletion has been completed.
12. Duration & Termination
This DPA enters into force when the Controller begins using the StatStack platform and remains in effect for as long as StatStack processes Personal Data on behalf of the Controller.
The obligations of StatStack under this DPA survive termination to the extent necessary to complete any remaining data processing, return, or deletion obligations.
In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.
13. Contact
For questions about this DPA, data processing practices, or to exercise audit rights: