Data Processing Agreement

Last updated: March 29, 2026 · Effective: March 29, 2026

Note: This Data Processing Agreement ("DPA") is incorporated by reference into the Signal-Stack Terms of Service and applies to all customers on paid plans who process personal data of EU/EEA data subjects. By using the Service on a paid plan, you agree to this DPA. For an executed copy with your organization's details, contact legal@signal-stack.io.

1. Definitions

For the purposes of this DPA:

  • "Controller" means the customer entity that determines the purposes and means of processing Personal Data using the Service.
  • "Processor" means Nofluff Advisory LLC d/b/a Signal-Stack, acting on behalf of the Controller.
  • "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
  • "Processing" has the meaning given in applicable Data Protection Laws.
  • "Data Protection Laws" means GDPR (EU 2016/679), the UK GDPR, and any other applicable data protection legislation.
  • "GDPR" means Regulation (EU) 2016/679 of the European Parliament and of the Council.
  • "Sub-processor" means any third party engaged by Signal-Stack to process Personal Data on behalf of the Controller.
  • "Data Subject" means a natural person whose Personal Data is processed under this DPA.
  • "Security Incident" means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope and Roles

This DPA applies where Signal-Stack processes Personal Data on behalf of the Controller in the course of providing the Service described in the Terms of Service.

The parties acknowledge that with respect to Personal Data processed through the Service:

  • The Controller determines the purposes and means of processing (e.g. which prospect data to query, which integrations to connect).
  • Signal-Stack acts as a Processor and processes Personal Data only to provide the Service and as further described in this DPA.
  • Where Signal-Stack processes data for its own purposes (e.g. security logs, billing), it acts as an independent Controller for such processing.

3. Details of Processing

3.1 Subject Matter

AI-powered pre-call intelligence brief generation, including aggregation and synthesis of prospect and account data from connected third-party platforms.

3.2 Duration

For the duration of the Controller's subscription to the Service, or until earlier termination of the Terms of Service, after which Signal-Stack will delete or return Personal Data in accordance with Section 9.

3.3 Nature and Purpose of Processing

Signal-Stack processes Personal Data to:

  • Retrieve email thread data from Gmail to generate behavioural profiles of prospects
  • Retrieve call history, transcripts, and tracker data from Gong
  • Retrieve contact and deal data from Salesforce and HubSpot
  • Process LinkedIn connection data uploaded by the Controller for network overlap analysis
  • Retrieve enrichment data from Clay APIs
  • Synthesise the above into AI-generated pre-call briefings via the Anthropic Claude API
  • Deliver briefings by email and display them in the Service dashboard

3.4 Types of Personal Data

  • Prospect and contact identifiers: name, email address, job title, employer
  • Email communications: subject lines, thread metadata, behavioural signals derived from email content
  • Call data: call titles, dates, durations, tracker mentions, engagement signals
  • CRM data: deal stages, deal values, close dates, account information
  • LinkedIn network data: connection names, companies, positions, mutual connections
  • Calendar data: meeting titles, attendees, scheduled times

3.5 Categories of Data Subjects

  • The Controller's sales prospects and customers
  • Third-party contacts in the Controller's CRM, email, and call systems
  • The Controller's employees and team members whose accounts are connected to the Service
  • LinkedIn connections uploaded by the Controller

4. Controller Obligations

The Controller represents and warrants that:

  • It has a valid legal basis under GDPR (or other applicable Data Protection Laws) for each category of Personal Data processed through the Service.
  • It has obtained all necessary permissions, consents, or has another lawful ground to connect its Gmail, Gong, Salesforce, HubSpot, and other integrations to the Service.
  • It will comply with its own obligations under applicable Data Protection Laws, including providing required notices to Data Subjects.
  • Any LinkedIn data export uploaded to the Service was obtained through LinkedIn's official data portability tools in compliance with LinkedIn's User Agreement.
  • It will notify Signal-Stack promptly if it becomes aware of any actual or suspected Security Incident involving Personal Data processed through the Service.

5. Processor Obligations

Signal-Stack shall, in its capacity as Processor:

5.1 Instructions

Process Personal Data only on documented instructions from the Controller (as set out in this DPA and the Terms of Service), unless required to do otherwise by applicable law, in which case Signal-Stack will inform the Controller of that legal requirement before processing (unless prohibited by law on important grounds of public interest).

5.2 Confidentiality

Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.

5.3 Security

Implement and maintain technical and organisational measures appropriate to the risk, as further described in Annex A (Security Measures).

5.4 Sub-processors

Not engage Sub-processors without prior general written authorisation from the Controller. The Controller grants general authorisation for the Sub-processors listed in Annex B. Signal-Stack will inform the Controller of any intended changes to Sub-processors by updating Annex B and notifying the Controller, giving the Controller the opportunity to object within 14 days.

5.5 Data Subject Rights

Assist the Controller in fulfilling its obligations to respond to Data Subject requests (access, rectification, erasure, restriction, portability, objection) by providing reasonable technical and administrative assistance, taking into account the nature of processing.

5.6 Security Incidents

Notify the Controller without undue delay (and where feasible within 72 hours) after becoming aware of a Security Incident affecting Personal Data processed under this DPA. The notification will include, to the extent available: a description of the nature of the Security Incident, the categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed.

5.7 DPIAs and Consultation

Provide reasonable assistance to the Controller in carrying out data protection impact assessments (DPIAs) and prior consultations with supervisory authorities, to the extent required by GDPR Articles 35 and 36, taking into account the nature of processing and information available to Signal-Stack.

5.8 Deletion and Return

At the choice of the Controller, delete or return all Personal Data upon termination of the Service, and delete existing copies unless applicable law requires their retention. Where deletion occurs automatically as per the Service's retention schedule, this satisfies the Processor's obligation under this clause.

5.9 Audit Rights

Make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, and allow for audits or inspections conducted by the Controller or an auditor mandated by the Controller, provided that: (i) the Controller provides at least 30 days' prior written notice; (ii) audits are conducted during business hours with minimal disruption; and (iii) the Controller bears all costs of the audit. The parties agree that compliance with an approved code of conduct or certification mechanism, or a third-party audit report, may satisfy audit obligations where available.

6. International Data Transfers

Signal-Stack is based in the United States. Where Personal Data is transferred from the EEA, UK, or Switzerland to the United States or other countries not recognised as providing adequate protection, Signal-Stack relies on one or more of the following transfer mechanisms:

  • Standard Contractual Clauses (SCCs): The EU Commission's standard contractual clauses (Module 2: Controller to Processor) are incorporated by reference into this DPA and available upon request from legal@signal-stack.io.
  • UK IDTA: For transfers from the UK, the International Data Transfer Agreement (IDTA) is available upon request.
  • Sub-processor transfers: Signal-Stack ensures that Sub-processors receiving Personal Data outside the EEA/UK are subject to appropriate transfer mechanisms as set out in Annex B.

By entering into this DPA (including the SCCs incorporated herein), the Controller and Signal-Stack agree to the terms of the SCCs, which take precedence over this DPA to the extent of any conflict solely in respect of international transfers.

7. Data Retention and Deletion

Signal-Stack applies the following retention schedule to Personal Data processed under the Service:

  • Generated briefs: Retained for the duration of the Controller's subscription. The Controller may delete individual briefs at any time from the dashboard.
  • LinkedIn network data: Retained for 90 days from upload, then automatically deleted.
  • Cached signal snapshots: Retained for up to 24 hours for performance purposes, then purged.
  • Account deletion: Upon account deletion by the Controller, all associated Personal Data is deleted within 30 days, except where retention is required by law.

Data retrieved transiently from third-party integrations (Gmail, Gong, Salesforce, HubSpot) during brief generation is not persistently stored beyond the generated brief output, except where the Controller explicitly saves a brief.

8. Confidentiality and Security

Signal-Stack will maintain commercially reasonable technical and organisational security measures as described in Annex A. The Controller acknowledges that no security measures provide absolute protection and that the Controller is responsible for securing its own access credentials and integration tokens.

9. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any liability that cannot be excluded or limited under applicable law.

10. Term and Termination

This DPA is effective from the date the Controller accepts the Terms of Service and remains in force for the duration of the Service subscription. It terminates automatically upon termination or expiry of the Terms of Service, subject to survival of clauses that by their nature should survive (including Sections 5.8, 6, and 7).

11. Governing Law

This DPA is governed by the same governing law as the Terms of Service (State of Delaware, United States), except to the extent that Data Protection Laws of the EEA or UK require the application of their local law to specific provisions.

Annex A — Technical and Organisational Security Measures

A.1 Access Controls

  • Authentication via ECDSA-signed session tokens with 24-hour expiry
  • Role-based access control (per-user and org-level permissions)
  • API credentials stored as encrypted environment secrets, never in source code
  • Principle of least privilege applied to all integrations and internal services

A.2 Data in Transit

  • All data transmitted over TLS 1.2 or higher
  • HTTPS enforced across all endpoints via Cloudflare
  • HSTS headers applied

A.3 Data at Rest

  • Database encrypted at rest (Cloudflare D1 / SQLite)
  • KV cache encrypted at rest (Cloudflare KV)
  • Integration credentials stored as Cloudflare Worker secrets

A.4 Infrastructure

  • Hosted on Cloudflare's edge network across global data centres
  • No persistent server infrastructure; serverless architecture minimises attack surface
  • Automatic DDoS protection and WAF via Cloudflare

A.5 Organisational Measures

  • Access to production systems limited to authorised personnel only
  • Incident response procedures in place for Security Incidents
  • Dependencies reviewed regularly for known vulnerabilities

Annex B — Approved Sub-processors

The Controller grants general authorisation for Signal-Stack to engage the following Sub-processors. Signal-Stack will notify the Controller of any changes in accordance with Section 5.4.

| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Cloudflare, Inc. | Infrastructure, database (D1), KV cache, edge compute | USA (global edge) | SCCs / adequacy |
| Anthropic, PBC | AI brief synthesis (Claude API) | USA | SCCs |
| Resend, Inc. | Transactional email delivery | USA | SCCs |
| Stripe, Inc. | Payment processing (billing data only) | USA | SCCs |
| Google LLC | Gmail & Calendar data retrieval (OAuth, Controller-authorised) | USA (global) | SCCs / adequacy |
| Gong.io, Inc. | Call data retrieval (Controller-authorised) | USA | SCCs |
| LinkedIn Corp. | Network overlap analysis (Controller-uploaded data) | USA | SCCs |
| Salesforce, Inc. | CRM enrichment (Controller-authorised) | USA (global) | SCCs |
| HubSpot, Inc. | CRM enrichment (Controller-authorised) | USA | SCCs |
| Clay Technologies, Inc. | Contact enrichment (Controller-authorised) | USA | SCCs |

Note: Google, Gong, Salesforce, HubSpot, and Clay act as independent Controllers for data processed on their own platforms. Signal-Stack accesses data from these platforms solely as authorised by the Controller via OAuth or API credentials. The processing of Personal Data on those platforms is governed by those platforms' own terms and privacy policies.

Contact

For DPA-related enquiries, executed copies, or custom terms:

Nofluff Advisory LLC d/b/a Signal-Stack
Email: legal@signal-stack.io
Website: www.signal-stack.io
© 2026 Nofluff Advisory LLC d/b/a Signal-Stack. All rights reserved.