Data Processing Addendum
Effective date: July 4, 2026
This Addendum describes how Stewyrd processes personal information on behalf of its customers when providing the Services. It supplements our Terms of Service and Privacy Policy.
1. Scope & roles
This Data Processing Addendum (“DPA”) supplements the Terms of Service between you (“Customer”) and Stewyrd, Inc. (“Stewyrd”) and governs Stewyrd’s processing of personal information contained in Customer Content on Customer’s behalf. Where this DPA conflicts with the Terms of Service on the processing of personal information, this DPA controls.
For personal information in Customer Content, Customer is the “business” / controller and Stewyrd is the “service provider” / processor. For personal information Stewyrd collects about its own account holders and website visitors, Stewyrd is the business; that processing is governed by the Privacy Policy, not this DPA.
2. Definitions
Capitalized terms not defined here have the meaning in the Terms of Service. “Applicable Data Protection Laws” means privacy and data-protection laws applicable to the processing, including the California Consumer Privacy Act as amended by the CPRA (the “CCPA/CPRA”) and other U.S. state privacy laws. “Personal Information,” “business,” “service provider,” “process,” “sell,” and “share” have the meanings in the CCPA/CPRA. “Subprocessor” means a third party engaged by Stewyrd to process personal information in Customer Content.
3. Details of processing
- Subject matter: provision of the Stewyrd Services.
- Duration: the term of the Terms of Service, plus the deletion window in Section 10.
- Nature and purpose: hosting, extracting obligations from documents, generating proposals for human review, storing records, sending notifications, and providing support and advisory services, all to provide the Services.
- Types of personal information: contact details and professional information contained in the documents and records Customer submits (for example, the names, emails, or phone numbers of staff, program officers, or funder contacts).
- Categories of data subjects: Customer’s personnel and users, and individuals named in Customer Content.
4. Customer instructions
Stewyrd will process personal information in Customer Content only on Customer’s documented instructions, including as set out in the Terms of Service, this DPA, and Customer’s use of the Services, and as required by law (in which case Stewyrd will inform Customer unless legally prohibited). Customer is responsible for the accuracy and legality of Customer Content and for having the necessary rights and notices to provide it for processing.
5. CCPA/CPRA service-provider obligations
Stewyrd acts as Customer’s service provider and certifies that it understands and will comply with the following restrictions. Stewyrd will not:
- sell or share personal information in Customer Content;
- retain, use, or disclose it for any purpose other than the business purposes specified here, or as otherwise permitted by the CCPA/CPRA;
- retain, use, or disclose it outside the direct business relationship between the parties; or
- combine it with personal information Stewyrd receives from other sources, except as permitted by the CCPA/CPRA.
Stewyrd will comply with applicable obligations under the CCPA/CPRA and provide the same level of privacy protection as required of a service provider. Customer may take reasonable and appropriate steps to help ensure Stewyrd uses personal information consistently with Customer’s obligations, and to stop and remediate unauthorized use.
6. Confidentiality of personnel
Stewyrd will ensure that personnel authorized to process personal information in Customer Content are bound by appropriate confidentiality obligations and process the information only as needed to provide the Services.
7. Security measures
Stewyrd will maintain technical and organizational measures designed to protect personal information appropriate to the risk, including encryption of data in transit, access controls scoped to each Customer organization, an append-only audit trail of changes to records, and least-privilege administrative access. A summary of current measures is set out in Annex II.
8. Subprocessors
Customer authorizes Stewyrd to engage Subprocessors to process personal information in Customer Content. Stewyrd maintains a current list of Subprocessors (Annex III), available on request, and will make reasonable efforts to notify Customer of material changes so Customer may object on reasonable data-protection grounds. Stewyrd will impose data-protection obligations on each Subprocessor that are substantially the same as those in this DPA, and remains responsible for its Subprocessors’ performance.
9. Data-subject requests
Taking into account the nature of the processing, Stewyrd will provide reasonable assistance, including through the Services’ features, to enable Customer to respond to requests from individuals exercising their rights under Applicable Data Protection Laws. If Stewyrd receives such a request directly regarding Customer Content, it will, unless legally required to act, refer the individual to Customer.
10. Personal-information breach notification
Stewyrd will notify Customer without undue delay after becoming aware of a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to personal information in Customer Content, and will provide information reasonably available to help Customer meet its own notification obligations. Stewyrd’s notification is not an acknowledgment of fault or liability.
11. Return & deletion
Customer may export Customer Content at any time during the term. On termination, Stewyrd will delete or, at Customer’s election, return personal information in Customer Content within 90 days, except for copies in routine backups (purged on their normal cycle) and information Stewyrd must retain by law, in which case Stewyrd will continue to protect it under this DPA.
12. Audits & information
On reasonable prior written request, no more than once per year (unless required by a regulator or following a breach), Stewyrd will make available information reasonably necessary to demonstrate compliance with this DPA, which may be satisfied through Stewyrd’s then-current security documentation or third-party reports. Any audit will be at Customer’s expense, during business hours, subject to confidentiality, and conducted so as not to disrupt Stewyrd’s operations or other customers’ data.
13. Data location & international transfers
Stewyrd processes personal information in the United States. If Customer requires the transfer of personal information subject to the GDPR or UK GDPR, the parties will enter into the applicable Standard Contractual Clauses or an equivalent transfer mechanism, which will apply to that data and prevail over conflicting terms of this DPA to the extent required by law.
14. Liability & precedence
Each party’s liability under or in connection with this DPA is subject to the exclusions and limitations of liability in the Terms of Service. This DPA forms part of, and does not otherwise modify, the Terms of Service. In the event of a conflict regarding the processing of personal information, the order of precedence is: applicable Standard Contractual Clauses, then this DPA, then the Terms of Service, then the Privacy Policy.
15. Annexes
Annex I — Processing details
As described in Section 3 (Details of processing).
Annex II — Security measures
Encryption in transit (TLS); access controls and row-level security scoping data to each Customer organization; an append-only, immutable audit log of canonical changes; least-privilege administrative access; secrets management; and logging and monitoring. [To be finalized with Customer’s security/diligence team.]
Annex III — Subprocessors
Categories of Subprocessors include: cloud application hosting; managed database and authentication; transactional email delivery; and AI inference / document-processing providers. A current list identifying each Subprocessor by legal entity and function is available on request. [Publish and maintain a current list before relying on this DPA.]
16. Contact
Questions about this DPA? Contact Stewyrd, Inc. at privacy@stewyrd.com.