
Data Processing Addendum

Effective date: April 16, 2026 · Last updated: April 16, 2026

This Data Processing Addendum ("DPA") applies when you use Policy Stack to process personal data on behalf of a third party — for example, when an advisor processes client information through their practice account. It supplements the Terms of Service and the Advisor Agreement. If you require a counter-signed copy for procurement or compliance, email support@policystack.co.

1. Parties and Roles

This DPA is entered into between you ("Customer") and Policy Stack ("Processor," "we," or "us"). For personal data that Customer submits through the Service about Customer's own clients or end-users ("Customer Personal Data"):

  • Customer is the data controller (or, under CCPA/CPRA, the “business”)
  • Policy Stack is the data processor (or, under CCPA/CPRA, the “service provider”)

For Customer's own account data (Customer's name, billing information, and account activity), Policy Stack acts as an independent controller under its Privacy Policy.

2. Scope and Subject Matter

Subject matter:      Processing personal data necessary to provide Policy Stack as described in the Terms of Service
Duration:            For the term of the subscription, plus retention periods in our Privacy Policy
Nature and purpose:  Storage, display, modeling, analysis, and collaboration on whole life insurance and related financial data
Categories of data:  Contact information (name, email); policy and loan data; financial deployment records; goal and scenario data; uploaded carrier documents; authentication logs; communication content (AI chat, scribe transcripts)
Data subjects:       Customer's clients, household members, team members, and other individuals whose information Customer enters

3. Processor Obligations

Policy Stack will:

  • Process Customer Personal Data only on Customer's documented instructions, including as described in the Terms of Service, the Advisor Agreement, and this DPA
  • Ensure personnel authorized to process Customer Personal Data are bound by confidentiality obligations
  • Implement the technical and organizational measures described in Section 6 and our Security page
  • Not engage a subprocessor without the general authorization in Section 5
  • Assist Customer with responding to data subject requests, data protection impact assessments, and consultations with supervisory authorities, taking into account the nature of processing
  • Delete or return Customer Personal Data at the end of the subscription in accordance with Section 9
  • Make available the information necessary to demonstrate compliance with this DPA

4. Customer Obligations

Customer is responsible for:

  • Having a valid legal basis to collect, use, and share Customer Personal Data with Policy Stack
  • Providing all notices and obtaining all consents required by applicable law, including from clients seated on an advisor account
  • Issuing instructions to Policy Stack that comply with applicable data protection laws
  • Responding to data subject requests directed to Customer
  • Not uploading special categories of data (health, biometric, etc.) or protected health information (PHI) unless covered by a separate written agreement

5. Subprocessors

Customer provides general authorization for Policy Stack to engage the following subprocessors to provide the Service. We will give Customer at least 30 days' notice (via our changelog or email to account admins) before adding or replacing a subprocessor. Customer may object on reasonable data protection grounds within 30 days; if the objection cannot be resolved, Customer may terminate the affected portion of the Service with a prorated refund.

Subprocessor                         Purpose                                       Data location
Supabase, Inc.                       Database, authentication, object storage      United States (AWS us-east)
Vercel, Inc.                         Application hosting, edge delivery            United States (global edge)
Stripe, Inc.                         Payment processing, subscription management   United States
OpenRouter, Inc.                     AI model routing (Anthropic, Google)          United States
Resend, Inc.                         Transactional and product email delivery      United States
Upstash, Inc.                        Rate-limiting (Redis)                         United States
PostHog, Inc.                        Product analytics (anonymized events)         United States
Functional Software, Inc. (Sentry)   Error monitoring                              United States

Each subprocessor is engaged under a written contract that imposes data protection obligations no less protective than those in this DPA.

6. Security Measures

Policy Stack implements and maintains the technical and organizational measures described on our Security page, including:

  • AES-256-GCM field-level encryption at rest for all financial values
  • TLS 1.2+ transport encryption
  • PostgreSQL row-level security on every table
  • Passwordless authentication with optional TOTP-based MFA
  • Immutable audit logging for critical actions
  • Distributed rate limiting and input validation on all endpoints
  • Signed URLs with 1-hour expiry for document access
  • Incident response playbook with 72-hour notification commitment

7. International Data Transfers

Policy Stack and its subprocessors are based in the United States. When Customer Personal Data is transferred from the European Economic Area, United Kingdom, or Switzerland, the parties rely on the following transfer mechanisms:

  • The EU Standard Contractual Clauses (2021/914) Module Two (Controller-to-Processor), incorporated by reference into this DPA
  • The UK International Data Transfer Addendum issued by the UK Information Commissioner's Office
  • The Swiss Federal Data Protection Act, where applicable

To the extent required, the SCCs take precedence over conflicting provisions in this DPA. Customer may request a counter-signed copy of the SCCs by emailing support@policystack.co.

8. Data Subject Rights Assistance

Policy Stack provides self-service tools to help Customer fulfill data subject requests:

  • Access / portability: JSON and CSV export via Settings
  • Correction: in-app editing of all user-entered fields
  • Deletion: account deletion via Settings > Profile > Danger Zone
  • Objection / restriction: in-app opt-outs for analytics and marketing

If Customer receives a request it cannot fulfill through in-app tools, contact support@policystack.co and we will assist within the timelines required by applicable law.

9. Return and Deletion

Upon termination of the subscription, Customer may export data through Settings for up to 30 days. After the 30-day grace period, Policy Stack permanently deletes Customer Personal Data, except as required by law (for example, billing records retained for 7 years). Backup copies are overwritten on our normal backup rotation.

10. Audit

Policy Stack will make available the information reasonably necessary to demonstrate compliance with this DPA. At Customer's written request and no more than once per year, Policy Stack will respond to a written security questionnaire or share the then-current SOC 2 Type II reports of its infrastructure subprocessors. Physical on-site audits are not available due to our cloud-native architecture.

11. Breach Notification

Policy Stack will notify Customer without undue delay, and no later than 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data. The notification will describe the nature of the breach, the categories and approximate number of records affected, the likely consequences, and the measures taken or proposed to address the breach.

12. Liability

Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. Nothing in this DPA limits liability to data subjects for their statutory rights under applicable data protection law.

13. Order of Precedence

In the event of conflict, the following order of precedence applies: (1) the SCCs and UK Addendum, (2) this DPA, (3) the Advisor Agreement, (4) the Terms of Service.

14. Changes

Policy Stack may update this DPA to reflect changes in applicable law or the Service. Material changes will be communicated at least 30 days before taking effect. Continued use of the Service constitutes acceptance.

Policy Stack
Contact for DPA execution: support@policystack.co
policystack.co/dpa
