Data Processing Agreement
Last updated: May 16, 2026
This Data Processing Agreement ("DPA") is incorporated by reference into the Terms of Service between Strata ("Processor") and the customer entity that has agreed to the Terms ("Controller"). It governs the processing of personal data by Strata on behalf of the Controller in connection with the Strata analytics platform.
1. Definitions
"Personal Data," "processing," "controller," and "processor" have the meanings given in the General Data Protection Regulation (EU) 2016/679 ("GDPR") and, where applicable, equivalent laws in other jurisdictions.
"Customer Data" means all data — including Personal Data — that the Controller uploads to, syncs through, or generates within the Strata platform.
2. Scope and Nature of Processing
Strata processes Customer Data solely to provide the services described in the Terms of Service, including but not limited to:
- Storing and indexing uploaded files and connector data
- Running natural-language queries and ML analyses on Customer Data
- Generating dashboards, reports, and financial statements
- Syncing data between the Controller's connected third-party services and the Strata platform
Strata does not sell, rent, or use Customer Data for its own commercial purposes, including advertising or model training, without explicit written consent.
3. Controller's Obligations
The Controller warrants and represents that:
- It has obtained all necessary consents and has a lawful basis for processing any Personal Data uploaded to the platform.
- It will provide Strata with instructions that comply with applicable data protection laws.
- It is responsible for the accuracy, quality, and legality of Customer Data and the means by which it was collected.
4. Processor's Obligations
Strata shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law.
- Ensure that persons authorized to process Personal Data are bound by appropriate confidentiality obligations.
- Implement the technical and organizational security measures described in Section 7.
- Assist the Controller in responding to data subject rights requests (access, rectification, erasure, portability) within 30 days of receiving a written request.
- Notify the Controller without undue delay upon becoming aware of a Personal Data breach, as described in Section 8.
- Delete or return all Customer Data upon termination of the agreement, as described in Section 9.
5. Sub-processors
The Controller grants Strata a general authorization to engage the sub-processors listed on the Subprocessors page. Strata imposes data protection obligations on sub-processors equivalent to those in this DPA via binding contracts.
Strata will inform the Controller of intended changes to sub-processors by updating the Subprocessors page. Scale plan customers may request advance email notice by contacting [email protected]. The Controller may object to a new sub-processor within 14 days of notice; if the parties cannot resolve the objection, the Controller may terminate the relevant services.
6. Data Subject Rights
Strata will promptly notify the Controller of any requests received directly from data subjects regarding their Personal Data. The Controller, as data controller, is responsible for responding to such requests. Strata will provide reasonable technical assistance to help the Controller fulfill its obligations.
7. Security Measures
Strata implements technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include:
- Tenant isolation — all Customer Data is scoped to a unique tenant identifier, and restrictions on cross-tenant data access are enforced at both the database and API layers.
- Encryption in transit via TLS 1.2+ for all data in motion.
- Encryption at rest for all stored data, including database volumes and object storage (Cloudflare R2).
- API tokens and OAuth credentials stored encrypted using Fernet symmetric encryption; never logged in plaintext.
- Role-based access controls for internal personnel; principle of least privilege applied.
- Continuous error and anomaly monitoring via Sentry.
- Regular dependency and vulnerability scanning in the CI pipeline.
8. Data Breach Notification
In the event of a confirmed Personal Data breach, Strata will notify the Controller within 72 hours of becoming aware, to the extent practicable. The notification will include:
- A description of the nature of the breach, including categories and approximate number of data subjects and records affected.
- Contact details of the data protection contact at Strata.
- Likely consequences of the breach.
- Measures taken or proposed to address the breach and mitigate its effects.
The Controller is responsible for notifying the relevant supervisory authority and affected data subjects as required by applicable law.
9. Data Deletion and Return
Upon termination or expiry of the Terms of Service, Strata will:
- Retain Customer Data for 30 days post-termination to allow export via the dashboard or API.
- Permanently delete all Customer Data, including backups, within 90 days of termination, unless applicable law requires longer retention.
- On written request, provide a certificate of deletion within 30 days of completing the deletion process.
10. International Data Transfers
Strata's infrastructure is primarily located in the United States. Where Customer Data originating in the European Economic Area (EEA) is transferred to the United States, such transfers are made under the EU Standard Contractual Clauses (SCCs) as incorporated by reference into this DPA. A copy of the applicable SCCs is available on request from [email protected].
11. Audit Rights
Strata will make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA. Scale plan customers may request an audit or inspection of Strata's data processing activities, subject to reasonable prior notice (at least 30 days) and agreement on scope and cost. Strata may satisfy audit requests by providing third-party audit reports (e.g., SOC 2 Type II, once available) in lieu of direct on-site audits.
12. Liability
Each party's liability under this DPA is subject to the limitations and caps set out in the Terms of Service. Nothing in this DPA is intended to impose liability on Strata for processing carried out on the Controller's documented instructions.
13. Governing Law
This DPA is governed by the same governing law as the Terms of Service (State of Delaware, United States), except where mandatory provisions of the GDPR or other applicable data protection law require a different governing law.
14. Contact
For questions about this DPA or data protection at Strata, contact us at [email protected]. See also our Privacy Policy and the list of Subprocessors.