Data Processing Agreement
<!-- DRAFT: needs Stiward product/legal review before publication. This DPA is intended for institutional counterparties that enter into a written agreement with Stiward — primarily family-plan principals, enterprise/team customers, and authorized resellers in V2+. Direct individual users (V1) are governed by the Privacy Policy and Terms of Service, not this DPA. Confirm domain, executing entity, and Annex contents before issuing. Counsel review required. -->
Effective Date: May 20, 2026
This Data Processing Agreement (this "DPA") forms part of the written agreement between Stiward Holdings Inc. ("Stiward") and the institutional counterparty signing or otherwise accepting it ("Customer" — typically a family-plan principal, enterprise or team customer, authorized reseller, or other organization entering into a commercial arrangement with Stiward that involves Stiward Processing Personal Data on Customer's behalf) (the "Agreement"). It governs the Processing of personal data carried out in connection with the Services Stiward provides to Customer or that Customer provides to Stiward, as the case may be. Capitalized terms not defined here have the meanings given to them in the Agreement.
This DPA does not apply to Stiward's direct individual users (consumers signing up at stiward.com on their own behalf), whose personal data is governed by Stiward's Privacy Policy — for those users Stiward is the Controller, not a Processor.
1. Subject Matter, Scope, and Roles
1.1 Data Processing
In the course of performing under the Agreement, Stiward may Process personal data provided by, or on behalf of, Customer that constitutes "personal data," "personal information," "personally identifiable information," or an analogous term under applicable law ("Customer Personal Data"). The parties agree to comply with this DPA and with all privacy and data protection laws applicable to the Processing of Customer Personal Data, including, as applicable, those of the European Union, the European Economic Area and its member states, Switzerland, the United Kingdom, and the United States (including the California Consumer Privacy Act, as amended by the California Privacy Rights Act, the "CCPA") (collectively, "Data Protection Laws").
1.2 Subject Matter
The subject matter, nature, and purpose of the Processing, the types of Customer Personal Data, and the categories of "Data Subjects" (as defined under applicable Data Protection Laws) are described in Annex I, which is an integral part of this DPA.
1.3 Roles
Customer is a "Controller" or "Business" (as defined under applicable Data Protection Laws) and appoints Stiward as a "Processor" or "Service Provider" (as defined under applicable Data Protection Laws) on behalf of Customer. Customer is responsible for compliance with the requirements of Data Protection Laws applicable to Controllers and Businesses, including for ensuring that Customer has the necessary lawful basis, notices, and consents in place before disclosing Customer Personal Data to Stiward.
If Customer is a Processor on behalf of another Controller (a "Third-Party Controller"), Customer:
- is the single point of contact for Stiward;
- must obtain all necessary authorizations from such Third-Party Controller; and
- undertakes to issue all instructions and exercise all rights on behalf of that Third-Party Controller.
1.4 Direct-User Data Out of Scope
Personal data of Stiward's direct individual users that is generated through their use of the Stiward platform — including profile data, Connector Data (Plaid transactions, Google Calendar events, Gmail messages and drafts), Alfred conversation history, briefings, and agent events — is not Customer Personal Data under this DPA. Stiward is the Controller of that data, and it is governed by Stiward's Privacy Policy.
2. Processing Instructions
Stiward will Process Customer Personal Data on behalf of and only in accordance with Customer's documented instructions for the following purposes:
- Processing in accordance with this DPA, the Agreement, and any applicable order form, statement of work, or scope-of-work document;
- Processing initiated by authorized users in their use of the Services; and
- Processing to comply with other documented reasonable instructions provided by Customer (e.g., via email) where such instructions are consistent with the terms of the Agreement.
Stiward will inform Customer if, in Stiward's opinion, an instruction infringes Data Protection Laws, unless legally prohibited from doing so.
3. Personnel
Stiward will ensure that all personnel authorized to Process Customer Personal Data are subject to a written or statutory obligation of confidentiality and have received appropriate training on data protection and security requirements.
4. CCPA Limitations on Processing
Except as permitted by applicable Data Protection Laws, the Agreement, or this DPA, Stiward will not:
- retain, use, or disclose Customer Personal Data for any purpose other than for the specific purposes of performing the Services and in accordance with Customer's documented instructions;
- retain, use, or disclose Customer Personal Data outside of the direct business relationship between the parties;
- combine Customer Personal Data with personal information that Stiward obtains from, or on behalf of, sources other than Customer, except as permitted by Data Protection Laws; or
- "Sell" or "Share" (as those terms are defined under applicable Data Protection Laws) Customer Personal Data.
Stiward certifies that it understands and will comply with these restrictions.
5. Security and Security Incidents
5.1 Security
Stiward will implement reasonable and appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk presented by the Processing of Customer Personal Data, in accordance with the measures described in Annex II. Stiward intends to obtain SOC 2 Type II attestation (or a substantially equivalent standard) and will maintain that posture during the Term once attained.
5.2 Security Incident Notification
Stiward will notify Customer without undue delay, and where feasible no later than seventy-two (72) hours, after becoming aware of any actual or reasonably suspected unauthorized access to, loss of, disclosure of, or other unauthorized Processing of Customer Personal Data (a "Security Incident"). If notification cannot be made within seventy-two (72) hours, it will be accompanied by the reasons for the delay.
5.3 Security Incident Response
Stiward will take reasonable measures in response to a Security Incident, including:
- measures designed to mitigate the Security Incident and prevent its recurrence;
- providing Customer with reasonable information about the Security Incident as it becomes known to Stiward; and
- providing other commercially reasonable assistance to Customer in complying with its obligations under applicable Data Protection Laws.
5.4 Vulnerability Testing
Stiward will perform regular vulnerability scanning of, and penetration testing against, the platform used to provide the Services. Penetration testing will be performed at least annually and after any significant change to the platform.
5.5 Encryption
Stiward will encrypt Customer Personal Data in transit using TLS 1.2 or higher (with TLS 1.3 preferred) and at rest using AES-256 encryption or equivalent industry-standard encryption techniques.
6. Subprocessing
6.1 Authorization
Customer hereby authorizes Stiward to engage Processors that Process Customer Personal Data on behalf of Stiward ("Subprocessors"). Stiward's current Subprocessors are listed in Annex III.
6.2 Subprocessor Agreements
Stiward will enter into a written agreement with each Subprocessor that imposes substantially similar obligations on the Subprocessor as those imposed on Stiward under this DPA, including requirements for security, confidentiality, and data protection.
6.3 Subprocessor Changes
Stiward will notify Customer at least thirty (30) days before any intended addition or replacement of a Subprocessor that will Process Customer Personal Data, by email to the address associated with Customer's account and by updating the list at <https://stiward.com/legal/subprocessors>. Customer may object to the new Subprocessor on reasonable, documented grounds relating to data protection (for example, that the appointment would result in a material violation of Data Protection Laws) by giving Stiward written notice of those grounds within thirty (30) days of Stiward's notification. The parties will work together in good faith to resolve the objection. If no mutually acceptable resolution is reached and Stiward elects to proceed with the new Subprocessor, either party may terminate the parts of the Services that depend on that Subprocessor on thirty (30) days' written notice.
7. Assistance to Customer
Taking into account the nature of the Processing and the information available to Stiward, Stiward will provide reasonable assistance to Customer:
- in implementing appropriate technical and organizational measures;
- in responding to Data Subject or "Consumer" (as defined under applicable Data Protection Laws) requests;
- in replying to inquiries, complaints, and investigations from regulators; and
- in conducting data protection impact assessments and prior consultations with regulators.
Stiward may charge reasonable fees for assistance that materially exceeds the standard support included in the Agreement.
8. Audit
On Customer's reasonable written request, and no more than once per twelve (12) months unless required by a supervisory authority, Stiward will permit Customer, at Customer's expense, to audit Stiward's controls and compliance with this DPA (an "Audit"), provided that the Audit is:
- conducted by Customer or by a third-party auditor designated by Customer that has executed an appropriate confidentiality agreement with Stiward;
- limited to a scope mutually agreed by the parties, including start date, duration, and confidentiality controls;
- conducted during normal business hours with at least thirty (30) days' prior written notice; and
- carried out in a manner that does not unreasonably interfere with Stiward's business operations.
As an alternative to an Audit, Stiward may provide Customer with a copy of its most recent SOC 2 Type II report (once available) or another equivalent certification or summary report. Customer will pay all costs and expenses incurred by Stiward in connection with the Audit. Customer may use the results of an Audit only for the purposes of meeting Customer's regulatory audit requirements and confirming compliance with this DPA.
9. International Data Transfers
9.1 European Data Transfers
Stiward will not transfer Customer Personal Data that is subject to the Data Protection Laws of the European Union, the EEA or its member states, or Switzerland to a country outside the EEA or Switzerland (an "International Data Transfer") without Customer's prior written authorization. Customer hereby authorizes Stiward to conduct International Data Transfers:
- to any country subject to a valid adequacy decision of the European Commission;
- on the basis of an organization's binding corporate rules approved by EEA Supervisory Authorities; and
- to any data importer with whom Stiward has entered into the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Implementing Decision (EU) 2021/914 ("SCCs").
9.2 European Transfer Mechanisms
Customer and Stiward conclude Module Two (Controller-to-Processor) of the SCCs and, to the extent Customer is a Processor on behalf of a Third-Party Controller, Module Three (Processor-to-Processor) of the SCCs, which are incorporated into this DPA and completed as follows:
- the "data exporter" is Customer; the "data importer" is Stiward;
- the optional docking clause in Clause 7 is implemented;
- Option 2 of Clause 9(a) (general written authorisation) is implemented, consistent with the general authorization in Section 6.1, and the notice period therein is the thirty (30) days specified in Section 6.3 above;
- the optional redress clause in Clause 11(a) is struck;
- Option 1 in Clause 17 is implemented and the governing law is the law of Ireland (Clause 17 requires the law of an EU Member State that allows for third-party beneficiary rights, so a non-EU law such as that of Delaware cannot be selected here);
- the courts in Clause 18(b) are the courts of Ireland;
- Annexes I, II, and III to the SCCs are Annexes I, II, and III to this DPA respectively.
For International Data Transfers from Switzerland, Data Subjects who have their habitual residence in Switzerland may bring claims under the SCCs before the courts of Switzerland.
9.3 UK Data Transfers
Customer authorizes Stiward to perform International Data Transfers outside the United Kingdom:
- to any country subject to a valid adequacy decision issued by the UK Government;
- on the basis of an organization's binding corporate rules approved by the UK Information Commissioner; and
- to any data importer with whom Stiward has entered into the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018 (the "UK Addendum"), or other standard data protection clauses issued by the UK Information Commissioner.
9.4 UK Transfer Mechanism
Customer and Stiward conclude the UK Addendum, which is incorporated into this DPA and applies to International Data Transfers outside the UK. Part 1 of the UK Addendum is completed as follows:
- in Table 1, the "Exporter" is Customer and the "Importer" is Stiward; their details are set forth in this DPA and the Agreement;
- in Table 2, the first option is selected and the "Approved EU SCCs" are the SCCs referred to in Section 9.2 of this DPA;
- in Table 3, Annexes 1A, 1B, II, and III to the "Approved EU SCCs" are Annexes I (Parts A and B), II, and III to this DPA respectively; and
- in Table 4, both the "Importer" and the "Exporter" can terminate the UK Addendum.
10. Return and Deletion
Following the date of expiration or earlier termination of the Agreement, Stiward will return or delete all Customer Personal Data within sixty (60) days, except that Stiward may retain copies of Customer Personal Data:
- as expressly agreed by the parties;
- as required by applicable law; or
- as contained in standard backups,
in each case subject to the protections of this DPA. Customer may request expedited deletion by contacting legal@stiward.com.
ANNEX I — DESCRIPTION OF THE TRANSFER
A. List of Parties
Data Exporter
- Name: Customer (as defined above)
- Activities relevant to the data transferred under these Clauses: Customer engages Stiward under the Agreement (e.g., as a family-plan principal, enterprise/team customer, or authorized reseller) and provides Personal Data to Stiward in that context.
- Role (controller/processor): Controller, or Processor on behalf of a Third-Party Controller.
Data Importer
- Name: Stiward Holdings Inc.
- Activities relevant to the data transferred under these Clauses: Stiward provides the Services to Customer under the Agreement and Processes Personal Data on behalf of Customer in that context.
- Role (controller/processor): Processor on behalf of Customer, or Subprocessor on behalf of a Third-Party Controller.
B. Description of International Data Transfer
Categories of Data Subjects whose Customer Personal Data is transferred:
- Customer's authorized administrators (e.g., the family-plan principal, the enterprise admin, or the reseller's operations contact);
- End users that Customer provisions onto Stiward (e.g., family members on a family plan, employees on an enterprise plan, downstream customers under a reseller agreement); and
- Other individuals whose personal data Customer chooses to share with Stiward under the Agreement.
Categories of Customer Personal Data transferred:
- Identity and contact details (e.g., name, email address);
- Authentication identifiers (Firebase user identifiers and, where Google sign-in is used, the verified Google `sub` claim);
- Billing and plan-administration details (plan tier, billing-contact identity, and a reference to the payment method held by Stripe; Stiward does not hold cardholder data);
- Connector grant metadata (which sources each end user has authorized — Plaid, Google Calendar, Gmail — and the connection status); and
- Any other personal data that Customer chooses to provide to Stiward under the Agreement.
Note on Connector Data (Plaid transactions, Google Calendar events, Gmail messages and drafts): Customer's end users grant access to their own financial, calendar, and email data directly through the relevant provider's consent flow. Stiward acts as Controller of that data with respect to each end user under the Privacy Policy, and as Processor for Customer only insofar as Customer has been validly authorized by the end user to direct Stiward's Processing (e.g., a family-plan principal acting under household-finance authority). Customer is responsible for ensuring it has that authority.
Sensitive data transferred (if applicable):
Beyond what end users themselves authorize through the Connector flows (which by their nature includes financial-account information and email content), Stiward does not solicit and is not designed to Process additional special-category or sensitive personal data from Customer. Customer must not provide sensitive personal data outside the Connector flows — including health information, government-issued identifiers, biometric data, or data revealing racial or ethnic origin, political opinions, religious beliefs, or trade-union membership — without a prior written agreement that specifically addresses such Processing.
Frequency of the International Data Transfer:
On a continuous basis for the duration of the Agreement.
Nature of the Processing:
The Customer Personal Data will be Processed and transferred as described in the Agreement, including collection, storage, retrieval, consultation, use, organization, structuring, adaptation, deletion, and disclosure for the purposes of providing the Services.
Purpose(s) of the International Data Transfer and further Processing:
- Provision of the Services to Customer's authorized end users (financial, calendar, and inbox dashboards; AI assistant; briefings; anomaly alerts);
- Plan administration (provisioning and deprovisioning end-user seats; usage reporting; billing);
- Technical support and troubleshooting;
- Improvement and development of the Services (excluding any use of end-user content to train AI/ML models — see Section 4 of the Privacy Policy); and
- Compliance with legal obligations.
Period for which the Customer Personal Data will be retained:
For the duration of the Agreement and for sixty (60) days following termination, unless otherwise required by applicable law or longer retention is necessary for legitimate business purposes such as dispute resolution.
For International Data Transfer to (Sub)Processors, also specify subject matter, nature, and duration of the Processing:
For the subject matter and nature of the Processing, reference is made to the Agreement and this DPA. The Processing will take place for the duration of the Agreement and as necessary to provide the Services.
C. Competent Supervisory Authority
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the EEA is the Irish Data Protection Commission.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in the UK is the UK Information Commissioner's Office.
- The competent authority for the Processing of Customer Personal Data relating to Data Subjects located in Switzerland is the Swiss Federal Data Protection and Information Commissioner.
ANNEX II — TECHNICAL AND ORGANIZATIONAL MEASURES
Stiward implements technical and organizational measures designed to protect Customer Personal Data from unauthorized access, acquisition, disclosure, destruction, alteration, accidental loss, misuse, or damage. These measures include, without limitation:
Access Controls
- Multi-factor authentication for administrative access;
- Role-based access control (RBAC) and the principle of least privilege;
- Regular access reviews and timely revocation procedures;
- Unique user accounts for all personnel; and
- Automated session timeouts.
Data Security
- Encryption in transit using TLS 1.2 or higher (with TLS 1.3 preferred);
- Encryption at rest using AES-256 or equivalent;
- Secure key management and rotation procedures;
- Database access logging and monitoring; and
- Secure deletion and data sanitization procedures.
Network Security
- Firewall and intrusion-detection/prevention systems;
- Network segmentation and isolation;
- DDoS protection and mitigation;
- Regular security patching and updates; and
- Vulnerability scanning and penetration testing.
Application Security
- Secure software development lifecycle (SDLC);
- Code review and security testing;
- Input validation and output encoding;
- Protections aligned with the OWASP Top 10; and
- Periodic security assessments and audits.
Physical Security
- Production infrastructure runs on Google Cloud Platform, whose data centers maintain SOC 2 Type II and other industry-standard certifications;
- Physical access controls, monitoring, and environmental controls; and
- Backup power and redundancy systems.
Organizational Measures
- Information security policies and procedures;
- Security awareness training for all personnel;
- Background checks for personnel with access to Customer Personal Data;
- Confidentiality obligations for personnel and contractors;
- Incident response plan and procedures;
- Business continuity and disaster recovery plans; and
- Vendor risk management program.
Monitoring and Logging
- Continuous security monitoring and alerting;
- Audit logging of access to systems handling Customer Personal Data;
- Log retention and analysis; and
- Where applicable, security information and event management (SIEM) capabilities.
Compliance
- SOC 2 Type II attestation in progress;
- Payment-card data is handled by Stripe, a PCI DSS Level 1 certified service provider; Stiward stores only a Stripe payment-method reference and does not store cardholder data; and
- Regular third-party security assessments.
ANNEX III — LIST OF SUBPROCESSORS
Customer authorizes Stiward to engage the following Subprocessors. The authoritative roster — including the data classes shared with each Subprocessor and the international-transfer mechanism — is maintained in Subprocessors.md and at <https://stiward.com/legal/subprocessors>.
| Subprocessor | Location of Processing | Nature and Purpose of Processing |
|---|---|---|
| Google Cloud Platform | United States | Cloud infrastructure (Cloud Run, Cloud SQL/Postgres, Cloud Tasks, Cloud Scheduler), Secret Manager, Cloud Logging |
| Firebase (Google) | United States | User authentication and identity, including MFA via Identity Platform |
| Anthropic | United States | AI inference (Claude) under zero-retention enterprise terms — no training on customer data |
| OpenAI | United States | AI inference (GPT) under zero-retention enterprise terms — no training on customer data; only when explicitly enabled by the end user |
| Plaid | United States | Financial-account connectivity (transactions, balances, liabilities) — engaged at end-user direction via Plaid Link |
| Google APIs (Calendar, Gmail) | United States | Calendar event sync; Gmail message + draft sync — engaged at end-user direction via Google OAuth; Limited Use commitments apply |
| Stripe | United States | Payment processing for paid subscription tiers |
| Resend | United States | Transactional email delivery (briefings, alerts, service notices) |
| Vercel | United States | Hosting and edge serving for `stiward.com` (marketing, waitlist, blog, legal) and the Stiward admin web app |
| Sanity | United States | Headless CMS for blog and legal content rendered on `stiward.com`; no end-user data, Connector Data, or Alfred content is sent to Sanity |
| Expo (Application Services) | United States | Push-notification delivery to the Stiward mobile application |
| Cloudflare | United States | DNS, CDN, and DDoS protection |
| Sentry | United States | Application error tracking (Connector Data and end-user content excluded from event payloads) |
Stiward may update this list from time to time in accordance with Section 6.3 of this DPA; in the event of any inconsistency, the roster at <https://stiward.com/legal/subprocessors> controls.
Contact Information
For questions regarding this DPA:
Stiward Holdings Inc.
Email: legal@stiward.com
Website: stiward.com