Data Processing Agreement

Processor: Novastack Solutions Ltd, a private limited company incorporated in England and Wales (company number 16779485), registered office at 128 City Road, London, United Kingdom, EC1V 2NX, trading as SealedKeys.

Controller: The customer entity that has entered into the Terms of Service with the Processor for access to the SealedKeys service.

The Processor provides a zero-knowledge secrets management service (“Service”) under which the Controller’s authorised users store encrypted credentials and secrets. This DPA governs the Processor’s processing of personal data on behalf of the Controller in connection with the Service.

Zero-knowledge architecture note: The Service is designed so that the Processor cannot read the contents of vault items stored by the Controller. All vault data is encrypted client-side with a key derived from the user’s master password before transmission. The Processor stores only ciphertext and cannot decrypt it. As a result, the Processor’s role as a data processor is materially limited to the account metadata described in Schedule 1.

• —“Data Protection Laws” means the UK GDPR, the EU GDPR (where applicable), the Data Protection Act 2018, and any successor legislation.
• —“Personal Data” has the meaning given in Data Protection Laws.
• —“Processing” has the meaning given in Data Protection Laws.
• —“Data Subject” means an identified or identifiable natural person to whom Personal Data relates.
• —“Sub-processor” means any third party engaged by the Processor to process Personal Data on the Controller’s behalf.
• —“Security Incident” means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

The Processor shall:

• —Process Personal Data only on documented instructions from the Controller, which shall be the Terms of Service and this DPA, unless required to do so by applicable law.
• —Ensure that persons authorised to process Personal Data are subject to appropriate confidentiality obligations.
• —Implement and maintain the technical and organisational security measures set out in Schedule 3.
• —Notify the Controller promptly if, in the Processor's opinion, an instruction from the Controller infringes Data Protection Laws.
• —Not engage Sub-processors except as listed in Schedule 2 or as notified under clause 5.
• —Assist the Controller in responding to Data Subject rights requests to the extent the Processor is able, given the zero-knowledge architecture.
• —Assist the Controller in meeting its obligations under Articles 32–36 of the UK GDPR / EU GDPR (security, breach notification, data protection impact assessments).
• —At the Controller's choice, delete or return all Personal Data at the end of the Service, and delete copies unless retention is required by law.
• —Make available all information reasonably necessary to demonstrate compliance with this DPA and permit audits as described in clause 11.

The Controller shall:

• —Ensure it has a valid legal basis under Data Protection Laws for the processing described in Schedule 1.
• —Ensure that any Personal Data provided to the Processor is accurate and lawfully obtained.
• —Not instruct the Processor to process Personal Data in a manner that would breach Data Protection Laws.
• —Be responsible for the security of the master passwords used by its authorised users. The Processor cannot recover master passwords or vault contents if lost.
• —Maintain its own records of processing activities as required by Article 30 of the UK GDPR / EU GDPR.

The Controller provides general authorisation to the Processor to engage the Sub-processors listed in Schedule 2. The Processor shall: (a) enter into written agreements with Sub-processors imposing equivalent data protection obligations to those in this DPA; (b) remain liable to the Controller for the acts and omissions of Sub-processors.

The Processor shall give the Controller at least 14 days’ notice before adding or replacing a Sub-processor by updating Schedule 2 and notifying registered customers by email. If the Controller objects on reasonable data protection grounds, it may terminate the Service by giving 30 days’ written notice.

Encrypted vault data is stored exclusively on Hetzner infrastructure in Germany (EU). No vault data is transferred outside the EEA or UK.

The following Sub-processors are located outside the UK / EEA and process limited non-vault personal data (billing details and email addresses only):

• —Stripe, Inc. (USA) — payment processing. Transfer mechanism: UK/EU Standard Contractual Clauses under Stripe's own DPA, available at stripe.com/legal/dpa.
• —Resend, Inc. (USA) — transactional email. Transfer mechanism: UK/EU Standard Contractual Clauses. Resend processes email addresses only for service notification purposes.

The Processor maintains appropriate transfer mechanisms for all international transfers and will update this clause if mechanisms change.

Where the Processor receives a request directly from a Data Subject relating to Personal Data processed on behalf of the Controller, the Processor shall promptly forward that request to the Controller and shall not respond to the Data Subject directly except on the Controller’s instructions.

Given the zero-knowledge architecture, the Processor cannot provide Data Subjects with access to the contents of vault items (as the Processor cannot decrypt them). The Processor can provide access to, or delete, account metadata as set out in Schedule 1.

The Processor shall implement and maintain the technical and organisational security measures described in Schedule 3. These measures take into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk to the rights and freedoms of natural persons.

The Controller acknowledges that no security measure is perfectly impenetrable and that the Processor cannot guarantee absolute security. The Controller is responsible for ensuring its authorised users protect their master passwords and device security.

The Processor shall notify the Controller without undue delay, and in any event within 72 hours of becoming aware, of any Security Incident affecting Personal Data processed under this DPA. Notification shall be made to the email address on the Controller’s account and shall include:

• —A description of the nature of the Security Incident.
• —The categories and approximate number of Data Subjects and records concerned.
• —The likely consequences of the Security Incident.
• —Measures taken or proposed to address the incident.

Given the zero-knowledge architecture, a breach of the Processor’s servers would expose only ciphertext that the Processor cannot decrypt. The practical risk to Data Subjects from a server-side breach is therefore materially reduced.

On termination or expiry of the Controller’s subscription, or on written request, the Processor shall:

• —Delete all Personal Data from its systems within 30 days.
• —Certify deletion in writing if requested.
• —Retain only such data as is required by applicable law (e.g. billing records for tax purposes).

The Controller should export its vault before terminating the subscription. The Processor cannot decrypt vault contents to provide them in unencrypted form.

The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA, including:

• —A copy of its current Cyber Essentials certification.
• —A copy of its most recent penetration test report (subject to appropriate redactions for security purposes).
• —Written responses to security questionnaires within a reasonable timeframe.

Where the Controller requires an on-site or third-party audit, the parties shall agree the scope, timing, and costs in advance. The Controller shall give at least 30 days’ notice and shall not conduct audits more than once per year unless a Security Incident has occurred.

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service. The Processor is liable only for damage caused by processing that does not comply with this DPA or Data Protection Laws, and only to the extent it is responsible for the damage.

This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales, except where the Controller is located in the European Union, in which case EU courts may also have jurisdiction in respect of EU GDPR obligations.