Data Processing Addendum
Version 1.0 · Effective 2026-05-29
This Addendum governs AllStak's processing of personal data on your behalf as part of providing the service. It forms part of the Terms of Service.
1. Parties & scope
This Data Processing Addendum (“DPA”) is entered into between you (the “Customer”) and AllStak (the “Processor”) and applies to personal data that AllStak processes on your behalf in providing the observability service.
2. Roles
- Customer is the controller of the personal data contained in telemetry it sends to AllStak.
- AllStak is the processor of that telemetry and acts only on documented Customer instructions (the Terms, this DPA, and configuration in the dashboard).
- For Customer's own account holders, AllStak is an independent controller — covered by our Privacy Policy.
3. Details of processing
- Subject matter: ingest, storage, querying, alerting, and display of telemetry events generated by Customer applications.
- Duration: for as long as the Customer has an active account, plus the retention windows in the Privacy Policy.
- Nature & purpose: provision of the observability service.
- Categories of data: error reports, log lines, trace spans, metrics, request samples, end-user IP addresses, browser/device metadata. Sanitizer-classified secret patterns are dropped at ingest.
- Categories of data subjects: Customer's end users, employees, contractors, and any natural person whose data Customer's applications process and transmit to AllStak.
4. Sub-processors
AllStak engages sub-processors strictly to perform processing on its behalf. The current list will be published and kept up to date on this page. AllStak will provide Customer at least 14 days' notice of new sub-processors (via email to the billing contact and a posted update). Customer may object on reasonable data-protection grounds; if the parties cannot agree on a remediation, Customer may terminate the affected portion of the service.
Current sub-processors
- Hosting / infrastructure — production hosting in the Kingdom of Saudi Arabia (for KSA / MENA customers) and Germany (for EEA / UK customers). Provider names and exact regions are published on request.
- Email delivery — transactional auth and notification email.
- Payment processing — billing & invoicing.
5. Security measures
- Encryption in transit (TLS) and at rest for databases and object storage.
- Tenant isolation: every authorized request is scoped through organization_members; cross-tenant access is blocked at the controller layer.
- Authentication via cookie-based JWT with refresh rotation; session is scoped to the active organization.
- Restrictive HTTP response headers (CSP, Referrer-Policy, Permissions-Policy).
- Secret values stored in the platform credentials store are encrypted and never returned in plaintext after save.
- Ingest-time telemetry sanitizer removes likely secrets (passwords, OTPs, MFA codes, API keys, bearer tokens, cookies, card numbers, IBAN, national IDs, CVV) from event payloads.
- Audit logging for sensitive actions (logins, role changes, key rotation).
- Background jobs for vulnerability scanning of dependencies; security patches tracked.
6. Data-subject requests
Taking into account the nature of processing, AllStak will assist Customer in responding to data-subject requests (access, rectification, erasure, restriction, objection, portability). Customer can self-serve common requests from the dashboard (export, delete). For requests AllStak receives directly from end users, we will refer them to Customer unless the request relates to Customer's account holders.
7. Personal-data breach notification
AllStak will notify Customer without undue delay, and in any event within 72 hours of becoming aware of a personal-data breach affecting Customer telemetry, with the information available at the time and regular updates as the investigation progresses.
8. International transfers
Production telemetry is processed on infrastructure located in Customer's assigned region — either the Kingdom of Saudi Arabia (KSA / MENA customers) or Germany (EEA / UK customers). Telemetry does not move between regions as part of normal operation. Where a sub-processor processes personal data outside the assigned region (e.g. transactional email), AllStak relies on a lawful transfer mechanism applicable to that jurisdiction — for the EEA / UK this is the EU Standard Contractual Clauses and, where required, supplementary measures.
9. Audits
AllStak will, upon Customer's reasonable written request and no more than once every 12 months (unless otherwise required by law), provide a written summary of its current security controls and answer reasonable questions necessary to demonstrate compliance with this DPA.
10. Return / deletion at term
On termination of the Terms, AllStak will, at Customer's election, delete or return Customer personal data, subject to the retention obligations described in the Privacy Policy.
11. Liability
Liability under this DPA is subject to the limitation-of-liability provisions in the Terms of Service.
12. Governing terms
If there is a conflict between this DPA and the Terms, this DPA controls with respect to processing of personal data. Otherwise the Terms govern. Defined terms not defined here have the meaning given in the Privacy Policy or applicable law (PDPL, GDPR, CCPA).