Data Processing Addendum (DPA)

Last reviewed: January 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you (the "User" or "Data Controller") and SpeakerStacks ("Processor") and reflects the parties' agreement with regard to the processing of personal data in accordance with applicable Data Protection Laws.

1. Definitions

• Data Protection Laws: All applicable data protection and privacy laws, including the UK GDPR, EU GDPR, and the California Consumer Privacy Act (CCPA).
• Personal Data: Any information relating to an identified or identifiable natural person that is processed under this DPA.
• Data Controller: The User of the SpeakerStacks platform who determines the purposes and means of processing Personal Data.
• Data Processor: SpeakerStacks, which processes Personal Data on behalf of the User.

2. Purpose of Processing

SpeakerStacks shall process Personal Data solely for the purpose of providing the Services described in the Terms of Service, which include landing page creation, data collection, storage, export, and CRM integrations.

3. Roles and Scope

• The User is the Data Controller.
• SpeakerStacks acts only as a Data Processor.
• The User is responsible for complying with all legal obligations of a Data Controller, including providing privacy notices and obtaining necessary consents.

4. Processor Obligations

SpeakerStacks agrees to:

1. Process Personal Data only on the documented instructions of the User.
2. Ensure that persons authorized to process Personal Data are under confidentiality obligations.
3. Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
4. Assist the User in fulfilling data subject rights requests, such as access, deletion, or correction.
5. Notify the User without undue delay upon becoming aware of a Personal Data breach.
6. Delete or return all Personal Data to the User upon termination of Services, unless otherwise required by law.

5. Subprocessors

SpeakerStacks may engage subprocessors to assist in delivering the Services (e.g., hosting providers, email delivery services). A complete list of current subprocessors is available at speakerstacks.com/subprocessors. SpeakerStacks shall ensure all subprocessors are bound by data protection obligations no less protective than those set out in this DPA.

6. International Data Transfers

Where Personal Data is transferred outside the UK/EEA, SpeakerStacks shall ensure appropriate safeguards are in place, such as Standard Contractual Clauses approved by relevant authorities.

7. Audits and Certifications

Upon reasonable request, SpeakerStacks shall provide information necessary to demonstrate compliance with this DPA. SpeakerStacks may also allow for audits conducted by the User or a third-party auditor (at User's expense) with reasonable notice and during business hours.

8. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service.

9. Duration and Termination

This DPA remains in effect for as long as SpeakerStacks processes Personal Data on behalf of the User and will automatically terminate upon deletion of all such data.

10. Contact

For questions regarding this DPA or data protection practices, please contact:

privacy@speakerstacks.com