1. Definitions
“Data Protection Laws” means the EU General Data Protection Regulation 2016/679 (“GDPR”), any supplementary national legislation, and, where applicable, the UK GDPR.
“EU SCCs” means the Standard Contractual Clauses annexed to Commission Implementing Decision (EU) 2021/914, as may be amended or replaced.
“Sub-processor” means another processor engaged by Stratavor to process Personal Data on behalf of Customer.
2. Roles and Scope
2.1 Customer acts as Controller and Stratavor acts as Processor with respect to the Personal Data processed under the MSA and this DPA.
2.2 The subject-matter, nature and purpose of processing, the categories of Personal Data and Data Subjects are described in Annex I.
3. Processor Obligations
Stratavor shall:
- (a) process Personal Data only on documented instructions from Customer, including transfers to a third country;
- (b) ensure persons authorised to process Personal Data are bound by confidentiality;
- (c) implement the technical and organisational measures set out in Annex II;
- (d) notify Customer without undue delay of a Personal Data Breach;
- (e) assist Customer with Data Subject requests, DPIAs and supervisory-authority consultations;
- (f) delete or return Personal Data at termination, subject to legal retention obligations; and
- (g) make available information necessary to demonstrate compliance and allow for audits in accordance with clause 7.
4. Sub-processing
4.1 Customer hereby grants general authorisation for Stratavor to engage Sub-processors listed in Annex III. Stratavor shall impose on each Sub-processor the same data-protection obligations as set out in this DPA.
4.2 Stratavor will notify Customer in advance of any intended changes concerning the addition or replacement of Sub-processors, giving Customer ten (10) days to object on reasonable grounds.
5. International Transfers
Where Stratavor or its Sub-processors process Personal Data outside the EEA, Stratavor shall ensure such processing is subject to a lawful transfer mechanism under Chapter V GDPR, including the EU SCCs.
6. Liability and Indemnity
Liability under this DPA is subject to the limitations set forth in the MSA.
7. Audit
Upon written request no more than once per year, Stratavor shall provide audit summaries. On-site audits may be conducted at Customer’s cost with 30 days’ notice and subject to confidentiality.
8. Term
This DPA remains in force for the term of the MSA and so long as Stratavor processes Personal Data for Customer.
ANNEX I – Data Processing Details
A. List of Parties
Controller: Customer entity identified in Order Form.
Processor: Stratavor Limited
B. Description of Processing
- Subject-matter: Ingestion, transformation, aggregation and visualisation of financial and operational data to generate Board-Pack slides/dashboards hosted on the Stratavor SaaS platform (downloadable).
- Nature & Purpose: Cloud storage, computation, analytics, AI-assisted insight generation, and web-based presentation to authorised users.
- Categories of Personal Data: Employee identifiers (name, email), customer/vendor contact details, transaction-level metadata, usage logs, optional HR metrics.
- Special Categories: None intentionally processed.
- Data Subjects: Customer employees, contractors, customers and suppliers.
- Duration: Subscription Term plus 60 days’ secure retention for export, then deletion.
ANNEX II – Technical & Organisational Measures
- Access Control: Role-based access, MFA for all admin interfaces.
- Encryption: AES-256 at rest, TLS 1.2+ in transit.
- Network Security: Segmented VPC, WAF, continuous vulnerability scanning.
- Monitoring: 24×7 log aggregation, SIEM alerts, automated anomaly detection.
- Business Continuity: Daily backups with geo-redundancy; board-pack files replicated across zones.
- Secure Development: OWASP-aligned SDLC, peer code reviews, dependency scanning.
- Vendor Management: Sub-processor security due-diligence and annual review.
- Physical Security: Cloud provider data-centre certified ISO 27001, SOC 2 Type II.
ANNEX III – Authorised Sub-processors
Sub-Processor_Public – Published 22/10/2025
Stratavor’s authoritative Sub-Processor Register is maintained in HubSpot. Material updates are version-controlled and notified in accordance with this DPA.
View the current Sub-processor Register.
Annex Cross-References (Implementation Note)
Annex I (Processing Details) and Annex II (Technical and Organisational Measures) are to be read together with the authoritative Risk & Compliance Register. Annex III (Approved Sub-processors) is maintained as a living schedule. The authoritative, always-current list is the Sub-processor Register. In the event of any inconsistency, that Register prevails and will be provided on request or via the customer portal.
This DPA copy bundles the current Annex III as a separate document titled accordingly. Material changes to Sub-processors will be notified in accordance with the DPA’s change notification clause.
