Data Processing Addendum
Effective date: July 15, 2026 · Version 1.0
This Data Processing Addendum ("DPA") forms part of the agreement between the StableDeliver customer identified in the account ("Customer") and the operator of stabledeliver.com ("StableDeliver") where StableDeliver processes Personal Data on Customer's behalf.
1. Definitions
"Applicable Data Protection Law" means privacy and data-protection law applicable to the processing, including where relevant the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021), the EU GDPR, UK GDPR, and other mandatory laws. "Customer Personal Data" means Personal Data processed by StableDeliver on Customer's documented instructions. "Subprocessor" means a processor engaged by StableDeliver.
2. Roles and instructions
Customer is controller or processor, as applicable, and StableDeliver is processor or subprocessor for Customer Personal Data. Customer instructs StableDeliver to process data to provide, secure, support, and improve the contracted Service and as otherwise documented through product configuration and lawful written instructions.
Customer is responsible for lawful instructions, notices, legal bases, data minimisation, buyer requests, and ensuring that use of the Service complies with Applicable Data Protection Law.
3. Confidentiality and personnel
StableDeliver will limit access to personnel who need it for the Service and who are subject to confidentiality obligations. StableDeliver will provide appropriate privacy and security awareness to relevant personnel.
4. Security measures
StableDeliver will maintain technical and organisational measures appropriate to risk, including access controls, tenant isolation, encryption in transit and at rest where appropriate, secure development, vulnerability management, logging, backups, incident response, and provider due diligence. A current summary is published at /security.
5. Subprocessors
Customer authorises StableDeliver to use the Subprocessors listed at /subprocessors. StableDeliver will impose data-protection obligations appropriate to the services provided. StableDeliver will provide notice of material new Subprocessors through the website, account, or email. Customer may object on reasonable data-protection grounds within 15 days; the parties will attempt a practical resolution, which may include discontinuing an affected feature.
6. International transfers
Where Customer Personal Data is transferred across borders and law requires safeguards, the parties will use applicable standard contractual clauses, approved addenda, adequacy mechanisms, or another lawful transfer mechanism. If EU Standard Contractual Clauses are required, the parties incorporate the applicable controller-to-processor or processor-to-processor module, with this DPA and service records completing the annexes.
7. Data-subject requests
Taking into account the nature of processing, StableDeliver will reasonably assist Customer with requests to access, correct, delete, restrict, object, or port Customer Personal Data. StableDeliver may refer a requester to Customer unless legally prohibited. Customer is responsible for responding and may be charged for exceptional assistance beyond standard functionality where permitted.
8. Security incidents
StableDeliver will notify Customer without undue delay after becoming aware of a confirmed Personal Data breach affecting Customer Personal Data, and will provide available information reasonably required for Customer's legal obligations. Notification is not an admission of fault or liability.
9. Compliance assistance
StableDeliver will provide reasonable information needed for Customer's data-protection assessments, consultations, and security obligations, taking into account the nature of processing and information available. Requests must be proportionate and protect other customers and confidential security information.
10. Audit information
StableDeliver may satisfy audit obligations through current security documentation, questionnaires, certifications, or independent reports where available. On reasonable written request and subject to confidentiality, Customer may conduct an audit no more than once annually unless required after a material incident or by a regulator. Customer bears its audit costs and must avoid disruption and access to other customers' data.
11. Return and deletion
At termination, Customer may export available Customer Personal Data during the stated export period. StableDeliver will delete or anonymise it according to the retention schedule unless law requires retention. Data may remain in protected backups until overwritten in the ordinary cycle.
12. Conflict and liability
If this DPA conflicts with the main agreement on data protection, this DPA controls. Liability under this DPA is subject to the limitations in the main agreement except where prohibited by Applicable Data Protection Law.
Schedule 1 — Processing details
- Subject matter: hosted crypto checkout, on-chain verification, digital fulfilment, account, API, webhook, and support services.
- Duration: for the term of the account plus the retention and backup period.
- Nature and purpose: collection, storage, organisation, retrieval, verification, delivery, transmission, logging, security, support, deletion, and other operations necessary to provide the Service.
- Data subjects: sellers, seller personnel, buyers, recipients of delivery, support contacts, and authorised users.
- Data categories: identifiers, contact details, public wallet addresses, order records, blockchain transaction data, delivery information, product-access records, support communications, and technical/security data.
- Sensitive data: not intended or authorised unless expressly agreed in writing.