Data processing agreement
Last updated: 2026-06-14. Draft pending legal review. This document describes the data processing terms Stillvault intends to offer and is provided for transparency. The executed DPA will be published before general availability. Nothing here is legal advice.
1. Parties and scope
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between the customer (“Controller”) and Wolstapp Ltd, a company registered in England and Wales (company number 14963179), trading as “Stillvault” (“Processor”). It governs the processing of personal data by the Processor on behalf of the Controller in connection with the service. In the event of conflict on data protection matters, this DPA prevails over the Terms.
2. Definitions
“Personal data”, “processing”, “controller”, “processor”, “data subject”, and “supervisory authority” have the meanings given in applicable data protection law, including the UK GDPR and the EU GDPR. “Sub-processor” means any processor engaged by the Processor.
3. Nature and purpose of processing
| Item | Detail |
|---|---|
| Subject matter | Provision of the Stillvault secret-management service |
| Duration | For the term of the Terms of Service, plus deletion windows below |
| Nature & purpose | Routing secret-release requests, coordinating human approvals, audit logging, account administration |
| Types of personal data | Account identifiers (name, email), member roles, audit metadata (timestamps, approver identity, requesting-process identity) |
| Categories of data subjects | The Controller’s authorised users — administrators, approvers, and operators |
By design, the Processor does not have access to the plaintext of the Controller’s stored secrets and holds no key that can decrypt them.
4. Processor obligations
The Processor will:
- Process personal data only on the Controller’s documented instructions, including the Terms, this DPA, and use of the service — unless required to act by law, in which case it will inform the Controller where lawfully able.
- Ensure persons authorised to process personal data are bound by confidentiality.
- Implement and maintain the technical and organisational measures in §8.
- Assist the Controller, taking account of the nature of processing, in responding to data subject requests and in meeting its security, breach-notification, and data-protection-impact-assessment obligations.
- Make available information reasonably necessary to demonstrate compliance and allow for audits as set out in §9.
- Delete or return personal data as set out in §10.
5. Sub-processors
The Controller authorises the Processor to engage the following categories of sub-processor. An up-to-date, named list will be maintained and published before general availability.
| Category | Purpose |
|---|---|
| Cloud infrastructure provider | Hosting the control plane and managed-broker tier |
| Push-notification services (APNs, FCM) | Delivering one-time approval prompts to enrolled devices |
| Email service provider | Transactional email — verification, notifications |
| Payment processor | Billing and subscription management |
The Processor imposes data protection obligations on each sub-processor no less protective than this DPA, remains liable for their performance, and will give the Controller advance notice of any new sub-processor with an opportunity to object on reasonable data protection grounds.
6. Data subject rights
The Processor will assist the Controller, by appropriate technical and organisational measures and insofar as possible, in fulfilling data subject requests under applicable law — including rights of access, rectification, erasure, restriction, portability, and objection. Where a data subject contacts the Processor directly, the Processor will refer them to the Controller.
7. Personal data breaches
The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s personal data, and will provide information reasonably available to help the Controller meet its own notification obligations.
8. Technical and organisational measures
The Processor maintains measures including:
- Vendor-blind architecture — secret plaintext and the keys that protect it are not accessible to the Processor by design.
- Encryption of personal data and ciphertext in transit (TLS) and at rest.
- Tenant isolation enforced at the data and API layers.
- Role-based access controls and audit logging for control-plane operations.
- Secure development, change management, and least-privilege administrative access.
A detailed description of measures will be published before general availability.
9. Audit
The Processor will, on reasonable request and no more than once a year (or following a material incident), make available information necessary to demonstrate compliance with this DPA, subject to confidentiality and to not compromising the security of other customers.
10. Deletion and return
On termination of the service, and at the Controller’s choice, the Processor will delete or return the Controller’s personal data, and delete existing copies — including ciphertext stores, audit logs, and enrolment records — within 30 days, unless retention is required by law.
11. International transfers
Where the Processor transfers personal data outside the UK or EEA, it will ensure an appropriate transfer mechanism is in place, such as the UK International Data Transfer Agreement or the EU Standard Contractual Clauses, together with any required supplementary measures.
12. Liability
Each party’s liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
Draft — pending legal review before general availability.