
ST8MNT Data Processing Agreement
1. INTRODUCTION
This Data Processing Agreement ("DPA") is entered into by and between ST8MNT LLC, a California limited liability company (“Processor” or “ST8MNT”), and the Customer identified in the main subscription agreement ("Controller" or "Customer") (together, the “Parties”). This DPA forms an integral part of the main SaaS Subscription Agreement or Terms of Service governing the use of ST8MNT’s products and services (the “Principal Agreement”).
The purpose of this DPA is to set forth the Parties' respective obligations regarding the Processing of Personal Data in compliance with applicable data protection laws, including but not limited to the California Consumer Privacy Act of 2018 (CCPA), the General Data Protection Regulation (EU 2016/679) (GDPR), the UK GDPR, and any other data protection regulations applicable to the processing of Customer’s Personal Data.
ST8MNT LLC acts as a Data Processor on behalf of the Customer (the Data Controller) and processes Personal Data strictly in accordance with the Customer’s documented instructions, subject to the terms outlined herein. This DPA reflects the Parties’ commitment to ensuring the confidentiality, security, and lawful handling of all Personal Data processed under the Principal Agreement, including data transferred to and from third-party integrations (such as Salesforce, Slack, Stripe, and Salesforce AI) as part of the services provided.
This DPA shall remain in effect for the duration of the Principal Agreement and any applicable renewal terms and shall survive termination to the extent necessary to fulfill obligations related to Personal Data processing.
2. DEFINITIONS
For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not otherwise defined herein shall have the meanings assigned to them in the Principal Agreement.
2.1. "Applicable Data Protection Laws" means all applicable privacy and data protection laws and regulations, including but not limited to the General Data Protection Regulation (EU 2016/679) (GDPR), the UK GDPR, the California Consumer Privacy Act of 2018 (CCPA), and any legislation or regulation amending, supplementing, or replacing the foregoing.
2.2. "Controller" means the Customer who determines the purposes and means of the Processing of Personal Data and on whose behalf ST8MNT LLC processes such Personal Data.
2.3. "Data Breach" means any actual or suspected unauthorized access, loss, alteration, disclosure, or destruction of Personal Data.
2.4. "Data Subject" means any identified or identifiable natural person to whom the Personal Data relates.
2.5. "Personal Data" means any information relating to an identified or identifiable Data Subject that is processed by ST8MNT LLC on behalf of the Customer under the Principal Agreement, including data submitted or transmitted via ST8MNT Apps, Salesforce, Slack, Stripe, or other integrated services. Personal Data includes AI-generated content to the extent such content contains or reflects information relating to an identified or identifiable Data Subject.
2.6. "Processing" means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, storage, use, access, disclosure, transmission, deletion, or destruction.
2.7. "Processor" means ST8MNT LLC, which processes Personal Data on behalf of the Controller in accordance with the Controller’s instructions under this DPA.
2.8. "Standard Contractual Clauses (SCCs)" means the standard data protection clauses adopted by the European Commission or other competent authority for the lawful transfer of Personal Data outside the EEA or UK.
2.9. "Sub-Processor" means any third party engaged by ST8MNT LLC to process Personal Data on its behalf in connection with the services provided to the Customer.
3. SCOPE AND ROLES
3.1. Roles of the Parties: For the purposes of this DPA, the Customer acts as the Data Controller, determining the purposes and means of the processing of Personal Data. ST8MNT LLC acts as the Data Processor, processing Personal Data on behalf of the Customer solely as instructed and in accordance with this DPA and the Principal Agreement.
3.2. Processing Activities Covered: This DPA applies to all Personal Data processed by ST8MNT LLC on behalf of the Customer while providing the services described in the Principal Agreement, including but not limited to:
- Management of Statements of Work (SOW),
- Contract workflows and project tracking,
- Integrations with third-party services such as Salesforce, Slack, Stripe, and Salesforce AI,
- Any other features or functionalities of the ST8MNT Apps utilized by the Customer.
3.3. No Independent Processing Rights: ST8MNT LLC shall process Personal Data solely for the purpose of delivering the services to the Customer, and shall not use, disclose, or process such Personal Data for any other purpose, including for its own benefit, without the prior written authorization of the Customer, unless otherwise required by applicable law.
3.4. Automated Decision-Making: ST8MNT Apps, including features such as NAVIG8R, may utilize automated processing or artificial intelligence to generate suggested content or structured outputs. Such functionality is limited to drafting assistance and does not constitute automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 of the GDPR.
3.5. Automated Profiling: ST8MNT LLC does not engage in automated profiling of Data Subjects and does not carry out automated decision-making that produces legal or similarly significant effects within the meaning of Article 22 of the GDPR.
4. CATEGORIES OF PERSONAL DATA AND DATA SUBJECTS
4.1. Categories of Personal Data Processed: ST8MNT LLC may process the following categories of Personal Data on behalf of the Customer in connection with the services provided:
- Contact details (e.g., names, email addresses, phone numbers)
- User credentials and account identifiers
- Salesforce account-related information
- Communication records (e.g., messages or comments within integrated platforms)
- Payment-related identifiers (processed via third-party services like Stripe, no direct payment data stored by ST8MNT LLC)
- Any additional Personal Data submitted by the Customer’s authorized Users through the ST8MNT Apps, subject to the Customer’s configuration and usage.
4.2. Categories of Data Subjects: The categories of Data Subjects whose Personal Data may be processed include:
- The Customer’s employees, contractors, and representatives authorized to use the ST8MNT Apps;
- End users or clients of the Customer, where applicable and permitted under Customer’s use;
- Any individuals whose data is included by the Customer in its use of ST8MNT Apps and integrated services.
4.3. Sensitive Personal Data: ST8MNT LLC does not intentionally collect or process Sensitive Personal Data (as defined under Applicable Data Protection Laws), such as data concerning health, racial or ethnic origin, political opinions, or religious beliefs. Any submission of such data by the Customer or its Users is solely at their discretion and responsibility.
5. PURPOSE AND DURATION OF PROCESSING
5.1. Purpose of Processing: The purpose of the processing of Personal Data by ST8MNT LLC is strictly limited to the provision of services under the Principal Agreement. This includes managing Statement of Work (SOW) workflows, facilitating contract execution, enabling project tracking, supporting integrations with third-party platforms such as Salesforce, Slack, Stripe, and Salesforce AI, and any related technical or operational support required to deliver and maintain these services.
ST8MNT LLC shall process Personal Data solely in accordance with the documented instructions of the Customer, except where required by applicable law, in which case ST8MNT LLC will notify the Customer unless such notification is prohibited by law.
5.2. Duration of Processing: ST8MNT LLC will process Personal Data for the duration of the Principal Agreement, including any renewal terms, unless otherwise agreed in writing or required by applicable law. Upon termination or expiration of the Principal Agreement, ST8MNT LLC shall cease processing Personal Data and will, at the Customer’s choice and written instruction, delete or return all Personal Data, except where retention is required by law or necessary to comply with legal obligations. Data retention timelines and procedures are further detailed in Section 13 of this DPA.
6. OBLIGATIONS OF DATA PROCESSOR (ST8MNT LLC)
6.1. Processing Under Instructions: ST8MNT LLC agrees to process Personal Data solely on behalf of the Customer and in strict accordance with the Customer’s documented instructions, as set forth in this DPA, the Principal Agreement, or as otherwise provided in writing by the Customer. ST8MNT LLC shall not process Personal Data for its own purposes or for any purposes other than providing the contracted services, unless required by applicable law, in which case it will notify the Customer before such processing unless prohibited by law.
6.2. Compliance with Applicable Laws: ST8MNT LLC shall comply with all Applicable Data Protection Laws in its role as Data Processor, including but not limited to the GDPR, UK GDPR, CCPA, and other relevant privacy regulations.
6.3. Confidentiality of Processing Personnel: ST8MNT LLC shall ensure that all personnel, contractors, or agents authorized to process Personal Data are bound by confidentiality obligations no less protective than those set forth in this DPA. Such obligations shall survive the termination of their engagement.
6.4. Technical and Organizational Security Measures: ST8MNT LLC shall implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized access, accidental loss, destruction, alteration, disclosure, or unlawful processing. These measures include encryption protocols, access controls, security monitoring, and compliance with industry standards.
Given that ST8MNT Apps reside entirely on the Salesforce Platform, ST8MNT LLC also leverages Salesforce’s robust security infrastructure and certifications, which include but are not limited to SOC 2 Type II, ISO 27001, and PCI DSS. Salesforce’s security measures cover the underlying hosting, data storage, and platform-level services utilized by ST8MNT LLC. ST8MNT LLC shall make available Salesforce’s relevant certifications and compliance documentation upon request.
6.5. Assistance with Data Subject Rights: ST8MNT LLC shall, to the extent reasonably possible and considering the nature of the processing and technical limitations, assist the Customer in fulfilling its obligations to respond to Data Subject requests under Applicable Data Protection Laws. This includes requests for access, rectification, erasure, restriction, portability, or objection to processing.
6.6. Data Protection Impact Assessments (DPIA) and Prior Consultations: Upon written request and where required by law, ST8MNT LLC shall provide reasonable assistance to the Customer in conducting data protection impact assessments and prior consultations with supervisory authorities.
6.7. Record-Keeping and Documentation: ST8MNT LLC shall maintain appropriate records of processing activities carried out on behalf of the Customer and shall make such records available upon reasonable request to demonstrate compliance with this DPA.
6.8. AI Processing Restrictions: ST8MNT LLC does not use Personal Data processed under this DPA to train, retrain, or improve generalized artificial intelligence or machine learning models for its own independent purposes. Any AI-assisted functionality operates within the Customer’s Salesforce environment and processes Personal Data solely in accordance with the Customer’s instructions.
7. OBLIGATIONS OF DATA CONTROLLER (CUSTOMER)
7.1. Lawful Basis for Processing: The Customer represents and warrants that it has established a valid legal basis for the collection, use, and transfer of Personal Data processed by ST8MNT LLC. The Customer is solely responsible for ensuring that all necessary consents, authorizations, or other lawful grounds exist prior to transferring any Personal Data to ST8MNT LLC for processing.
7.2. Data Accuracy and Minimization: The Customer shall ensure that all Personal Data shared with ST8MNT LLC is accurate, complete, and limited to what is necessary for the purposes outlined in the Principal Agreement and this DPA.
7.3. Instructions for Processing: The Customer shall provide clear, lawful, and documented instructions regarding the processing of Personal Data. The Customer remains solely responsible for ensuring that its instructions comply with all Applicable Data Protection Laws.
7.4. Data Subject Requests: The Customer acknowledges that it is primarily responsible for handling requests from Data Subjects concerning their Personal Data. ST8MNT LLC shall reasonably assist the Customer in responding to such requests in accordance with Section 6.5.
7.5. Compliance with Laws: The Customer agrees to comply with all Applicable Data Protection Laws, including its obligations as a Data Controller relating to data security, notification of data breaches, and the rights of Data Subjects.
8. SUB-PROCESSORS
8.1. Authorized Sub-Processors: The Customer acknowledges and agrees that ST8MNT LLC may engage certain third-party service providers ("Sub-Processors") to process Personal Data on its behalf as necessary to provide the services. Current authorized Sub-Processors may include, but are not limited to:
- Salesforce (platform infrastructure)
- Slack (communication integration)
- Stripe (payment processing)
- Hosting providers and other cloud service providers
A full list of Sub-Processors, including their locations and services provided, is maintained in Annex 2 of this DPA.
8.2. Sub-Processor Obligations: ST8MNT LLC shall enter into a written agreement with each Sub-Processor that imposes data protection obligations substantially similar to those set forth in this DPA, ensuring that Sub-Processors provide an adequate level of data protection.
8.3. Notification of Changes to Sub-Processors: ST8MNT LLC shall notify the Customer in advance of any intended changes to the list of Sub-Processors, providing the Customer with the opportunity to object to the engagement of new Sub-Processors on reasonable grounds related to data protection.
8.4. Right to Object: If the Customer objects to a new Sub-Processor and ST8MNT LLC is unable to provide the services without engaging such Sub-Processor, either party may terminate the affected portion of the services upon thirty (30) days’ written notice without penalty.
8.5. Liability for Sub-Processors: ST8MNT LLC remains fully liable to the Customer for the performance of its Sub-Processors’ obligations under this DPA.
9. DATA TRANSFERS
9.1. Location of Processing: ST8MNT LLC processes all Personal Data within the Salesforce Platform infrastructure. The Customer acknowledges and agrees that all Personal Data submitted through ST8MNT Apps is hosted and stored by Salesforce, which operates data centers located in the United States and other jurisdictions globally.
9.2. Compliance with International Transfer Requirements: Salesforce has implemented recognized data transfer mechanisms, including certification under applicable frameworks (such as Binding Corporate Rules) and adherence to the Standard Contractual Clauses (SCCs) approved by the European Commission, ensuring lawful transfer of Personal Data outside the European Economic Area (EEA), the United Kingdom (UK), and other applicable jurisdictions.
ST8MNT LLC relies on Salesforce’s established compliance infrastructure and contractual commitments to safeguard Personal Data transferred to or processed in jurisdictions outside the Customer’s country.
9.3. Customer Instructions for Transfers: ST8MNT LLC will process and transfer Personal Data strictly within the Salesforce Platform, and only as necessary to provide services under the Principal Agreement, in compliance with the Customer’s documented instructions and Applicable Data Protection Laws.
9.4. Cooperation on Transfer Impact Assessments: Upon reasonable request, ST8MNT LLC shall provide the Customer with relevant information regarding Salesforce’s data transfer mechanisms and assist in completing any required Transfer Impact Assessments (TIAs) related to cross-border data transfers.
9.5. Ongoing Compliance Monitoring: ST8MNT LLC shall monitor developments in applicable data protection laws and implement changes to its transfer mechanisms, including updates to SCCs or other legal instruments, to ensure continued compliance.
10. DATA SECURITY MEASURES
10.1. Implementation of Security Measures: ST8MNT LLC shall implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized access, accidental or unlawful destruction, loss, alteration, disclosure, or misuse. These measures shall be consistent with industry standards and include, but are not limited to: (a) Encryption of Personal Data both in transit and at rest; (b) Access controls based on the principle of least privilege; (c) Secure software development practices and vulnerability management; (d) Regular security monitoring and intrusion detection; (e) Multi-factor authentication for administrative access.
10.2. Compliance with Certifications: ST8MNT LLC shall ensure its systems and processes adhere to recognized security frameworks, such as ISO 27001, SOC 2 Type II, or equivalent, particularly where integrated with third-party platforms like Salesforce and Stripe.
10.3. Personnel Security: ST8MNT LLC shall ensure that all personnel authorized to process Personal Data are subject to appropriate confidentiality obligations and receive regular security and privacy training.
10.4. Physical Security: ST8MNT LLC shall maintain appropriate physical security controls to prevent unauthorized access to facilities housing systems used to process Personal Data.
10.5. Security Assessments and Testing: ST8MNT LLC shall regularly assess, test, and improve the effectiveness of its technical and organizational security measures, including penetration testing and security audits.
10.6. Cooperation with Customer Security Requirements: Upon reasonable request, ST8MNT LLC shall provide the Customer with relevant documentation or summaries of security certifications and assessments to demonstrate compliance with this Section.
11. DATA BREACH NOTIFICATION
11.1. Notification of Data Breach: ST8MNT LLC shall promptly and without undue delay notify the Customer upon becoming aware of any actual or suspected Personal Data Breach. Such notification shall include all available information reasonably necessary for the Customer to meet its legal obligations under applicable Data Protection Laws, including a description of the nature of the breach, categories of affected data, number of affected Data Subjects, potential consequences, and remedial actions taken.
11.2. Cooperation and Mitigation Efforts: ST8MNT LLC shall take all reasonable steps to investigate, contain, and mitigate the effects of any Personal Data Breach. ST8MNT LLC shall cooperate fully with the Customer, provide timely updates, and assist the Customer in meeting its obligations to notify relevant supervisory authorities, regulators, and affected Data Subjects, where required by law.
11.3. No Unauthorized Disclosure: ST8MNT LLC shall not disclose information related to any Personal Data Breach to any third party, including the media or affected individuals, without prior written approval from the Customer, unless otherwise required by law.
12. DATA SUBJECT RIGHTS ASSISTANCE
12.1. Cooperation with Data Subject Requests: ST8MNT LLC shall, to the extent legally permitted and reasonably practicable, assist the Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws. These rights may include requests for access, rectification, erasure, restriction of processing, data portability, or objection to processing.
12.2. Notification of Requests: If ST8MNT LLC receives any request directly from a Data Subject regarding their Personal Data, it shall promptly notify the Customer in writing and shall not respond to such requests without the Customer’s prior written authorization, unless legally required to do so.
12.3. Technical and Organizational Support: ST8MNT LLC shall implement appropriate technical and organizational measures to enable the Customer to comply with its legal obligations in relation to Data Subject rights, including providing access to, correction of, or deletion of Personal Data where technically feasible.
13. DATA RETENTION AND DELETION
13.1. Retention Period: ST8MNT LLC shall retain Personal Data only for as long as is necessary to fulfill the purposes set forth in the Principal Agreement and this DPA, or as required by applicable law. Unless otherwise agreed, Personal Data shall not be retained longer than the term of the Customer’s subscription and any applicable post-termination period outlined in this DPA.
13.2. Deletion or Return of Data upon Termination: Upon termination or expiration of the Principal Agreement, ST8MNT LLC shall, at the Customer’s written request, promptly delete or return all Personal Data, including any copies, unless continued retention is required by law or regulatory obligation. The Customer must provide written instructions regarding data return or deletion within thirty (30) days of termination; otherwise, ST8MNT LLC may securely delete all retained Personal Data in accordance with its internal data retention policies.
13.3. Certification of Deletion: Upon the Customer’s written request, ST8MNT LLC shall provide written certification confirming the deletion of Personal Data carried out in accordance with this Section.
14. AUDIT RIGHTS
14.1. Customer’s Right to Audit: ST8MNT LLC shall make available to the Customer, upon written request, all information necessary to demonstrate compliance with its obligations under this DPA and Applicable Data Protection Laws. The Customer may, no more than once annually, conduct an audit or appoint an independent third-party auditor to verify ST8MNT LLC’s compliance.
14.2. Scope and Limitations: Any audit shall be subject to reasonable notice, conducted during regular business hours, and limited to areas directly relevant to the processing of Personal Data. ST8MNT LLC reserves the right to require execution of a confidentiality agreement by the auditor.
14.3. Alternative Verification: At ST8MNT LLC’s discretion, provision of relevant third-party certifications (e.g., ISO 27001, SOC 2) may serve in lieu of a physical audit.
15. LIABILITY
15.1. Processor Liability Scope: ST8MNT LLC shall be liable to the Customer for any direct damages arising out of a proven breach of its obligations under this DPA, provided that such breach results solely from ST8MNT LLC’s failure to comply with Applicable Data Protection Laws or its express obligations herein. ST8MNT LLC’s total cumulative liability for all claims arising under this DPA shall not exceed the total fees paid by the Customer to ST8MNT LLC under the Principal Agreement during the twelve (12) months preceding the event giving rise to liability.
15.2. Exclusion of Indirect Damages: In no event shall ST8MNT LLC be liable for any incidental, consequential, punitive, exemplary, or special damages, including but not limited to lost profits, lost revenue, or loss of goodwill, whether arising in contract, tort, or otherwise, even if ST8MNT LLC has been advised of the possibility of such damages.
15.3. No Limitation for Willful Misconduct or Data Breach Negligence: Nothing in this Section shall limit ST8MNT LLC’s liability in the event of: (a) Proven gross negligence or willful misconduct; (b) Failure to implement minimum required security measures leading to an unauthorized Data Breach caused by ST8MNT LLC.
15.4. Controller Responsibility: The Customer acknowledges that it is responsible for ensuring that its instructions comply with applicable Data Protection Laws. ST8MNT LLC shall not be liable for any claim or liability arising from the Customer’s failure to comply with its legal obligations as Data Controller, including obtaining lawful consent from Data Subjects.
16. GOVERNING LAW AND JURISDICTION
16.1. Governing Law: This DPA and any dispute or claim arising out of or in connection with it shall be governed by, and construed in accordance with, the laws of the State of California, United States, excluding its conflict of law provisions. The Parties expressly exclude the application of the United Nations Convention on Contracts for the International Sale of Goods (CISG).
16.2. Jurisdiction and Venue: Any disputes arising from or relating to this DPA shall be subject to the exclusive jurisdiction of the state or federal courts located in San Francisco County, California. Each Party irrevocably submits to the personal jurisdiction and venue of such courts and waives any objections on the grounds of inconvenient forum.
16.3. Alternative Dispute Resolution Option: Where appropriate, and upon mutual written agreement, the Parties may opt to resolve disputes arising under this DPA through confidential binding arbitration conducted under the rules of the American Arbitration Association (AAA) in San Francisco, California. Any such arbitration decision shall be final and enforceable in any court of competent jurisdiction.
17. MISCELLANEOUS
17.1. Entire Agreement: This DPA, together with the Principal Agreement, constitutes the entire agreement between the Parties regarding the subject matter herein and supersedes all prior agreements, understandings, or representations, whether written or oral, concerning Personal Data processing.
17.2. Amendments: No amendment or modification of this DPA shall be valid unless made in writing and signed by authorized representatives of both Parties.
17.3. Assignment: Neither Party may assign or transfer any rights or obligations under this DPA without the prior written consent of the other Party, except that ST8MNT LLC may assign this DPA to a successor entity in connection with a merger, acquisition, or sale of substantially all its assets.
17.4. Severability: If any provision of this DPA is found to be invalid, unlawful, or unenforceable by a court of competent jurisdiction, the remaining provisions shall remain in full force and effect.
17.5. No Third-Party Beneficiaries: Nothing in this DPA shall confer any rights or remedies upon any person or entity other than the Parties hereto and their respective successors and permitted assigns.
17.6. Force Majeure: Neither Party shall be held liable for any failure or delay in performance of its obligations under this DPA caused by circumstances beyond its reasonable control, including but not limited to natural disasters, acts of war, governmental actions, or internet service disruptions.
17.7. Headings: The section headings in this DPA are for convenience only and shall not affect the interpretation or construction of any provision.
18. ANNEXES / SCHEDULES
The following Annexes form an integral part of this Data Processing Agreement and provide specific details concerning the processing of Personal Data under this Agreement. These Annexes are incorporated by reference and are binding upon both Parties:
Annex 1 – Details of Processing: Outlines the categories of Personal Data, types of Data Subjects, purpose, and duration of processing conducted by ST8MNT LLC on behalf of the Customer.
Annex 2 – Sub-Processor List: Provides a comprehensive list of Sub-Processors engaged by ST8MNT LLC, including details of services provided, location of processing, and website information.
Annex 3 – Security Measures Description: Describes the technical and organizational measures implemented by ST8MNT LLC to safeguard Personal Data and ensure compliance with Applicable Data Protection Laws.
SIGNATURE
IN WITNESS WHEREOF, the Parties hereto have executed this Data Processing Agreement as of the Effective Date.
For ST8MNT LLC:
By: _________________________________________
Name: ______________________________________
Title: _______________________________________
Date: _______________________________________
For Customer (Data Controller):
By: _________________________________________
Name: ______________________________________
Title: _______________________________________
Date: _______________________________________
ANNEXES/SCHEDULES
ANNEX 1: DETAILS OF PROCESSING
1. Categories of Data Subjects:
1.1. Employees, contractors, and representatives of the Customer authorized to use the ST8MNT Apps.
1.2. End users, clients, or customers of the Customer whose information may be submitted by the Customer within the course of using the ST8MNT Apps.
1.3. Any individuals whose Personal Data is transmitted through integrated third-party services (e.g., Salesforce, Slack, Stripe) during the Customer’s use of ST8MNT Apps.
2. Categories of Personal Data Processed:
2.1. Contact information, including but not limited to names, email addresses, phone numbers.
2.2. User credentials and authentication identifiers related to Salesforce or third-party integrations.
2.3. Communication records submitted through the ST8MNT Apps, such as messages, comments, or files.
2.4. Transaction-related identifiers, billing-related information (limited to what is shared by Stripe integration; ST8MNT LLC does not store payment card details).
2.5. Any additional data that the Customer elects to submit or store within the ST8MNT Apps, subject to the Customer’s control and configuration.
3. Nature and Purpose of Processing:
3.1. Facilitation of Statement of Work (SOW) creation, management, and workflow automation.
3.2. Contract lifecycle management, including project tracking, approvals, and record-keeping.
3.3. Integration with third-party platforms such as Salesforce, Slack, Stripe, and Salesforce AI to enhance service functionality.
3.4. Provision of technical support, troubleshooting, service optimization, and security monitoring.
3.5. Compliance with applicable legal obligations.
3.6. Hosting of all Customer Data is carried out entirely on the Salesforce Platform, which provides the cloud infrastructure for the ST8MNT Apps.
3.7. AI-assisted drafting and structuring of Statements of Work and Change Orders within the Salesforce Platform.
4. Special Categories of Personal Data:
4.1. ST8MNT LLC does not intentionally collect or process any Special Categories of Personal Data (as defined under GDPR Article 9) such as health data, biometric data, racial or ethnic information, or similar sensitive data. Any such data submitted is solely at the discretion and responsibility of the Customer.
5. Duration of Processing:
5.1. Personal Data will be processed for the duration of the Customer’s subscription to ST8MNT Apps and any applicable renewal periods.
5.2. Upon termination or expiration, Personal Data shall be deleted or returned in accordance with Section 13 of this DPA, unless continued retention is required by law.
ANNEX 2: SUB-PROCESSOR LIST
Below is a list of third-party service providers ("Sub-Processors") engaged by ST8MNT LLC for the purpose of supporting and delivering services to the Customer. Each Sub-Processor is contractually bound to comply with data protection obligations consistent with those outlined in this DPA.
1. Salesforce.com, Inc.
- Service Provided: Salesforce provides the primary platform infrastructure and cloud hosting environment where the ST8MNT Apps reside. Salesforce facilitates data storage, hosting, customer relationship management (CRM) functionalities, integrations, and additional services essential to the operation of ST8MNT Apps.
- Location: Headquartered in San Francisco, California, USA, with data centers in various global locations, including the United States, Europe, and Asia-Pacific.
- Compliance Certifications: Salesforce maintains industry-standard certifications such as SOC 2 Type II, ISO 27001, PCI DSS, and participates in international data protection frameworks (e.g., Binding Corporate Rules, SCCs).
- Website: https://www.salesforce.com/
2. Slack Technologies, LLC
- Service Provided: Collaboration and communication platform enabling team messaging and integrations.
- Location: Headquartered in San Francisco, California, USA.
- Website: https://slack.com/
3. Stripe, Inc.
- Service Provided: Online payment processing and financial services.
- Location: Headquartered in San Francisco, California, USA, with operations in multiple countries.
- Website: https://stripe.com/
4. Additional Sub-Processors: Any additional Sub-Processors engaged by ST8MNT LLC will be disclosed to the Customer prior to engagement, in accordance with Section 8.3 of this DPA. The Customer retains the right to object to the engagement of new Sub-Processors under the conditions set forth therein.
​
Note: ST8MNT LLC ensures that all Sub-Processors are bound by data protection obligations consistent with the terms of the DPA and applicable data protection laws. ​This Annex may be updated from time to time to reflect changes in Sub Processors. ST8MNT LLC will notify the Customer of any such changes as outlined in Section 8.3 of the DPA.
​
ANNEX 3: SECURITY MEASURES DESCRIPTION

ST8MNT LLC implements the following technical and organizational security measures to ensure the protection and confidentiality of Personal Data processed on behalf of the Customer:

1. Data Encryption

1.1. Personal Data is encrypted both in transit and at rest using industry-standard encryption protocols: TLS (Transport Layer Security) for data in transit and AES-256 for data at rest.

1.2. Encryption keys are securely managed, rotated on a defined schedule, and stored in accordance with industry best practices.

2. Access Control and Authentication

2.1. Access to Personal Data is restricted based on the principle of least privilege and role-based access controls.

2.2. Multi-factor authentication (MFA) is required for all administrative access to production systems.

2.3. Strong password policies and periodic password changes are enforced for all personnel.

2.4. Access logs are maintained, monitored, and reviewed regularly to detect unauthorized access attempts.

3. Physical Security

3.1. Data is hosted in secure data centers operated by the cloud service providers listed in Annex 2, which comply with recognized physical security standards, including but not limited to SOC 2, ISO 27001, and PCI DSS.

3.2. Physical access to data centers is restricted to authorized personnel and monitored using surveillance systems.

4. Network Security and Monitoring

4.1. Firewalls and intrusion detection and prevention systems are employed to safeguard networks against unauthorized access and attacks.

4.2. Regular vulnerability scanning and security patching of servers and software are performed.

4.3. Continuous monitoring of network traffic and system activity is in place to detect potential threats and anomalies.

5. Secure Development Practices

5.1. ST8MNT LLC follows secure software development lifecycle (SDLC) processes, including code reviews, static code analysis, and security testing.

5.2. Changes to production systems are subject to strict change management procedures, including peer review and approval workflows.

6. Personnel Security and Training

6.1. All employees and contractors are required to sign confidentiality agreements.

6.2. Regular privacy and security awareness training is provided to all personnel, emphasizing their obligations regarding the protection of Personal Data.

7. Incident Response and Breach Management

7.1. ST8MNT LLC maintains an incident response plan designed to promptly respond to security incidents and Personal Data Breaches.

7.2. Procedures are in place to assess, contain, and mitigate incidents, including notification to the Customer as specified in Section 11 of this DPA.

8. Business Continuity and Disaster Recovery

8.1. Backup procedures are implemented to ensure data availability and integrity in the event of system failure.

8.2. Regular testing of disaster recovery plans is conducted to ensure operational resilience.

9. Compliance Certifications and External Assessments

9.1. ST8MNT LLC and its Sub-Processors maintain relevant security certifications, such as SOC 2 Type II and ISO 27001 (where applicable).

9.2. Periodic third-party audits and assessments are conducted to validate the effectiveness of security controls.