Data Processing Addendum

Last Updated: May 8, 2026

Effective as of: May 8, 2026

This Data Processing Addendum ("DPA") forms part of the agreement between Stonesystems LLC ("Processor," "we," "us," or "our") and the business entity using our Services ("Controller," "you," or "your") and applies where we process personal information on your behalf in connection with the Services. This DPA supplements your agreement with us and our Privacy Policy.

1. Definitions

  • Applicable Privacy Laws means all privacy and data protection laws applicable to the processing described in this DPA, including the California Consumer Privacy Act as amended by the CPRA, the Virginia Consumer Data Protection Act, the Colorado Privacy Act, the Connecticut Data Privacy Act, and similar U.S. state laws, each as applicable.
  • Personal Information has the meaning given in Applicable Privacy Laws and includes any information that identifies, relates to, describes, or could reasonably be linked with a consumer or household.
  • Process / Processing means any operation performed on Personal Information, including collection, use, storage, disclosure, analysis, deletion, or disposal.
  • Services means the products and services we provide to you under our agreement, including the Platform, websites, communications tools, and related support.

2. Roles and scope

You are the business or controller of Personal Information you submit to the Services about your customers, leads, or personnel. We act as your service provider or processor and will Process that Personal Information only on your documented instructions and as described in this DPA and our agreement, unless otherwise required by law.

3. Processing instructions and restrictions

  1. We will Process Personal Information only to provide the Services, comply with law, or as otherwise agreed in writing.
  2. We will not sell Personal Information or retain, use, or disclose Personal Information outside the direct business relationship with you, except as permitted by Applicable Privacy Laws or our agreement.
  3. We will not combine Personal Information received in connection with the Services with Personal Information we receive from other sources except as necessary to provide or improve the Services, detect security incidents, or as permitted by law.

4. Confidentiality and personnel

We ensure that persons authorized to Process Personal Information are subject to appropriate confidentiality obligations (contractual or statutory). We provide training on data protection appropriate to their role.

5. Sub-processors

5.1 Authorized sub-processors

You authorize us to engage the sub-processors listed below to Process Personal Information on your behalf. We remain responsible for each sub-processor's performance of its obligations in accordance with this DPA.

Sub-processor | Service provided | Location
--- | --- | ---
HighLevel LLC (GoHighLevel) | CRM, SMS/MMS, marketing automation, client portal, and related platform services | United States
Stripe, Inc. | Payment processing and billing | United States
Meta Platforms, Inc. | Advertising delivery, measurement, and conversion tracking | United States
Google LLC | Google Ads, Google Analytics, and related advertising or analytics services | United States
TikTok Technology Ltd / TikTok For Business | Advertising delivery and measurement | United States / Singapore
LinkedIn Corporation | Advertising delivery and measurement | United States
PostHog, Inc. | Product and website analytics | United States
Resend, Inc. | Transactional email delivery (e.g., privacy and account notifications) | United States
Vercel Inc. | Website hosting, CDN, and application infrastructure | United States

We may replace or appoint additional sub-processors in accordance with Section 5.2. An up-to-date list is published at stonesystems.io/subprocessors.

5.2 Changes to sub-processors

We will provide you at least 30 days' advance notice of a new sub-processor or a material change to a sub-processor arrangement, unless we cannot do so due to legal or security reasons (in which case we will notify you as soon as reasonably practicable). If you object on reasonable data-protection grounds, we will work with you in good faith to resolve the objection.

6. Security

We implement and maintain appropriate technical and organizational measures designed to protect Personal Information against unauthorized access, loss, or alteration, taking into account the nature of processing and the risks involved. Measures may include access controls, encryption in transit, logging, vendor reviews, and incident response procedures.

7. Consumer requests and assistance

Taking into account the nature of the Processing, we will assist you by appropriate technical and organizational measures, insofar as possible, to fulfill your obligation to respond to consumer rights requests under Applicable Privacy Laws. Where a request is submitted directly to us, we will instruct the requester to contact you unless we are legally required to respond directly.

8. Data retention and deletion

We retain Personal Information only as long as necessary to provide the Services and as described in our Privacy Policy. Upon termination of the Services or upon your written request (subject to legal retention requirements), we will delete or return Personal Information in our possession, unless retention is required by law.

9. Audits

Upon reasonable written request, we will make available information reasonably necessary to demonstrate compliance with this DPA, including summaries of our security practices or completed questionnaires. Where an on-site audit is required by Applicable Privacy Laws, such audit will be conducted during business hours, with reasonable advance notice, and subject to confidentiality and security controls.

10. International transfers

Personal Information may be processed in the United States. If we transfer Personal Information across borders where required by law, we will implement appropriate safeguards described in our agreement or as otherwise required by Applicable Privacy Laws.

11. Liability

Liability arising from our Processing of Personal Information under this DPA is subject to the limitations and exclusions in your agreement with us, except where prohibited by Applicable Privacy Laws.

12. Contact

For questions about this DPA or our Processing of Personal Information on your behalf, contact [email protected] or (808) 645-4509.
