
This is a placeholder. The executed agreement will be published before general availability.

Data processing agreement

Last updated: 2026-06-12 — placeholder. Executed DPA will be published before general availability.

1. Parties and scope

This Data Processing Agreement (“DPA”) supplements the Terms of Service between the customer (“Controller”) and Stillvault (“Processor”). It governs the processing of personal data by Stillvault on behalf of the Controller in connection with the Stillvault service.

2. Processor obligations

Stillvault, as Processor, will:

  • Process personal data only on documented instructions from the Controller.
  • Ensure persons authorised to process personal data are bound by confidentiality.
  • Implement appropriate technical and organisational measures (see §5).
  • Assist the Controller in responding to data subject rights requests.
  • Delete or return personal data on termination of the service agreement.
  • Notify the Controller without undue delay of any personal data breach.

3. Sub-processors

An up-to-date list of sub-processors will be published before general availability. Stillvault uses the following categories of sub-processors to deliver the service:

| Category | Purpose |
| --- | --- |
| Cloud infrastructure provider | Hosting control plane and managed-broker tier |
| Push notification services (APNs, FCM) | Delivering one-time approval URLs to enrolled phones |
| Email service provider | Transactional email (account verification, notifications) |

The Controller will be notified of any new sub-processor before engagement.

4. Data subject rights

Stillvault will assist the Controller in fulfilling data subject rights requests under applicable data protection law, including rights of access, rectification, erasure, and portability.

5. Technical and organisational measures

Stillvault implements the following measures:

  • Vendor-blind architecture: secret plaintext and DEKs are not accessible to the Processor by design.
  • Encryption at rest for all ciphertext stores.
  • Encryption in transit (TLS) for all control-plane communications.
  • Access controls and audit logging for all control-plane operations.
  • Tenant isolation enforced at the data and API layers.

A full description of technical measures will be published before general availability.

6. International transfers

Where personal data is transferred outside the EEA, appropriate safeguards (such as Standard Contractual Clauses) will be put in place. Details to follow at GA.

