Data Processing Addendum
Last updated: 9 May 2026
This Data Processing Addendum (“DPA”) is the Article 28 GDPR contract that applies to customers whose use of Stokk involves us processing personal data on their behalf. It is incorporated into the Terms of Service. If you require a counter-signed copy, email legal@stokkflow.com.
1. Definitions
Capitalised terms not defined here have the meaning given in the Terms of Service. “Applicable Data Protection Law” means the EU General Data Protection Regulation (“GDPR”), the Icelandic Act on Data Protection and the Processing of Personal Data (Act No. 90/2018), the UK GDPR and Data Protection Act 2018, and any other data protection or privacy law applicable to the processing of Personal Data under this DPA. “Personal Data,” “Controller,” “Processor,” “Data Subject,” “processing” and “Personal Data Breach” have the meanings given in GDPR.
2. Roles and scope
When DEC ehf. (“Stokk”) processes Personal Data contained in Customer Data on Customer’s behalf, Customer is the Controller and Stokk is the Processor. Where Customer is itself a Processor for a third-party Controller (for example, a parent group), Stokk acts as a sub-Processor on the same terms. The subject matter, duration, nature, purpose, types of Personal Data and categories of Data Subjects are described in Annex 1.
3. Stokk’s obligations
- Process Personal Data only on Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by law (in which case Stokk will inform Customer where legally permitted).
- Ensure that personnel authorised to process Personal Data are bound by confidentiality.
- Implement and maintain the technical and organisational measures described in Annex 2 to ensure a level of security appropriate to the risk.
- Engage sub-Processors only in accordance with Section 4.
- Taking into account the nature of processing, assist Customer with appropriate technical and organisational measures, insofar as possible, to fulfil Customer’s obligation to respond to Data Subject rights requests.
- Assist Customer in ensuring compliance with its obligations under GDPR Articles 32 to 36, taking into account the nature of processing and the information available to Stokk.
- At Customer’s choice, delete or return all Personal Data after the end of the provision of services, and delete existing copies unless storage is required by law (see Terms §8 for the operational window).
- Make available to Customer all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits as set out in Section 7.
4. Sub-processors
Customer authorises Stokk to engage the sub-Processors listed at /subprocessors as of the effective date of this DPA. Stokk will give Customer at least 30 days’ prior notice (by updating that page and, where Customer has subscribed, by email) of any intended addition or replacement of sub-Processors. If Customer reasonably objects within that period on data-protection grounds, the parties will work in good faith to find a workable solution; if none is found, Customer may terminate the affected services on written notice.
Stokk remains liable for the acts and omissions of its sub-Processors as if they were its own and will impose data-protection obligations on each sub-Processor that are no less protective than those in this DPA.
5. International transfers
Where the processing of Personal Data involves a transfer outside the EEA (including Iceland) or the UK to a country not covered by an adequacy decision, the parties enter into the EU Standard Contractual Clauses (Commission Decision (EU) 2021/914; Module 2, controller to processor, or Module 3, processor to processor, as applicable) or the UK International Data Transfer Addendum, which are deemed incorporated by reference, with Customer as data exporter and Stokk (or the relevant sub-Processor) as data importer. Optional clauses are deemed not selected unless agreed in writing.
6. Personal Data Breaches
Stokk will notify Customer without undue delay and, where feasible, no later than 72 hours after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. The notification will describe, to the extent then known, the nature of the Breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences and the measures taken or proposed to address it.
7. Audits
Stokk will provide Customer, on reasonable written request and no more than once per year (except in the event of a Personal Data Breach or a regulator’s direction), with a summary of its security practices, current third-party audit reports (where available) and answers to a reasonable security questionnaire. Where Customer reasonably requires an on-site audit, the parties will agree the scope, timing and conditions in advance, including reimbursement of Stokk’s reasonable costs.
8. Data Subject requests
If Stokk receives a request from a Data Subject in relation to Customer’s Personal Data, Stokk will, where lawful, promptly forward the request to Customer and not respond on its own behalf, except to confirm that the request relates to Customer.
9. Liability
Each party’s liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.
10. Term and termination
This DPA takes effect on the effective date of the Terms and continues for as long as Stokk processes Personal Data on Customer’s behalf. Provisions which by their nature should survive termination (for example, deletion or return of Personal Data) survive.
11. Order of precedence
In case of conflict, this DPA prevails over the Terms of Service with respect to the processing of Personal Data. The Standard Contractual Clauses, where they apply, prevail over this DPA in case of conflict.
Annex 1 — Details of processing
Subject matter: provision of the Stokk forecasting, replenishment, purchasing and (where enabled) loyalty services to Customer.
Duration: for the duration of the subscription, plus any retention period required by law or agreed in the Terms.
Nature and purpose: hosting and processing of Customer Data so Customer can plan inventory, place purchase orders with its suppliers, and (if enabled) issue and update wallet-based loyalty passes to its end customers.
Categories of Data Subjects:
- Customer’s users (employees, contractors).
- Customer’s suppliers’ representatives (where contact data is imported from the ERP).
- Customer’s end customers (where the loyalty module is enabled).
Categories of Personal Data:
- Identification data (name, email, role, work telephone) of users and supplier contacts.
- Authentication and audit data (sign-in metadata, IP address, user agent, action logs).
- For loyalty enrollees: name, kennitala (Icelandic national ID number), email address, telephone number, pass serial number, and device push tokens issued by Apple Wallet or Google Wallet.
Special categories: Customer should not upload special categories of Personal Data. Stokk does not intentionally process special categories.
Annex 2 — Technical and organisational measures
Stokk implements and maintains the following measures, which may be updated from time to time provided the level of protection is not reduced:
- Access control. Multi-tenant database with row-level security; least-privilege role-based access; multi-factor authentication for administrative access; audit logs of administrative actions.
- Encryption. TLS in transit; encryption at rest for the database and object storage; AES-256-GCM envelope encryption for stored ERP and wallet credentials, in which each credential is encrypted under its own data key and that data key is wrapped with a key-encryption key held in environment configuration, separate from the database.
- Network and infrastructure. Hosting on managed cloud platforms (Supabase, Vercel) with current third-party security certifications; restricted ingress; vulnerability monitoring on dependencies.
- Segregation. Production data is logically isolated from non-production environments; non-production environments do not contain real Personal Data.
- Operational security. Documented deployment process; change review; backups; incident response procedure including the breach notification obligation in Section 6.
- People. Confidentiality obligations on personnel; security awareness expectations; access removed on role change or departure.
- Supplier management. Sub-Processors listed at /subprocessors; written data-protection terms with each.
Annex 3 — Sub-Processors
The current list is published at /subprocessors.
Contact
DEC ehf.
Kríuási 35, 221 Hafnarfjörður, Iceland
Legal: legal@stokkflow.com
Privacy: privacy@stokkflow.com
General: support@stokkflow.com
Changelog
- v1 — 2026-05-09: initial publication.