Skip to content
STACK
← Back home
Data processing agreement

Data Processing Agreement.

Last updated: July 8, 2026. Effective: July 8, 2026.

1. Purpose and parties

This Data Processing Agreement ("DPA") applies whenever Stack Ads processes personal data on behalf of a client in connection with our paid-media management services. It forms part of the broader service engagement between the client ("Controller") and Stack Ads ("Processor") and governs the handling of personal data under Canadian privacy law (PIPEDA) and, where the client is located in the EU/UK or serves EU/UK data subjects, GDPR.

Stack Ads is operated by Jonah Underwood, a sole proprietorship based in Kelowna, British Columbia, Canada. Questions about this DPA can be sent to privacy@stackads.ca.

2. Scope of processing

Stack Ads processes personal data only to deliver the services the Controller has engaged us for: campaign strategy, account setup, creative development, media buying, performance reporting, and communication about those activities.

  • Data subjects: Controller's customers, prospects, website visitors, and designated staff contacts.
  • Categories of personal data: names, email addresses, phone numbers, business names, website analytics events, advertising-platform identifiers, and any other data the Controller chooses to share to enable the service.
  • Special categories: none processed by default. The Controller must not provide special-category data (health, political, etc.) without prior written agreement.

3. Duration

Processing begins when the Controller engages Stack Ads and continues for the duration of the service relationship, plus any retention period required under Section 9 (Retention and deletion) or applicable law.

4. Controller instructions

Stack Ads processes personal data only on the documented instructions of the Controller, including the executed service agreement, written communication (email, platform messaging), and any approval workflows within the Stack Ads dashboard. If an instruction would, in our reasonable opinion, violate PIPEDA, GDPR, or other applicable law, we will notify the Controller and pause processing until the instruction is withdrawn or amended.

5. Confidentiality

Every person who accesses Controller data on Stack Ads' behalf, whether operator, sub contractor, or vendor staff, is bound by a written confidentiality obligation at least as strict as this DPA. Access is limited to what is strictly necessary to perform the service.

6. Security measures

Stack Ads maintains appropriate technical and organizational measures to protect Controller data, including:

  • HTTPS/TLS for all data in transit.
  • Encrypted storage at rest via managed database providers with industry-standard key management.
  • Two-factor authentication enforced on every vendor account that supports it.
  • Role-based access controls and row-level security policies that scope each client's data to their own account.
  • Credentials stored using industry-standard hashing; secrets stored in an encrypted vault and rotated when staff changes.
  • Regular automated backups (daily snapshots) retained per the managed database provider's policy.
  • Audit logging for administrative actions on Controller data.

7. Sub-processors

Stack Ads engages the following sub-processors to deliver the service. Each is bound by data-protection terms at least as protective as this DPA, and each maintains its own published security and privacy documentation.

Sub-processor Purpose Location
Supabase Managed Postgres database, auth storage United States
Clerk User authentication and session management United States
Vercel Application hosting and edge delivery United States / Global
Anthropic AI-assisted drafting of reports and communications United States
Resend Transactional and service email delivery United States
Google LLC Google Ads and Analytics API access United States
Meta Platforms Meta Ads API access United States
Inngest Background job and workflow orchestration United States
Upstash Rate limiting and ephemeral request state United States / Global
Cloudflare Turnstile bot protection on form submissions United States / Global

We notify active Controllers at least 14 days before adding or replacing a sub-processor so the Controller has an opportunity to object. If the Controller objects in good faith on data-protection grounds, we will either retain the current sub-processor or, if that is not feasible, allow the Controller to terminate the affected services without penalty.

8. International transfers

The sub-processors listed above operate primarily in the United States. Where personal data is transferred outside of Canada or the EEA/UK, Stack Ads relies on the relevant provider's Standard Contractual Clauses and, where applicable, supplementary measures such as encryption in transit and at rest to provide appropriate safeguards.

9. Data subject rights

Stack Ads will assist the Controller, at the Controller's expense where reasonable, in responding to data subject requests for access, correction, deletion, objection, or portability within timeframes required by applicable law. Requests received directly by Stack Ads will be forwarded to the Controller without undue delay.

10. Personal data breach notification

Stack Ads will notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Controller data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of records involved, likely consequences, and measures taken or proposed to address it.

11. Retention and deletion

On termination of the service, Stack Ads will delete or return all Controller personal data within 30 days, unless retention is required by law (for example, Canadian tax and billing records, which are retained for seven years). Active Controllers can download a complete export of their data at any time from Account settings. Former Controllers can request the same by emailing privacy@stackads.ca.

12. Audit

Stack Ads will make available to the Controller, on written request and no more than once per twelve-month period, the information necessary to demonstrate compliance with this DPA. This includes responses to reasonable questionnaires and, where available, the latest audit or security attestation documentation from our sub-processors.

13. Governing law

This DPA is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein. The parties submit to the non-exclusive jurisdiction of the courts of British Columbia for any dispute arising out of or in connection with this DPA.

14. Changes

When we make a material change to this DPA, we will update the date at the top of this page and notify active Controllers by email at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the revised DPA.

Operated by Jonah Underwood. Kelowna, BC, Canada.