Data Processing Addendum

This Data Processing Addendum sets out how Stillbound processes personal data on your behalf when you use CaskIQ, and forms part of your agreement with Stillbound.

1. Roles

2. What Stillbound processes on your behalf

Personal data embedded in cask records and uploaded documents: staff names, warehouse manager attributions, tasting-note authors, blender identifiers, cask owner names and bond-book signatory details, and supplier or customer names in invoices or dockets.

Processing purposes: ingestion and schema mapping; inventory and maturation metric calculation; dashboard, alert, and action generation; excise and warehouse-stock reconciliation preparation (outputs for human review — Stillbound does not file on your behalf, and your authorised warehousekeeper remains responsible for all returns to your excise authority); audit trails; customer support; and security operations.

Stillbound processes this data only on your documented instructions, which include the configured use of the service and any written request you make. All processing in standard operation is deterministic. No customer data is sent to a third-party LLM in normal operation.

3. Sensitive identifiers

The following are treated with additional controls regardless of GDPR status:

• Alcohol licence numbers
• VAT and tax identification numbers
• Customs and excise permit references
• Bank account details
• API keys and credentials

These are not displayed in ordinary dashboards, are stored in restricted object storage with audited access, and are shown in masked format where reference is necessary.

4. Sub-processors

We will give at least 30 days' notice before adding or replacing a sub-processor. You may object on reasonable data-protection grounds within that period; if we cannot resolve the objection, you may terminate the affected service. PostHog (EU Cloud) is added to a tenant's sub-processor schedule only where usage telemetry is enabled; it is off by default. Stripe processes Stillbound's own billing records, not customer records.

International transfers outside the EEA are governed by the EU Standard Contractual Clauses, relied on with the EU–US Data Privacy Framework where a US sub-processor is certified. Customer data is stored in the EU; any transfer outside it is documented in this schedule.

5. Security controls

• TLS encryption in transit; encryption at rest for databases and object storage.
• Tenant isolation — each customer's data is logically separated at the database level.
• Role-based access control; least-privilege access for all Stillbound staff.
• Multi-factor authentication for all admin accounts.
• Audit logs for data import, export, sensitive record access, and user management events.
• Separate development, staging, and production environments. No customer data in development.
• Secrets management: credentials in managed secret storage, not in source control.

6. Breach notification

Stillbound will notify affected customers of a personal data breach without undue delay and within 72 hours of becoming aware of it, with sufficient information to meet the customer's own notification obligations to the DPC.

7. Deletion and return

You can export your data at any time while the subscription is active. On termination, you have a 30-day window to export your data, after which Stillbound deletes it from production systems; encrypted backups are overwritten on their normal cycle within a further 30 days. Statutory records subject to a legal hold (for example Revenue-required bonded warehouse records) are retained only for the minimum statutory period and then deleted.

8. Audit

On reasonable written notice, and no more than once a year unless required by a regulator or following a breach, Stillbound will make available the information needed to demonstrate compliance with this DPA, including completing a reasonable vendor security questionnaire. Audits must respect the confidentiality and security of other customers.

9. Contact

DPA queries and executed agreement requests: hello@stillbound.ai