1. Purpose and parties
This Data Processing Agreement ("DPA") applies whenever Stack Ads processes personal data on behalf of a client in connection with our paid-media management services. It forms part of the broader service engagement between the client ("Controller") and Stack Ads ("Processor") and governs the handling of personal data under Canadian privacy law (PIPEDA) and, where the client is located in the EU/UK or serves EU/UK data subjects, GDPR.
Stack Ads is operated by Jonah Underwood, a sole proprietorship based in Kelowna, British Columbia, Canada. Questions about this DPA can be sent to privacy@stackads.ca.
2. Scope of processing
Stack Ads processes personal data only to deliver the services the Controller has engaged us for: campaign strategy, account setup, creative development, media buying, performance reporting, and communication about those activities.
- Data subjects: Controller's customers, prospects, website visitors, and designated staff contacts.
- Categories of personal data: names, email addresses, phone numbers, business names, website analytics events, advertising-platform identifiers, and any other data the Controller chooses to share to enable the service.
- Special categories: none processed by default. The Controller must not provide special-category data (health, political, etc.) without prior written agreement.
3. Duration
Processing begins when the Controller engages Stack Ads and continues for the duration of the service relationship, plus any retention period required under Section 9 (Retention and deletion) or applicable law.
4. Controller instructions
Stack Ads processes personal data only on the documented instructions of the Controller, including the executed service agreement, written communication (email, platform messaging), and any approval workflows within the Stack Ads dashboard. If an instruction would, in our reasonable opinion, violate PIPEDA, GDPR, or other applicable law, we will notify the Controller and pause processing until the instruction is withdrawn or amended.
5. Confidentiality
Every person who accesses Controller data on Stack Ads' behalf, whether operator, sub contractor, or vendor staff, is bound by a written confidentiality obligation at least as strict as this DPA. Access is limited to what is strictly necessary to perform the service.
6. Security measures
Stack Ads maintains appropriate technical and organizational measures to protect Controller data, including:
- HTTPS/TLS for all data in transit.
- Encrypted storage at rest via managed database providers with industry-standard key management.
- Two-factor authentication enforced on every vendor account that supports it.
- Role-based access controls and row-level security policies that scope each client's data to their own account.
- Credentials stored using industry-standard hashing; secrets stored in an encrypted vault and rotated when staff changes.
- Regular automated backups (daily snapshots) retained per the managed database provider's policy.
- Audit logging for administrative actions on Controller data.
7. Sub-processors
Stack Ads engages the following sub-processors to deliver the service. Each is bound by data-protection terms at least as protective as this DPA, and each maintains its own published security and privacy documentation.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Managed Postgres database, auth storage | United States |
| Clerk | User authentication and session management | United States |
| Vercel | Application hosting and edge delivery | United States / Global |
| Anthropic | AI-assisted drafting of reports and communications | United States |
| Resend | Transactional and service email delivery | United States |
| Google LLC | Google Ads and Analytics API access | United States |
| Meta Platforms | Meta Ads API access | United States |
| Inngest | Background job and workflow orchestration | United States |
| Upstash | Rate limiting and ephemeral request state | United States / Global |
| Cloudflare | Turnstile bot protection on form submissions | United States / Global |
We notify active Controllers at least 14 days before adding or replacing a sub-processor so the Controller has an opportunity to object. If the Controller objects in good faith on data-protection grounds, we will either retain the current sub-processor or, if that is not feasible, allow the Controller to terminate the affected services without penalty.
8. International transfers
The sub-processors listed above operate primarily in the United States. Where personal data is transferred outside of Canada or the EEA/UK, Stack Ads relies on the relevant provider's Standard Contractual Clauses and, where applicable, supplementary measures such as encryption in transit and at rest to provide appropriate safeguards.
9. Data subject rights
Stack Ads will assist the Controller, at the Controller's expense where reasonable, in responding to data subject requests for access, correction, deletion, objection, or portability within timeframes required by applicable law. Requests received directly by Stack Ads will be forwarded to the Controller without undue delay.
10. Personal data breach notification
Stack Ads will notify the Controller without undue delay, and in any case within 72 hours, after becoming aware of a personal data breach affecting Controller data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of records involved, likely consequences, and measures taken or proposed to address it.
11. Retention and deletion
On termination of the service, Stack Ads will delete or return all Controller personal data within 30 days, unless retention is required by law (for example, Canadian tax and billing records, which are retained for seven years). Active Controllers can download a complete export of their data at any time from Account settings. Former Controllers can request the same by emailing privacy@stackads.ca.
12. Audit
Stack Ads will make available to the Controller, on written request and no more than once per twelve-month period, the information necessary to demonstrate compliance with this DPA. This includes responses to reasonable questionnaires and, where available, the latest audit or security attestation documentation from our sub-processors.
13. Governing law
This DPA is governed by the laws of the Province of British Columbia and the federal laws of Canada applicable therein. The parties submit to the non-exclusive jurisdiction of the courts of British Columbia for any dispute arising out of or in connection with this DPA.
14. Changes
When we make a material change to this DPA, we will update the date at the top of this page and notify active Controllers by email at least 14 days before the change takes effect. Continued use of the service after the effective date constitutes acceptance of the revised DPA.