
Data Processing Agreement (DPA)

Legal document. Last updated: March 31, 2026

This Data Processing Agreement (hereinafter "DPA") forms part of the Terms of Service of Stellary and applies to any business customer (legal entity or natural person acting in a professional capacity) using the Service whose processing activities are subject to the GDPR.

Table of Contents

  1. Definitions
  2. Subject matter, nature and purpose of processing
  3. Types of data and categories of data subjects
  4. Obligations of Stellary as Processor
  5. Sub-processors
  6. Technical and organisational measures
  7. Data Breach notification
  8. Assistance with data subjects' rights
  9. International data transfers
  10. Duration of processing and fate of data
  11. Data Protection Impact Assessments (DPIA) and prior consultation
  12. Audit rights
  13. Liability
  14. Governing law
  15. Amendments
  16. Contact

1. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Controller": the Customer, the natural or legal person that determines the purposes and means of the processing of Personal Data.
  • "Processor": Stellary, which processes Personal Data on behalf of the Controller in connection with the provision of the Service.
  • "Personal Data": any information relating to an identified or identifiable natural person, as defined in Article 4(1) of the GDPR.
  • "Processing": any operation or set of operations performed on Personal Data, as defined in Article 4(2) of the GDPR.
  • "Data Breach": a security incident resulting in the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Sub-processor": any third-party service provider engaged by Stellary to process Personal Data on behalf of the Customer.
  • "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016.
  • "Service": the Stellary platform as described in the Terms of Service.

2. Subject matter, nature and purpose of processing

2.1 Subject matter

This DPA sets out the conditions under which Stellary processes Personal Data on behalf of the Customer in connection with the provision of the AI-powered project management and collaboration Service.

2.2 Nature of processing

Stellary carries out the following processing operations on Personal Data: collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, erasure or destruction.

2.3 Purposes of processing

Stellary processes Personal Data solely for the following purposes:

  • Providing the Service and its features (project management, boards, documents)
  • User authentication and access management
  • AI features (Project Wizard, AI Agents, automated suggestions)
  • Transactional communications related to the Service
  • Customer support and technical incident resolution
  • Billing and subscription management
  • Compliance with applicable legal obligations

3. Types of data and categories of data subjects

3.1 Types of Personal Data

In connection with the Service, Stellary may process the following types of data:

  • Identification data: name, surname, email address, user identifier
  • Connection data: IP address, access logs, login timestamps
  • Professional data: organisation, role, job title
  • User content: projects, tasks, comments, documents and any data entered into the Service by the Customer's users
  • AI interaction data: queries submitted to AI features and generated responses
  • Billing data: partial payment information (processed by Stripe)

Stellary does not process special categories of data within the meaning of Article 9 of the GDPR, unless the Customer includes such data in its User Content. In that case, responsibility for such collection lies with the Customer.

3.2 Categories of data subjects

  • Employees, collaborators and contractors of the Customer using the Service
  • Persons invited to the Customer's workspace
  • Any person whose data is entered into the Service by the Customer or its users

4. Obligations of Stellary as Processor

Stellary undertakes to:

  • Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law
  • Ensure that persons authorised to process Personal Data are subject to an appropriate obligation of confidentiality
  • Implement the appropriate technical and organisational measures referred to in Article 32 of the GDPR (see Section 6)
  • Respect the conditions applicable to engaging sub-processors (see Section 5)
  • Assist the Controller in fulfilling its obligation to respond to requests for the exercise of data subjects' rights
  • Assist the Controller in ensuring compliance with its obligations relating to security, breach notification, DPIAs and prior consultation
  • Delete or return all Personal Data to the Controller at the end of the service provision, at the Controller's choice
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations set out in this DPA
  • Not process Personal Data for its own purposes, including for advertising or AI model training purposes

5. Sub-processors

5.1 General authorisation

The Customer authorises Stellary to engage the sub-processors listed below for the purposes of providing the Service. Stellary will inform the Customer of any planned changes to this list (additions or replacements), giving the Customer the opportunity to object to such changes.

5.2 List of approved sub-processors

  • OVHcloud: Hosting & infrastructure. Country: France (EU). Safeguards: EU adequacy decision
  • Stripe: Payment processing. Country: EU / United States. Safeguards: EU-US Data Privacy Framework
  • OpenAI: AI features. Country: United States. Safeguards: Standard Contractual Clauses (SCCs)
  • Sentry: Error tracking & monitoring. Country: EU. Safeguards: EU adequacy decision

Stellary imposes on its sub-processors data protection obligations equivalent to those set out in this DPA.

6. Technical and organisational measures

In accordance with Article 32 of the GDPR, Stellary implements the following security measures to protect Personal Data:

6.1 Technical measures

  • Encryption of data at rest (AES-256)
  • Encryption of data in transit (TLS 1.3)
  • Salted password hashing (bcrypt, high cost factor)
  • Two-factor authentication (TOTP) available and encouraged
  • HTTP-only authentication cookies with CSRF protection
  • AI secrets and TOTP keys encrypted at rest (AES-256-GCM)
  • Role-based access control (RBAC) with 36 granular permissions
  • Personal access tokens (PAT) with limited scope
  • HTTP security headers (HSTS, CSP, X-Frame-Options, X-Content-Type-Options)
  • Rate limiting on sensitive endpoints (authentication)
  • Network segmentation on dedicated infrastructure

6.2 Organisational measures

  • Data access restricted to personnel on a need-to-know basis
  • Confidentiality obligations for personnel accessing data
  • Daily encrypted backups with 7-day retention
  • Geographically separated backups within the EU
  • Regular security audits and dependency updates
  • Documented incident response process
  • Data breach notification procedure (see Section 7)

7. Data Breach notification

In the event of a Personal Data Breach of which Stellary becomes aware, Stellary undertakes to:

  • Notify the Controller within 72 hours of becoming aware of the breach
  • Communicate, to the extent possible, the following information: the nature of the breach, the data and individuals affected (categories and approximate number), the likely consequences, and the measures taken or proposed to address the breach
  • Document all breaches, including facts, effects and remedial actions taken, to enable the Controller to meet its obligation to notify the supervisory authority
  • Provide all necessary assistance to the Controller to enable it to meet its own notification obligations (supervisory authority within 72 hours, data subjects where there is a high risk)

Breach notifications should be addressed to security@stellary.co and privacy@stellary.co.

8. Assistance with data subjects' rights

To the extent possible, Stellary assists the Controller in fulfilling its obligation to respond to requests for the exercise of data subjects' rights (access, rectification, erasure, restriction, portability, objection) by appropriate technical and organisational measures.

The Service provides native data export (GDPR Art. 15) and account deletion (GDPR Art. 17) features accessible from the workspace settings. For requests requiring additional assistance, Controllers may contact privacy@stellary.co.

9. International data transfers

Data is primarily stored and processed within the European Union (France, OVHcloud). Transfers to third countries are governed as follows:

  • Stripe (United States): Covered by the EU-US Data Privacy Framework certification, which benefits from an adequacy decision by the European Commission
  • OpenAI (United States): Covered by a Data Processing Agreement with Standard Contractual Clauses (SCCs) pursuant to Article 46 of the GDPR

Stellary does not transfer Personal Data to third countries not covered by an appropriate safeguard within the meaning of Chapter V of the GDPR.

10. Duration of processing and fate of data

10.1 Duration

This DPA applies for the duration of the contractual relationship between the Customer and Stellary, as defined in the Terms of Service.

10.2 Return or deletion of data upon termination

Upon expiry or termination of the contract:

  • The Customer has 30 days to export its data via the Service's export features
  • After this period, Stellary will permanently and securely delete all of the Customer's Personal Data
  • Billing data is retained for 10 years in accordance with French accounting and tax obligations
  • Server logs are retained for 12 months in accordance with French law (LCEN)
  • Upon written request from the Customer, Stellary will provide a certificate of deletion within a reasonable timeframe

11. Data Protection Impact Assessments (DPIA) and prior consultation

Stellary assists the Controller in carrying out, where applicable, a Data Protection Impact Assessment (DPIA) pursuant to Article 35 of the GDPR, by providing the necessary information regarding security measures and processing activities carried out.

Where prior consultation with the competent supervisory authority is required pursuant to Article 36 of the GDPR, Stellary will provide all reasonable assistance to the Controller.

12. Audit rights

Stellary makes available to the Customer all information necessary to demonstrate compliance with the obligations set out in this DPA and permits audits or inspections, including by auditors mandated by the Customer, in relation to the processing of Personal Data, subject to the following conditions:

  • Written request addressed to privacy@stellary.co with reasonable notice (minimum 30 days)
  • Audits must not disrupt Stellary's normal operations
  • The auditor is subject to a confidentiality obligation
  • Audit costs are borne by the Customer
  • Maximum one audit per year, except in the event of a confirmed Data Breach requiring an extraordinary audit

13. Liability

The Controller (Customer) is solely responsible for the lawfulness of the processing it carries out or has carried out, the relevance of the data collected, compliance with data subjects' rights and the applicable legal basis for each processing activity.

Stellary, as Processor, is responsible for compliance with its obligations under this DPA and Articles 28 and 29 of the GDPR.

Stellary's liability under this DPA is limited in accordance with the limitation of liability provisions in the Terms of Service.

14. Governing law

This DPA is governed by French law and the GDPR. Any dispute relating to its interpretation or performance shall be subject to the exclusive jurisdiction of the courts of Paris, France, without prejudice to mandatory provisions of applicable law.

15. Amendments

Stellary may amend this DPA to reflect legal or regulatory developments, or changes in its processing practices. Any material changes will be notified to the Customer at least 30 days before they take effect. If the Customer disagrees with the changes, it may terminate the Service in accordance with the Terms of Service.

16. Contact

For any questions regarding this DPA or data processing activities:

Stellary — Data Protection
Email: privacy@stellary.co
Subject: "DPA — [Your organisation name]"

This DPA is automatically incorporated into the Terms of Service for all business customers whose processing activities are subject to the GDPR. No separate signature is required. Customers requiring a signed DPA for their compliance obligations (ISO 27001, SOC 2, public procurement, etc.) should contact privacy@stellary.co to obtain a signable version.
