§ Legal · stads.cc
Data Processing Agreement & sub-processor disclosure (Art. 28 GDPR)
Last updated: 2026-06-18
Parties & roles
The Controller is the natural or legal person using the stads platform who determines the purposes and means of processing the personal data of their own end-users, recipients, or contacts – for example, an advertiser uploading a campaign or a publisher operating a developer account.
The Processor is the stads operator:
- Provider (legal entity): Fabian Bachfischer Software
- Responsible person: Fabian Bachfischer
- Data protection contact: privacy@soundworks-ai.com
- Data protection officer (DPO): None appointed and none legally required (Art. 37 GDPR); the data-protection contact is Fabian Bachfischer, privacy@soundworks-ai.com.
- VAT ID: None – small business under § 19 UStG (Kleinunternehmer); no VAT ID.
- Commercial register: None – not entered in the Handelsregister (sole proprietorship).
Postal address of the Processor:
Fabian Bachfischer Software
c/o POSTFLEX PFX-504-917
Emsdettener Straße 10
48268 Greven
Deutschland (Germany)
Where stads itself determines the purposes and means of processing – for instance, for its own billing, fraud-prevention, security, and statutory record-keeping – stads acts as an independent controller for that processing, which is described in the Privacy Policy rather than in this DPA.
Subject matter, nature & purpose
The subject matter of the processing is the operation of the stads advertising service for CLI-delivered text advertising. By design, stads is data-minimising: ads are one labelled line of plain text, there are no tracking pixels, no images, and no code leaves the publisher’s machine. The client reports only coarse, non-identifying signals needed to validate impressions and split revenue.
- Nature & purpose: Serving ads, validating impressions, attributing and splitting revenue, billing, and providing dashboards and reporting to the Controller.
- Categories of data subjects: The Controller's end-users / account holders, and contacts named on advertiser and publisher accounts.
- Categories of personal data: Account identifiers (e.g. email, account ID), billing and payout metadata, coarse non-identifying usage signals, and technical data such as IP address and request metadata processed transiently for security and delivery.
- Special categories: None are intentionally processed. The Controller must not submit special-category data (Art. 9 GDPR) through the platform.
- Duration: For the term of the Controller's use of the platform, plus the retention periods set out in § 08.
Processing on documented instructions
stads processes personal data only on the documented instructions of the Controller, including with regard to transfers to a third country, unless required to do so by EU or Member-State law – in which case stads informs the Controller of that legal requirement before processing, unless the law prohibits such information on important grounds of public interest (Art. 28(3)(a) GDPR).
The Controller’s instructions are given through the configuration choices made in the platform (e.g. creating a campaign, setting up a payout account) and through this DPA and the Terms of Service. stads informs the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member-State data-protection provisions (Art. 28(3) final sentence GDPR).
Confidentiality
stads ensures that persons authorised to process the personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (Art. 28(3)(b) GDPR). Access is limited to personnel who need it to perform the contract.
Sub-processors
The Controller grants stads general written authorisation to engage the sub-processors listed below (Art. 28(2) and (4) GDPR). stads remains fully liable to the Controller for the performance of each sub-processor’s obligations and imposes, by contract, data-protection obligations equivalent to those in this DPA. stads informs the Controller of any intended addition or replacement of a sub-processor with reasonable notice, giving the Controller the opportunity to object.
Current sub-processors
Supabase (EU region)
- purpose: Managed Postgres database and authentication for accounts, campaigns, the money ledger, and the impression record.
- data: Account identifiers, campaign and payout metadata, coarse usage signals, the money ledger.
- transfer basis: EU project region; processing kept in the EU/EEA. SCCs apply to any provider support functions outside the EU.
Stripe (EU + US)
- purpose: Payment processing for advertiser deposits and publisher payouts, plus related fraud and tax handling.
- data: Billing contact, payout account metadata, transaction amounts. Full card data is held by Stripe, not stads.
- transfer basis: Stripe acts under its own DPA; transfers outside the EU rely on the EU-US Data Privacy Framework and/or SCCs.
Vercel (EU + US)
- purpose: Hosting, edge delivery, and serving of the stads web application and API.
- data: Request metadata and IP addresses processed transiently for delivery, routing, and security.
- transfer basis: EU edge/functions region where available; transfers outside the EU rely on the EU-US Data Privacy Framework and/or SCCs.
Hosting region selection is enforced where the provider offers it (e.g. an EU-hosted database project). Some providers may process limited support, billing, or security metadata outside the EU; the transfer basis for any such processing is set out in § 06.
International transfers & transfer basis
stads keeps personal data within the European Union / European Economic Area wherever the sub-processor offers an EU region, and configures EU residency accordingly. Where a transfer to a third country nonetheless occurs (for example, to a US-incorporated provider’s support or billing function), it is carried out on one of the following bases:
- an adequacy decision under Art. 45 GDPR where one applies to the recipient (for instance, where the recipient is certified under the EU–US Data Privacy Framework);
- the European Commission’s Standard Contractual Clauses (SCCs, Implementing Decision (EU) 2021/914) under Art. 46(2)(c) GDPR, supplemented by a transfer impact assessment and appropriate supplementary measures (e.g. encryption in transit and at rest);
- for UK data, the UK International Data Transfer Addendum to the SCCs, where relevant.
The data-protection terms and transfer mechanisms of each sub-processor are available from the provider and are linked from the current sub-processor list. stads will provide a copy of the relevant transfer mechanism to the Controller on request, subject to redaction of commercially confidential terms.
Technical & organisational measures
stads implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk (Art. 28(3)(c) and Art. 32 GDPR), taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing. These include, as appropriate:
- Encryption of personal data in transit (TLS) and at rest;
- Data minimisation by design - no tracking pixels, no images, coarse non-identifying usage signals only, and no execution of remote code on the publisher's machine;
- Role-based access control and least-privilege access, with row-level security enforced at the database layer;
- Server-side validation of impressions to resist invalid traffic and fraud, with reversible ledger entries rather than destructive edits;
- Logical separation of Controllers' data and a double-entry, append-style ledger for money state;
- Pseudonymisation and tokenisation of payment data via the payment provider, so that full card data never reaches stads systems;
- Regular backups, monitoring, and the ability to restore availability and access in a timely manner after an incident;
- Processes for regularly testing, assessing, and evaluating the effectiveness of these measures.
A current, detailed description of the technical and organisational measures is maintained and can be requested from the data-protection contact (privacy@soundworks-ai.com); it forms an annex to this DPA.
Assistance, breach notification & deletion
Taking into account the nature of the processing, stads assists the Controller by appropriate technical and organisational measures, insofar as possible, in fulfilling the Controller’s obligation to respond to requests for exercising the data subject’s rights (Art. 28(3)(e) and Chapter III GDPR), and assists the Controller in ensuring compliance with the obligations under Art. 32 to 36 GDPR (security, breach notification, data-protection impact assessment, and prior consultation) – Art. 28(3)(f) GDPR.
stads notifies the Controller without undue delay after becoming aware of a personal-data breach affecting the Controller’s data, with the information the Controller needs to meet its own notification obligations under Art. 33 and 34 GDPR.
At the Controller’s choice, stads deletes or returns all personal data after the end of the provision of services and deletes existing copies, unless EU or Member-State law requires storage (Art. 28(3)(g) GDPR). Statutory retention periods – for example, German commercial and tax record-keeping obligations of up to ten years (§ 257 HGB, § 147 AO) – apply to billing and accounting records.
Audit rights
stads makes available to the Controller all information necessary to demonstrate compliance with the obligations in Art. 28 GDPR and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (Art. 28(3)(h) GDPR). Audits are conducted on reasonable prior notice, during business hours, no more than once per year unless triggered by an incident or a supervisory authority, and in a manner that does not disproportionately disrupt operations. stads may satisfy audit requests by providing relevant certifications, reports, or the sub-processors’ own audit documentation where appropriate.
How this DPA is entered into
This DPA is concluded electronically and forms an integral part of the stads Terms of Service. By creating an advertiser or publisher account, configuring a campaign or payout account, or otherwise using the platform to process personal data on the Controller’s behalf, the Controller accepts this DPA. No separate signature is required for it to take effect; acceptance of the Terms of Service constitutes acceptance of this DPA.
Controllers who require a separately signed Auftragsverarbeitungsvertrag – for procurement or internal-compliance reasons – may request a counter-signed copy by writing to privacy@soundworks-ai.com. The most recent version of this DPA published at stads.cc/dpa is the operative version; material changes are notified to Controllers with reasonable notice.
In case of conflict between this DPA and the Terms of Service on matters of data protection, this DPA prevails. This DPA is governed by the laws of Germany and the GDPR, without prejudice to mandatory data-subject protections.
Authoritative language. The German version of this DPA is the legally authoritative one. This English translation is provided for convenience only; in case of any discrepancy, the German text prevails.