Data Processing Agreement

Last updated: May 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Aduro Creative Ltd, trading as Stark Chat ("Processor", "we", "us"), and the customer agreeing to these terms ("Controller", "you").

This DPA applies where and to the extent that we process Personal Data on your behalf in the course of providing our services. This DPA is designed to ensure compliance with the requirements of the UK General Data Protection Regulation (UK GDPR), the EU General Data Protection Regulation (EU GDPR), and other applicable data protection laws.

By using our services, you agree to be bound by this DPA. If you are entering into this DPA on behalf of an organisation, you represent that you have the authority to bind that organisation.

2. Definitions

In this DPA, the following terms have the meanings set out below:

  • "Data Protection Laws" means the UK GDPR, EU GDPR, the Data Protection Act 2018, and any other applicable laws relating to the processing of Personal Data and privacy.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by us on your behalf in connection with the services.
  • "Processing" means any operation performed on Personal Data, including collection, recording, storage, retrieval, use, disclosure, and erasure.
  • "Data Subject" means the identified or identifiable natural person to whom the Personal Data relates.
  • "Sub-processor" means any third party engaged by us to process Personal Data on your behalf.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international data transfers.

3. Scope and Purpose of Processing

3.1 Subject Matter

This DPA applies to the processing of Personal Data that you upload to, or that is collected through, the Stark Chat platform in connection with your use of our services.

3.2 Nature and Purpose

We process Personal Data for the purpose of providing you with AI-powered document search, retrieval, and chat functionality. This includes:

  • Retrieving content from sources you upload or authorise (including file uploads and OAuth-connected sources such as Google Drive, Dropbox, Notion, and public URLs)
  • Converting retrieved files to markdown or plain text format
  • Generating dense and sparse vector embeddings of your content and storing them, together with content chunks and metadata, in a managed vector database
  • Sending user queries and the relevant retrieved chunks to a third-party large-language-model provider for inference, and returning the generated response to authorised users
  • Displaying content to users you have authorised
  • Storing access rules and sharing permissions
  • Operating the service (transactional email, error monitoring, product analytics, billing)

3.3 Types of Personal Data

The types of Personal Data processed depend on the content you upload and may include:

  • Names and contact information
  • Employment information
  • Financial information
  • Any other Personal Data contained in your uploaded documents

3.4 Categories of Data Subjects

Data Subjects may include your employees, customers, suppliers, business contacts, and any other individuals whose Personal Data is contained in the content you upload.

3.5 Duration

We will process Personal Data for the duration of your use of our services and for 90 days following account termination, unless a longer retention period is required by law or requested by you.

4. Controller Obligations

As the Controller, you are responsible for:

  • Ensuring you have a lawful basis for processing the Personal Data you upload to our platform
  • Providing any required notices to Data Subjects and obtaining any necessary consents
  • Ensuring the accuracy and quality of Personal Data
  • Complying with all applicable Data Protection Laws in your use of our services
  • Determining the purposes and means of processing Personal Data
  • Responding to Data Subject requests (with our assistance as set out in this DPA)
  • Notifying us promptly of any changes that may affect our processing of Personal Data

5. Processor Obligations

As the Processor, we will:

  • Process Personal Data only on your documented instructions, unless required by law to do otherwise (in which case we will notify you before processing, unless prohibited by law)
  • Ensure that persons authorised to process Personal Data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Respect the conditions for engaging Sub-processors as set out in this DPA
  • Assist you in responding to Data Subject requests
  • Assist you in ensuring compliance with your obligations regarding security, breach notification, data protection impact assessments, and prior consultations
  • Delete or return all Personal Data at the end of the provision of services, as set out in this DPA
  • Make available to you information necessary to demonstrate compliance with our obligations and allow for audits
  • Immediately inform you if, in our opinion, an instruction infringes Data Protection Laws

6. AI Processing

You acknowledge that our services involve AI processing of your content using Amazon Bedrock for large-language-model inference and embedding generation, and Pinecone for vector storage and retrieval. We confirm that:

  • Data isolation: Your Personal Data, content chunks, and embeddings are logically segregated by tenant and are not accessible to other customers or their chatbots.
  • No model training: AWS does not use, and contractually requires the underlying foundation-model providers not to use, prompts or completions processed through Amazon Bedrock to train any models. Pinecone does not train models on customer data.
  • Processing location: Application compute and storage (AWS) and Bedrock inference are located in the United Kingdom and Ireland (AWS eu-west-2 and eu-west-1). Storage of embeddings in Pinecone takes place in the United States; the relevant transfer mechanisms are set out in section 8 and on our Sub-processors page.

7. Sub-processors

7.1 Authorised Sub-processors

You provide general authorisation for us to engage Sub-processors to process Personal Data on your behalf. The current list of authorised Sub-processors — including each Sub-processor's purpose, the categories of Personal Data processed, the processing location, and the applicable cross-border transfer mechanism — is maintained at starkchat.com/subprocessors and forms part of this DPA.

For clarity, certain providers we use to operate our own business (for example product analytics, advertising measurement, and consent management on our marketing and product surfaces) are not Sub-processors under this DPA: in respect of those activities Stark Chat is the Controller of the limited operational and product-usage data collected, and customer-uploaded content is not routed through those tools. Those providers are disclosed in our Privacy Policy. The relationship with Stripe is split: Stripe acts as our Sub-processor for billing-contact metadata that we send to it (account email and company name), and as an independent Controller for full payment-card data, which Stark Chat does not receive or store.

7.2 Sub-processor Changes

We will notify you of any intended changes to our Sub-processors by updating the Sub-processors page and, where practicable, by email notification at least 14 days before the change takes effect. You may object to a new Sub-processor by notifying us in writing within 14 days of receiving notice. If you object on reasonable grounds relating to data protection, we will work with you to find a mutually acceptable resolution. If no resolution can be reached, you may terminate your account.

7.3 Sub-processor Obligations

We will ensure that each Sub-processor is bound by data protection obligations no less protective than those set out in this DPA. We remain fully liable to you for the performance of our Sub-processors' obligations.

8. International Data Transfers

8.1 Primary Processing Location

The application's compute, storage, and AI-inference infrastructure is located within the United Kingdom and the European Economic Area:

  • AWS eu-west-2 (London, UK) — application compute (Lambda), relational database (RDS), object storage (S3), key-value storage (DynamoDB), authentication (Cognito), email (SES), and message queues (SQS).
  • AWS eu-west-1 (Ireland) and eu-west-2 (London) — Amazon Bedrock inference profiles for large-language-model inference and embedding generation.

8.2 Transfers Outside the UK/EEA

Certain Sub-processors that we rely on to deliver the service process Personal Data outside the United Kingdom and European Economic Area, principally in the United States. These currently include Pinecone (vector storage), Stripe (payments), Sentry (error monitoring), Cloudflare (DNS for customer custom domains), and Firecrawl (URL fetching). Where such transfers occur, we ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • The UK International Data Transfer Agreement or UK Addendum to the EU SCCs, as applicable
  • The EU–US Data Privacy Framework, where the recipient is currently certified under that framework
  • Any other valid transfer mechanism under applicable Data Protection Laws

8.3 Transfer Impact Assessments

We conduct transfer impact assessments for transfers to third countries to evaluate whether the recipient country provides an adequate level of data protection and whether supplementary measures are required.

9. Security Measures

We implement appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption of Personal Data in transit using TLS 1.2 or higher
  • Encryption of Personal Data at rest
  • Access controls and authentication mechanisms
  • Regular security assessments and testing
  • Employee training on data protection and security
  • Incident response procedures
  • Business continuity and disaster recovery measures
  • Logical separation of customer data

We regularly review and update our security measures to address evolving threats and maintain an appropriate level of protection.

10. Security Incidents

10.1 Notification

We will notify you without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting your Personal Data. Notification will be sent to the email address associated with your account.

10.2 Notification Contents

Our notification will include, to the extent known:

  • A description of the nature of the Security Incident
  • The categories and approximate number of Data Subjects affected
  • The categories and approximate number of Personal Data records affected
  • The likely consequences of the Security Incident
  • The measures taken or proposed to address the Security Incident
  • Contact details for obtaining further information

10.3 Cooperation

We will cooperate with you and provide reasonable assistance in investigating and mitigating the Security Incident, and in meeting any notification obligations you may have to supervisory authorities or Data Subjects.

11. Data Subject Rights

11.1 Assistance with Requests

We will assist you in responding to requests from Data Subjects exercising their rights under Data Protection Laws, including rights of access, rectification, erasure, restriction, portability, and objection.

11.2 Direct Requests

If we receive a request directly from a Data Subject relating to Personal Data you have uploaded, we will promptly notify you and will not respond to the request directly unless authorised by you or required by law.

11.3 Response Timeframe

We will provide reasonable assistance to help you respond to Data Subject requests within the timeframes required by Data Protection Laws.

12. Data Protection Impact Assessments

Upon request, we will provide you with reasonable assistance in conducting data protection impact assessments and prior consultations with supervisory authorities, where required under Data Protection Laws, in relation to your use of our services.

13. Audits

13.1 Audit Rights

We will make available to you all information reasonably necessary to demonstrate our compliance with this DPA. You may conduct audits, including inspections, either directly or through an independent auditor, subject to the following conditions:

  • You provide us with at least 30 days' prior written notice
  • Audits are conducted during normal business hours and no more than once per year
  • The auditor agrees to reasonable confidentiality obligations
  • The audit does not unreasonably disrupt our operations
  • You bear the costs of the audit

13.2 Certifications and Reports

Where available, we may provide you with relevant certifications, audit reports, or other documentation to demonstrate our compliance with this DPA in lieu of an on-site audit.

14. Data Deletion and Return

14.1 Upon Termination

Upon termination of your account or upon your written request, we will delete all Personal Data processed on your behalf within 90 days, unless:

  • You request return of the Personal Data, in which case we will provide it in a commonly used format
  • We are required by applicable law to retain the Personal Data
  • Retention is necessary for the establishment, exercise, or defence of legal claims

14.2 Certification

Upon your written request, we will provide written confirmation that Personal Data has been deleted in accordance with this DPA.

15. Liability

The liability of each party under this DPA is subject to the limitations and exclusions set out in our Terms of Service. Nothing in this DPA limits either party's liability for breaches of Data Protection Laws to the extent such liability cannot be limited under applicable law.

16. Governing Law

This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.

17. Changes to This DPA

We may update this DPA from time to time to reflect changes in our processing activities, Sub-processors, or applicable laws. We will notify you of material changes by posting the updated DPA on our website and updating the "Last updated" date. For significant changes affecting your rights or obligations, we will provide advance notice by email.

18. Contact Us

If you have any questions about this DPA, please contact us:

Email: privacy@starkchat.com

Company: Aduro Creative Ltd (trading as Stark Chat)
Company Number: 11200639

Address: Aduro Creative Ltd (trading as Stark Chat)
27 Old Gloucester Street, London, WC1N 3AX