Data Processing Agreement
Last updated: 14 April 2026
This Data Processing Agreement ("DPA") forms part of the agreement between MiceStack ("Processor") and the organisation accessing the Platform ("Controller"). It governs the processing of personal data on behalf of the Controller in connection with the MiceStack platform.
1. Definitions
Personal Data means any information relating to an identified or identifiable natural person processed through the Platform, including client names, email addresses, and contact details stored within your account.
Processing means any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.
Controller means the organisation (you) that determines the purposes and means of processing personal data.
Processor means MiceStack, which processes personal data on behalf of the Controller.
2. Scope and purpose
MiceStack processes personal data solely to provide the services described in the Terms of Service. We process only the categories of data necessary for those services and act only on the Controller's documented instructions.
Categories of data processed include: names and email addresses of the Controller's clients and contacts; supplier contact information; and any personal data included in quotations, invoices, or run sheets created within the Platform.
3. Controller obligations
As Controller, you are responsible for:
- Ensuring you have a lawful basis for processing the personal data you input into the Platform
- Providing appropriate privacy notices to your clients and contacts
- Responding to data subject requests from your clients
- Ensuring personal data is accurate before uploading it to the Platform
4. Processor obligations
MiceStack, as Processor, commits to:
- Process personal data only on the Controller's documented instructions
- Ensure all personnel with access to personal data are bound by confidentiality obligations
- Implement appropriate technical and organisational security measures (see Section 6)
- Assist the Controller in responding to data subject requests within a reasonable timeframe
- Notify the Controller of any personal data breach without undue delay
- Delete or return personal data upon termination of the agreement
5. Sub-processors
MiceStack engages the following sub-processors to deliver the service. Each is bound by data protection obligations no less protective than this DPA:
- Supabase, Inc. — Database hosting and authentication (US/EU). Data may be stored in EU-West-1 or US-East-1 regions.
- Vercel, Inc. — Application and serverless function hosting (US/EU edge locations).
- Stripe, Inc. — Payment processing. Only billing contact details and subscription status are shared.
- Resend, Inc. — Transactional email delivery. Recipient email addresses are passed for delivery only.
- OpenAI / Anthropic — AI-assisted features. Data submitted to AI features is not used for model training per our agreements with these providers.
- Cloudflare, Inc. — CDN, DDoS protection, and bot management.
MiceStack will notify Controllers of any intended changes to sub-processors by updating this page. Controllers who object to a new sub-processor may terminate the agreement within 30 days of notification.
6. Security measures
MiceStack maintains the following technical and organisational measures to protect personal data:
- Encryption in transit: TLS 1.2+ for all data transmitted between client and server
- Encryption at rest: AES-256 encryption for data stored in Supabase
- Access control: Row-level security policies ensure each account's data is isolated; staff access to production data is restricted and logged
- Authentication: Multi-factor authentication available for all accounts; session tokens are short-lived and rotated
- Security reviews: Regular internal security reviews and dependency vulnerability scanning
- Backups: Daily encrypted backups retained for 7 days
7. International data transfers
Some sub-processors operate infrastructure outside India. Where personal data is transferred internationally, MiceStack ensures appropriate safeguards are in place through contractual agreements with sub-processors that comply with applicable data protection standards. All sub-processors listed in Section 5 maintain appropriate international transfer mechanisms.
8. Data subject rights
MiceStack will assist Controllers in fulfilling data subject rights requests (access, correction, deletion, portability) within 5 business days of receiving a request forwarded by the Controller. Controllers may also direct their clients to contact privacy@micestack.in for direct assistance.
9. Data breach notification
In the event of a personal data breach affecting Controller data, MiceStack will notify the Controller by email within 72 hours of becoming aware of the breach. The notification will include: the nature of the breach; categories and approximate number of records affected; likely consequences; and measures taken or proposed to address the breach.
10. Audit rights
Controllers may request a summary of MiceStack's current security certifications, sub-processor agreements, and relevant internal policies once per calendar year. Requests should be sent to legal@micestack.in. On-site audits may be arranged by mutual agreement with reasonable advance notice.
11. Retention and deletion
Personal data within the Platform is retained for as long as the Controller's account remains active. Upon account termination, data is retained for 90 days to allow for export or recovery, then permanently deleted from all systems including backups within 30 days of the retention period expiring. Controllers may request earlier deletion at any time.
12. Term and termination
This DPA remains in effect for the duration of the Controller's subscription. It automatically terminates when the service agreement ends. Upon termination, Sections 4, 6, and 9 survive for as long as MiceStack retains any personal data belonging to the Controller.
13. Governing law
This DPA is governed by the laws of India, consistent with the Information Technology Act 2000 and applicable data protection rules. Any disputes shall be subject to the exclusive jurisdiction of the courts of India.
14. Contact
Data protection enquiries: privacy@micestack.in
Legal enquiries: legal@micestack.in