Data Processing Addendum

StitchQueue
Operated by Stitched By Susan

1. Purpose and Scope

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between you (the “Customer” or “Data Controller”) and Stitched By Susan (the “Service Provider” or “Data Processor”) for our StitchQueue workflow management software.

1.1 Why This DPA Exists

When you use StitchQueue to manage your quilting business, you store information about your clients (names, addresses, phone numbers, etc.). Under data protection laws such as the General Data Protection Regulation (GDPR), UK GDPR, and California Consumer Privacy Act (CCPA), this makes you a Data Controller and us a Data Processor.

This DPA defines:

• What data we process on your behalf
• How we process it
• Your rights and our responsibilities
• Security measures we implement

1.2 Who This Applies To

This DPA applies to you if:

• You operate a longarm quilting business
• You store client personal data in StitchQueue
• You or your clients are subject to GDPR, UK GDPR, CCPA, or similar data protection laws

If you don’t store client data (e.g., you only use StitchQueue for internal project management with no client names/addresses), this DPA may not apply to you. However, we recommend reading it to understand how we handle data.

2. Definitions

3. Roles and Responsibilities

3.1 Your Role (Data Controller)

As the Data Controller, you are responsible for:

Legal Basis:

• Determining the legal basis for collecting client data (e.g., contract performance, consent, legitimate interests)
• Ensuring you have the right to collect and process client information

Transparency:

• Informing your clients about how their data will be used (e.g., via your own privacy policy or intake form disclosure)
• Providing clients with information about their rights (access, correction, deletion)

Consent and Permissions:

• Obtaining necessary consents from clients (e.g., email marketing consent)
• Honoring client requests to access, correct, or delete their data

Data Accuracy:

• Ensuring client information in StitchQueue is accurate and up-to-date
• Correcting or deleting inaccurate data promptly

Data Minimization:

• Collecting only the data necessary for your business operations
• Not storing sensitive or unnecessary information

Your Instructions to Us:

• You control what data is entered into StitchQueue
• You may instruct us to delete or export data at any time
• We will only process data according to your instructions (via the Service features)

3.2 Our Role (Data Processor)

As the Data Processor, we are responsible for:

Following Your Instructions:

• Processing client data only as necessary to provide the Service
• Not using client data for our own purposes (e.g., marketing, analytics) unless anonymized

Security:

• Implementing appropriate technical and organizational measures to protect data (see Section 6)

Confidentiality:

• Ensuring our employees and contractors are bound by confidentiality obligations

Sub-Processors:

• Using only vetted, compliant sub-processors (see Section 5)
• Notifying you of sub-processor changes

Data Subject Requests:

• Assisting you in responding to client requests (access, deletion, etc.)

Data Breaches:

• Notifying you of any data breach affecting client data within 72 hours (see Section 7)

Data Deletion:

• Deleting or returning client data upon request or account closure (see Section 9)

Audits:

• Cooperating with audits or inspections (within reason) to verify compliance

4. Data Processing Details

4.1 What Client Data We Process

We process the following categories of Personal Data on your behalf:

We do NOT process:

• Payment card information (handled by Stripe, our payment processor — we receive only last 4 digits, card brand, expiration, and billing ZIP)
• Sensitive personal data (health, race, religion, biometrics, etc.) unless you choose to store it (which we discourage)

4.2 How We Process Data

Processing Activities:

• Storage: Data is stored in a PostgreSQL database (Supabase) hosted in the United States
• Display: Data is shown to you via the StitchQueue web application
• Email Delivery: Client names/addresses are included in emailed estimates and invoices (via Resend)
• Backup: Automatic daily backups for disaster recovery (Supabase managed)
• Reporting: Aggregated analytics (e.g., revenue totals) generated from your data

Duration of Processing:

• Data is processed for as long as your account is active
• After account closure, data is deleted within 90 days (see Section 9)

4.3 Your Instructions

By using StitchQueue, you instruct us to process client data as necessary to provide the Service features, including:

• Creating and managing projects
• Generating estimates and invoices
• Sending emails on your behalf
• Storing data for future reference
• Providing reports and analytics

Changes to Instructions: You may change your instructions by adjusting settings in the app or contacting us at legal@stitchqueue.com.

5. Sub-Processors

5.1 Authorized Sub-Processors

We use the following sub-processors to help provide the Service:

All sub-processors:

• Are contractually obligated to protect data
• Implement appropriate security measures
• Comply with GDPR, CCPA, and other applicable laws
• Use data only for the specified purpose

5.2 Sub-Processor Changes

If we add or replace a sub-processor, we will:

• Notify you at least 30 days in advance via email
• Update this DPA to reflect the change
• Provide you with an opportunity to object

Right to Object:

If you object to a new sub-processor on reasonable grounds (e.g., concerns about their security or compliance), you may:

• Request that we do not use the new sub-processor for your data
• Terminate your account without penalty if we cannot accommodate your objection

6. Security Measures

We implement the following technical and organizational measures to protect Personal Data:

6.1 Technical Measures

Encryption:

• All data in transit is encrypted using TLS 1.2+ (HTTPS)
• Passwords are hashed using bcrypt (never stored in plain text)
• Database connections are encrypted

Access Controls:

• Row Level Security (RLS) on all database tables (you can only access your own data)
• Role-based access control (when multi-user functionality becomes available)
• Session tokens expire after inactivity

Infrastructure Security:

• Servers hosted in secure, SOC 2-certified data centers (Supabase)
• Firewalls and intrusion detection systems
• Regular security updates and vulnerability patching

Backup and Recovery:

• Automatic daily backups (Supabase managed)
• Backups encrypted at rest
• Disaster recovery plan in place

6.2 Organizational Measures

Personnel:

• Access to production data limited to authorized personnel only
• All personnel sign confidentiality agreements
• Security awareness training

Policies and Procedures:

• Incident response plan (see Section 7)
• Data retention and deletion procedures (see Section 9)
• Vendor security assessment process

Monitoring:

• Error logging and monitoring (when implemented)
• Regular security audits and penetration testing (planned)

6.3 Your Security Responsibilities

You are responsible for:

• Using a strong, unique password
• Safeguarding your login credentials
• Enabling two-factor authentication (when available)
• Logging out of shared or public devices
• Promptly reporting suspected security breaches

7. Data Breach Notification

7.1 Our Obligations

If we become aware of a data breach affecting Personal Data processed on your behalf, we will:

Within 72 hours:

• Notify you via email to your primary account email address
• Provide details about the breach (what data was affected, how many records, suspected cause)
• The 72-hour period begins when we become aware of the breach

Important: You are responsible for monitoring your primary account email address. We are not responsible if you do not check your email or if our notification is caught by spam filters.

Ongoing:

• Investigate the breach and take corrective action
• Provide updates as we learn more
• Cooperate with you and regulatory authorities

7.2 What Constitutes a Breach

A data breach includes:

• Unauthorized access to Personal Data (hacking, insider threat)
• Accidental disclosure (email sent to wrong recipient, misconfigured database)
• Data loss (hardware failure, accidental deletion)
• Ransomware or malware affecting data integrity

Not included:

• Breaches of your account security due to weak passwords or sharing credentials (your responsibility)
• Breaches affecting only anonymized or aggregated data

7.3 Your Obligations

Upon receiving breach notification, you are responsible for:

• Assessing whether you must notify your clients (Data Subjects) or regulatory authorities (depends on severity and jurisdiction)
• Complying with applicable breach notification laws (e.g., GDPR requires notification within 72 hours if high risk to individuals)

We will assist you with breach response, but you are the Data Controller and ultimately responsible for client notifications.

8. Data Subject Rights

8.1 Your Clients’ Rights

Under GDPR, CCPA, and similar laws, your clients (Data Subjects) have rights including:

• Right to Access: Request a copy of their data
• Right to Rectification: Request correction of inaccurate data
• Right to Erasure (“Right to be Forgotten”): Request deletion of their data
• Right to Restrict Processing: Request that processing be limited
• Right to Data Portability: Receive their data in a structured format
• Right to Object: Object to processing based on legitimate interests

8.2 Handling Client Requests

Your Role:

• You are responsible for receiving and responding to Data Subject requests from your clients
• You must verify the requester’s identity
• You must respond within the legally required timeframe (typically 30 days under GDPR)

Our Role:

• We will assist you by providing tools to:
  • Access: Export client data via Settings > Data Management
  • Rectification: Edit client information in the app
  • Erasure: Delete individual projects or full account
  • Portability: Download data in CSV format

Limitations:

• We cannot directly respond to Data Subject requests from your clients (we don’t have a relationship with them)
• If we receive a request directly, we will forward it to you

8.3 Requesting Our Assistance

If you need help responding to a Data Subject request, contact us at:

legal@stitchqueue.com
Subject: “Data Subject Request Assistance — [Client Name]”

Provide:

• Nature of the request (access, deletion, etc.)
• Client information (to help us locate the data)
• Any deadline you need to meet

We will respond within 5 business days and provide the necessary data or take the requested action.

9. Data Retention and Deletion

9.1 Retention Period

We retain Personal Data only as long as necessary to provide the Service:

While Your Account Is Active:

• All project data and client information is retained indefinitely
• You control when to archive or delete individual projects

After Account Closure:

• Data is deleted within 90 days of closure request
• Legal hold exceptions: Data may be retained longer if required by law (e.g., tax audits, legal disputes)

9.2 Data Deletion Procedure

To Delete Individual Projects:

1. Navigate to the project in StitchQueue
2. Archive the project (moves to Archive page)
3. Permanently delete from Archive (cannot be undone)

To Delete Your Entire Account (and all client data):

1. Email legal@stitchqueue.com with “Close Account” in subject line
2. We verify your identity (to prevent unauthorized deletion)
3. All data is marked for deletion
4. Data is permanently deleted within 90 days
5. You receive confirmation email once deletion is complete

Backup Retention:

• Deleted data may persist in backups for up to 30 days (Supabase retention policy)
• Backups are overwritten automatically; we do not manually extract deleted data from backups

9.3 Return of Data

Upon account closure, you may request a copy of your data before deletion:

Request Process:

1. Email legal@stitchqueue.com with “Data Export Before Closure”
2. We will provide a CSV export of all projects and settings
3. You have 30 days to download the export
4. After 30 days, data is permanently deleted

10. International Data Transfers

10.1 Where Data Is Processed

StitchQueue and its sub-processors are primarily located in the United States. If you or your clients are located outside the US (e.g., EU, UK, Canada), your data will be transferred to the US for processing.

10.2 Safeguards for GDPR Compliance

For transfers of Personal Data from the EU/EEA/UK to the US, we rely on:

Standard Contractual Clauses (SCCs):

• We have incorporated the European Commission’s Standard Contractual Clauses (2021 version) by reference
• Our sub-processors (Supabase, Vercel, Resend) also use SCCs for GDPR-compliant transfers

Supplementary Measures:

• Encryption of data in transit and at rest
• Access controls and authentication
• Regular security audits

UK GDPR:

• The UK International Data Transfer Addendum (IDTA) applies for transfers from the UK

10.3 Other Jurisdictions

For other jurisdictions (e.g., Canada, Australia, Brazil):

• We comply with local data protection laws where applicable
• We implement equivalent safeguards (encryption, access controls, etc.)

10.4 Your Consent

By using StitchQueue, you acknowledge and consent to the transfer of Personal Data to the United States and other locations where our sub-processors operate.

If you are subject to laws requiring additional safeguards, contact legal@stitchqueue.com.

11. Audits and Compliance

11.1 Your Right to Audit

As the Data Controller, you have the right to audit our data processing activities to ensure compliance with this DPA and Data Protection Laws.

Audit Process:

1. Submit a written audit request to legal@stitchqueue.com at least 30 days in advance
2. Specify the scope and purpose of the audit
3. We will schedule a mutually convenient time
4. Audits may be conducted remotely (video conference) or on-site (at our discretion)

Frequency:

• One audit per year at no charge
• Additional audits may be subject to a fee (to cover our administrative costs)

Audit Costs:

• The Customer bears all costs associated with conducting the audit (travel, consultant fees, etc.)
• Exception: If the audit reveals a material breach by Stitched By Susan, we will reimburse reasonable audit costs

Limitations:

• Audits must not interfere with our operations or other customers’ data
• You may not access other customers’ data or confidential business information
• We may require you to sign a non-disclosure agreement (NDA)

11.2 Compliance Documentation

Upon request, we will provide:

• Copies of our security policies
• SOC 2 reports (if available)
• Sub-processor agreements
• Evidence of compliance with this DPA

11.3 Regulatory Audits

If a data protection authority (e.g., ICO, CNIL) requests an audit or investigation, we will:

• Cooperate fully with the authority
• Provide requested information and documentation
• Notify you if the audit relates to your data (unless prohibited by law)

12. Liability and Indemnification

12.1 Limitation of Liability

To the maximum extent permitted by law:

Our liability for data breaches or processing violations is limited to:

• Direct damages only (no consequential, indirect, or punitive damages)
• Maximum amount: The lesser of (a) $25,000 USD or (b) the amount you paid us in the 12 months prior to the claim

This limitation does NOT apply to:

• Breaches caused by our gross negligence or willful misconduct
• Violations of GDPR or other Data Protection Laws where unlimited liability is required by law

12.2 Your Indemnification

You agree to indemnify us against claims arising from:

• Your violation of Data Protection Laws (e.g., collecting data without consent)
• Your instructions to us that violate laws or third-party rights
• Your failure to notify your clients about how their data is used

Example: If your client sues us because you didn’t provide them with a privacy notice, you agree to cover our legal costs.

13. Term and Termination

13.1 Effective Date

This DPA takes effect on the date you create your StitchQueue account and remains in effect as long as we process Personal Data on your behalf.

13.2 Termination

This DPA terminates when:

• You close your account (and all data is deleted per Section 9)
• We cease operating StitchQueue (with 90 days’ notice)
• Either party terminates the Terms of Service

13.3 Post-Termination Obligations

Upon termination:

• We will delete or return your data within 90 days (at your choice)
• We will certify deletion upon request
• Backup copies will be overwritten per our retention policy (30 days)

Surviving Provisions:

• Sections related to confidentiality, liability, and indemnification survive termination

14. Changes to This DPA

14.1 Notification of Changes

We may update this DPA to reflect:

• Changes in Data Protection Laws
• Changes to our sub-processors
• Improvements to our security measures

You will be notified at least 30 days in advance via email.

14.2 Material Changes

Material changes (e.g., adding a new sub-processor, changing data retention periods) require:

• Advance notice via email
• Option for you to object or terminate (see Section 5.2)

14.3 Acceptance

Continued use of the Service after changes constitutes acceptance. If you do not agree, you must close your account before the effective date of the change.

15. Governing Law and Disputes

15.1 Governing Law

This DPA is governed by the same law as the Terms of Service: Washington State, USA.

For GDPR-related disputes, the laws of the EU member state where you (the Data Controller) are established may also apply.

15.2 Dispute Resolution

Disputes will be resolved according to the Terms of Service (Section 11), including arbitration provisions.

Exception: Disputes related to GDPR compliance may be brought before the competent data protection authority or courts in the EU, regardless of arbitration agreements.

16. Contact Information

For DPA-related questions or requests:

Email: legal@stitchqueue.com
Subject Line: “DPA Inquiry — [Your Topic]”
Mailing Address: 1310 E Cleveland Bay Ln, Spokane, WA 99208, USA

For Data Subject Rights assistance: legal@stitchqueue.com
For technical support: support@stitchqueue.com

17. Standard Contractual Clauses (SCCs)

By agreeing to this DPA, you and Stitched By Susan agree to be bound by the Standard Contractual Clauses for the transfer of Personal Data to third countries adopted by the European Commission (Decision 2021/914 of 4 June 2021).

Module Applied: Module Two (Controller to Processor)

Roles:

• Data Exporter (Controller): You (the Customer)
• Data Importer (Processor): Stitched By Susan (operating StitchQueue workflow management software)

Docking Clause: The optional docking clause (Clause 7) of the Standard Contractual Clauses is included, allowing additional data importers or exporters to join this DPA by signing the relevant appendix.

A full copy of the SCCs is available at:
https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj

For UK transfers: The UK International Data Transfer Addendum (IDTA) is incorporated by reference:
ICO International Transfers Guidance

18. Summary (Plain Language)

What this DPA means:

• You (the quilter) are the Data Controller. You decide what client data to collect.
• We (StitchQueue) are the Data Processor. We store and process client data according to your instructions.
• We protect your clients’ data using encryption, access controls, and secure infrastructure.
• We use trusted sub-processors (Supabase, Vercel, Resend) that are GDPR-compliant.
• If there’s a data breach, we’ll notify you within 72 hours.
• Your clients have rights (access, correction, deletion). You handle their requests; we provide tools to help.
• Data is deleted within 90 days after you close your account.
• International transfers from EU/UK to US are protected by Standard Contractual Clauses.

Your responsibilities:

• Get your clients’ consent to store their data
• Provide your own privacy notice or intake form disclosure
• Respond to client requests (we’ll help)
• Keep data accurate and secure

Questions? Contact legal@stitchqueue.com for legal/compliance matters or support@stitchqueue.com for technical support

END OF DATA PROCESSING ADDENDUM

This DPA was prepared on February 7, 2026. It incorporates Standard Contractual Clauses and complies with GDPR, UK GDPR, and CCPA requirements. Have your lawyer review before relying on it for compliance purposes.