Data Processing Addendum
Last updated: 2026-06-23
This Data Processing Addendum ("DPA") forms part of the agreement between FanXus — operator of StoneAI, The Covenant Engine ("Processor," "we," "us") — and the Customer ("Controller," "you"). It governs the processing of personal data under the EU and UK General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA/CPRA), and supplements our Terms of Service and Privacy Policy.
Roles. When StoneAI processes personal data contained in your decrees, covenants, audit records, or governed systems, you are the Controller and FanXus is the Processor acting on your documented instructions. Under California law, you are the "Business" and FanXus is a "Service Provider." StoneAI will not "sell" or "share" personal information and will not retain, use, or disclose it for any purpose other than performing the Service.
01 Definitions
"Personal Data," "Processing," "Controller," "Processor," "Data Subject," and "Supervisory Authority" have the meanings given in the GDPR. "Customer Personal Data" means personal data we process on your behalf in providing the Service.
02 Roles & Scope of Processing
We process Customer Personal Data only to provide, secure, support, and bill the Service, and only on your documented instructions (including via the configuration of your tenant). The subject matter is the operation of AI-governance workflows; the duration is the term of the agreement; the nature and purpose are decree evaluation, covenant verification, audit-ledger maintenance, and metering.
Categories of Data Subjects: your administrators and authorized signers, and any individuals whose data appears within the decrees, covenants, or systems you submit. Categories of Personal Data: identifiers, business contact details, authentication and public-key data, usage and metering records, audit metadata, and any content you direct us to process.
03 Processor Obligations
- Process Customer Personal Data only on your documented instructions, unless required by law (in which case we will inform you unless legally prohibited).
- Ensure personnel authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational measures (Section 6).
- Assist you, taking into account the nature of processing, in responding to Data-Subject requests and in meeting your obligations under Articles 32–36 GDPR.
- Make available information necessary to demonstrate compliance and submit to audits (Section 8).
04 Sub-Processors
You authorize us to engage the sub-processors listed below. Each is bound by data-protection terms no less protective than this DPA. We will give reasonable prior notice of any intended addition or replacement so you may object on reasonable, data-protection grounds; if we cannot resolve a legitimate objection, you may terminate the affected portion of the Service.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | Cloud hosting, compute, and encrypted storage | United States |
| Stripe | Card and bank payment processing | United States |
| PayPal | Wallet and bank payment processing | United States |
| Coinbase Commerce | Cryptocurrency payment processing | United States |
The payment sub-processors receive payment credentials directly; StoneAI does not store full card numbers or cryptocurrency wallet credentials.
05 International Transfers
Where Customer Personal Data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the transfer is governed by the European Commission's Standard Contractual Clauses (SCCs), which are incorporated into this DPA by reference, together with the UK International Data Transfer Addendum where applicable. We apply supplementary measures including encryption in transit and at rest and least-privilege access controls.
06 Security Measures
We maintain technical and organizational measures appropriate to the risk, including:
- Per-tenant cryptographic isolation and strict tenant separation.
- Ed25519 covenant verification binding each authorization to a decree content hash.
- An append-only, hash-chained audit ledger that makes unauthorized changes tamper-evident.
- Encryption of data in transit (TLS) and at rest.
- Least-privilege access, authentication controls, logging, and monitoring.
Our full security posture is described in our Security & Trust overview.
07 Personal-Data Breach Notification
We will notify you without undue delay and in any event within seventy-two (72) hours after becoming aware of a personal-data breach affecting Customer Personal Data. The notice will describe, to the extent known, the nature of the breach, the categories and approximate number of records affected, likely consequences, and the measures taken or proposed. We will cooperate with you in investigating and remediating the breach.
08 Audit Rights
We will make available to you the information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an independent auditor you mandate, no more than once per year (and following a breach) on reasonable notice, subject to confidentiality and to not unreasonably disrupting our operations. Where available, current third-party attestations may satisfy an audit request.
09 Data-Subject Requests
We will, to the extent legally permitted, promptly notify you of any request we receive directly from a Data Subject and will assist you in fulfilling your obligation to respond, taking into account the nature of the processing and the tooling available within the Service.
10 Return & Deletion on Termination
Upon termination or expiry of the agreement, and at your choice, we will return or delete Customer Personal Data and existing copies within a commercially reasonable period, unless retention is required by law. Where deletion is not technically feasible for tamper-evident records, we will isolate, protect, and cease active processing of that data until deletion is possible. We will confirm deletion on request.
11 Liability & Order of Precedence
Each party's liability under this DPA is subject to the limitations in the Terms of Service. In the event of a conflict between this DPA and the Terms regarding the processing of personal data, this DPA controls; the SCCs control over this DPA to the extent of any conflict.