Stardex DPA


Last Updated: Mar 20, 2026


This Data Processing Addendum ("DPA") is incorporated into and forms part of the SaaS Services Agreement or Terms of Service (the "Agreement") between SedimentIQ Corp (dba Stardex), with a place of business at 169 Madison Ave #2089, New York, NY, 10016 ("Processor" or "Stardex"), and the customer identified in the Agreement ("Controller" or "Customer").


This DPA applies to the extent that Stardex processes Personal Data on behalf of Customer in the course of providing the Stardex platform.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Stardex on behalf of Customer through the platform.

  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.

  • "Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable data protection legislation.

  • "Subprocessor" means any third party engaged by Stardex to process Personal Data on behalf of Customer.

  • "Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data.

2. Scope and Roles

Customer is the Controller of Personal Data processed through the Stardex platform. Stardex is the Processor, processing Personal Data only on behalf of and under the instructions of Customer, except where required by applicable law.

3. Details of Processing


Subject matter: Provision of the Stardex ATS and CRM platform

Duration: For the term of the Agreement, plus any post-termination data retention period

Nature and purpose: Storage, organization, retrieval, and AI-assisted processing of recruitment-related data to provide platform functionality

Categories of data subjects: Candidates, clients, contacts, and end users of the platform

Types of Personal Data: Names, contact information (email, phone, address), employment history, resumes/CVs, communication records, notes, assessments, and other recruitment-related data input by Customer

4. Customer Obligations

Customer shall:

  • Ensure it has a lawful basis for processing Personal Data and for instructing Stardex to process Personal Data on its behalf.

  • Provide any required notices to, and obtain any required consents from, data subjects whose Personal Data is processed through the platform.

  • Be responsible for the accuracy, quality, and legality of Personal Data provided to Stardex.

5. Stardex Obligations

Stardex shall:

  • Process Personal Data only on documented instructions from Customer, unless required to do so by applicable law (in which case Stardex will inform Customer before processing, unless prohibited by law).

  • Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.

  • Implement appropriate technical and organizational measures to protect Personal Data (see Section 8).

  • Not use Personal Data for any purpose other than providing the Services under the Agreement.

  • Not use Personal Data to train AI models or any machine learning systems.

6. Subprocessors

Stardex uses third-party subprocessors to deliver the platform. Customer provides general authorization for Stardex to engage subprocessors, subject to the following:

  • Stardex will maintain a list of current subprocessors (see Annex B) and make it available to Customer upon request.

  • Stardex will notify Customer at least 30 days in advance of any new subprocessor being engaged, via email to the address on file.

  • Customer may object to a new subprocessor within 14 days of notification. If Customer has a reasonable objection and Stardex cannot accommodate it, either party may terminate the affected Services.

  • Stardex will enter into written agreements with each subprocessor imposing data protection obligations no less protective than those in this DPA.

7. International Transfers

Where Personal Data is transferred outside the European Economic Area ("EEA"), United Kingdom, or other jurisdiction with data transfer restrictions, Stardex will ensure that appropriate transfer mechanisms are in place, such as:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (included as Annex C upon request).

  • Any other transfer mechanism recognized under applicable Data Protection Laws.

8. Security Measures

Stardex implements and maintains appropriate technical and organizational security measures, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).

  • Role-based access controls with multi-factor authentication for internal systems.

  • Regular vulnerability assessments and penetration testing.

  • SOC 2 Type II compliance, with audit reports available to Customer upon request under NDA.

  • Logging and monitoring of access to systems containing Personal Data.

  • Secure software development practices.

  • Employee security awareness training.

9. Data Breach Notification

In the event of a Data Breach affecting Customer's Personal Data, Stardex will:

  • Notify Customer without undue delay, and in any event within 72 hours of becoming aware of the breach.

  • Provide Customer with sufficient information to enable Customer to meet its own breach notification obligations under applicable Data Protection Laws, including the nature of the breach, categories of data affected, approximate number of records affected, likely consequences, and measures taken or proposed to address the breach.

  • Cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

10. Data Subject Rights

Stardex will assist Customer in responding to requests from data subjects exercising their rights under applicable Data Protection Laws (such as access, correction, deletion, portability, and objection). Stardex will promptly notify Customer if it receives a request directly from a data subject, and will not respond to such requests directly unless authorized by Customer.

11. Data Retention and Deletion

Upon termination of the Agreement, Stardex will:

  • Make Customer Data available for export for ninety (90) days following termination.

  • After the 90-day period, securely delete or anonymize all Personal Data in its possession, unless retention is required by applicable law.

  • Upon Customer's request, provide written confirmation of deletion.

12. Audits

Customer may, at its own expense and upon reasonable notice (not more than once per year), audit Stardex's compliance with this DPA, or request that Stardex provide its most recent SOC 2 Type II report or equivalent third-party audit report. Stardex will cooperate with reasonable audit requests and provide relevant information, subject to confidentiality obligations.

13. Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Agreement.

14. Conflict

In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.

Annex A: Standard Contractual Clauses

Where required for international transfers, the parties agree to enter into the Standard Contractual Clauses as approved by the European Commission (Commission Implementing Decision (EU) 2021/914). These will be provided as a separate attachment upon request.

Annex B: List of Subprocessors

  • Amazon Web Services (AWS): Cloud hosting and infrastructure - United States

  • Vercel: Frontend hosting - United States

  • Google Cloud Platform: Cloud services - United States

  • Stripe: Payment processing - United States

  • Clerk: Authentication and user management - United States

  • Nylas: Email integration (where customer opts in) - United States

  • Anthropic: AI model provider (Claude models) - United States

  • OpenAI: AI model provider (GPT models) - United States

  • Microsoft: Azure AI model provider (Azure OpenAI Service) - United States

  • Slack: Customer support communications - United States

  • Plain: Customer support platform - United States

  • Inngest: Durable backend task execution - United States

This list is current as of the Last Updated date above. Customers will be notified of changes per Section 6.

Annex C: Standard Contractual Clauses (available upon request)

Contact support@stardex.ai to request executed SCCs.