Stardex DPA
Last Updated: April 14, 2026
This Data Processing Addendum ("DPA") is incorporated into and forms part of the SaaS Services Agreement or Terms of Service (the "Agreement") between SedimentIQ Corp (dba Stardex), with a place of business at 169 Madison Ave #2089, New York, NY, 10016 ("Stardex"), and the customer identified in the Agreement ("Customer").
This DPA applies to the extent that Stardex processes Personal Data on behalf of Customer in the course of providing the Stardex platform.
1. Definitions
"Personal Data" means any information relating to an identified or identifiable natural person that is processed by Stardex on behalf of Customer through the platform.
"Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including the EU General Data Protection Regulation (GDPR), the UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and any other applicable data protection legislation.
"Controller" means the entity that determines the purposes and means of the Processing of Personal Data.
"Processor" means the entity that processes Personal Data on behalf of the Controller.
"Subprocessor" means any third party engaged by Stardex to process Personal Data on behalf of Customer.
"Data Breach" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data (a "Personal Data Breach" as defined in Article 4 of the GDPR).
"EEA SCCs" means the standard contractual clauses annexed to the European Commission's Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679.
"UK Addendum" means the international data transfer addendum to the EEA SCCs issued by the UK Information Commissioner under section 119A(1) of the Data Protection Act 2018.
"Special Category Data" has the meaning given in Article 9 of the GDPR.
2. Scope and Roles
2.1 Stardex as Processor. Where Customer is a Controller of Personal Data, Stardex acts as a Processor, processing Personal Data on behalf of Customer.
2.2 Stardex as Subprocessor. Where Customer is itself a Processor acting on behalf of a third-party Controller, Stardex acts as a Subprocessor of the Personal Data. In this case, Customer will comply with all Data Protection Laws that apply to Customer as a Processor, and Customer's agreement with its Controller will similarly require such compliance.
3. Details of Processing
Subject matter: Provision of the Stardex ATS and CRM platform.
Duration: For the term of the Agreement, plus any post-termination data retention period.
Nature and purpose: Storage, organization, retrieval, and AI-assisted processing of recruitment-related data to provide platform functionality.
Categories of data subjects: Candidates, clients, contacts, and end users of the platform.
Types of Personal Data: Names, contact information (email, phone, address), employment history, resumes/CVs, communication records, notes, assessments, and other recruitment-related data input by Customer.
Frequency of transfer: Continuous, for the duration of the Agreement.
4. Customer Obligations
Customer shall:
(a) Ensure it has a lawful basis for processing Personal Data and for instructing Stardex to process Personal Data on its behalf.
(b) Provide any required notices to, and obtain any required consents from, data subjects whose Personal Data is processed through the platform.
(c) Be responsible for the accuracy, quality, and legality of Personal Data provided to Stardex.
(d) Comply with all Data Protection Laws concerning its provision of Personal Data to Stardex and/or the Service, including making all required disclosures, obtaining all required consents, and implementing relevant safeguards required under Data Protection Laws.
5. Stardex Obligations
Stardex shall:
(a) Process Personal Data only on documented instructions from Customer, unless required to do so by applicable law (in which case Stardex will inform Customer before processing, unless prohibited by law). Stardex will immediately inform Customer if it is unable to follow the processing instructions.
(b) Ensure that persons authorized to process Personal Data are subject to confidentiality obligations.
(c) Implement appropriate technical and organizational measures to protect Personal Data (see Section 9).
(d) Not use Personal Data for any purpose other than providing the Services under the Agreement.
(e) Not use Personal Data to train AI models or any machine learning systems.
6. Subprocessors
6.1 Stardex uses third-party subprocessors to deliver the platform. Customer provides general written authorization for Stardex to engage subprocessors, subject to the following:
(a) Stardex will maintain a list of current subprocessors (see Annex B) including their identities, country of location, and anticipated processing tasks, and make it available to Customer upon request.
(b) Stardex will notify Customer in writing at least 30 business days in advance of any intended change to the subprocessors, whether by addition or replacement, so that Customer has sufficient time to object before Stardex begins using the new subprocessor(s). Stardex will give Customer the information necessary to allow Customer to exercise its right to object.
(c) Customer has 30 days after notice of a change to the subprocessors to object, otherwise Customer will be deemed to accept the changes. If Customer objects within 30 days, Customer and Stardex will cooperate in good faith to resolve Customer's objection or concern. If the parties cannot resolve the objection, either party may terminate the affected Services.
(d) Stardex will enter into written agreements with each subprocessor that ensure the subprocessor only accesses and uses Personal Data (i) to the extent required to perform the obligations subcontracted to it, and (ii) consistent with the terms of the Agreement. These agreements will impose data protection obligations no less protective than those in this DPA.
(e) If the GDPR applies to the processing, the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR) will also be imposed on the subprocessor, and Stardex's agreement with the subprocessor will incorporate these obligations.
(f) At Customer's request, Stardex will share a copy of its agreements with its subprocessors. To the extent necessary to protect business secrets or other confidential information, Stardex may redact the text prior to sharing.
(g) Stardex will be liable for the acts and omissions of its subprocessors to the same extent Stardex would be liable if performing the services directly. Stardex will notify Customer of any failure by its subprocessors to fulfill a material obligation regarding Personal Data.
7. International Transfers
7.1 Authorization. Customer agrees that Stardex may transfer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Stardex transfers Personal Data to a territory for which the European Commission or other relevant supervisory authority has not issued an adequacy decision, Stardex will implement appropriate safeguards for the transfer consistent with Data Protection Laws.
7.2 EEA Transfers. Customer and Stardex agree that if the GDPR protects the transfer of Personal Data, the transfer is from Customer within the EEA to Stardex outside of the EEA, and the transfer is not governed by an adequacy decision made by the European Commission, then by entering into this DPA, Customer and Stardex are deemed to have signed the EEA SCCs and their Annexes, which are incorporated by reference. Any such transfer is made pursuant to the EEA SCCs, which are completed as follows:
(a) Module Two (Controller to Processor) of the EEA SCCs applies when Customer is a Controller and Stardex is processing Personal Data for Customer as a Processor.
(b) Module Three (Processor to Sub-Processor) of the EEA SCCs applies when Customer is a Processor and Stardex is processing Personal Data on behalf of Customer as a Subprocessor.
(c) For each module, the following applies (when applicable):
(i) The optional docking clause in Clause 7 does not apply;
(ii) In Clause 9, Option 2 (general written authorization) applies, and the minimum time period for prior notice of subprocessor changes is 10 business days;
(iii) In Clause 11, the optional language does not apply;
(iv) All square brackets in Clause 13 are removed;
(v) In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of Ireland;
(vi) In Clause 18(b), disputes will be resolved in the courts of Ireland;
(vii) Annex I, Annex II, and Annex III of the EEA SCCs are completed using the information in Section 3, Section 9, and Annex B of this DPA respectively.
7.3 UK Transfers. Customer and Stardex agree that if the UK GDPR protects the transfer of Personal Data, the transfer is from Customer within the United Kingdom to Stardex outside of the United Kingdom, and the transfer is not governed by an adequacy decision made by the United Kingdom Secretary of State, then by entering into this DPA, Customer and Stardex are deemed to have signed the UK Addendum and its Annexes, which are incorporated by reference. Any such transfer is made pursuant to the UK Addendum, which is completed as follows:
(a) Section 7.2 of this DPA contains the information required in Table 2 of the UK Addendum.
(b) Table 4 of the UK Addendum is modified as follows: Neither party may end the UK Addendum as set out in Section 19 of the UK Addendum; to the extent the ICO issues a revised Approved Addendum under Section 18 of the UK Addendum, the parties will work in good faith to revise this DPA accordingly.
(c) Annex 1A, Annex 1B, Annex II, and Annex III of the UK Addendum are completed using the information in Section 3, Section 9, and Annex B of this DPA respectively.
7.4 Swiss Transfers. For Personal Data transfers where Swiss law (and not the law in any EEA member state or the United Kingdom) applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act or its successor instead, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.
8. Data Breach Notification
8.1 In the event of a Data Breach affecting Customer's Personal Data, Stardex will:
(a) Notify Customer without undue delay, and in any event within 72 hours of becoming aware of the breach.
(b) Provide Customer with sufficient information to enable Customer to meet its own breach notification obligations under Data Protection Laws, including the nature of the breach, categories of data affected, approximate number of records affected, likely consequences, and measures taken or proposed to address the breach.
(c) Promptly take reasonable steps to contain and investigate the breach, and cooperate with Customer to assist in the investigation, mitigation, and remediation of the breach.
8.2 Stardex's notification of or response to a Data Breach as required by this DPA will not be construed as an acknowledgment by Stardex of any fault or liability for the Data Breach.
9. Security Measures
Stardex implements and maintains appropriate technical and organizational security measures, including:
(a) Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
(b) Role-based access controls with multi-factor authentication for internal systems.
(c) Row-level security in the database for multi-tenant data isolation.
(d) Regular vulnerability assessments and annual third-party penetration testing.
(e) SOC 2 Type II compliance, with audit reports available to Customer upon request under NDA.
(f) Logging and monitoring of access to systems containing Personal Data.
(g) Secure software development practices, including peer-reviewed code changes and version-controlled deployments.
(h) Employee background checks and annual security awareness training.
(i) Endpoint protection, including malware protection software, disk encryption, and auto-lock policies.
(j) Firewall protections with deny-by-default rules on all production hosts.
(k) Zero-retention policies with AI providers (Anthropic, OpenAI, Microsoft Azure), as set forth in Stardex's contractual agreements with these providers: no Customer Data is stored by these providers after API requests complete, and no Customer Data is used by these providers to train, fine-tune, or improve their models.
10. Data Subject Rights
Stardex will assist Customer in responding to requests from data subjects exercising their rights under Data Protection Laws (such as access, correction, deletion, portability, and objection). Stardex will promptly notify Customer if it receives a request directly from a data subject, and will not respond to such requests directly unless authorized by Customer.
11. Response to Third-Party Inquiries
11.1 If Stardex receives any inquiry or request from a third party about the processing of Personal Data (including judicial, administrative, or regulatory agency orders, or requests from data subjects), Stardex will notify Customer about the request and will not respond without Customer's prior consent, unless prohibited by applicable law.
11.2 If allowed by applicable law, Stardex will follow Customer's reasonable instructions about these requests, including providing status updates and other information reasonably requested by Customer. Stardex will cooperate with and provide reasonable assistance to Customer, at Customer's expense, in any legal response or other procedural action taken by Customer in response to a third-party request about Stardex's processing of Personal Data under this DPA.
12. Data Protection Impact Assessments
If required by Data Protection Laws, Stardex will reasonably assist Customer, at Customer's expense, in conducting any mandated data protection impact assessments (DPIAs) or data transfer impact assessments (DTIAs) and consultations with relevant data protection authorities, taking into consideration the nature of the processing and Personal Data. Such assistance will be limited to providing information about Stardex's processing activities and security measures as described in this DPA.
13. Data Retention and Deletion
13.1 Deletion by Customer. Stardex will enable Customer to delete Personal Data in a manner consistent with the functionality of the Service. Stardex will comply with such instructions as soon as reasonably practicable, except where further storage is required by applicable law.
13.2 Deletion at Termination. Upon termination of the Agreement, Stardex will:
(a) Make Customer Data available for export for ninety (90) days following termination.
(b) After the 90-day period, securely delete or anonymize all Personal Data in its possession, unless retention is required by applicable law. If deletion is impracticable or prohibited by applicable law, Stardex will make reasonable efforts to prevent additional processing of Personal Data and will continue to protect the Personal Data remaining in its possession.
(c) Upon Customer's request, provide written confirmation of deletion. If Customer and Stardex have entered into the EEA SCCs or the UK Addendum as part of this DPA, Stardex will provide the certification of deletion described in Clause 8.1(d) and Clause 8.5 of the EEA SCCs upon Customer's request.
14. Audits
14.1 Audit Rights. Stardex will give Customer all information reasonably necessary to demonstrate its compliance with this DPA. Customer acknowledges that its primary audit mechanism will be the Security Reports described in Section 14.2 and the Security Due Diligence process described in Section 14.3. Where Customer can demonstrate that the information provided through these mechanisms is not sufficient to verify Stardex's compliance, Customer may conduct or commission an audit of Stardex's compliance with this DPA, not more than once per year, at Customer's own expense, upon at least 30 days' written notice, and subject to reasonable confidentiality obligations. Stardex may restrict access to data or information if Customer's access would negatively impact Stardex's intellectual property rights, confidentiality obligations, or other obligations under applicable law.
14.2 Security Reports. Stardex is regularly audited against its security standards by independent third-party auditors. Upon written request, Stardex will give Customer, on a confidential basis, a copy of its most recent SOC 2 Type II report or equivalent third-party audit report so that Customer can verify Stardex's compliance.
14.3 Security Due Diligence. In addition to audit reports, Stardex will respond to reasonable requests for information made by Customer to confirm Stardex's compliance with this DPA, including responses to information security, due diligence, and audit questionnaires. Such requests must be in writing, directed to support@stardex.ai, and may only be made once per year.
14.4 Compliance Records. Stardex will maintain records of its compliance with this DPA for 3 years after the DPA ends.
15. Liability
15.1 Liability Caps. To the maximum extent permitted under Data Protection Laws, each party's total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.
15.2 Related-Party Claims. Any claims made against Stardex or its affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.
15.3 Exceptions. This DPA does not limit any liability to an individual about the individual's data protection rights under Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.
16. Conflicts Between Documents
This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.
17. Term
This DPA will be effective when Customer accepts the Agreement and will continue until the Agreement expires or is terminated. However, both parties will remain subject to the obligations in this DPA and Data Protection Laws until Customer stops transferring Personal Data to Stardex and Stardex stops processing Personal Data.
Annex A: Standard Contractual Clauses
The EEA SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA by reference as described in Section 7.2. By entering into this DPA, the parties are deemed to have signed the EEA SCCs. The Annexes to the EEA SCCs are completed as follows:
Annex I(A) - List of Parties:
Data exporter: Customer, as identified in the Agreement. Contact: Customer's account administrator. Role: Controller (Module 2) or Processor (Module 3).
Data importer: SedimentIQ Corp (dba Stardex), 169 Madison Ave #2089, New York, NY, 10016. Contact: support@stardex.ai. Role: Processor (Module 2) or Subprocessor (Module 3).
Annex I(B) - Description of Transfer: As described in Section 3 of this DPA.
Annex I(C) - Competent Supervisory Authority: The supervisory authority of the EU member state in which the data exporter is established. Where the data exporter is not established in the EU, the supervisory authority of the EU member state in which the data exporter's EU representative is established. Where the data exporter is not required to appoint an EU representative, the Irish Data Protection Commission.
Annex II - Technical and Organizational Measures: As described in Section 9 of this DPA.
Annex III - List of Subprocessors: As described in Annex B of this DPA.
Annex B: List of Subprocessors
Amazon Web Services (AWS): Cloud hosting and infrastructure - United States
Vercel: Frontend hosting - United States
Google Cloud Platform: Cloud services - United States
Stripe: Payment processing - United States
Clerk: Authentication and user management - United States
Nylas: Email integration (where customer opts in) - United States
Anthropic: AI model provider (Claude models) - United States
OpenAI: AI model provider (GPT models) - United States
Microsoft: Azure AI model provider (Azure OpenAI Service) - United States
Slack: Customer support communications - United States
Plain: Customer support platform - United States
Inngest: Durable backend task execution - United States
This list is current as of the Last Updated date above. Customers will be notified of changes per Section 6.
Annex C: Security Measures (Technical and Organizational Measures)
The following technical and organizational measures are implemented by Stardex to protect Personal Data:
Encryption: All data is encrypted in transit using TLS 1.2+ and at rest using AES-256. All production databases storing customer data are encrypted at rest.
Access Controls: Role-based access controls restrict access to Personal Data to authorized personnel only. Multi-factor authentication is required for access to all critical systems. Access is provisioned on the principle of least privilege. Access reviews are conducted quarterly by the Information Security Officer.
Network Security: Production databases are not accessible from the public internet. All production hosts are protected by firewalls with deny-by-default rules. API requests are authenticated using JWT tokens, which are validated on every request.
Multi-Tenant Isolation: Row-level security is implemented in the database, with every table including organization and team identifiers to enforce tenant boundaries.
Vulnerability Management: Regular vulnerability scans are conducted. Annual penetration testing is performed by a qualified third-party provider. Vulnerabilities are tracked and remediated according to documented policy.
Monitoring: Continuous monitoring of critical assets for performance, capacity, and security anomalies. Infrastructure is configured to generate and review audit events for security-relevant actions.
Endpoint Security: Endpoints with access to critical systems are protected by malware-protection software, disk encryption, and auto-screen-lock after 15 minutes of inactivity.
Personnel Security: Background checks are performed on all employees. Annual security awareness training is required for all staff. Employees acknowledge security policies upon hire and annually thereafter.
Incident Response: A documented incident response plan is maintained and tested. Security incidents are logged, investigated, and remediated.
Business Continuity: Documented business continuity and disaster recovery plans are maintained and tested. Daily backups are maintained with verified integrity. Backups are retained for up to 30 days on a rolling basis.
AI Provider Controls: Third-party AI providers (Anthropic, OpenAI, Microsoft Azure) operate on a zero-retention basis. Customer Data is processed in real-time and not stored after the API request completes. No Customer Data is used for model training, fine-tuning, or improvement.
Development Practices: Secure software development lifecycle with version-controlled source code, peer-reviewed code changes, and segregated development/production environments.