1. Scope & roles
This Addendum applies when CourtStairs processes personal data within Customer Data on behalf of a business Customer. For that data, the Customer is the controller and CourtStairs is the processor under the GDPR (Regulation (EU) 2016/679). The Customer is responsible for having a lawful basis and any required consents.
2. How we process
We process Customer Data only to provide and support the service, and only on the Customer’s documented instructions (including these Terms and the Privacy Policy), for as long as the agreement lasts.
3. No model training
We do not use Customer Data to train public AI models, and our AI providers are contractually barred from doing so.
4. Confidentiality
Our staff and contractors who handle Customer Data are bound by confidentiality obligations.
5. Security
We use technical and organizational measures appropriate to the risk, including encryption in transit and at rest, row-level access controls so each customer reaches only its own data, least-privilege access, logging, and regular reviews.
6. Sub-processors
We use vetted sub-processors to run the service: Supabase (database and authentication), Vercel (hosting and analytics), Stripe (payments), Retell (voice calls), and AI model providers. Each is bound by data-protection terms consistent with Article 28 GDPR. We will give notice of new sub-processors and let you object on reasonable grounds.
7. International transfers
Core data is hosted in the EEA where available. Some processing (AI providers and voice calls) may occur outside the EEA. For such transfers we rely on appropriate safeguards under Chapter V GDPR, such as the European Commission’s Standard Contractual Clauses, together with technical and organizational measures.
8. Helping you comply
Taking into account the nature of processing, we will reasonably help you respond to data-subject requests (access, rectification, erasure, portability, objection), carry out data protection impact assessments, and meet your obligations under Articles 32–36 GDPR.
9. Personal data breaches
We will notify you without undue delay after becoming aware of a personal data breach affecting your Customer Data, with the information you need to meet your own notification duties to supervisory authorities and data subjects.
10. Return & deletion
On termination, we delete or return Customer Data on the schedule in our Privacy Policy, except records we must keep by law.
11. Audits
On reasonable request, we will make available the information needed to demonstrate compliance with this Addendum and Article 28 GDPR, and allow for and contribute to a reasonable audit, subject to confidentiality.
12. How this fits together
This Addendum forms part of the Terms of Service. If it conflicts with the Terms on the handling of Customer Data, this Addendum prevails for that data.
Data protection contact
Reach us at privacy@courtstairs.com.