This Data Processing Addendum ("DPA") forms part of the Pancake Laboratories Inc., DBA ShortStack.com ("ShortStack") Terms and Conditions of Service and Use of ShortStack.com, as amended and restated as of February 2026, the ShortStack Privacy Policy, and any other written or electronic agreement by and between ShortStack and its affiliates (collectively, "Pancake Laboratories, Inc." referred to herein as "Pancake") and the undersigned customer of ShortStack ("Customer") for the purchase of online services ("Services") from Pancake (the "Agreement") to reflect the parties' agreement with regard to the Processing of Personal Data.
How This DPA Becomes Effective
By executing the Agreement or by using the Services after the effective date of this DPA, Customer agrees to be bound by the terms of this DPA. If Customer has previously executed a DPA with Pancake, this DPA supersedes and replaces that prior DPA in its entirety as of the effective date. For enterprise customers requiring a separately executed DPA, Customer may contact Pancake at support@shortstack.com.
Data Processing Terms
In the course of providing the Services to Customer pursuant to the Agreement, Pancake may Process Personal Data on behalf of Customer. Both Pancake and Customer agree to comply with the following provisions with respect to any Personal Data submitted by or for Customer to Pancake or collected and processed by or for Customer using Pancake Services. In connection with the Services, the parties anticipate that Pancake may Process outside of the European Economic Area ("EEA"), Switzerland, the United Kingdom, and other jurisdictions, Personal Data in respect of which the Customer or any member of the Customer Group may be a data controller under applicable Data Protection Laws.
1. Definitions
In this DPA, the following terms shall have the meanings set out below and cognate terms shall be construed accordingly:
means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. "Control," for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity, or the power to direct or cause the direction of the management and policies of such entity, whether through ownership of voting securities, by contract, or otherwise.
means all laws, rules, regulations, and governmental requirements relating to the privacy, security, confidentiality, protection, or integrity of Personal Data that apply to either Party's performance under the Agreement, as amended, superseded, or replaced from time to time, including without limitation:
- (a) Regulation (EU) 2016/679 (the "GDPR");
- (b) the UK General Data Protection Regulation and the UK Data Protection Act 2018 (the "UK GDPR");
- (c) the Swiss Federal Act on Data Protection of 25 September 2020 and its implementing ordinances (the "nFADP");
- (d) the California Consumer Privacy Act, Cal. Civ. Code § 1798.100 et seq., as amended by the California Privacy Rights Act of 2020 (collectively, the "CPA");
- (e) the Canadian Personal Information Protection and Electronic Documents Act ("PIPEDA");
- (f) the Brazilian General Data Protection Law (Lei Geral de Proteção de Dados), Federal Law No. 13,709/2018 ("LGPD");
- (g) the Privacy Act 1988 (Cth) of Australia, as amended; and
- (h) any other applicable federal, state, provincial, or local data protection or privacy law.
means Customer and any of Customer's Affiliates.
means the entity which determines the purposes and means of the Processing of Personal Data, or as otherwise defined under Applicable Data Protection Laws (including "Business" under the CPA).
means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise Processed by Pancake or its Subprocessors.
means the identified or identifiable person to whom the Personal Data relates.
means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller to Processor), as set forth in Schedule 1 to this DPA.
means either the Data Processor or Data Controller, and "Parties" means both the Data Processor and Data Controller.
means any information relating to an identified or identifiable natural person that Pancake will Process or have access to as part of providing the Services, including any such information that is created by means of the Services, and including data defined as "Personal Information" under the CPA or any other Applicable Data Protection Law.
means any operation or set of operations which is performed upon Personal Data, including but not limited to collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure, or destruction of Personal Data.
means the entity which Processes Personal Data on behalf of the Controller, or as otherwise defined under Applicable Data Protection Laws (including "Service Provider" under the CPA).
means has the meaning given to it under the CPA.
means has the meaning given to it under the CPA.
means any (a) special categories of personal data as defined in Article 9 of the GDPR; (b) Personal Data relating to criminal convictions and offenses as defined in Article 10 of the GDPR; (c) "Sensitive Personal Information" as defined under the CPA; or (d) any similar category under other Applicable Data Protection Laws.
means any third party engaged by Pancake or its Affiliates to Process Personal Data in connection with the Services.
means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018, as may be revised from time to time.
2. Processing of Personal Data
2.1. Roles of the Parties
The parties acknowledge and agree that with regard to the Processing of Personal Data when using the Services provided by Pancake, Customer is the Controller, Pancake is the Processor, and that Pancake will engage Subprocessors pursuant to the requirements set forth in Section 5 "Subprocessors" below.
2.2. Customer's Processing of Personal Data
Customer shall, in its use of the Services, Process Personal Data in accordance with the requirements of Applicable Data Protection Laws. For the avoidance of doubt, Customer's instructions for the Processing of Personal Data shall comply with Applicable Data Protection Laws. Customer shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which Customer acquired Personal Data.
2.3. Pancake's Processing of Personal Data
Pancake shall treat Personal Data as Confidential Information and shall Process Personal Data in a manner compliant with Applicable Data Protection Laws. Pancake will only Process Personal Data to the extent necessary to perform the Services in accordance with the Agreement and in accordance with Customer's documented instructions, unless Processing is required by applicable law to which Pancake is subject, in which case Pancake shall (to the extent permitted by law) inform Customer of that legal requirement before the relevant Processing. Pancake shall immediately inform Customer if, in Pancake's opinion, an instruction from Customer infringes Applicable Data Protection Laws.
2.4. Prohibited Data
Customer will not provide (or cause to be provided) any Sensitive Data to Pancake for Processing under the Agreement, and Pancake will have no liability whatsoever for Sensitive Data, whether in connection with a Customer Data Incident or otherwise.
2.5. Details of the Processing
The subject-matter of Processing of Personal Data by Pancake is the performance of the Services pursuant to the Agreement. The duration of the Processing, the nature and purpose of the Processing, the types of Personal Data, and categories of Data Subjects Processed under this DPA are further specified in Annex I.B (Description of Transfer) to this DPA.
2.6. Restrictions on Use of Personal Data
Pancake shall not:
- (a) Sell or Share Customer Personal Data;
- (b) retain, use, disclose, or otherwise Process Customer Personal Data for any purpose other than for the specific business purposes of performing the Services under the Agreement;
- (c) retain, use, disclose, or otherwise Process Customer Personal Data outside of the direct business relationship between Pancake and Customer; or
- (d) combine Customer Personal Data with personal data that Pancake receives from or on behalf of another person or that Pancake collects from its own interactions with individuals, except to the extent necessary to perform the Services.
2.7. Certification
Pancake certifies that it understands and will comply with the restrictions set forth in Section 2.6 and will notify Customer if it determines that it can no longer meet its obligations under this Section.
3. Rights of Data Subjects
3.1. Data Subject Request
Pancake shall promptly notify Customer if Pancake receives a request from a Data Subject to exercise their rights under Applicable Data Protection Laws with respect to Personal Data (including access, rectification, restriction, deletion, portability, or the right to correct, as applicable). Taking into account the nature of the request, Pancake shall assist Customer by appropriate technical and organizational measures, to the extent legally required, for the fulfillment of Customer's obligation to respond to a Data Subject Request under Applicable Data Protection Laws.
4. Pancake Personnel and Confidentiality
4.1. Confidentiality
Pancake shall ensure that its personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data and Service Data and have received appropriate training on their responsibilities.
4.2. Reliability
Pancake shall take commercially reasonable steps to ensure the reliability of any Pancake personnel who may have access to Customer Personal Data or who may be engaged in the Processing of Personal Data.
4.3. Limitation of Access
Pancake shall ensure that Pancake's access to Personal Data is limited to those Pancake personnel who need to know or access the relevant Personal Data while performing Services in accordance with the Agreement.
4.4. Data Protection Officer
Pancake has appointed a data protection officer, who can be reached at support@shortstack.com.
5. Subprocessors
5.1. Appointment of Subprocessors
Customer acknowledges and agrees that Pancake may engage third-party Subprocessors in connection with the provision of the Services. Pancake has entered into a written agreement with each Subprocessor imposing on the Subprocessor data protection obligations no less protective than those set forth in this DPA.
5.2. List of Current Subprocessors
Pancake maintains a current list of Subprocessors at https://www.shortstack.com/subprocessors/ (or such other URL as Pancake may designate). Customer may subscribe to notifications of changes to the Subprocessor list at that URL.
5.3. Notification of New Subprocessors
Pancake shall provide notification of a new Subprocessor(s) before authorizing any new Subprocessor(s) to Process Personal Data in connection with the provision of the applicable Services. Notification will be supplied via the mechanism described in Section 5.2.
5.4. Objection Right for New Subprocessors
Customer may object to Pancake's use of a new Subprocessor by notifying Pancake promptly in writing (via email to support@shortstack.com) within fifteen (15) business days after receipt of Pancake's notice. The objection must be based on reasonable grounds relating to data protection.
5.5. Resolution of Objections
In the event Customer objects to a new Subprocessor pursuant to Section 5.4, Pancake and Customer shall work together in good faith to find a mutually acceptable resolution. If the parties are unable to resolve such objection, either party may terminate the applicable Service by providing written notice to the other party. Customer shall receive a refund of any prepaid but unused fees for the period following the effective date of termination.
5.6. Liability
Where a Subprocessor fails to fulfill its data protection obligations under its agreement with Pancake, Pancake will remain liable to the Customer for the performance of such Subprocessor's data protection obligations.
6. Ownership of Service Data
As between Customer and Pancake, Customer retains all right, title, and interest in and to the Personal Data collected through use of the Services. For the avoidance of doubt, to the extent that the Agreement grants Pancake any license to use information submitted to ShortStack for the purpose of improving or modifying ShortStack, such license shall not apply to Personal Data, which is governed exclusively by this DPA.
7. Security
7.1. Controls for the Protection of Customer Data
Pancake will implement and maintain technical, physical, administrative, and organizational measures to protect Personal Data against theft, unauthorized or unlawful acquisition, access, or Processing, accidental loss, destruction, alteration, or damage as described in Annex II (Technical and Organisational Measures) of this DPA, as well as any other minimum security requirements required by Applicable Data Protection Laws. Pancake will not materially decrease the overall security of the Services during a subscription term.
7.2. Security Documentation
Upon Customer's written request at reasonable intervals (not more than once per twelve-month period), Pancake shall make available to Customer that is not a competitor of Pancake (or Customer's independent, third-party auditor that is not a competitor of Pancake) documentation reasonably necessary to demonstrate Pancake's compliance with its obligations under this DPA, including Pancake's then-current security practices and procedures, subject to reasonable confidentiality obligations.
7.3. Audit Rights
Pancake shall allow for and contribute to audits and inspections conducted by Customer or an independent auditor mandated by Customer, for the purpose of demonstrating Pancake's compliance with its obligations under this DPA and Applicable Data Protection Laws. Such audits shall be subject to the following conditions:
- (a) Customer shall provide at least thirty (30) days' prior written notice;
- (b) audits shall be conducted during normal business hours and shall not unreasonably disrupt Pancake's operations;
- (c) audits shall not be conducted more than once per twelve-month period, unless required by a supervisory authority or following a Customer Data Incident;
- (d) any third-party auditor shall not be a competitor of Pancake and shall be bound by appropriate confidentiality obligations; and
- (e) Customer shall bear its own costs associated with any such audit.
7.4. Customer Responsibilities
Customer agrees that except as provided by this DPA, Customer is responsible for its secure use of the Services, including securing its account authentication credentials.
8. Breach of Personal Data Security
8.1. Notification
After becoming aware of a Customer Data Incident, Pancake shall notify Customer without undue delay, and in any event within forty-eight (48) hours. Pancake shall make reasonable efforts to identify the cause of such Customer Data Incident and take those steps as Pancake deems necessary and reasonable in order to remediate the cause of such Customer Data Incident to the extent the remediation is within Pancake's reasonable control. Pancake shall take reasonable measures to mitigate the effects and to minimize any damage resulting from the Customer Data Incident. The obligations herein shall not apply to incidents that are caused by Customer or Customer's users.
8.2. Content of Notification
Pancake's notice shall include the following information to the extent it is reasonably available to Pancake at the time of the notice, and Pancake shall update its notice as additional information becomes reasonably available:
- (a) the dates and times of the Customer Data Incident;
- (b) the facts that underlie the discovery of the Customer Data Incident;
- (c) a description of the Personal Data involved in the Customer Data Incident; and
- (d) the measures planned or underway to remedy or mitigate the vulnerability giving rise to the Customer Data Incident.
8.3. Cooperation
Pancake shall cooperate with Customer and take commercially reasonable steps to assist Customer in complying with its obligations under Articles 33 and 34 of the GDPR (or equivalent provisions under other Applicable Data Protection Laws), including any obligation to notify a supervisory authority or communicate a breach to affected Data Subjects, taking into account the nature of the Processing and the information available to Pancake.
9. Data Protection Impact Assessments
Pancake shall provide reasonable assistance to Customer with any data protection impact assessments, and prior consultations with supervisory authorities or other competent data privacy authorities, which Customer reasonably considers to be required by Applicable Data Protection Laws, in each case solely in relation to Processing of Personal Data by, and taking into account the nature of the Processing and information available to, Pancake.
10. Data Return and Deletion
10.1. Duration of Processing
Pancake will Process Personal Data for the duration of the Agreement, unless otherwise agreed upon in writing.
10.2. Termination
Following termination or expiration of the Agreement ("Termination of Service"), Pancake shall, within thirty (30) days, delete Customer Personal Data. Pancake may retain Personal Data to the extent and for such period required by Applicable Data Protection Laws.
10.3. Customer Request
Subject to Section 10.4, Customer may by written notice (via email) to Pancake at support@shortstack.com within seven (7) days of the Termination of Service require Pancake to (a) return a complete copy of all Customer Personal Data to Customer in a commonly used machine-readable format; and (b) delete and procure the deletion of all other copies of Customer Personal Data Processed by Pancake and any Subprocessor.
10.4. Legal Retention
Pancake and Subprocessors employed by Pancake may retain Customer Personal Data to the extent required by Applicable Data Protection Laws and only to the extent and for such period as required by such laws, provided that Pancake shall ensure the confidentiality of all such Customer Personal Data and shall ensure that such Customer Personal Data is only Processed as necessary for the purpose(s) specified in the applicable laws requiring its storage and for no other purpose. Upon expiration of any applicable legal retention period, Pancake shall delete or destroy all remaining Customer Personal Data within thirty (30) days.
11. International Data Transfers
11.1. Data Center Locations
Customer acknowledges that Pancake may transfer and Process Customer Data to and in the United States and anywhere else in the world where Pancake or its Subprocessors maintain data processing operations. Pancake shall at all times ensure that such transfers are made in compliance with the requirements of Applicable Data Protection Laws and this DPA.
11.2. Transfers Outside of Europe
In connection with the Services, the parties anticipate that Pancake will transfer outside of the European Economic Area ("EEA"), Switzerland, and the United Kingdom to Pancake's Services environment located in the United States, and Process Personal Data in respect of which the Customer or any member of the Customer Group may be a data controller under Applicable Data Protection Laws.
11.3. Transfer Mechanisms
With respect to transfers of Personal Data under this DPA from the EEA, Switzerland, and/or the United Kingdom to countries which do not ensure an adequate level of data protection within the meaning of Applicable Data Protection Laws, Pancake makes available the following transfer mechanisms:
11.3.1. EU SCCs
The EU SCCs set forth in Schedule 1 to this DPA shall apply to transfers subject to the GDPR.
11.3.2. Swiss Transfers
The EU SCCs set forth in Schedule 1 to this DPA shall apply to transfers subject to the nFADP, with the modifications required to comply with the nFADP, including that the competent supervisory authority shall be the Swiss Federal Data Protection and Information Commissioner, and disputes shall be resolved before the courts of Switzerland.
11.3.3. UK Transfers
The UK Addendum, completed with the relevant information set out in the Annexes to this DPA, shall apply to transfers subject to the UK GDPR. The UK Addendum shall be governed by the laws of England and Wales, and disputes shall be resolved before the courts of England and Wales.
11.3.4. EU-U.S. Data Privacy Framework
Pancake has certified its adherence to the EU-U.S. Data Privacy Framework (EU-U.S. DPF) and the Swiss-U.S. Data Privacy Framework (Swiss-U.S. DPF) as set forth by the U.S. Department of Commerce. Pancake will maintain its DPF certification for the term of the Agreement and will provide at least the level of privacy protection required by the DPF Principles. Details of Pancake's certification are available at https://www.dataprivacyframework.gov/.
11.3.5. Order of Precedence
In the event that Services are covered by more than one transfer mechanism, the transfer of Personal Data will be subject to a single transfer mechanism in accordance with the following order of precedence: (a) the Standard Contractual Clauses (including the UK Addendum, as applicable); and (b) Pancake's EU-U.S. Data Privacy Framework certification.
12. Miscellaneous
12.1. Limitation of Liability
Any claims brought in connection with this DPA (including, where applicable, the SCCs) shall be subject to the Terms and Conditions, including but not limited to the exclusions and limitations set forth in the Agreement. In no event shall any party limit its liability with respect to any Data Subject rights under this DPA.
12.2. EU GDPR
Pancake will Process Personal Data in accordance with the GDPR requirements directly applicable to Pancake's provision of its Services.
12.3. Legal Effect
This DPA becomes legally binding upon Customer's execution of the Agreement or, where applicable, upon Customer's use of the Services following the effective date of this DPA.
12.4. Modification of DPA
This DPA may not be amended or modified except through a written agreement signed by both Parties hereto, or through Pancake's publication of an updated DPA to which Customer assents by continued use of the Services.
12.5. Duration
The DPA will remain in force as long as Pancake Processes Personal Data on behalf of Customer under the Agreement.
12.6. Entire DPA
This DPA, together with its Schedules and Annexes, constitutes the entire agreement between the Parties with respect to the subject matter hereof and supersedes all prior or contemporaneous data processing agreements or addenda between the Parties.
List of Schedules and Annexes
- Schedule 1: Standard Contractual Clauses (EU SCCs, Module Two: Controller to Processor)
- UK Addendum: International Data Transfer Addendum to the EU SCCs
- Annex I.A: List of Parties
- Annex I.B: Description of Transfer
- Annex II: Technical and Organisational Measures
- Annex III: List of Subprocessors
Annex I
A. List of Parties
Data Exporter
- Name: The Customer identified in the Agreement
- Address: As set forth in the Agreement
- Contact person: As set forth in the Agreement
- Activities: Use of the ShortStack platform and Services as described in the Agreement
- Role: Controller
Data Importer
- Name: Pancake Laboratories, Inc.
- Address: 50 Washington Street, Suite 301, Reno, Nevada 89503, USA
- Contact: Data Protection Officer, support@shortstack.com
- Activities: Data importer operates a cloud-based marketing services platform, including online forms, contests, and interactive marketing features. The data importer will host and Process Personal Data in the course of providing its cloud-based Services to data exporter pursuant to the Agreement.
- Role: Processor
B. Description of Transfer
Categories of Data Subjects
Data exporter may submit Personal Data to the Pancake Services, the extent of which is determined and controlled by the data exporter in its sole discretion, and which may include, but is not limited to, Personal Data relating to the following categories of data subjects: data exporter's contacts and other end users, including data exporter's collaborators, customers, prospects, employees, agents, advisors, freelancers, and suppliers (who are natural persons).
Categories of Personal Data Transferred
The Personal Data transferred may include, but is not limited to: first and last name; professional information (title, position, employer); contact information (email, phone, physical address); form submission data; social media interaction data (imported comments, posts collected through ShortStack Feeds); campaign interaction data (campaign views, entry storage records); application integration data; system usage data; and other electronic data submitted to the Services by the data exporter.
Special Categories of Data
Data exporter may submit special categories of data to the Pancake Services, the extent of which is determined and controlled by the data exporter in its sole discretion. For the sake of clarity, this includes Personal Data with information possibly revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, trade-union membership, and the processing of data concerning health or sex life. Pursuant to Section 2.4 of the DPA, Customer shall not provide Sensitive Data to Pancake for Processing.
Frequency of Transfer
Continuous, for the duration of the Agreement.
Retention Period
For the duration of the Agreement, and thereafter in accordance with Section 10 of the DPA.
Nature of the Processing
The data importer will host and Process Personal Data in the course of providing its cloud-based Services to data exporter pursuant to the Agreement, including collection, storage, organization, structuring, retrieval, use, disclosure by transmission, and erasure or destruction.
Purpose of the Data Transfer
The purpose of the data transfer is the provision of the Services by Pancake to Customer, including the operation of interactive marketing campaigns, online forms, contests, data collection, social media integration, and related cloud-based marketing features.
Annex II — Technical and Organisational Measures
Pancake observes the technical and organizational security measures described in its Comprehensive Security Documentation and at /security-faqs. Pancake reserves the right to modify or update these practices at its sole discretion provided that such modification and update does not result in a material degradation in the protection offered by these practices. These measures include, without limitation:
- Encryption of Personal Data in transit (TLS 1.2 or higher) and at rest
- Access controls and authentication measures, including role-based access and multi-factor authentication for administrative access
- Regular vulnerability scanning and penetration testing
- Network security measures including firewalls and intrusion detection
- Employee security awareness training
- Physical security measures at data processing facilities
- Regular backups and disaster recovery procedures
- Logging and monitoring of access to Personal Data
Annex III — List of Subprocessors
A current list of Subprocessors is maintained at /subprocessors and is incorporated herein by reference. Customer may subscribe to notifications of changes to the Subprocessor list at that URL.
Schedule 1 — Standard Contractual Clauses (EU SCCs)
The Standard Contractual Clauses approved by the European Commission in Implementing Decision (EU) 2021/914 of 4 June 2021, Module Two (Controller to Processor), are incorporated herein by reference. The parties agree that:
The optional docking clause is included.
OPTION 2 (general written authorization) is selected. Pancake shall inform the data exporter of any intended changes to the list of sub-processors through the mechanism described in Section 5 of the DPA, allowing the data exporter to object to such changes within fifteen (15) business days.
The optional language regarding independent dispute resolution is not included.
The supervisory authority of the EU member state in which the data exporter is established, or, where the data exporter is not established in the EU, the supervisory authority of the EU member state where the data exporter's EU representative is established, shall act as the competent supervisory authority. Where neither applies, the supervisory authority of the member state where the Data Subjects most affected by the transfer are located shall act as competent supervisory authority.
The SCCs shall be governed by the laws of Ireland.
Disputes shall be resolved before the courts of Ireland.
UK Addendum to the EU SCCs
For transfers subject to the UK GDPR, the UK Addendum (International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, Version B1.0, in force 21 March 2022, as issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018) is incorporated herein by reference, completed with the information set out in the Annexes to this DPA. In the event of any conflict between the UK Addendum and the EU SCCs, the UK Addendum shall prevail to the extent of the conflict for transfers subject to the UK GDPR.
Related Documents:
Have Questions?
Data Protection Officer available upon request
For questions or concerns about this Data Processing Addendum, get in touch with our team.
Contact Us