Stitch Data Processing Addendum
1. Scope
This Data Processing Addendum ("DPA") applies where Stitch processes personal data on behalf of a Client in connection with the Services, and forms part of the Agreement between Stitch and the Client.
2. Definitions
Terms used in this DPA have the meanings given in the Stitch Services Terms and Conditions, unless defined otherwise here.
3. Roles of the parties
For personal data contained in Client Data, the Client acts as the data user, controller, or equivalent business responsible for determining the purposes and means of processing, and Stitch acts as the data processor, service provider, or equivalent party processing the data on the Client's documented instructions.
Stitch may act as an independent data user or controller for limited information processed for its own legitimate business and legal purposes, including account administration, billing and payment records, fraud prevention, service security, legal compliance, communications with Client representatives, and management of the commercial relationship. Each party is independently responsible for complying with the legal obligations applicable to its role.
The Client is responsible for the lawful collection of Client Data, providing required privacy notices, obtaining required permissions or consents, determining the purposes for which Client Data is processed, and ensuring that its instructions to Stitch comply with applicable law. Stitch shall process Client Data only to provide the Services, on the Client's documented instructions, as required by applicable law, or as otherwise expressly permitted by the Agreement.
4. Processing instructions
Stitch processes Client Data to provide, maintain, secure, and support the Services, in accordance with the Client's use of the Platform and this DPA.
5. Nature and purpose of processing
Stitch processes Client Data for the purpose of digitising, structuring, storing, and making searchable the Client's tailoring business records, including through AI-assisted mapping and preview functions.
6. Categories of data and individuals
Categories of data may include customer profiles, measurements, orders, fabrics, preferences, alteration notes, and uploaded photographs. Categories of individuals may include the Client's own customers and Authorised Users.
7. Confidentiality
Stitch must preserve the confidentiality of Client Data and does not own the Client's customer data.
8. Security safeguards
Stitch maintains reasonable technical and organisational security safeguards, including encryption in transit and at rest, access controls, authentication safeguards, and secure cloud infrastructure.
9. Authorised personnel
Stitch uses personnel and service providers where required to deliver the Services, subject to confidentiality obligations.
10. Subprocessors
The Client provides general written authorisation for Stitch to engage subprocessors where reasonably necessary to provide, maintain, secure, or support the Services. Stitch shall conduct reasonable diligence before engaging a subprocessor; require the subprocessor to protect personal data through written contractual obligations appropriate to the services performed; remain responsible for the subprocessor's performance of its data protection obligations to the extent required by applicable law; and limit the subprocessor's access to personal data to what is reasonably necessary.
Stitch may change or appoint subprocessors during the term of the Agreement. Where a new subprocessor is expected to materially affect the processing of Client Data, Stitch will provide at least fourteen (14) days' advance notice by email or through the Platform. The Client may raise a reasonable, documented objection based on material data protection concerns during that notice period, and the parties will work in good faith to address it. Where no commercially reasonable alternative is available, either party may terminate the affected Service by written notice; the Client remains responsible for fees accrued before the effective termination date.
Stitch may appoint a subprocessor without advance notice where urgently necessary to address a security incident, service continuity, legal or regulatory requirements, or failure of an existing provider. In such circumstances, Stitch will notify the Client as soon as reasonably practicable.
11. International processing
The Client authorises Stitch and its subprocessors to process Client Data internationally where reasonably necessary to provide the Services. Where Client Data is processed outside the jurisdiction in which it was collected, Stitch will use reasonable contractual, technical, and organisational measures designed to protect the data, and will comply with applicable legal requirements governing international processing and transfers.
The Client acknowledges that the Services may depend on globally distributed infrastructure, personnel, and service providers, and that Stitch does not guarantee that Client Data will remain exclusively within one country.
12. Assistance with data requests
Stitch will provide reasonable assistance to the Client in responding to data subject requests relating to Client Data, to the extent required by applicable law.
13. Security incidents
Stitch shall notify the Client without undue delay after becoming aware of a confirmed personal data security incident affecting Client Data. Where reasonably practicable, Stitch will provide the initial notice within seventy-two (72) hours after confirming that the incident affects Client Data. The initial notice may be provided in stages and will include information then reasonably available concerning the nature of the incident, the categories of data affected, the likely consequences, measures taken or proposed, reasonable steps the Client may take, and a contact point for further information.
Stitch is not required to notify the Client of unsuccessful security events that do not result in unauthorised access, disclosure, alteration, loss, destruction, or material unavailability of Client Data. Notification does not constitute an admission of fault or liability. The Client is responsible for determining whether notice must be given to its customers, regulators, or other persons, although Stitch will provide reasonable assistance where required by applicable law.
14. Return and deletion
The Client may request a standard export of its available Client Data following termination. Stitch may permanently delete Client Data ninety (90) days after termination, unless law or a written agreement requires otherwise.
15. Audit and compliance information
Upon reasonable written request, Stitch will make available information reasonably necessary to demonstrate compliance with this Data Processing Addendum. Such information may include, where available and appropriate, descriptions of technical and organisational security measures, relevant policies or summaries, information concerning subprocessors, responses to reasonable security questionnaires, and available independent assessment or compliance information. Any information provided is subject to confidentiality obligations.
Where the information provided is not reasonably sufficient to demonstrate compliance, the Client may request an additional audit subject to the following conditions: no more than once in any twelve-month period, unless required by a regulator or following a confirmed material security incident; at least thirty (30) days' advance written notice; conducted during normal business hours; conducted in a manner that does not materially disrupt Stitch's operations; limited to systems, records, and processing relevant to that Client; performed by an independent auditor subject to confidentiality obligations; and conducted at the Client's expense.
Stitch may reject or limit any audit request that could compromise the security or confidentiality of other Clients; expose proprietary source code, models, prompts, architecture, or trade secrets; create unreasonable operational or security risk; or duplicate a recent audit or assessment already made available. Stitch does not claim to hold any particular security certification unless that certification has been expressly confirmed and remains current.
16. Liability relationship with the main Terms
Liability arising under this DPA is subject to the limitation of liability set out in the Stitch Services Terms and Conditions.
17. Duration
This DPA remains in effect for as long as Stitch processes Client Data on the Client's behalf under the Agreement.
18. Governing law
This DPA is governed by the same governing law as the Stitch Services Terms and Conditions: the laws of Hong Kong, with non-exclusive jurisdiction of the Hong Kong courts.