Steppr

Data Processing Addendum

Effective April 25, 2026

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Steppr (“Processor”) and the customer that has accepted those Terms (“Controller”), and applies whenever Steppr processes personal data on the Controller’s behalf in connection with the Service. By accepting the Terms of Service, the Controller accepts this DPA.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms or in the applicable Data Protection Laws. “Data Protection Laws” means the EU GDPR (Regulation 2016/679), the UK GDPR and Data Protection Act 2018, the California Consumer Privacy Act (as amended by the CPRA), and any other comparable laws applicable to the processing.

2. Roles and scope

Controller determines the purposes and means of processing personal data submitted to the Service via the SDK or API (“Customer Personal Data”). Steppr processes Customer Personal Data only as a processor on Controller’s documented instructions, including those reflected in the Terms, this DPA, and the configuration the Controller chooses in the dashboard.

3. Nature, purpose, and categories of processing

  • Subject matter: hosting and processing Customer Personal Data so the Controller can deliver product tours, checklists, and in-app guidance to its end users.
  • Duration: for the term of the Controller’s subscription, plus the deletion period in §10.
  • Categories of data subjects: the Controller’s end users (the people who visit the websites or applications on which the SDK is installed).
  • Categories of personal data: end-user identifiers (anonymous cookie ID or external ID supplied by the Controller), traits the Controller chooses to send via identify(), page URLs, interaction events, IP address, and browser metadata.
  • Special categories: none. The Controller agrees not to send special categories of data (e.g. health, biometric, financial-account numbers) through the Service.

4. Controller responsibilities

The Controller represents and warrants that it has:

  • A lawful basis for collecting Customer Personal Data and providing it to Steppr;
  • Provided all required notices to its end users about the processing performed by Steppr; and
  • Configured the Service in accordance with applicable law (including consent banners where required).

5. Steppr’s obligations

Steppr will:

  • Process Customer Personal Data only on documented instructions from the Controller;
  • Ensure personnel authorized to process the data are bound by appropriate confidentiality obligations;
  • Implement the security measures described in §7;
  • Assist the Controller, taking into account the nature of the processing, in fulfilling the Controller’s obligations to respond to data-subject requests and to conduct DPIAs and prior consultations under Articles 32–36 of the GDPR;
  • Notify the Controller without undue delay (and within 72 hours of confirmation) of any Personal Data Breach affecting Customer Personal Data;
  • Make available all information reasonably necessary to demonstrate compliance with this DPA.

6. Sub-processors

The Controller authorizes Steppr to engage the following sub-processors to provide the Service:

  • Railway — application hosting and managed Postgres (United States).
  • Stripe — payment processing (United States).
  • Resend — transactional email delivery (United States / EU).
  • Bunny.net — CDN delivery of the SDK bundle (global edge).
  • Google Cloud (OAuth) — identity provider for sign-in via Google (United States).

Steppr will give the Controller at least 30 days’ prior notice of any new sub-processor by updating this list. The Controller may object on reasonable data-protection grounds; if Steppr cannot accommodate the objection, the Controller may terminate the affected portion of the Service for convenience.

7. Security measures

Steppr implements appropriate technical and organizational measures to protect Customer Personal Data, including:

  • Encryption in transit (TLS 1.2+) for all Service traffic;
  • Encryption at rest for the production database and backups;
  • Role-based access control with the principle of least privilege;
  • Audit logging of administrative actions and access to Customer Personal Data;
  • Secret management with periodic rotation;
  • Vulnerability scanning of dependencies and timely patching;
  • Segregation of production and non-production environments;
  • Background checks and confidentiality obligations for personnel with production access.

8. International transfers

Where transfers of Customer Personal Data outside the EEA, UK, or Switzerland are required, the parties agree to incorporate the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (Controller-to-Processor), and the UK International Data Transfer Addendum, by reference. Steppr acts as the data importer.

9. Data subject requests

If Steppr receives a request from a data subject relating to Customer Personal Data, Steppr will, without undue delay, forward it to the Controller and not respond directly unless required by law. Steppr will, taking into account the nature of the processing, assist the Controller in responding to such requests via the dashboard’s data export and deletion tools.

10. Return or deletion of data

On termination of the Service, Steppr will delete all Customer Personal Data within 30 days, except where retention is required by law. The Controller may export Customer Personal Data through the dashboard prior to deletion. Backups are deleted in accordance with Steppr’s rolling backup schedule, no longer than 35 days after production deletion.

11. Audits

Steppr will respond to reasonable written requests for information necessary to demonstrate compliance with this DPA. Where Data Protection Laws require an on-site audit, the Controller may conduct one (or appoint an independent third party who is not a competitor of Steppr) on at least 30 days’ written notice, no more than once per year, during business hours, and subject to confidentiality. Each party bears its own costs.

12. Liability

The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service.

13. Order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Customer Personal Data. The Standard Contractual Clauses (if applicable) prevail over both.

14. Contact

Data protection questions: privacy@steppr.io. To request a counter-signed copy of this DPA, email legal@steppr.io.