Skip to main content
BoardStack logo BoardStack logo

Data Processing Agreement

Last updated: April 14, 2026

This DPA is available upon request for enterprise customers. Contact us at [email protected] to request a signed copy.

Purpose

This Data Processing Agreement ("DPA") sets out the terms under which Ventora Labs C Corp processes personal data on behalf of enterprise customers who are subject to GDPR, CCPA, or similar data protection regulations. The DPA supplements and is incorporated into the BoardStack Terms of Service.

BoardStack acts as a data processor with respect to personal data that enterprise customers upload or generate through the platform. The customer acts as the data controller and retains responsibility for determining the purposes and means of processing.

GDPR and CCPA Compliance

BoardStack is committed to processing personal data in accordance with applicable data protection law, including the General Data Protection Regulation (GDPR) for customers in the European Economic Area and the California Consumer Privacy Act (CCPA) for California residents. We implement technical and organizational measures appropriate to the risk of processing.

We process personal data only on documented instructions from the customer, unless required by law to do otherwise. Our sub-processors are bound by data protection terms no less protective than those in this DPA, and we maintain an up-to-date public list at /subprocessors.

Data Subject Rights

We assist enterprise customers in responding to data subject requests, including requests for access, rectification, erasure, restriction, and portability. When we receive a request directly from a data subject, we will promptly notify the customer and await their instructions before responding.

Enterprise customers may export all community data in machine-readable format from the account settings at any time. Upon termination, we will delete or return all personal data within 90 days unless retention is required by law.

Security Measures

We implement appropriate technical and organizational security measures including encryption at rest and in transit, access controls, regular security assessments, and incident response procedures. We will notify enterprise customers of any data breach affecting their data within 72 hours of becoming aware of it.

Contact

To request a signed DPA or for questions about data processing, contact our privacy team at [email protected] .