Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the Terms & Conditions between Dr Jacob Cable, an individual sole trader trading as streamboard with a contact address at 7 Kellands Row, Kingsbridge, TQ7 1LT, United Kingdom ("Processor"), and the customer ("Controller") who uses the Service on behalf of an organisation to process personal data about other people. It applies whenever the Controller's use of the Service involves streamboard processing personal data on the Controller's behalf within the meaning of the UK GDPR and the EU GDPR.
To enter into an executed counterpart of this DPA, or to request modifications for procurement / vendor-review purposes, email support@usestreamboard.com with your organisation's legal entity name. Smaller customers may rely on the published version of this DPA without signature as part of accepting the Terms.
1. Definitions
Capitalised terms not defined here have the meaning given in the UK GDPR, the EU GDPR, and the Terms.
- "Controller" means the customer organisation using the Service.
- "Processor" means streamboard.
- "Customer Personal Data" means personal data processed by streamboard on the Controller's behalf via the Service.
- "Sub-Processor" means any third party engaged by streamboard to process Customer Personal Data on its behalf (e.g. Cloudflare, Polar, Resend).
- "Data Protection Laws" means the UK GDPR, the Data Protection Act 2018, the EU GDPR (where applicable), and any other applicable data-protection or privacy laws.
2. Scope and Roles
The Controller appoints streamboard as a Processor to process Customer Personal Data solely for the purposes of providing the Service. The parties acknowledge that:
- The Controller determines the purposes and means of processing Customer Personal Data.
- streamboard processes Customer Personal Data only on documented instructions from the Controller, including with regard to transfers to a third country, unless required to do otherwise by applicable law (in which case streamboard will inform the Controller of that legal requirement, unless prohibited by law).
3. Subject Matter, Nature, Duration, Purpose, Data Categories, Data Subjects
- Subject matter: provision of the Service (generative-UI dashboards, organisations, comments, live-data API, billing).
- Nature of processing: hosting, storing, displaying, transmitting, backing up, deleting Customer Personal Data.
- Duration: for the term of the Controller's account with the Service, plus any retention periods set out in the Privacy Policy section 8.
- Purpose: to provide the Service and perform the obligations in the Terms.
- Categories of personal data: as set out in the Privacy Policy section 2 (account, authentication, session metadata, streamboard data and pushed state, token metadata, organisation membership, comments, notification preferences, push subscriptions, subscription & trial data, onboarding responses, terms-acceptance records, security & error telemetry).
- Categories of data subjects: the Controller's authorised users, members of the Controller's organisation, and any third parties whose personal data the Controller pushes into streamboard's live-data layer or includes within a streamboard spec.
4. Obligations of streamboard
streamboard shall:
- Process Customer Personal Data only on the Controller's documented instructions.
- Ensure that personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations.
- Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk (see section 7 below).
- Assist the Controller, taking into account the nature of processing, in fulfilling its obligation to respond to data-subject requests.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32–36 UK GDPR, taking into account the nature of processing and the information available to streamboard.
- At the choice of the Controller, delete or return all Customer Personal Data after the end of the provision of services, and delete existing copies unless retention is required by law. Account deletion (section 9 of the Privacy Policy) satisfies this on request.
- Make available to the Controller all information necessary to demonstrate compliance with this DPA, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable confidentiality and notice arrangements.
5. Sub-Processors
The Controller provides a general authorisation for streamboard to engage Sub-Processors. The current list of Sub-Processors is set out in the Privacy Policy section 5.
streamboard will use reasonable efforts to give the Controller at least 30 days' prior notice of any intended additions or replacements of Sub-Processors. During that period, the Controller may object on reasonable data-protection grounds; the parties will work in good faith to resolve any objection, and if unresolved, the Controller may terminate the affected portion of the Service.
streamboard remains liable to the Controller for the acts and omissions of its Sub-Processors to the same extent as if those acts and omissions were its own.
6. International Transfers
Where Customer Personal Data is transferred outside the UK / EEA to a Sub-Processor, the parties shall ensure appropriate safeguards under UK GDPR Chapter V / EU GDPR Chapter V, including (as applicable) the UK International Data Transfer Agreement (IDTA), the UK Addendum to the EU Standard Contractual Clauses, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), and / or the EU-US Data Privacy Framework. The Privacy Policy section 6 sets out the safeguards relied upon for each Sub-Processor.
7. Security
streamboard implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data. A summary of the current security posture is published at /security. Measures include:
- Encryption in transit (TLS 1.2+) for all data transmitted between users and the Service, between the Service and Sub-Processors, and between Cloudflare edge nodes and storage.
- Encryption at rest provided by Cloudflare D1 and R2.
- Authentication via Better Auth with hashed passwords and OAuth provider tokens; session-scoped tokens with server-side revocation.
- Per-streamboard data-push tokens stored as SHA-256 hashes; raw secrets shown only once at mint time.
- Per-request observability with request-id correlation, retained per Cloudflare Analytics Engine defaults.
- Principle of least privilege for operational access; secrets stored only in Cloudflare's secret manager.
- Soft-delete + 30-day grace before physical purge of customer data; cascade-delete of all owned resources on account erasure.
8. Personal Data Breaches
streamboard shall notify the Controller without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and in any event within 72 hours where feasible. The notification shall include the information specified in UK GDPR Art. 33(3) to the extent it is then available.
9. Data Subject Requests
streamboard shall, taking into account the nature of processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights under UK GDPR Chapter III. If streamboard receives a request directly from a data subject relating to the Controller's processing, streamboard will forward the request to the Controller without undue delay.
10. Liability and Term
Each party's liability under or in connection with this DPA shall be subject to the limitations and exclusions of liability set out in the Terms. This DPA shall remain in force for the duration of the Terms and shall survive termination to the extent necessary to give effect to its post-termination obligations (e.g. data return / deletion).
11. Governing Law
This DPA is governed by the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
12. Order of Precedence
In the event of any conflict between this DPA and the Terms with regard to processing of Customer Personal Data, this DPA prevails. In the event of any conflict between this DPA and a separately executed data-processing agreement signed by both parties for an enterprise contract, that signed agreement prevails.
13. Contact
For DPA enquiries or to request an executed counterpart, email support@usestreamboard.com.