Data Processing Agreement

Effective: 10 June 2026
Version: v1.0

This Data Processing Agreement (the "DPA") is part of the Compass Terms of Service. You accept it when you accept the Terms at sign-up. You do not need to sign anything separately.

Here is what it is for, in plain terms. When you connect your own tools to Compass, or feed in data about your customers and audience, that data still belongs to you and your customers. You stay in charge of it. Compass acts on your instructions to process it and give you back marketing intelligence, plans, content, and reporting. UK GDPR Article 28 requires that arrangement to be set out in a written contract between us. This is that contract. It sits alongside our Privacy Notice, which covers the data we hold about you as your account holder, and our Sub-processor List, which names every third party that helps us run the service.

1. Who We Are and the Words We Use

Compass is provided by Starlight Tech Limited, a company registered in England and Wales.

  • Company name: Starlight Tech Limited
  • Company number: 17175089
  • Registered office: 71-75 Shelton Street, Covent Garden, London WC2H 9JQ
  • Contact for data protection: privacy@starlighttech.ai

In this DPA, "Starlight Tech", "Compass", "we", "us" and "our" mean Starlight Tech Limited. "You" and "your" mean the person or organisation that holds the Compass account.

Defined terms and their meanings:

  • Applicable Data Protection Law: The UK GDPR, the Data Protection Act 2018, the Privacy and Electronic Communications Regulations 2003, and any other data protection law that applies to processing under this DPA.
  • Connector: A third-party service you authorise Compass to access so it can power your dashboard.
  • Connector Data: Personal data Compass accesses through a Connector on your instruction.
  • Customer Personal Data: Personal data Compass processes on your behalf, including Connector Data and any other personal data you put into Compass.
  • Sub-processor: A third party we engage to help process Customer Personal Data.
  • Standard Contractual Clauses: The UK International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, issued by the Information Commissioner under section 119A of the Data Protection Act 2018, or any successor instrument in force at the time.

2. Your Role and Ours

You are the controller of Customer Personal Data. We are the processor. You decide what data goes into Compass and why; we process it on your instructions to deliver the service.

Where we process data about you as our customer, for example your account details and billing, we act as a controller in our own right. That processing is governed by the Privacy Notice, not this DPA.

This DPA takes effect when you accept the Terms of Service and lasts for as long as you use Compass. The deletion and return obligations in section 10 continue after it ends.

3. Our Instructions

We process Customer Personal Data only on your documented instructions. Your instructions are set out in this DPA, the Terms of Service, the Privacy Notice, and the settings you configure in Compass. If we believe an instruction breaks Applicable Data Protection Law, we tell you.

We do not use Customer Personal Data to train any artificial intelligence or machine learning model, whether ours or a Sub-processor's, unless you separately opt in. The default is off.

4. Confidentiality

Starlight Tech is a small, founder-led operation. Everyone with access to Customer Personal Data is bound by a duty of confidence, whether by contract or by statutory duty. Our Sub-processors are bound by equivalent confidentiality obligations through their own agreements with us.

5. Security

We put appropriate technical and organisational measures in place to protect Customer Personal Data against unauthorised or unlawful processing and against accidental loss, destruction, or damage, as required by Article 32 UK GDPR. The measures in force are summarised in Schedule 2 and reviewed at least once a year. A fuller user-facing summary is in our Security Statement.

6. Sub-Processors

You authorise us to engage Sub-processors to help provide the service. The current list, with each one's location and transfer mechanism, is maintained at our Sub-processor List.

We give you at least 30 days' notice before adding a new Sub-processor, by email and by in-product notification. You may object on reasonable data protection grounds during the notice period. If we cannot resolve your objection, you may cancel the affected services and receive a pro-rata refund.

Every Sub-processor is bound by data protection obligations no less protective than those in this DPA.

7. Helping You with Data Subject Requests

If one of your own customers or contacts exercises a data protection right, we help you respond, taking into account the nature of the processing. Where the request concerns data we hold on your behalf, you can export or delete that data through the data tools in your Compass account, and we will help with any request we are able to action for you.

8. Helping You Meet Your Wider Obligations

We assist you with your obligations under Articles 32 to 36 UK GDPR: security, breach notification, data protection impact assessments, and prior consultation with the regulator. Where you need to carry out a data protection impact assessment for an activity you run through Compass, we provide the information you reasonably need for it.

9. If There Is a Breach

If a personal data breach affects Customer Personal Data, we notify you without undue delay and within 72 hours of becoming aware of it. The notification covers what happened, the categories and approximate numbers of people and records affected, the likely consequences, and what we have done or propose to do about it.

10. Getting Your Data Back, and Deletion

When you stop using Compass, you have 30 days to ask us to export Customer Personal Data in a structured, commonly used, machine-readable format.

After that window, or earlier if you instruct us, we delete Customer Personal Data, except where we are required to keep some of it by law. Backups that contain Customer Personal Data are cleared on our standard backup rotation, which does not exceed 90 days.

11. Audit

We make available to you the information you need to show we are meeting this DPA and Article 28 UK GDPR. You, or someone you appoint, may audit our compliance on reasonable notice, no more than once a year unless a regulator requires otherwise. We may meet an audit request by providing recent third-party assurance reports, such as certification or penetration-test summaries.

12. International Transfers

Where Customer Personal Data moves outside the UK, the transfer is covered by the Standard Contractual Clauses or another lawful transfer mechanism. The routes and mechanisms in use are in Schedule 4, and the per-provider position is on the Sub-processor List. We carry out a transfer risk assessment for each restricted transfer and review it at least once a year.

13. Liability

Each party's liability under this DPA is subject to the limits of liability in the Terms of Service. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law.

14. Governing Law

This DPA is governed by the laws of England and Wales, and the courts of England and Wales have exclusive jurisdiction over any dispute arising from it.

Schedule 1: What We Process and Why

We process Customer Personal Data to provide marketing intelligence, coaching, content generation, and performance reporting inside Compass.

The categories of data subjects are your own customers, prospects, audiences, and contacts. The types of personal data depend on which Connectors you authorise and what you put into Compass. For each Connector, the provider, the data categories, the access scope, and the conditions we operate under are set out in full in the connector schedule, summarised on the Sub-processor List. You authorise every Connector individually and can disconnect any of them at any time in Settings.

At launch, Compass supports 18 Connectors across analytics, advertising, email, commerce, CRM, knowledge, reviews, scheduling, and search-trend sources. Where a Connector can carry free-text that might include special category data, we filter it and never use it to train a model.

Schedule 2: Security Measures

We keep the following measures in place and review them at least once a year.

Access control. Role-based access to production systems. Multi-factor authentication on all administrative accounts. No standing third-party access to the production database.

Encryption. Data in transit protected by TLS 1.2 or above. Data at rest in our database encrypted with AES-256.

Tenant isolation. Row Level Security in the database keeps each account's data separate. No cross-account queries.

Hosting. Production hosting with deployment protection and least-privilege configuration. Database hosted in the United Kingdom and European Union.

Backups. Automated daily backups retained for up to 90 days. Recovery tested at least once a year.

Logging. Application logs kept for 90 days. Authentication logs kept for 12 months. Alerting on administrative actions.

Vendor management. Sub-processor security reviewed before engagement and at least once a year afterwards.

Incident response. A documented process with 72-hour notification to controllers, exercised at least once a year.

Schedule 3: Sub-Processors

The current Sub-processors, with their service, location, and transfer mechanism, are maintained at the Sub-processor List. That page is the live record and is updated by notice in line with section 6. We do not reproduce a second copy here, so the two cannot drift apart.

Schedule 4: International Transfers

The United Kingdom is our primary place of processing. Where a Sub-processor operates outside the UK, we rely on one of the following:

  • Adequacy for the European Economic Area, Switzerland, the Crown Dependencies, and other adequacy-listed countries.
  • Standard Contractual Clauses approved by the European Commission, combined with the UK International Data Transfer Addendum issued under section 119A of the Data Protection Act 2018.
  • Approved certification schemes or codes of conduct where they apply.

We carry out a transfer risk assessment for each restricted transfer and review it at least once a year.

Contact

For any question about this agreement, email privacy@starlighttech.ai.

Change Log

  • v1.0, 10 June 2026. First publication.