Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Taskachu (“Processor”, “we”, “us”) and the customer (“Controller”, “you”) using the Taskachu service (the “Service”). It reflects the parties’ obligations under the General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR, and analogous data-protection laws.
If you need a signed counterpart for procurement records, email andrii.nadosha@shally.app — we’ll send back a countersigned copy within one business day. Until then, the text on this page is the canonical DPA between us.
1. Roles & subject matter
You are the Controller of any personal data you submit to the Service (workspace members, document contents, card assignees, imported records). We are the Processor and process this data only on your instructions, as set out in the Terms of Service, this DPA, and the Service’s configuration.
2. Nature, purpose, and duration of processing
- Nature — storage, retrieval, indexing (including for retrieval-augmented AI features), collaboration, and synchronisation across the Controller’s chosen integrations.
- Purpose — to provide the Service as described in the Terms of Service and the marketing site.
- Duration — for the term of the Controller’s subscription, plus the period required for return / deletion described in § 9.
3. Categories of data subjects and personal data
The personal data processed under this DPA is limited to what the Controller chooses to submit. Typical categories include:
- Data subjects — the Controller’s workspace members, the Controller’s end customers (where named in imported tickets), and other individuals named in documents or cards the Controller creates.
- Personal data categories — contact data (name, email), authentication data (Firebase identifiers), content data (whatever the Controller writes into cards and documents), usage data (timestamps, IP addresses for security logging), and any further categories the Controller chooses to include.
We do not process special-category data (GDPR Article 9) as part of the Service. If the Controller submits such data, it does so at its own risk and outside the scope of this DPA.
4. Processor obligations
Taskachu agrees to:
- Process personal data only on the documented instructions of the Controller, including with regard to transfers of personal data to a third country.
- Ensure that persons authorised to process the personal data have committed themselves to confidentiality.
- Take all measures required pursuant to Article 32 GDPR — see § 6 below.
- Assist the Controller, taking into account the nature of processing, in fulfilling its obligation to respond to data-subject requests (Articles 12–22 GDPR).
- Assist the Controller in ensuring compliance with the obligations of Articles 32–36 GDPR (security, breach notification, DPIAs).
- At the choice of the Controller, return or delete all personal data after the end of provision of services (see § 9).
- Make available all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, by the Controller or another auditor mandated by the Controller, subject to reasonable confidentiality and scheduling.
5. Sub-processors
The Controller authorises Taskachu to engage sub-processors for the performance of the Service. The current list of sub-processors is set out in our Security page § 5 and in our Privacy Policy § 4.
Taskachu will:
- Impose, by way of a contract, data-protection obligations on each sub-processor that are no less protective than those in this DPA.
- Remain fully liable to the Controller for the performance of each sub-processor.
- Notify the Controller of any intended additions or replacements of sub-processors at least 30 days in advance, giving the Controller the opportunity to object.
If the Controller objects to a new sub-processor on reasonable grounds and Taskachu cannot accommodate the objection, the Controller may terminate the affected workspace and receive a pro-rata refund of any prepaid fees.
6. Technical and organisational measures
The technical and organisational measures that Taskachu maintains pursuant to Article 32 GDPR are documented in our Security page, which forms an integral part of this DPA. They include, at minimum:
- Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
- Access control on a least-privilege basis with audit logging.
- Workspace-level isolation enforced at every API endpoint.
- Secrets management via AWS Secrets Manager with KMS encryption.
- Vulnerability disclosure programme and incident response policy with 72-hour breach notification target.
- Regular backup of customer data with encrypted storage.
Taskachu reserves the right to update its security measures, provided that updates do not materially decrease the level of protection.
7. International data transfers
Taskachu primarily processes personal data within the European Economic Area (EEA), with infrastructure in eu-west-1 (Ireland). Where personal data is transferred outside the EEA to a country without an adequacy decision — specifically to sub-processors based in the United States (OpenAI, Stripe, Resend, Firebase, AWS for global services) — the transfer is governed by the European Commission’s Standard Contractual Clauses (Module 2, Controller-to-Processor) executed between Taskachu and each sub-processor, with appropriate supplementary measures as required by the Schrems II ruling.
8. Data-subject requests
If a data subject makes a request to Taskachu that properly belongs to the Controller (access, rectification, erasure, portability, restriction, objection), Taskachu will:
- Promptly forward the request to the Controller.
- Not respond to the request itself, except on the Controller’s documented instructions.
- Provide reasonable assistance to the Controller in responding to the request, taking into account the nature of the processing.
Workspace owners can fulfil most data-subject requests directly through the Service: data export via Settings → Exports, and deletion via the per-document delete action or the workspace-wide “Delete all documents” action.
9. Return or deletion of personal data
On termination or expiry of the Controller’s subscription:
- The Controller has 30 days to export all personal data via the in-product export tools.
- After 30 days, Taskachu will permanently delete the personal data from active systems within a further 30 days, except where storage is required by applicable law.
- Backups containing personal data are retained for up to 90 days following deletion from active systems, after which they are overwritten in the normal backup rotation.
The account-deletion flow available in the Service triggers the same cascade on demand — see Security § 3.
10. Personal-data breach notification
Taskachu will notify the Controller without undue delay (and in any event within 72 hours of confirming the scope of the breach) after becoming aware of a personal-data breach affecting the Controller’s data. The notification will include the information required under Article 33(3) GDPR insofar as it is available to Taskachu at the time.
11. Audit rights
The Controller may, no more than once per calendar year and on at least 30 days’ written notice, audit Taskachu’s compliance with this DPA. Taskachu will respond to audit requests by providing:
- The most recent security and compliance documentation it has available (penetration test summaries, sub-processor list, this DPA, the Security page).
- Where reasonably necessary and proportionate, written responses to specific questions, subject to confidentiality.
- On-site audits only where the Controller demonstrates a specific concern that cannot be addressed by the above — with reasonable scheduling, scope, and the Controller bearing the cost.
12. Liability & precedence
Each party’s liability arising under or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service. In case of conflict, this DPA prevails over the Terms of Service with respect to the processing of personal data.
13. Term & termination
This DPA enters into effect on the date the Controller starts using the Service and remains in effect for the duration of the Controller’s subscription plus the post-termination period described in § 9.
14. Contact
For questions about this DPA, sub-processor changes, audit requests, or signed counterparts: andrii.nadosha@shally.app.