1. Definitions
- Controller: the Customer — the entity that determines the purposes and means of processing personal data entered into Manager.
- Processor: Manager — processes personal data on behalf of the Controller to provide the service.
- Personal Data: any information relating to an identified or identifiable natural person, as defined by GDPR Article 4(1).
- Processing: any operation performed on personal data (storage, retrieval, use, disclosure, etc.).
2. Subject matter and duration
Manager processes personal data as described in the Privacy Policy solely to provide the services set out in the Terms of Service. Processing continues for the duration of the subscription and ceases upon account termination.
3. Nature and purpose of processing
Processing activities include:
- Storing workspace content (tasks, meetings, contacts, comments).
- Sending transactional emails on behalf of the Customer.
- Providing analytics and reporting features within the platform.
- Maintaining audit logs for security and compliance.
4. Types of personal data processed
- Name and email address of workspace members and contacts.
- Task and meeting content entered by the Customer.
- IP addresses and usage metadata for security purposes.
5. Processor obligations
Manager agrees to:
- Process personal data only on documented instructions from the Controller.
- Ensure that authorised personnel are subject to a duty of confidentiality.
- Implement appropriate technical and organisational security measures (encryption, access controls, non-root processes, security headers).
- Assist the Controller in responding to data subject rights requests where technically feasible.
- Notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach affecting the Controller's data.
- Delete or return all personal data upon termination of services, at the Controller's choice, unless retention is required by law.
6. Sub-processors
Manager uses the following sub-processors. By agreeing to this DPA, the Controller grants general authorisation for Manager to engage these sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Clerk | Authentication | USA (SCCs) |
| Stripe | Payment processing | USA (SCCs) |
Manager will inform the Controller of any intended changes to sub-processors with at least 14 days' notice, giving the Controller the opportunity to object.
7. International transfers
Where personal data is transferred outside the EEA or UK, Manager ensures appropriate safeguards are in place (Standard Contractual Clauses or equivalent mechanisms) in accordance with GDPR Chapter V.
8. Audit rights
Upon reasonable notice and no more than once per calendar year, the Controller may request a summary security audit report, or may instruct an independent auditor at the Controller's cost.