Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) forms an integral part of the Terms of Service or Subscription Agreement (collectively, the “Agreement”) between Taskforce.sh Inc. (“Processor”) and you, the Client (“Controller”). By agreeing to the Agreement—whether through signing up as an individual user or subscribing as an organization—you automatically accept the terms of this DPA. This DPA governs the processing of personal data by Taskforce.sh Inc. on behalf of the Controller in accordance with applicable data protection laws, including the GDPR.

1. Definitions

• “Controller” : The entity determining the purposes and means of processing personal data. For organizational subscriptions, this is the subscribing organization; for individual users, this may be Taskforce.sh Inc. itself (see Section 2).
• “Processor” : Taskforce.sh Inc., which processes personal data on behalf of the Controller.
• “Personal Data” : Any information relating to an identified or identifiable natural person (“Data Subject”).
• “Processing” : Any operation performed on personal data, including collection, storage, use, or deletion.

2. Scope and Applicability

Organizational Subscriptions : When an organization subscribes to Taskforce.sh and provides personal data (e.g., of employees or authorized users), the organization acts as the Controller, and Taskforce.sh serves as the Processor.

Individual Users : When an individual signs up directly without an organizational subscription, Taskforce.sh acts as the Controller of their personal data. In such cases, the Processor-specific obligations of this DPA do not apply, but relevant provisions (e.g., security, data subject rights) remain in effect.

Automatic Inclusion : This DPA is automatically binding upon acceptance of the Agreement, eliminating the need for separate signatures.

3. Purpose of Processing

Taskforce.sh will process personal data to provide its services, including:

• User authentication and access to the Taskforce.sh dashboard.
• Subscription management, such as payment processing and invoicing.

4. Categories of Personal Data

The following types of personal data may be processed:

• Login Data : Email addresses and passwords (managed via Auth0).
• Subscription Data : Names, contact details, and payment information (processed via Stripe for subscribers).

5. Obligations of the Processor

Taskforce.sh, as the Processor, agrees to:

• Process personal data only based on the Controller’s documented instructions, as outlined in the Agreement or provided via the service.
• Implement robust technical and organizational measures, such as encryption and access controls, to protect personal data.
• Engage sub-processors (e.g., Auth0 for authentication, Stripe for payments) under agreements ensuring GDPR compliance.
• Assist the Controller in responding to Data Subject Access Requests (DSARs) and fulfilling other GDPR obligations.
• Manage data retention and deletion as follows:
  • Login Data : Deleted upon account termination.
  • Subscription Data : Retained for 7 years to comply with legal obligations, then deleted.
• Notify the Controller of any personal data breach within 72 hours of discovery.

6. International Data Transfers

Personal data may be transferred to sub-processors located outside the European Economic Area (e.g., Auth0 and Stripe in the U.S.). Such transfers are safeguarded by Standard Contractual Clauses (SCCs) or other GDPR-approved mechanisms.

7. Amendments

Taskforce.sh reserves the right to update this DPA to reflect changes in applicable laws or its operations. You will be notified of significant updates via email or through the Taskforce.sh dashboard. Continued use of the service following such updates constitutes acceptance of the revised DPA.

8. Governing Law

This DPA is governed by the laws of Sweden, aligning with Taskforce.sh’s operational jurisdiction.