This Data Processing Amendment (“DPA”) forms part of the Terms of Service or Privacy Policy between Taskip (“Company”) and the Customer (“Controller”).
This DPA sets out the obligations of the parties regarding the processing of Personal Data in connection with the use of the Taskip website and services, in compliance with the EU General Data Protection Regulation (“GDPR”), UK GDPR, and the California Consumer Privacy Act (“CCPA”).
Definitions
- “Personal Data”: Information relating to an identified or identifiable person.
- “Processing”: Any operation performed on Personal Data (collection, storage, use, transfer, deletion, etc.).
- “Controller”: The Customer, who determines purposes and means of Processing.
- “Processor”: Taskip, which processes Personal Data on behalf of the Customer.
- “Sub-processor”: A third party engaged by Taskip to process Personal Data.
Roles of the Parties
- Customer acts as Controller of the Personal Data.
- Taskip acts as Processor and will process Personal Data solely to provide and maintain the Service on the Customer’s instructions.
Scope of Processing
Taskip processes Personal Data only on the Customer’s documented instructions and solely to provide and maintain the Service, including to:
- host, store, and back up the Customer’s workspace data;
- enable the features the Customer uses (projects, client portal, invoicing, messaging, and related functions);
- provide support requested by the Customer;
- maintain the security, integrity, and availability of the Service; and
- comply with applicable legal obligations.
Taskip does not use Customer Content for advertising or marketing, and does not use it — in original, anonymized, or aggregated form — to train AI or machine-learning models or to develop or improve its products.
Security Measures
Taskip will implement technical and organizational measures to protect Personal Data from unauthorized access, alteration, disclosure, or destruction.
Sub-processors
Taskip engages the sub-processors listed in Annex II to provide the Service. Each sub-processor is bound by a written agreement imposing data-protection obligations no less protective than those in this DPA, and may process Customer Content solely to provide its services to Taskip and for no other purpose.
Customer Content is encrypted in transit and at rest. Infrastructure sub-processors do not access the contents of Customer Content in the ordinary course, and no sub-processor uses Customer Content to train artificial-intelligence or machine-learning models.
Taskip will give the Customer notice of any new sub-processor and a reasonable opportunity to object on legitimate data-protection grounds before the new sub-processor begins processing Customer Content.
International Transfers
If Personal Data is transferred outside the EEA/UK, Taskip will ensure compliance with applicable data protection laws (e.g., using Standard Contractual Clauses).
Data Subject Rights
Taskip will assist the Customer in responding to data subject requests regarding access, correction, deletion, or restriction of Personal Data.
Data Breach Notification
Taskip will notify the Customer without undue delay in the event of a confirmed data breach affecting Personal Data collected through the Taskip website.
Data Retention and Deletion
Taskip will retain Personal Data and workspace data only as long as necessary to provide services, ensure disaster recovery, or comply with legal requirements. Upon request, Taskip will delete or anonymize Personal Data.
Liability and Governing Law
This DPA is subject to the limitations of liability and governing law defined in the Agreement or Privacy Policy.
Annex I – Details of Processing
- Subject Matter: Provision of the Taskip application and related services.
- Duration: For the term of the Customer’s subscription, plus any retention period required for backup or legal compliance.
- Nature and Purpose: Hosting, storage, processing, and transmission of Customer workspace data to deliver the Service on the Customer’s instructions.
- Types of Personal Data: Data the Customer chooses to store, which may include the names, contact details, and project, billing, and communication records of the Customer’s own clients and contacts; and account data of the Customer’s users (names, email addresses, login data).
- Categories of Data Subjects: The Customer’s users, and the Customer’s clients and contacts whose data the Customer stores in the Service.
Annex II – Sub-processor List
| Sub-processor | Purpose | Data Processed | Location |
| --- | --- | --- | --- |
| Vultr | Web app hosting and database server | Technical & usage data | EU |
| Contabo | WebSocket hosting | Technical & usage data | EU |
| Vercel | Frontend hosting and status monitor server | Technical & usage data | Global |
| Postmark | Email delivery & notifications | Email addresses, message metadata | Global |
| Cloudflare | DNS management and asset storage (R2) | Technical & usage data | Global |
| Pusher | Real-time messaging | Usage data, session data | EU |