Data Processing Agreement

1. Introduction

This Data Processing Agreement (DPA) governs the processing of personal data by WeTask (the "Processor") on behalf of our business customers (the "Controller").

This DPA complies with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

2.1 Personal Data

Any information relating to an identified or identifiable natural person, including but not limited to:

• Name, email address, and contact information
• User account credentials (processed in encrypted form)
• Task and project data
• Usage patterns and preferences
• IP addresses and device identifiers
• Communications and support interactions

2.2 Data Subject

The natural person whose personal data is processed by the Processor on behalf of the Controller.

2.3 Processing

Any operation performed on personal data, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, or making available.

3. Scope of Processing

The Processor agrees to process personal data only for the following purposes and in accordance with the Controller's instructions:

3.1 Service Provision

• Providing task management and collaboration services
• User authentication and account management
• Data backup and recovery services
• Customer support and technical assistance
• System maintenance and updates

3.2 Data Processing Activities

• Storing and organizing user data
• Processing task and project information
• Managing team collaboration data
• Providing analytics and reporting
• Handling customer support requests
• Sending service-related communications

4. Controller's Obligations

4.1 Lawful Instructions

The Controller warrants that all instructions provided to the Processor are lawful and in compliance with applicable data protection laws.

4.2 Data Protection Impact Assessment

The Controller acknowledges responsibility for conducting data protection impact assessments where required by law.

4.3 Cooperation and Assistance

The Controller agrees to provide reasonable assistance to the Processor in fulfilling its obligations under this DPA.

5. Processor's Obligations

5.1 Confidentiality and Security

The Processor shall implement and maintain appropriate technical and organizational security measures to protect personal data, including:

• Encryption of data at rest and in transit (AES-256 minimum)
• Access controls and authentication mechanisms
• Regular security testing and vulnerability assessments
• Incident detection and response procedures
• Staff training on data protection
• Secure backup and recovery systems

5.2 Processing Restrictions

The Processor shall:

• Process personal data only on documented Controller instructions
• Not process data for purposes other than those specified
• Maintain processing records as required by law
• Ensure personnel are bound by confidentiality obligations
• Not engage subprocessors without Controller consent

5.3 Data Subject Rights

The Processor shall assist the Controller in responding to data subject rights requests, including:

• Access requests and identity verification
• Rectification of inaccurate personal data
• Erasure of personal data where required
• Data portability requests
• Objection to processing and profiling

6. Subprocessors

The Processor may engage subprocessors for specific processing activities with prior Controller consent and must:

• Provide adequate written assurances regarding data protection
• Ensure subprocessors comply with this DPA obligations
• Remain liable for subprocessor actions
• Maintain up-to-date list of all subprocessors

7. Data Breach Notification

The Processor shall notify the Controller without undue delay of any personal data breach, including:

• Nature of the breach and categories of data affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Timeline for discovery and notification (within 72 hours)
• Contact information for more information

8. Data Retention and Deletion

Personal data shall be retained only as long as necessary for processing purposes and shall be securely deleted upon:

• Written request from the Controller
• Completion of service provision
• Legal requirement for deletion
• End of retention period

9. International Data Transfers

Any international transfers of personal data shall comply with GDPR requirements and shall only occur to:

• Countries with adequate data protection laws
• Entities bound by EU Standard Contractual Clauses
• Binding Corporate Rules with approved safeguards

10. Audit and Compliance

The Processor shall cooperate with reasonable audits and compliance checks, including:

• Regular security audits and penetration testing
• Data protection impact assessments
• Documentation of processing activities
• Compliance reporting to the Controller
• Cooperation with supervisory authorities

11. Term and Termination

This DPA shall remain in effect until terminated by either party with 30 days written notice.

11.1 Return of Data

Upon termination, the Processor shall securely return or delete all personal data in the Controller's possession.

11.2 Survivability

Confidentiality, security, and compliance obligations shall survive termination of this agreement.

12. Liability and Indemnification

12.1 Processor Liability

The Processor shall be liable for damages arising from breach of this DPA or applicable data protection laws.

12.2 Limitation of Liability

Processor liability shall be limited to direct damages resulting from willful misconduct or gross negligence.

13. Governing Law and Disputes

This DPA shall be governed by the laws of the Controller's jurisdiction and any disputes shall be resolved through:

• Good faith negotiations between parties
• Mediation services
• Courts of competent jurisdiction

14. Contact Information

For matters related to this Data Processing Agreement, contact:

• Data Protection: dpo@openfly.tech
• Legal: legal@openfly.tech
• Support: support@openfly.tech
• Website: https://openfly.tech