Does Tasqly work offline?

Yes. The PWA supports offline queueing and syncs when connectivity returns.

Can we restrict who sees which requests?

Absolutely. Role- and location-based permissions control visibility and routing.

Do you integrate with Slack or Teams?

Yes. Tasqly supports notifications and two-way actions via Slack/Teams apps and webhooks.

Security & Privacy

Data Processing Addendum (DPA)

Legally binding processor terms for Tasqly, including TOMs, SCCs for international transfers, CPRA service-provider terms, and authorized subprocessors.

Jump to contents Print / Save as PDF

Definitions Scope & Roles Instructions Security PII & Content Subprocessors DSRs Breach Retention Audits Transfers (SCCs) Annex I Annex II Annex III CPRA Execution

1) Definitions

“Applicable Data Protection Laws” include EU/UK GDPR, Swiss FADP, and US state privacy laws (e.g., CCPA/CPRA). Capitalized terms not defined here have the meanings in the Agreement or the Standard Contractual Clauses (SCCs).

2) Scope & Roles

Customer is the Controller/Business and Tasqly is the Processor/Service Provider for Customer Personal Data processed to provide the Services.

3) Processing Instructions & Purpose Limitation

Tasqly processes Customer Personal Data only on documented instructions from Customer, including to provide, maintain, secure, and improve the Services; to prevent or address technical/security issues; or as required by law (with prior notice where lawful).

4) Security Measures

Tasqly implements and maintains the technical and organizational measures (TOMs) in Annex II, appropriate to the risks of processing.

5) PII & User-Uploaded Content

Service PII: names, business emails, roles, IPs, auth data, audit logs for account/security purposes.
Content PII: Customer-controlled media/assets (e.g., photos, signatures, labels) may contain PII; Tasqly does not require it.
Storage: User content in Cloudflare R2 (encrypted, RBAC); app services on OVHcloud (NA—Canada); app data in MongoDB Atlas (East-US); email via Twilio SendGrid.

6) Subprocessors

General authorization for Subprocessors listed in Annex III. Tasqly imposes terms no less protective than this DPA and remains responsible for Subprocessor obligations. Tasqly will notify Customer of material changes and allow reasonable objections related to data protection.

7) Data Subject Requests

Tasqly assists Customer by appropriate technical and organizational measures to respond to data subject requests under Applicable Laws.

8) Personal Data Breach

Tasqly will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably necessary for Customer’s notification obligations.

9) Retention & Deletion

Logs: retained 365 days.
Backups: retained 90 days; encrypted; routine restore tests. RTO target 24h; RPO target 12h.
End-of-term: delete or return Personal Data per Customer election; backups overwrite on schedule.
User-Uploaded: active R2 objects removed within 30 days of deletion; cached edge copies purge per CDN TTL; backups up to 90 days.

10) Audits & Reports

On request and subject to confidentiality, Tasqly will make available information necessary to demonstrate compliance and allow reasonable audits no more than annually, during business hours, without undue disruption.

11) International Transfers & SCCs

If Customer Personal Data from the EEA, UK, or Switzerland is transferred to a country lacking adequacy, the parties rely on EU SCCs (Module Two), the UK Addendum, and the Swiss Addendum as detailed below. For SCC Clause 17/18, the parties select Ireland (law & forum) for SCC purposes only.

Annex I — Details of Processing

Controller / Business	Customer entity named in the Agreement.
Processor / Service Provider	Tasqly (legal entity & address to be confirmed). Contacts: [email protected]; [email protected]
Subject Matter	Tasqly platform for intake, routing, KDS, notifications, analytics, administration.
Duration	Term of Agreement + deletion/return period.
Nature & Purpose	Hosting, storage, transmission, logs, analytics, notifications, exports, integrations.
Data Subjects	Customer staff/admins; authorized contractors; guests/end users submitting requests.
Personal Data	Identifiers (name, email, role, optional phone), request metadata, assignment/location, IP/device/usage, audit/telemetry; optional user-uploaded media (Customer-controlled).
Special Categories	Not intended; prohibited unless agreed in writing.
Processing Locations	OVHcloud (NA—Canada), MongoDB Atlas (East-US), Cloudflare R2 (global storage/edge delivery), Cloudflare DNS/CDN/WAF (global), Twilio SendGrid (global).
Transfers	EU SCCs (Module Two) + UK Addendum + Swiss Addendum.

Annex II — Technical & Organizational Measures (TOMs)

Governance & Policy

ISMS policies: access, encryption, vulnerability, incident, BC/DR, vendor risk.
Training at hire and annually; confidentiality obligations.

Access Control

Least-privilege RBAC; SoD; periodic access reviews; session timeouts.
MFA for production access; SSO support for customers (plan-based).
Secrets via managed KMS; rotation policy.

Encryption

TLS 1.2+; HSTS on public endpoints.
Encryption at rest for DB (Atlas), objects (R2), and storage (OVH).

App & Infra Security

Cloudflare DNS/CDN/WAF; minimal ingress; hardening.
Secure SDLC: code review, dependency/container scanning, CI checks.
Vulnerability scans & SLAs based on severity.

Monitoring & IR

Centralized logging for auth/admin/actions; alerting on anomalies.
Incident runbooks, on-call rotations, customer comms.
Log retention 365 days.

Resilience

Encrypted backups retained 90 days; restore drills.
Targets: RTO 24h, RPO 12h.

Annex III — Authorized Subprocessors

Subprocessor	Purpose	Data Categories	Regions	Safeguards
OVHcloud	IaaS hosting for application services & web/PWA endpoints	Account data; request metadata; telemetry	North America (Canada)	Contractual DP terms; encryption; access controls
Cloudflare, Inc.	DNS, CDN, WAF, edge security & caching	Traffic metadata (IP, headers); cached content as configured	Global edge	Contractual DP terms; regional controls where available
Cloudflare R2	S3-compatible object storage for user-uploaded content/media	User-uploaded content; optional PII therein	Global storage footprint with edge delivery	Encryption at rest; RBAC; contractual DP terms
MongoDB Atlas	Managed database (DBaaS) for application data	Account/config data; logs; content metadata	East-US	Encryption at rest; network controls; backups
Twilio SendGrid	Transactional email delivery	Recipient email, names, message metadata	Global	DPA/SCCs; encryption in transit; abuse controls

Tasqly will notify Customer of material changes to this list in accordance with the Agreement.

EU SCCs + UK & Swiss Addenda; CPRA Terms

SCCs: Commission Implementing Decision (EU) 2021/914 — Module Two (Controller → Processor). Clause 17 governing law and Clause 18 forum: Ireland (SCC purposes only).
UK Addendum: ICO IDTA Addendum to the EU SCCs (Part 1 tables map to Annexes I–III).
Swiss Addendum: References to EU GDPR/Member State read as FADP/Switzerland; FDPIC as authority.
CPRA: Tasqly acts as a Service Provider; no selling/sharing for cross-context ads; use limited to Services; assistance for consumer requests via Customer.

Execution

For Customer

Name: _________________________
Title: _________________________
Date: _________________________
Signature: _____________________

For Tasqly

Name: _________________________
Title: _________________________
Date: _________________________
Signature: _____________________

Version: DPA v1.0 • Jurisdiction: New York, USA