Data Processing Addendum

Last updated 12 June 2026 · Effective 3 June 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the Customer ("Controller") and [GG Legal Entity Ltd] ("Processor", "we") and reflects Article 28 of the EU and UK GDPR. It governs our processing of personal data within Customer Data on your behalf. Where it conflicts with the Terms on data protection, this DPA prevails.

1. Definitions

“Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach” and “Sub-processor” have the meanings in the GDPR. “Customer Data” means data the Customer submits to the Service. “Data Protection Law” means the EU GDPR, the UK GDPR and Data Protection Act 2018, and other applicable privacy laws including US state privacy laws.

2. Roles & scope

The Controller determines the purposes and means of processing; we process only as a Processor on the Controller’s documented instructions, which include the Terms, this DPA and use of the Service’s features. We will tell you if we believe an instruction breaches Data Protection Law.

3. Details of processing (Annex I)

Item: Detail
Subject matter: Provision of the GG service (CRM, communication capture & AI summarisation, enrichment, offers, analytics).
Duration: For the term of the subscription, plus the deletion period in §9.
Nature & purpose: Hosting, storing, organising, summarising and analysing Customer Data to deliver the Service.
Types of personal data: Contact identifiers (name, role, email, phone), company details, communication summaries and metadata, deal/offer data, and any data the Customer chooses to enter.
Categories of data subject: The Customer's contacts, leads, clients and their representatives, and the Customer's own users.
Special categories: Not intended; the Customer must not submit special-category data except as separately agreed with appropriate safeguards.

4. Our obligations as processor

  • Instructions: process Personal Data only on your documented instructions, including for transfers, unless required by law (in which case we notify you unless prohibited).
  • Confidentiality: ensure personnel authorised to process are bound by confidentiality.
  • Security: implement the technical and organisational measures in §6 (Art. 32).
  • Assistance: assist you, taking account of the nature of processing, to respond to data-subject requests and to meet your obligations under Arts. 32–36 (security, breach notification, DPIAs, prior consultation).
  • Records: maintain records of processing and make available the information needed to demonstrate compliance.

5. Sub-processors

You grant general authorisation for us to engage sub-processors to provide the Service. Our current sub-processors are listed at /legal/subprocessors. We impose data-protection obligations on each sub-processor at least as protective as this DPA, and we remain liable for their performance. We will give advance notice of any new or replaced sub-processor (you may subscribe to updates), and you may object on reasonable data-protection grounds; if we cannot resolve the objection you may terminate the affected Service.

6. Security measures (Annex II)

  • Tenant isolation: per-organisation row-level isolation so one customer cannot access another’s data.
  • Encryption: data encrypted in transit (TLS); encryption at rest as provided by our infrastructure.
  • Access control: role-based access, least privilege, and authentication for administrative access.
  • Auditability: an immutable audit log of sensitive actions (exports, erasure, consent and plan changes).
  • Resilience: regular backups and the ability to restore availability after an incident.
  • Data minimisation: raw captured messages are not retained — only AI summaries, intent and metadata — reducing the personal data at rest.

7. Data-subject requests & controls

The Service provides self-service tools to help you meet data-subject rights — including per-client and per-organisation export (access/portability), right-to-erasure with cascading deletion, and recording-consent and retention settings. If a data subject contacts us directly about Customer Data, we will refer them to you and not respond except on your instruction.

8. Personal data breaches

We will notify you without undue delay after becoming aware of a Personal Data Breach affecting Customer Data, with the information you reasonably need to meet your own notification duties (which, for many breaches under the GDPR, must be made to the supervisory authority within 72 hours). Notices go to your designated workspace contact.

9. International transfers & deletion

  • Transfers: where we transfer Customer Data outside the EEA/UK, we rely on the EU Standard Contractual Clauses and the UK IDTA/Addendum (incorporated by reference) plus supplementary measures, or another lawful transfer mechanism.
  • Deletion / return: on termination, at your choice we delete or return Customer Data and delete existing copies within a reasonable period (typically up to 90 days), except where law requires retention; backups expire on their normal cycle.

10. Audits

We make available information necessary to demonstrate compliance with Art. 28 and allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate — on reasonable notice, no more than once a year (unless required by an authority), during business hours, subject to confidentiality and without disrupting our operations. We may satisfy audit requests by providing third-party audit reports or certifications where available.

11. Liability & order of precedence

Liability under this DPA is subject to the limitations of liability in the Terms. This DPA, the Terms and any applicable Standard Contractual Clauses are read together; in case of conflict on data protection, the SCCs prevail, then this DPA, then the Terms.

12. Contact

Data-protection matters under this DPA: legal@taskgg.com. To request a signed copy of this DPA or the SCCs/IDTA, email legal@taskgg.com.

Template for transparency, not legal advice. For regulated or high-volume processing, execute a signed DPA with the SCCs/IDTA annexes completed for your specific data flows; confirm the security measures match your live deployment.