1. Scope and definitions
In this Addendum, "Controller" means the organization, and "Processor" means Tasksphere. "Personal Data", "Processing", "Data Subject", and "Sub-processor" carry the meaning given in the GDPR.
2. GDPR Article 28 obligations
The Processor processes Personal Data only on documented instructions from the Controller, ensures persons authorized to process Personal Data are bound by confidentiality, and assists the Controller in fulfilling its obligations under Articles 32–36.
3. Security measures
The Processor maintains the following security measures: encryption in transit (TLS 1.2+) and at rest (AES-256), least-privilege access controls, audit logging, regular penetration testing, and an incident response process aligned with ISO 27001 controls.
4. Sub-processors
Current sub-processors include hosting (cloud infrastructure), email delivery, identity verification, and payout providers. A current list is available on request and updated when material changes occur.
5. Data subject rights flow-through
The Processor will assist the Controller in responding to data subject requests (access, rectification, erasure, portability, objection) within the timelines required by the GDPR.
6. Breach notification
The Processor will notify the Controller without undue delay, and in any case within 72 hours, of becoming aware of a Personal Data breach affecting Controller data, including the information required to support the Controller's own notification obligations.