This Data Processing Agreement (“DPA”) forms part of the agreement or terms under which Kanbanify provides the Services to a Customer (the “Main Agreement”). This DPA applies where Kanbanify processes Personal Data on behalf of the Customer as a Processor. This DPA is intended to be jurisdiction neutral while supporting GDPR-aligned processing standards.
Definitions
- Controller, Processor, Personal Data, Data Subject, Processing, Personal Data Breach: as defined in applicable Data Protection Laws.
- Data Protection Laws means all applicable laws and regulations relating to privacy or the Processing of Personal Data, including where applicable the GDPR and other comparable privacy frameworks.
- Services means the Kanbanify platform made available via kanbanify.org and any related subdomains, including collaboration features such as boards, chat, meetings, documents, and reporting.
- Sub-processor means any third party engaged by Kanbanify to Process Personal Data on behalf of the Customer.
Roles of the Parties
This heading is intentionally reserved in the agreement.
The parties acknowledge that:
a. The Customer is the Controller of Customer Personal Data.
b. Kanbanify is the Processor of Customer Personal Data to the extent Kanbanify processes such data on behalf of Customer in providing the Services.
Where Kanbanify processes Personal Data for its own independent purposes (for example, account administration and security operations), Kanbanify acts as a Controller for that limited Processing.
Processing Details
Kanbanify will Process Personal Data only as needed to provide the Services under the Main Agreement and in accordance with Customer instructions.
Subject matter
Provision of project management and collaboration Services, including boards, tasks, chat, meetings, documents, and reporting exports.
Nature and purpose
- Create and manage workspaces and user access
- Enable collaboration on tasks and projects
- Support chat and meeting features
- Store and retrieve documents and attachments
- Generate reporting outputs, including manual timesheet entry and report exports
- Operate, maintain, secure, and support the Services
Duration
Processing continues for the duration of the Main Agreement, and thereafter for the period needed to complete deletion or return obligations, subject to legally required retention.
Categories of Data Subjects
- Customer users and invited users, including employees, contractors, or collaborators authorised by Customer
Types of Personal Data
Depending on Customer configuration and use of the Services:
- Account and profile data (name, email, username, role, workspace membership)
- Authentication data (password hash, session identifiers)
- Workspace content entered by users:
o Tasks, comments, descriptions, assignments
o Chat messages
o Meeting details, including scheduling metadata and participant lists
o Meeting recordings and meeting transcripts where enabled
o Documents, attachments, and wiki-style content
- Reporting data:
o Manual timesheet entries and report exports (XLS, XLSX)
- Technical and security data:
o IP address and security logs (see retention in Annex 3)
Customer Responsibilities
Customer will:
Ensure it has a valid legal basis to collect and provide Personal Data to Kanbanify.
Provide any required notices to Data Subjects and obtain consents where required.
Ensure Customer instructions comply with Data Protection Laws.
Manage user access, roles, and permissions appropriately, including administrative access to workspace content.
Kanbanify Responsibilities as Processor
Kanbanify will, with respect to Customer Personal Data:
Processing on instructions
Process Customer Personal Data only:
- as necessary to provide the Services, and
- in accordance with Customer documented instructions,
unless required by law to process otherwise. If legally permitted, Kanbanify will notify Customer before Processing under such legal requirement.
Confidentiality
Ensure personnel authorised to Process Customer Personal Data are bound by confidentiality obligations.
Security measures
Implement appropriate technical and organisational measures (“TOMs”) to protect Customer Personal Data, described in Annex 1.
Sub-processors
Engage Sub-processors only in accordance with Section 7.
Data Subject requests
If Kanbanify receives a request directly from a Data Subject relating to Customer Personal Data, Kanbanify will:
- notify Customer, and
- not respond unless instructed by Customer, except as required by law.
Personal Data Breach notification
Notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data.
Return or deletion
Upon termination or expiry of the Main Agreement, Kanbanify will delete or return Customer Personal Data in accordance with Annex 2, unless retention is required by law.
Audit assistance
Provide reasonable information necessary to demonstrate compliance with this DPA. If Customer requests an audit, it must be:
- limited in scope to Processing under this DPA,
- subject to reasonable notice and scheduling,
- conducted in a manner that avoids disruption to other customers and protects confidentiality and security.
Customer Instructions
Customer instructions should be documented (for example, via configuration settings, administrator actions, or written instructions).
If Kanbanify reasonably believes an instruction violates Data Protection Laws, Kanbanify may pause the instruction and notify Customer.
Sub-processors
Kanbanify will require Sub-processors to implement data protection obligations that provide a level of protection appropriate to the Services.
Kanbanify will remain responsible for Sub-processor performance of obligations relating to Processing under this DPA.
International Transfers
Processing may occur globally depending on infrastructure location, resilience, and operational needs.
Where Data Protection Laws require safeguards for international transfers, Kanbanify will implement appropriate transfer mechanisms consistent with applicable requirements.
Access, encryption, and meeting rules
Encryption is enabled across the Services by default.
Meeting recordings and transcripts
a. Where recordings and transcripts are available, they are accessible to participants of the relevant meeting or group, including participants who did not attend, similar to standard collaboration tools.
b. Customer controls who is a participant and who has workspace access.
Retention
Retention is described in Annex 3, including:
- IP log retention: 30 days
- Other retention periods where applicable or required for security, operational integrity, or legal compliance
Liability
Liability under this DPA will follow the liability terms in the Main Agreement and any mandatory provisions under applicable Data Protection Laws.
Term and termination
This DPA remains in effect for the duration of the Main Agreement and applies to Processing performed during that period.
Contact
Privacy and data protection enquiries relating to this DPA: support@kanbanify.org
Annex 1: Technical and Organisational Measures
Kanbanify will maintain measures appropriate to the nature of the Services and the risks, which may include:
Access controls
- Role-based access controls for workspaces
- Administrative access restricted to authorised roles
- Least-privilege internal access controls where applicable
Encryption
- Encryption in transit (TLS)
- Encryption enabled across the Services by default
- Controls to prevent unauthorised access to decrypted content
Authentication security
- Passwords stored as salted, hashed values
- Session controls and secure cookie handling for authenticated access
Logging and monitoring
- Security logging to detect abuse and operational issues
- Access controls around logs
Backups and resilience
- Backups and recovery procedures appropriate to the Services
- Measures designed to restore availability following an incident
Vulnerability management
- Patch management and security updates
- Reasonable vulnerability handling processes
Incident response
Procedures to assess, contain, and remediate incidents
Breach notification obligations per Section 5.6
Annex 2: Deletion and Return on Termination
Upon termination or expiry of the Main Agreement, Kanbanify will delete or return Customer Personal Data within a commercially reasonable period consistent with standard SaaS practice and operational constraints.
If deletion is not immediately feasible due to backups or technical constraints, Kanbanify will:
- isolate data from active Processing where practical, and
- complete deletion during normal backup rotation cycles where applicable.
Kanbanify may retain limited data where required by law or for the establishment, exercise, or defence of legal claims.
Annex 3: Retention Schedule
IP logs and security logs: 30 days
Workspace content and files: retained while the workspace remains active, unless deleted by Customer users or administrators, subject to any technical constraints for deletion completion
Account data: retained while the account remains active, and thereafter as needed to complete deletion and comply with legal or security obligations
Meeting recordings and transcripts: retained while enabled and stored within the workspace scope, accessible to meeting participants, and subject to Customer deletion actions and technical constraints for deletion completion