Hazydo

Data Processing Agreement

Last updated [set HAZYDO_LEGAL_LAST_UPDATED].

This Data Processing Agreement ("DPA") forms part of the contract between Angels' Ware ("Processor", "we") and the customer organisation that has accepted Hazydo's terms of service ("Controller", "you") and governs the Processor's processing of personal data on behalf of the Controller when the Controller's personnel use the hosted Hazydo service at https://hazy.r8.rs ("the Service").

It is structured to satisfy Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the equivalent UK GDPR. Where the Controller is established outside the EEA / UK, an equivalent obligation in the Controller's jurisdiction is read in. Defined terms not otherwise defined here take their meaning from the GDPR.

This DPA takes effect automatically when the Controller's organisation has at least one user with active Service access. No signature is required for it to bind, but a counter-signed PDF can be requested at hazy@r8.rs for organisations whose procurement requires one.

1. Subject matter and duration

The Processor processes personal data on behalf of the Controller solely to provide, secure, and support the Service. Processing begins when the Controller's first user account is created and continues until the Controller's account is closed plus the retention windows described in Section 9 and in our privacy policy.

2. Nature and purpose of processing

Hazydo is a multi-tenant shared to-do list. Processing consists of: storing workspace content the Controller's users create (projects, tasks, comments), storing the Controller's authentication material (bcrypted passwords, encrypted TOTP secrets), and writing operational and audit logs. A full description is provided in Annex 1.

3. Controller's instructions

The Processor processes personal data only on documented instructions from the Controller, which are constituted by this DPA, the Service's documented configuration surface (settings, API), and any further written instructions the Controller sends to hazy@r8.rs.

If an instruction cannot be carried out without breaching applicable data-protection law, the Processor will inform the Controller in writing rather than acting on it. The Processor will not process personal data for its own purposes or share it with third parties except as described in Section 5.

4. Confidentiality

The Processor ensures that every person authorised to process personal data on its behalf is bound by a written or statutory duty of confidentiality and has received training appropriate to their role.

5. Sub-processors

The Controller authorises the Processor to engage the sub-processors listed in Annex 3. The Processor remains liable to the Controller for each sub-processor's performance of its data-protection obligations.

When the Processor intends to add or replace a sub-processor it will give the Controller at least 30 days' notice before the change takes effect, by email to the Controller's account-admin address and by updating Annex 3. The Controller may object during that window; if no commercially reasonable resolution is found, the Controller may terminate the affected portion of the Service with prorated refund.

6. Assistance with data subject rights

The Service provides Controller-side users with self-service access (Settings → "Your data"), correction (display name, password), and erasure (Settings → "Delete account") for their own personal data. The Processor will assist the Controller with any additional data subject request that cannot be satisfied through these surfaces within ten (10) business days of a written request to hazy@r8.rs.

7. Security measures

The Processor implements technical and organisational measures ("TOMs") appropriate to the risk of processing, described in detail in Annex 2. TOMs may be updated to track evolving best practice; updates that materially reduce protection require the Controller's written consent.

8. Personal data breach

The Processor will notify the Controller of any confirmed personal data breach affecting the Controller's data without undue delay, and in any event within 48 hours of becoming aware of it. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.

The Controller remains responsible for notifying its own supervisory authority (Art. 33 GDPR) and, where required, affected data subjects (Art. 34). The Processor will cooperate with reasonable Controller requests for additional information needed to make these notifications.

9. Return or deletion at end of processing

On termination of the Controller's account, or at any earlier written request, the Processor will:

Operational logs that incidentally contain personal data (HTTP access logs, auth audit) follow the retention windows in the privacy policy §5. Encrypted backups containing the Controller's data are purged on the rolling 30-day cycle stated there; copies persisting in backups beyond the active dataset are quarantined and not restored to production absent the Controller's written instruction.

10. Audit and inspection

The Controller may, on at least 30 days' written notice and not more than once per twelve-month period, request information necessary to demonstrate compliance with this DPA, including reasonable inspection of the Processor's relevant policies and records. The Processor will respond within fifteen (15) business days. Where independent audit reports (SOC 2, ISO 27001, etc.) are available the Controller agrees to accept those in lieu of an on-site audit.

11. International transfers

The Processor will not transfer personal data outside the jurisdiction of Sweden or the EEA except where (a) an adequacy decision applies, (b) Standard Contractual Clauses are in place with the receiving party, or (c) another lawful transfer mechanism applies and is documented in Annex 3.

12. Liability and governing law

Each party's liability under this DPA is subject to the limitations of the underlying terms of service. This DPA is governed by the laws of Sweden; the parties consent to the jurisdiction of the courts of Sweden for disputes that cannot be resolved by negotiation.

13. Conflict and precedence

In the event of conflict between this DPA and the terms of service regarding the processing of personal data, this DPA prevails.

14. Contact

Data protection contact: hazy@r8.rs. General contact: hazy@r8.rs.


Annex 1 — Description of processing

Categories of data subjects

Categories of personal data

Purpose

Authentication, authorisation, task orchestration, audit, and service support. No processing for advertising, profiling, or resale.

Duration

Until account closure plus the retention windows stated in Section 9 and the privacy policy §5.

Annex 2 — Technical and organisational measures

Measures in force at the date listed at the top of this document. They may be updated to reflect evolving best practice; see Section 7.

Access control

Multi-tenant isolation

Network and transport

Auditing and monitoring

Resilience and recovery

Organisational

Annex 3 — Authorised sub-processors

The Processor engages the following sub-processors. Changes to this list are notified in accordance with Section 5.

Provider Function Region
[set HAZYDO_HOSTING_PROVIDER] Infrastructure hosting (application + database) Sweden
[set HAZYDO_EMAIL_PROVIDER] Transactional email (verification, password reset) Sweden

Self-hosted Hazydo installations have no Processor-engaged sub-processors — the operator IS the controller and processor in one. This DPA applies only to the hosted Service.