Data Processing Agreement
Last updated [set HAZYDO_LEGAL_LAST_UPDATED].
This Data Processing Agreement ("DPA") forms part of the contract
between Angels' Ware ("Processor", "we") and
the customer organisation that has accepted Hazydo's
terms of service ("Controller", "you") and
governs the Processor's processing of personal data on behalf of
the Controller when the Controller's personnel use the hosted
Hazydo service at https://hazy.r8.rs ("the Service").
It is structured to satisfy Article 28 of the EU General Data Protection Regulation (Regulation 2016/679, "GDPR") and the equivalent UK GDPR. Where the Controller is established outside the EEA / UK, an equivalent obligation in the Controller's jurisdiction is read in. Defined terms not otherwise defined here take their meaning from the GDPR.
This DPA takes effect automatically when the Controller's organisation has at least one user with active Service access. No signature is required for it to bind, but a counter-signed PDF can be requested at hazy@r8.rs for organisations whose procurement requires one.
1. Subject matter and duration
The Processor processes personal data on behalf of the Controller solely to provide, secure, and support the Service. Processing begins when the Controller's first user account is created and continues until the Controller's account is closed plus the retention windows described in Section 9 and in our privacy policy.
2. Nature and purpose of processing
Hazydo is a multi-tenant shared to-do list. Processing consists of: storing workspace content the Controller's users create (projects, tasks, comments), storing the Controller's authentication material (bcrypted passwords, encrypted TOTP secrets), and writing operational and audit logs. A full description is provided in Annex 1.
3. Controller's instructions
The Processor processes personal data only on documented instructions from the Controller, which are constituted by this DPA, the Service's documented configuration surface (settings, API), and any further written instructions the Controller sends to hazy@r8.rs.
If an instruction cannot be carried out without breaching applicable data-protection law, the Processor will inform the Controller in writing rather than acting on it. The Processor will not process personal data for its own purposes or share it with third parties except as described in Section 5.
4. Confidentiality
The Processor ensures that every person authorised to process personal data on its behalf is bound by a written or statutory duty of confidentiality and has received training appropriate to their role.
5. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed in Annex 3. The Processor remains liable to the Controller for each sub-processor's performance of its data-protection obligations.
When the Processor intends to add or replace a sub-processor it will give the Controller at least 30 days' notice before the change takes effect, by email to the Controller's account-admin address and by updating Annex 3. The Controller may object during that window; if no commercially reasonable resolution is found, the Controller may terminate the affected portion of the Service with prorated refund.
6. Assistance with data subject rights
The Service provides Controller-side users with self-service access (Settings → "Your data"), correction (display name, password), and erasure (Settings → "Delete account") for their own personal data. The Processor will assist the Controller with any additional data subject request that cannot be satisfied through these surfaces within ten (10) business days of a written request to hazy@r8.rs.
7. Security measures
The Processor implements technical and organisational measures ("TOMs") appropriate to the risk of processing, described in detail in Annex 2. TOMs may be updated to track evolving best practice; updates that materially reduce protection require the Controller's written consent.
8. Personal data breach
The Processor will notify the Controller of any confirmed personal data breach affecting the Controller's data without undue delay, and in any event within 48 hours of becoming aware of it. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it.
The Controller remains responsible for notifying its own supervisory authority (Art. 33 GDPR) and, where required, affected data subjects (Art. 34). The Processor will cooperate with reasonable Controller requests for additional information needed to make these notifications.
9. Return or deletion at end of processing
On termination of the Controller's account, or at any earlier written request, the Processor will:
- make a final JSON export of every Controller user's personal data available for at least 30 days through the existing Settings → "Your data" surface; and
- delete the Controller's workspace content (projects, tasks, comments, authentication material) within 30 days of account closure.
Operational logs that incidentally contain personal data (HTTP access logs, auth audit) follow the retention windows in the privacy policy §5. Encrypted backups containing the Controller's data are purged on the rolling 30-day cycle stated there; copies persisting in backups beyond the active dataset are quarantined and not restored to production absent the Controller's written instruction.
10. Audit and inspection
The Controller may, on at least 30 days' written notice and not more than once per twelve-month period, request information necessary to demonstrate compliance with this DPA, including reasonable inspection of the Processor's relevant policies and records. The Processor will respond within fifteen (15) business days. Where independent audit reports (SOC 2, ISO 27001, etc.) are available the Controller agrees to accept those in lieu of an on-site audit.
11. International transfers
The Processor will not transfer personal data outside the jurisdiction of Sweden or the EEA except where (a) an adequacy decision applies, (b) Standard Contractual Clauses are in place with the receiving party, or (c) another lawful transfer mechanism applies and is documented in Annex 3.
12. Liability and governing law
Each party's liability under this DPA is subject to the limitations of the underlying terms of service. This DPA is governed by the laws of Sweden; the parties consent to the jurisdiction of the courts of Sweden for disputes that cannot be resolved by negotiation.
13. Conflict and precedence
In the event of conflict between this DPA and the terms of service regarding the processing of personal data, this DPA prevails.
14. Contact
Data protection contact: hazy@r8.rs. General contact: hazy@r8.rs.
Annex 1 — Description of processing
Categories of data subjects
- The Controller's authorised users (employees, contractors, or other personnel given access to the Controller's workspace).
- Third parties whose information is incidentally entered by those users into the workspace (e.g. a task body mentioning a customer's name). Hazydo is not designed to be a primary store for such third-party data and the Controller is responsible for ensuring its inclusion is lawful.
Categories of personal data
- Account data: email address, display name, bcrypted password hash, role, email verification timestamp, encrypted TOTP secret (when 2FA enabled), bcrypted recovery codes.
- Authentication artefacts: session tokens, API keys (hashed), audit log entries (login OK/fail, password change, account deletion).
- Workspace content: any personal data the Controller's users place into projects, tasks, and comments.
- Operational metadata: request timestamps, IP addresses, user-agent strings, and sign-in events.
Purpose
Authentication, authorisation, task orchestration, audit, and service support. No processing for advertising, profiling, or resale.
Duration
Until account closure plus the retention windows stated in Section 9 and the privacy policy §5.
Annex 2 — Technical and organisational measures
Measures in force at the date listed at the top of this document. They may be updated to reflect evolving best practice; see Section 7.
Access control
- Per-user authentication; passwords stored as bcrypt hashes at the default cost factor.
- Optional time-based one-time-password (TOTP) second factor; secrets stored AES-256-GCM-encrypted at rest, with the key held outside the database.
- Session cookies are HttpOnly + SameSite=Lax + Secure when TLS is detected (directly or via a trusted reverse proxy).
- CSRF defended by double-submit cookie + header pattern on cookie-authenticated routes.
- Personal API keys hashed at rest, prefix-only displayed in UI, revocable per-key, optional read-only scope.
Multi-tenant isolation
- Postgres row-level security enforced on every user-facing table; the application connection demotes to a non-superuser role before issuing user queries so RLS cannot be bypassed.
- Cross-tenant lookups (login, password reset, public-link consumption) go through SECURITY DEFINER helpers with explicit documented intent; no general-purpose super-tenant query path is exposed to request handlers.
Network and transport
- HTTPS / WSS in production; HSTS recommended at the reverse proxy layer.
- WebSocket origin restricted by configuration to the deployed public URL; cross-origin browser connections are refused.
Auditing and monitoring
- Authentication-related events (login OK/fail, password change, account deletion, signup, email verify, 2FA setup / disable / verify) recorded in a dedicated audit table; rows survive user deletion with the username preserved.
- HTTP access logs retained 30 days; auth audit retained 90 days. See privacy policy §5.
Resilience and recovery
- Encrypted database backups retained for 30 days on a rolling window.
- Documented breach-response procedure with the notification timing committed in Section 8.
Organisational
- Personnel access to production data is restricted on a need-to-know basis and bound by written confidentiality obligations.
- Sub-processors are reviewed for adequate security commitments before engagement and re-reviewed at the renewal of each sub-processor's contract.
Annex 3 — Authorised sub-processors
The Processor engages the following sub-processors. Changes to this list are notified in accordance with Section 5.
| Provider | Function | Region |
|---|---|---|
| [set HAZYDO_HOSTING_PROVIDER] | Infrastructure hosting (application + database) | Sweden |
| [set HAZYDO_EMAIL_PROVIDER] | Transactional email (verification, password reset) | Sweden |
Self-hosted Hazydo installations have no Processor-engaged sub-processors — the operator IS the controller and processor in one. This DPA applies only to the hosted Service.