Data Processing Agreement
UAB APP FOREST · Version 1.0 · Last updated
Draft — effective at launch, last updated . UAB APP FOREST is in formation. This policy is published for transparency and takes legal effect once the company is incorporated and its registration details are completed.
This Data Processing Agreement (the “DPA”) records the terms on which UAB APP FOREST (trading as Foresttasks, “we”, “us”, the “Processor”) processes personal data on behalf of a customer (“you”, the “Controller”) in the course of providing the Foresttasks task-queue platform (the “Service”).
1. Parties & incorporation
This DPA forms part of, and is incorporated into, the Terms of Service (the “Terms”) between you and us. It applies whenever, and to the extent that, we process personal data on your behalf in connection with the Service. Where the General Data Protection Regulation (Regulation (EU) 2016/679, the “GDPR”) or an equivalent data-protection law applies to that processing, this DPA governs it. If there is any conflict between this DPA and the Terms in respect of the processing of personal data, this DPA prevails (see Section 17).
2. Definitions
Capitalised terms not defined here have the meaning given in the GDPR or the Terms. In this DPA:
- Controller: the entity that, alone or jointly with others, determines the purposes and means of the processing of personal data — here, you.
- Processor: the entity that processes personal data on behalf of the Controller — here, us.
- Personal data: any information relating to an identified or identifiable natural person that we process on your behalf under the Terms (the “Customer Personal Data”).
- Processing: any operation performed on personal data — including collection, storage, use, disclosure, and erasure — whether or not by automated means.
- Sub-processor: any third party engaged by us to process Customer Personal Data on our behalf in order to provide the Service.
- Standard Contractual Clauses (“SCCs”): the standard data-protection clauses adopted by the European Commission under Article 46(2) GDPR for the transfer of personal data to processors established in third countries.
- Data subject, supervisory authority, personal-data breach: have the meanings given in Article 4 GDPR.
3. Roles of the parties
For Customer Personal Data, you act as the Controller and we act as the Processor. You are responsible for establishing a lawful basis for the processing and for the lawfulness of the instructions you give us. We process Customer Personal Data only as a Processor on your behalf. Where we determine the purposes and means of processing for our own purposes (for example, account administration, billing, and securing the Service), we act as an independent controller for that processing under our Privacy Policy, and that processing falls outside this DPA.
4. Scope & instructions
We will process Customer Personal Data only on your documented instructions, including with regard to transfers, unless required to do otherwise by EU or member-state law to which we are subject; in that case we will inform you of that legal requirement before processing, unless the law prohibits it on important grounds of public interest.
Your documented instructions consist of:
- the Terms and this DPA;
- your configuration and use of the Service (including which optional, customer-enabled features you turn on — see Section 8); and
- any further written instructions you give us that are consistent with the Terms and the functionality of the Service.
We will inform you if, in our opinion, an instruction infringes the GDPR or another data-protection provision. The subject matter, duration, nature, and purpose of the processing, the types of personal data, and the categories of data subjects are described in Annex I.
5. Confidentiality
We ensure that persons authorised to process Customer Personal Data are bound by an appropriate obligation of confidentiality (whether contractual or statutory) and process the data only as needed to provide the Service. We limit access to Customer Personal Data to personnel who need it for that purpose.
6. Security measures
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. Those measures are described in Annex II and may be updated over time provided the level of security is not materially reduced.
7. Sub-processors
You give us general written authorisation to engage sub-processors to process Customer Personal Data in order to provide the Service. Our current sub-processors are listed at our Sub-processors page and in Annex III.
Where we engage a sub-processor, we impose on it, by contract, data-protection obligations that are no less protective than those in this DPA. We remain fully liable to you for a sub-processor's performance of its obligations.
We will give you advance notice of any intended addition or replacement of a sub-processor — by updating the Sub-processors page and, where you have requested it, by notifying you at the contact address you provide (see Annex III). You may object on reasonable, data-protection-related grounds within thirty (30) days of that notice. If we cannot reasonably accommodate your objection, you may terminate the affected part of the Service in accordance with the Terms as your sole remedy.
8. Assisting with data-subject requests
Taking into account the nature of the processing, we will assist you by appropriate technical and organisational measures, insofar as possible, in fulfilling your obligation to respond to requests from data subjects exercising their rights under Chapter III GDPR (access, rectification, erasure, restriction, portability, and objection). Where the Service provides self-service tools that let you act on such requests yourself, your use of those tools constitutes that assistance. If we receive a request directly from one of your data subjects, we will not respond to it ourselves (except to confirm that the request should be directed to you) and will promptly forward it to you.
9. Assistance with Articles 32–36
Taking into account the nature of the processing and the information available to us, we will assist you in ensuring compliance with your obligations under Articles 32 to 36 GDPR, namely:
- the security of processing (Article 32) — through the measures in Annex II;
- notification of a personal-data breach to the supervisory authority and to data subjects (Articles 33 and 34) — see Section 10;
- data-protection impact assessments and prior consultation (Articles 35 and 36) — by making available the information about our processing reasonably necessary for you to carry them out.
10. Personal-data breach notification
We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data. To the extent reasonably available to us, the notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it and mitigate its effects. We will provide this information in phases if it is not all available at once, and we will reasonably cooperate with you in your own breach-notification obligations. Notifications under this Section do not constitute an admission of fault or liability.
11. International transfers
We host the primary application and its database on infrastructure located in the European Union. Where providing the Service involves transferring Customer Personal Data to a country outside the European Economic Area that is not the subject of an adequacy decision, that transfer is made under an appropriate Article 46 GDPR safeguard — in particular the Standard Contractual Clauses and, where applicable, the EU-US Data Privacy Framework. Details of the sub-processors involved in such transfers and the safeguards relied on are set out on the Sub-processors page. You authorise us, on your behalf, to enter into the SCCs with sub-processors where required to enable a transfer in connection with the Service.
12. Audits & information
We will make available to you the information reasonably necessary to demonstrate compliance with the obligations in Article 28 GDPR and this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate. Audits will be conducted on reasonable prior written notice, no more than once per year unless required by a supervisory authority or following a personal-data breach, during normal business hours, and in a manner that does not unreasonably disrupt our operations or compromise the security or confidentiality of other customers' data. We may satisfy an audit request by providing relevant documentation, security summaries, or third-party reports where available.
13. Return & deletion of data
On termination or expiry of the Service, and at your choice, we will delete or return all Customer Personal Data and delete existing copies, unless EU or member-state law requires continued storage. We will carry this out within a reasonable period after termination; copies held in backups are then deleted through routine, time-limited backup expiry. Until deletion, the data remains subject to this DPA. Where the Service offers an export facility, you are responsible for exporting your data before the end of any applicable retention window.
14. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Terms, and any reference to a party's liability under the Terms means that party's aggregate liability under the Terms and this DPA together. Nothing in this DPA limits a data subject's rights under the GDPR or either party's liability towards data subjects or a supervisory authority under applicable law.
15. Term
This DPA takes effect when you accept the Terms and continues for as long as we process Customer Personal Data on your behalf. The obligations in Sections 5, 13, and 14 survive termination.
16. Governing law
This DPA is governed by the law specified in the Terms, without prejudice to the mandatory application of the GDPR and the law of the data subject's jurisdiction where required.
17. Order of precedence
In the event of a conflict, the following order of precedence applies in descending order: (1) the Standard Contractual Clauses (where they apply to a transfer); (2) this DPA; (3) the Terms; (4) any other agreement between the parties relating to the Service.
18. How to execute this DPA
This DPA is accepted automatically when you accept the Terms; no signature is required for it to take effect. If your organisation requires a separately signed copy or a counter-signed version for its records, contact us at legal@foresttasks.app and we will arrange signature.
Annex I — Description of the processing
A. List of parties
- Data exporter (Controller): you, the customer, as identified in your Foresttasks account and the Terms. You determine the purposes and means of the processing of the personal data you submit to the Service.
- Data importer (Processor): UAB APP FOREST (trading as Foresttasks), Lithuania. Contact: privacy@foresttasks.app. We process the personal data on the Controller's behalf to provide the Service.
B. Description of the processing
- Subject matter: our provision of the Foresttasks task-queue platform to you under the Terms, and the processing of Customer Personal Data necessary to do so.
- Duration of the processing: for the duration of the Terms, until the data is returned or deleted in accordance with Section 13.
- Nature and purpose of the processing: hosting and operating the task-queue platform on your behalf — storing and serving the account and task content your users submit, running the queue and workflow features you use, and delivering related notifications and integrations you enable. We do not use Customer Personal Data for any purpose other than providing the Service to you.
- Types of personal data: account data (such as the names, email addresses, and credentials of your users and members) and the task content your users submit to the Service, which may itself contain personal data (for example, names, contact details, and other information referenced in task titles, descriptions, comments, attachments, and activity). The categories of personal data are determined by you through your use of the Service.
- Categories of data subjects: your users and members (the people in your organisation who use the Service) and any individuals referenced in the content your users submit.
- Special categories of personal data: the Service is not designed to process special categories of personal data (Article 9 GDPR). You should not submit such data unless you have ensured an appropriate lawful basis and additional safeguards.
C. Competent supervisory authority
The competent supervisory authority for the Processor is the State Data Protection Inspectorate (Valstybinė duomenų apsaugos inspekcija) (VDAI), Lithuania. Your own competent supervisory authority is determined by your place of establishment or the location of the affected data subjects.
Annex II — Technical & organisational measures
We maintain the following technical and organisational security measures to protect Customer Personal Data (Article 32 GDPR):
- Encryption in transit. All traffic to and from the service is protected with TLS. Internal service-to-service traffic stays on private networks.
- Encryption at rest. Secrets and customer-supplied keys (including bring-your-own LLM keys) are encrypted at rest with AES-256-GCM, scoped and keyed per organisation so one organisation's secrets can never be decrypted in another's context.
- Tenant isolation. Data is partitioned per organisation. Every read and write is scoped to the authenticated principal's organisation, and access controls are enforced server-side rather than relying on the client.
- Tamper-evident provenance. Verification evidence is recorded in an append-only, tamper-evident provenance log. Database triggers block updates and non-cascading deletes, so the record of who decided what cannot be silently altered.
- Authenticated integrations. Outbound webhooks are signed with an HMAC signature so receivers can verify authenticity and integrity. Inbound integration webhooks are likewise verified before processing.
- Access control & authentication. Human access uses authenticated sessions; programmatic access uses scoped API keys (read / write / delete, with an optional per-project allow-list). Agents are first-class principals whose actions are attributed to the server-authenticated identity, not self-reported.
- EU-region hosting. The primary application and its database are hosted on infrastructure located in the European Union.
- Operational controls. Database migrations are applied fail-fast on boot, and personnel with access to personal data are bound by confidentiality obligations (see Section 5).
Annex III — Sub-processors
You authorise the sub-processors listed on our Sub-processors page, which forms part of this DPA and is kept current. At the date of this version, the authorised sub-processors are: Stripe, Resend, Cloudflare, Hosting provider (European Union), Google, Your chosen AI provider (e.g. Anthropic, OpenAI, OpenRouter), Object storage (S3-compatible).
To receive advance notice of changes to this list (Section 7), email privacy@foresttasks.app asking to be added to sub-processor change notifications.