The Article 28 controller-to-processor terms that govern Customer Data.
This Data Processing Agreement (“DPA”) forms part of, and is incorporated by reference into, the agreement between Customer and KanbanGenie Limited (trading as TaskVal) (“We”, “Us”, “Our”) under which Customer has been granted access to the Service (the “Principal Agreement”). The Principal Agreement is the TaskVal Terms and Conditions available at /legal/terms, together with any order, plan, or written agreement between Customer and Us that references those Terms.
This DPA was last updated on 1st May 2026.
This DPA applies to Our processing of Personal Data on Customer's behalf in connection with the Service, where Customer is a Controller and We are a Processor within the meaning of UK Data Protection Law. By accepting the Terms and Conditions, Customer accepts this DPA, and this DPA is treated as if signed by both parties on the date Customer first accepts the Terms (or, if this DPA is updated, on the date the updated version takes effect).
Defined terms used in this DPA but not defined here have the meanings given to them in the Terms and Conditions.
In this DPA, in addition to the terms defined in the Terms and Conditions:
Other capitalised terms used in this DPA but not defined here (including, without limitation, "Principal Agreement", "Documentation", "Subscription", and "Fees") have the meanings given to them in the Terms and Conditions.
2.1 The subject matter of the Processing is the provision of the Service to Customer.
2.2 The duration of the Processing is the term of the Principal Agreement, plus any limited period thereafter required for return, deletion, or backup-cycle expiry of Customer Personal Data as described in clause 12.
2.3 The nature and purpose of the Processing, the categories of Data Subjects, and the categories of Personal Data are set out in Annex 1.
2.4 Customer is the Controller of Customer Personal Data. We are a Processor acting on Customer's behalf in respect of Customer Personal Data. Personal Data that We Process about Customer's authorised users in Our capacity as a controller (for example, account billing data and direct security communications with the named user) is governed by Our Privacy Policy at /legal/privacy, not this DPA.
3.1 Customer warrants and represents that: (a) it has and will maintain a valid lawful basis under Article 6 UK GDPR (and, where relevant, Article 9) for the Processing of Customer Personal Data via the Service; (b) it has provided all notices and obtained all consents required for Us to Process Customer Personal Data as contemplated by the Principal Agreement and this DPA; (c) the instructions it gives Us in respect of Personal Data are lawful; and (d) Customer Personal Data does not infringe the rights of any Data Subject or third party.
3.2 The Principal Agreement (including this DPA), Customer's configuration of the Service, and Customer's use of the Service through its authorised users together constitute Customer's documented instructions to Us in respect of Customer Personal Data. We will only Process Customer Personal Data in accordance with those documented instructions, save where We are required to Process by UK or EU law (in which case We will inform Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest).
3.3 If We believe that an instruction infringes UK Data Protection Law, We will inform Customer without undue delay. We are not obliged to monitor Customer's compliance with UK Data Protection Law more generally.
3.4 Customer must not upload, submit, or otherwise cause Us to Process Special Category Data, criminal-conviction data, or any other Personal Data that requires additional safeguards beyond those described in Annex 2 unless: (a) it has obtained Our prior written consent; and (b) the Service has been configured in writing to handle that data lawfully. We may suspend Processing under clause 15 of the Terms if Customer breaches this clause.
4.1 We will ensure that any person We authorise to Process Customer Personal Data is subject to a duty of confidentiality (whether under contract, employment law, or otherwise) and is appropriately trained in handling Personal Data.
4.2 Access to Customer Personal Data within Our organisation is limited to personnel who require access to perform their duties in connection with the Service, on a least-privilege basis.
5.1 We will implement appropriate technical and organisational measures to ensure a level of security of Customer Personal Data appropriate to the risk, in accordance with Article 32 UK GDPR. The measures We have in place at the date of this DPA are described in Annex 2.
5.2 We may update the measures in Annex 2 from time to time, provided that any update does not materially diminish the overall level of security of the Service.
6.1 Customer grants Us general written authorisation to engage Sub-processors to assist in providing the Service, subject to this clause 6.
6.2 The list of Sub-processors engaged by Us at the date of this DPA is set out in Annex 3.
6.3 Before engaging a new Sub-processor or replacing an existing one, We will: (a) update Annex 3 with the name, location, and category of the new Sub-processor; (b) give Customer at least thirty (30) days' prior notice (via email to the account contact, an in-product notice, or an update to Annex 3 with a notification mechanism) of the change; and (c) take reasonable steps to ensure that the Sub-processor is bound by written terms imposing data protection obligations no less protective than those set out in this DPA.
6.4 If, within fourteen (14) days of receiving notice under clause 6.3, Customer objects on reasonable grounds relating to data protection to Our use of the new Sub-processor, the parties will discuss the objection in good faith. If the parties cannot reach agreement, Customer may terminate the affected part of the Principal Agreement on written notice, with no refund of Fees already paid for the period before termination.
6.5 We remain responsible to Customer for the acts and omissions of Our Sub-processors in the Processing of Customer Personal Data as if they were Our own acts and omissions, subject to the limitations of liability in the Terms and this DPA.
7.1 The Service is hosted in the United Kingdom. Customer Personal Data submitted to the Service by Customer is stored and primarily Processed in the United Kingdom.
7.2 Where a Restricted Transfer is necessary in connection with the Service (for example, where a Sub-processor listed in Annex 3 Processes Personal Data outside the United Kingdom), We will ensure that an appropriate UK Transfer Mechanism is in place before the Restricted Transfer occurs.
7.3 To the extent that the parties are required to enter into a UK Transfer Mechanism directly with each other in respect of Customer Personal Data (for example, where Customer is established outside the United Kingdom), the parties agree that the relevant UK Transfer Mechanism is incorporated into this DPA by reference, with Customer acting as data exporter and Us acting as data importer, and with this DPA constituting the commercial terms required by that mechanism. The parties will complete and exchange any required schedules on request.
8.1 We will notify Customer without undue delay, and in any event within seventy-two (72) hours of Our becoming aware, of any Personal Data Breach affecting Customer Personal Data.
8.2 Our notice will include, to the extent reasonably available to Us at the time of notification: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the likely consequences of the breach; (c) the measures taken or proposed to be taken to address the breach and mitigate its possible adverse effects; and (d) the name and contact details of a point of contact at Us where more information can be obtained.
8.3 Where We do not have all of the information described in clause 8.2 at the time of initial notification, We will provide further information promptly as it becomes available.
8.4 Customer is responsible for any notification it is required to make to a Supervisory Authority or to affected Data Subjects under Articles 33 and 34 UK GDPR. We will provide reasonable assistance to enable Customer to make such notifications.
9.1 Customer is responsible for handling requests from Data Subjects to exercise their rights under UK Data Protection Law (including rights of access, rectification, erasure, restriction, portability, objection, and rights in relation to automated decision-making) in respect of Customer Personal Data.
9.2 Taking into account the nature of the Processing, We will assist Customer by appropriate technical and organisational measures, insofar as this is possible, to enable Customer to fulfil its obligation to respond to Data Subject requests. Where the Service provides self-service tooling that enables Customer to action a request directly (for example, account deletion, data export, or rectification), Customer will use that tooling in the first instance.
9.3 If We receive a request from a Data Subject directed at Us in respect of Customer Personal Data, We will: (a) not respond to the request directly except where required by law; and (b) without undue delay, forward the request to Customer.
9.4 We may charge Customer reasonable costs for assistance under this clause 9 that goes substantially beyond the self-service capabilities of the Service or beyond what is reasonably required of a Processor under UK Data Protection Law.
10.1 Taking into account the nature of the Processing and the information available to Us, We will assist Customer with: (a) Customer's data protection impact assessments under Article 35 UK GDPR in respect of the Service; and (b) any prior consultation Customer is required to undertake with the Information Commissioner's Office under Article 36 UK GDPR.
10.2 Such assistance will normally consist of making available Annex 2 (Technical and Organisational Measures), Annex 3 (Sub-processors), and Our then-current responses to common security and data protection questionnaires. Customer is responsible for drafting and owning its own DPIA. We are not obliged to author, co-author, or substantively contribute to a DPIA on Customer's behalf.
10.3 We may charge Customer at Our then-current rates for any assistance under this clause 10 that goes beyond making available the documents described in clause 10.2, including (without limitation) completing bespoke questionnaires, providing live support, attending meetings, or producing custom narratives.
11.1 We will make available to Customer all information reasonably necessary to demonstrate compliance with Our obligations under Article 28 UK GDPR and this DPA. We will satisfy this obligation by making available a standard information package consisting of Annex 2 (Technical and Organisational Measures), Annex 3 (Sub-processors), summaries of any independent audit reports or security certifications We hold (where available), and Our then-current responses to common security and data protection questionnaires. Customer must use this information package in the first instance and must not invoke clause 11.2 unless and until it has done so.
11.2 An on-site audit may only be conducted where Customer can reasonably demonstrate, by reference to a specific concern, that the information package described in clause 11.1 is materially insufficient to verify Our compliance with this DPA in respect of that concern. Any on-site audit is subject to all of the following conditions: (a) it may take place not more than once in any twelve (12) month period, except where additionally required by a Supervisory Authority or in response to a confirmed Personal Data Breach affecting Customer; (b) Customer must give at least sixty (60) days' prior written notice; (c) Customer bears all of its own costs and shall reimburse Us in full for Our reasonable costs of preparing for and engaging in the audit, including personnel time at Our then-current rates and any third-party costs incurred; (d) the auditor must be Customer's own qualified personnel or a qualified, independent third-party auditor that is not a competitor of Ours, and must sign a confidentiality undertaking on terms reasonably acceptable to Us; (e) the audit must take place at reasonable times during normal business hours, must not unreasonably interfere with Our operations, and must not compromise the security or confidentiality of the data of any other customer or any of Our Sub-processors; (f) the scope of the audit is limited to verifying Our compliance with this DPA in respect of Customer Personal Data.
11.3 In lieu of an on-site audit, We may at Our option propose an alternative means of providing the information Customer reasonably requires (such as a written response to specific questions, a recorded walk-through, or a video meeting with relevant personnel). Where such an alternative reasonably satisfies Customer's verification need, the parties will adopt that alternative.
12.1 During the term of the Principal Agreement, Customer is responsible for retrieving any Customer Personal Data it wishes to retain. Where the Service provides self-service functionality enabling Customer to view, copy, or export Customer Personal Data, Customer should use that functionality. Where the Service does not provide self-service export of any Customer Personal Data Customer reasonably requires, We will provide an export on Customer's reasonable written request, at Customer's cost calculated at Our then-current rates for personnel time and any third-party costs incurred.
12.2 On termination or expiry of the Principal Agreement, Customer's access to the Service ends. Customer is solely responsible for retrieving Customer Personal Data before termination, and We are under no obligation to provide continued access to the Service after termination for the purpose of export.
12.3 If, within thirty (30) days of termination, Customer has not previously exported Customer Personal Data and requests in writing a copy of Customer Personal Data, We will use reasonable efforts to provide a copy at Customer's cost in accordance with clause 12.1. After thirty (30) days following termination, no further export of Customer Personal Data will be available, and any subsequent request will be treated as a request that We are unable to fulfil.
12.4 Save to the extent retention is required by law (in which case We will continue to protect that data in accordance with this DPA for so long as it is retained), We will delete or anonymise all Customer Personal Data within Our active production systems within sixty (60) days following termination of the Principal Agreement.
12.5 Customer Personal Data may persist in routine encrypted backups beyond the deletion timeline in clause 12.4 in accordance with Our then-current backup policy. Such backups are not actively used for Processing and will be overwritten in the ordinary course of backup rotation. We will continue to protect that data in accordance with this DPA for so long as it is retained.
12.6 On Customer's reasonable written request, We will confirm in writing that deletion has been completed.
13.1 Each party's liability arising out of or in connection with this DPA is subject to the limitations and exclusions of liability set out in clause 12 of the Terms (Our Liability). For the avoidance of doubt, the aggregate cap in clause 12.4 of the Terms applies to claims arising under this DPA in addition to all other claims under the Principal Agreement; this DPA does not introduce a separate or additional cap.
13.2 Nothing in this DPA limits a Data Subject's rights under Article 82 UK GDPR or otherwise affects rights that cannot be limited or excluded by contract under UK Data Protection Law.
13.3 As between the parties, each party is solely responsible for any administrative fines or other regulatory penalties imposed on it by a Supervisory Authority for its own breach of UK Data Protection Law, and neither party will indemnify the other in respect of such fines or penalties.
14.1 In the event of a conflict between this DPA and the Terms, this DPA prevails on data protection matters only. On all other matters (including, without limitation, liability cap, governing law, jurisdiction, suspension, termination, fees, and entire-agreement provisions), the Terms prevail.
14.2 In the event of a conflict between this DPA and any UK Transfer Mechanism incorporated under clause 7, the UK Transfer Mechanism prevails to the extent of the conflict in respect of the Restricted Transfer it governs.
15.1 We may update this DPA from time to time to reflect changes in law, regulator guidance, the Service, or Our Sub-processor list. Material updates will be notified to Customer in accordance with the notice mechanism in the Terms. Continued use of the Service after the effective date of an updated DPA constitutes acceptance of the updated DPA.
15.2 This DPA is governed by, and shall be construed in accordance with, the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any dispute arising out of or in connection with this DPA.
15.3 If any provision or part-provision of this DPA is or becomes invalid, illegal, or unenforceable, it shall be deemed modified to the minimum extent necessary to make it valid, legal, and enforceable. If such modification is not possible, the relevant provision or part-provision shall be deemed deleted, without affecting the validity and enforceability of the rest of this DPA.
The provision of the TaskVal SaaS platform (the “Service”) to Customer, including hosting, storing, and processing Customer Data; computing aggregate and per-user metrics; supporting authentication, access control, and notifications; and providing customer support.
The term of the Principal Agreement plus the Export Window and deletion timeline described in clause 12.
Hosting, transmission, storage, structured retrieval, and display of Customer Data; computation of team-level aggregate metrics derived from Customer Data (including cycle time, lead time, throughput, time-in-state, work efficiency, and alignment ratio metrics, computed at the level of a team rather than at the level of an individual); display of workload allocation showing which tasks are assigned to which authorised user; authentication of users; authorisation of access to specific data sets via role-based access control; notification of users about events relevant to them within the Service; logging and monitoring necessary for security, fraud prevention, debugging, and operational integrity of the Service; backup of Customer Data; and provision of customer support and incident response.
Team-level aggregate metrics that do not identify, single out, or otherwise relate to an identified or identifiable individual are not Personal Data. The Service is not designed to compute or display per-individual performance metrics.
The Service is not designed to receive Special Category Data or criminal-conviction data, and Customer must not upload such data without Our prior written consent (see clause 3.4).
Continuous, for the duration of the Principal Agreement.
We implement and maintain the following technical and organisational measures to protect Customer Personal Data, in accordance with Article 32 UK GDPR. We may update these measures from time to time, provided no update materially diminishes the overall level of security.
The following Sub-processors are authorised by Customer in accordance with clause 6 of this DPA. The list is current as at the date of this DPA and may be updated in accordance with clause 6.3.
Customer should treat this list as the authoritative current Annex 3. Where a more recent version is published by Us, that version supersedes this one as at the effective date stated in the update notice.