Data Processing Addendum
As of June 2024
This Data Processing Addendum (“DPA”) forms part of the Terms of Service or other written agreement (the “Agreement”) between CARDBOARDit, Inc. (“CardBoard”, “we”, “us”) and the customer organization that agrees to the Agreement (“Customer”, “you”). It reflects the parties’ agreement on the processing of personal data in connection with the Service. Capitalized terms not defined here have the meaning given in the Agreement.
If you require a signed copy of this DPA, contact [email protected].
1. Definitions
- “Applicable Data Protection Law” means all laws and regulations applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and U.S. state privacy laws including the California Consumer Privacy Act as amended by the CPRA (“CCPA”).
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, and “Personal Data Breach” have the meanings given in the GDPR (and the equivalent terms — such as “business”, “service provider”, and “consumer” — under the CCPA).
- “Customer Personal Data” means Personal Data contained within the Content that CardBoard processes on Customer’s behalf in providing the Service.
- “Sub-processor” means any third party engaged by CardBoard to process Customer Personal Data.
- “Standard Contractual Clauses” (“SCCs”) means the clauses approved by the European Commission in Decision 2021/914, as completed in Annex I–III.
2. Roles and scope
For Customer Personal Data, Customer is the Controller (or a Processor acting on behalf of its own controllers) and CardBoard is the Processor (or Sub-processor). This DPA applies only to CardBoard’s processing of Customer Personal Data and does not apply to data for which CardBoard is itself the Controller (for example, account-administration and billing data), which is governed by the Privacy Policy. Each party will comply with its obligations under Applicable Data Protection Law. Customer is responsible for having a lawful basis for the Customer Personal Data it submits and for any notices or consents required from its Data Subjects.
3. Processing instructions
CardBoard will process Customer Personal Data only:
- on Customer’s documented instructions, including as set out in the Agreement, this DPA, and Customer’s configuration and use of the Service;
- as necessary to provide and support the Service; and
- as required by applicable law, in which case CardBoard will inform Customer of that legal requirement before processing unless the law prohibits it.
If CardBoard believes an instruction infringes Applicable Data Protection Law, it will inform Customer. The subject matter, duration, nature, and purpose of processing, the types of Personal Data, and the categories of Data Subjects are described in Annex I.
4. Confidentiality
CardBoard ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only on instruction.
5. Security
CardBoard implements appropriate technical and organizational measures to protect Customer Personal Data, as described in Annex II and summarized at Security & compliance. CardBoard regularly reviews these measures and may update them provided the level of protection is not materially reduced.
6. Sub-processing
Customer provides general authorization for CardBoard to engage Sub-processors to process Customer Personal Data. The current Sub-processors are listed in Annex III. CardBoard will:
- impose data-protection obligations on each Sub-processor that are substantially the same as those in this DPA, and remain liable for each Sub-processor’s performance; and
- give Customer notice of any intended addition or replacement of a Sub-processor (for example, by email or by updating Annex III) with a reasonable opportunity to object on reasonable data-protection grounds. If the parties cannot resolve a documented objection, Customer may terminate the affected part of the Service.
7. Assistance to Customer
Taking into account the nature of the processing, CardBoard will assist Customer, by appropriate technical and organizational measures and insofar as possible, to:
- respond to Data Subject requests to exercise their rights (access, correction, deletion, portability, objection, and restriction). If CardBoard receives such a request directly, it will, unless legally prohibited, direct the Data Subject to Customer or forward the request; and
- meet Customer’s obligations regarding security of processing, breach notification, data protection impact assessments, and prior consultation with supervisory authorities (GDPR Articles 32–36).
8. Personal Data Breach
CardBoard will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its own notification obligations. Notice of a breach is not an acknowledgment of fault or liability.
9. Deletion or return
Upon termination or expiry of the Agreement, CardBoard will, at Customer’s choice, delete or return Customer Personal Data, and delete existing copies, unless retention is required by applicable law. Customer can export its Content (for example, via CSV export) before the end of the Service. Residual copies in routine backups are deleted in accordance with CardBoard’s backup-rotation schedule.
10. Audits
CardBoard will make available to Customer information reasonably necessary to demonstrate compliance with this DPA, including relevant third-party certifications or reports where available. To the extent that information does not provide sufficient assurance, CardBoard will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, on reasonable prior notice, during business hours, no more than once per year (unless required by a supervisory authority or following a Personal Data Breach), subject to confidentiality obligations.
11. International transfers
Where CardBoard processes Customer Personal Data originating from the EEA, UK, or Switzerland in a country that has not received an adequacy decision, the transfer is governed by the Standard Contractual Clauses, which are incorporated into this DPA:
- Module Two (Controller-to-Processor) applies where Customer is a Controller, and Module Three (Processor-to-Processor) applies where Customer is a Processor.
- The optional docking clause applies; the clause on changes to Sub-processors operates under the general authorization option (Section 6).
- For the UK, the parties incorporate the UK International Data Transfer Addendum to the SCCs; for Switzerland, the SCCs apply with the amendments required by the FADP.
- The Annexes to the SCCs are populated by Annex I–III of this DPA. The governing law and forum for the SCCs are as stated in Annex I.
12. CCPA and U.S. state laws
When CardBoard processes Personal Data subject to the CCPA as a service provider (or to the equivalent U.S. state laws as a processor), CardBoard:
- will process the Personal Data only for the business purposes specified in the Agreement and will not sell or share it, or retain, use, or disclose it for any purpose other than performing the Service, or outside the direct business relationship;
- will not combine Personal Data received under the Agreement with Personal Data from other sources, except as permitted by the CCPA; and
- certifies that it understands and will comply with these restrictions.
Customer may take reasonable steps to ensure CardBoard uses Personal Data consistent with Customer’s obligations under U.S. state law.
13. Liability and precedence
Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. In the event of a conflict between this DPA and the Agreement on the subject of data protection, this DPA prevails; in the event of a conflict between this DPA and the SCCs, the SCCs prevail.
Annex I — Description of processing
- Parties: Customer (data exporter; Controller or Processor) and CardBoard (data importer; Processor or Sub-processor), as identified in the Agreement.
- Subject matter: CardBoard’s provision of the Service (collaborative mapping connected to issue trackers).
- Duration: the term of the Agreement, plus any period until deletion or return of Customer Personal Data under Section 9.
- Nature and purpose: hosting, storage, and processing of Content to provide and support the Service, including synchronization with trackers the Customer connects and access by AI assistants the Customer authorizes.
- Types of Personal Data: account and profile identifiers (such as names and email addresses) of Customer’s members and invited guests, and any Personal Data the Customer includes within board Content. Customer should avoid placing special-category data in the Service.
- Categories of Data Subjects: Customer’s personnel, collaborators, guests, and any individuals referenced in Customer’s Content.
- Frequency: continuous, for the term of the Agreement.
- Competent supervisory authority: the Irish Data Protection Commission, unless the Customer’s lead supervisory authority is another EEA or UK authority, in which case that authority applies.
- Governing law / forum for the SCCs: Ireland. (The SCCs must be governed by the law of an EEA member state; this is separate from the governing law of the Agreement, which is the State of Indiana, USA.)
Annex II — Technical and organizational measures
CardBoard maintains measures including:
- Encryption in transit: TLS enforced on all connections (TLS 1.2+).
- Encryption at rest: file storage encrypted at the storage layer; application secrets stored in encrypted credentials.
- Access control: layered, server-side authorization (organization- and board-level) on a least-privilege model; authentication via password, Google/Microsoft OAuth, and SAML SSO; scoped OAuth for API and AI-agent (MCP) access.
- Audit logging: change and system events are recorded and attributed to the acting member.
- Segregation: separate production and staging environments; data hosted in the United States.
- Resilience: routine backups; recovery details available on request.
- Organizational: confidentiality obligations for personnel; vulnerability reporting via [email protected].
Multi-factor authentication is available when signing in through a single sign-on or OAuth provider that enforces it. CardBoard does not currently hold a SOC 2 or equivalent third-party certification, and does not offer formal RTO/RPO commitments; backup and recovery details are available on request.
Annex III — Sub-processors
| Sub-processor | Purpose | Location |
|---|---|---|
| Heroku (Salesforce) | Application hosting | United States |
| Amazon Web Services (S3) | File storage | United States |
| Stripe | Payment processing | United States |
| Google LLC | Authentication (OAuth sign-in) | United States |
| Microsoft | Authentication (Entra ID sign-in) | United States |
| Loops | Transactional and notification email | United States |
| PostHog | Product analytics | United States |
| Help Scout | Customer support communications | United States |
A current list of Sub-processors is maintained and available on request at [email protected].