DATA PROCESSING AGREEMENT (DPA)
Last Updated: December 01, 2025
Contact: [email protected]
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Letss B.V., a private limited liability company established under the laws of the Netherlands ("Processor" or "DoneThat") and the entity or individual subscribing to the Services ("Controller" or "Customer").
1. Definitions
"GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
"Personal Data", "Processing", "Data Subject", "Controller", and "Processor" have the meanings given to them in the GDPR.
"Services" means the DoneThat AI time-tracking and productivity services provided by Processor to Controller under the Agreement.
"Subprocessor" means any third-party processor engaged by DoneThat to assist in processing Personal Data.
2. Scope and Role of Parties
2.1. The parties agree that for the provision of the Services, Customer is the Controller and DoneThat is the Processor.
2.2. DoneThat shall process Personal Data only on behalf of and in accordance with Customer’s documented instructions (including this DPA and the Agreement), unless required to do otherwise by applicable law.
2.3. The details of the processing (subject matter, nature, purpose, and categories of data) are set out in Annex A.
3. Processor Obligations
3.1. Confidentiality: DoneThat ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
3.2. Security: Taking into account the state of the art, the costs of implementation, and the nature of the processing, DoneThat shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex B.
3.3. Data Subject Rights: DoneThat shall, to the extent legally permitted and taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of Customer’s obligation to respond to requests for exercising the Data Subject's rights (e.g., access, rectification, erasure).
3.4. Assistance: DoneThat shall assist Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR (security, data breach notification, data protection impact assessments), taking into account the nature of processing and the information available to DoneThat.
4. Subprocessing
4.1. Authorization: Customer grants DoneThat a general authorization to engage Subprocessors to provide the Services. The current list of Subprocessors is referenced in Annex C.
4.2. Changes: DoneThat will notify Customer (via email, in-app notification, or website update) of any intended changes concerning the addition or replacement of Subprocessors. Customer may object to such changes on reasonable grounds within 14 days. If the parties cannot resolve the objection, Customer may terminate the Agreement.
4.3. Liability: DoneThat remains fully liable to Customer for the performance of the Subprocessor’s obligations.
5. International Transfers
5.1. If Personal Data is transferred outside the European Economic Area (EEA) to a country not recognized by the European Commission as providing an adequate level of protection, DoneThat agrees to abide by the Standard Contractual Clauses (SCCs) or rely on another valid transfer mechanism under Chapter V of the GDPR.
6. Data Breaches
6.1. DoneThat shall notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer’s data.
6.2. The notification shall describe the nature of the breach, the likely consequences, and the measures taken or proposed to be taken to address the breach.
7. Audit Rights
7.1. Upon request, DoneThat shall make available to Customer all information necessary to demonstrate compliance with this DPA.
7.2. To the extent that the information provided under Section 7.1 is insufficient, Customer may request an audit. To minimize business disruption, such audits shall:
- (a) Be conducted during regular business hours with at least 30 days' prior written notice;
- (b) Be limited to once per calendar year (unless a confirmed data breach has occurred); and
- (c) Rely primarily on DoneThat's internal security documentation and responses to standard security questionnaires, avoiding physical inspections unless strictly required by law.
8. Deletion or Return of Data
8.1. Upon termination of the Services, DoneThat shall, at the choice of Customer, delete or return all Personal Data to Customer, unless applicable law requires storage of the Personal Data.
9. Governing Law
9.1. This DPA shall be governed by the laws of the Netherlands. Disputes shall be resolved by the competent court of Amsterdam.
ANNEX A: DETAILS OF PROCESSING
1. Nature and Purpose of Processing
The Personal Data is processed to provide the DoneThat SaaS application services, including automated time tracking, work categorization, AI-driven work summaries, and team analytics.
2. Categories of Data Subjects
Employees, contractors, and team members of the Customer using the Services.
3. Types of Personal Data
A. Common Data (Processed for all users):
- Identity Data: Information that identifies or relates to an identifiable individual, such as name, contact details (for example, email address), job title or role, organization name, and profile information you choose to provide (for example, profile pictures or similar identifiers).
- User Inputs & Goals: Information you actively provide in the Services, which may include, for example, goals, todos, tasks, manual time entries, planning data, and information about working hours or availability.
- Social & Interaction Data: Comments, reactions (e.g., likes), and other metadata regarding interactions with content in the Services or with other users' content.
- Agent Interaction Data: Chat queries and history with the AI agent, including any context or content you voluntarily share within the chat (for example, snippets, images, or screenshots).
- General User Content: Any other text, images, files, or data voluntarily submitted or generated by the user through the Services.
- Derived Data: Data derived from your use of the Services, such as AI-generated work summaries, work patterns, productivity indicators or scores, categorization tags, analytics about time allocation (for example, working hours by project or activity), and other similar insights.
- Technical Data: Technical identifiers and telemetry related to the use of the Services, such as IP addresses, device identifiers, browser type, operating system, and similar technical information.
B. Raw Activity Data & AI Processing (Depending on configuration):
Option 1: DoneThat AI (Default):
Raw Activity Data (such as screenshots, window titles, activity logs, audio recordings or transcripts, and similar work-activity signals) is processed by DoneThat and its authorized AI Subprocessors.
Option 2: BYO AI:
Raw Activity Data is processed locally or transmitted directly to the Customer's own AI provider using the Customer's API credentials. In this configuration, DoneThat does not process Raw Activity Data through its own AI Subprocessors.
ANNEX B: SECURITY MEASURES (TOMs)
DoneThat implements the following Technical and Organizational Measures to protect Personal Data:
Access Control: Access to production data is restricted to authorized personnel on a strict need-to-know basis. Multi-Factor Authentication (MFA) is enforced for administrative access.
Encryption:
- In Transit: Data is encrypted using TLS 1.2 or higher.
- At Rest: Data stored in the cloud infrastructure is encrypted at rest using AES-256 standards.
Data Minimization: Raw data (such as screenshots) is processed immediately and, where applicable, not permanently stored beyond the duration required for analysis or user-configured retention settings.
Vendor Management: All Subprocessors and third-party vendors are vetted for security compliance and privacy practices. Data sharing is strictly limited to the minimum necessary for the provision of the Services.
Physical Security: DoneThat utilizes top-tier cloud providers (Google Cloud Platform), which maintain strict physical security controls at their data centers (ISO 27001 certified).
ANNEX C: LIST OF SUBPROCESSORS
The current list of Subprocessors authorized by the Customer is maintained online at:
https://donethat.ai/subprocessors
DoneThat may update this list from time to time in accordance with Section 4.2 of this DPA.