This Data Processing Agreement (“DPA”) forms part of the contract between fsckmsft, Inc. (“fsckmsft” or “Processor”) and the customer entity that has agreed to the Terms of Service (“Customer” or “Controller”). It governs the processing of personal data by fsckmsft on behalf of the Customer in connection with the fsckmsft platform.

Last updated: January 1, 2025

This DPA is self-service and takes effect automatically when you accept the Terms of Service. If your organisation requires a countersigned DPA for your compliance records, email legal@fsckmsft.org with your company name and billing email address to request a countersigned copy.

1. Definitions

For the purposes of this DPA:
  • “GDPR” means the EU General Data Protection Regulation (2016/679) and, where applicable, the UK GDPR.
  • “Personal Data” has the meaning given in the GDPR.
  • “Data Subject” means the natural person to whom Personal Data relates.
  • “Processing” has the meaning given in the GDPR.
  • “Controller” means the Customer, who determines the purposes and means of processing Personal Data.
  • “Processor” means fsckmsft, which processes Personal Data on behalf of the Controller.
  • “Subprocessor” means any third party engaged by fsckmsft to process Personal Data in connection with providing the Service.
  • “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission under Decision 2021/914.

2. Scope and Applicability

This DPA applies to all processing of Personal Data that fsckmsft performs on behalf of the Customer in the course of providing the Service. It supplements and forms part of the Terms of Service. In the event of a conflict between this DPA and the Terms of Service on a matter of data protection, this DPA takes precedence.

3. Subject Matter, Duration, Nature, and Purpose of Processing

3.1 Subject matter

The subject matter of processing is the Personal Data that the Customer and its authorised users upload, create, or otherwise introduce into the fsckmsft platform.

3.2 Duration

Processing continues for the duration of the Customer’s active subscription and for the 30-day data retention period following account termination or deletion, after which Personal Data is permanently purged from production systems. Backup media containing Personal Data is cycled out within 90 days.

3.3 Nature and purpose

fsckmsft processes Personal Data for the sole purpose of providing the Service as described in the Terms of Service, including:
  • Storing and retrieving Customer Data on request
  • Running automation workflows defined by the Customer
  • Delivering transactional communications (export notifications, workspace invitations)
  • Providing customer support
  • Maintaining service security and integrity
fsckmsft does not process Customer Personal Data for its own commercial purposes, advertising, or product improvement without explicit consent.

4. Types of Personal Data Processed

The types of Personal Data that may be processed depend on the Customer’s use of the Service and may include:
  • Identity data: Names, usernames, profile photos
  • Contact data: Email addresses, job titles, organisation names
  • Usage data: IP addresses, browser/device information, activity logs, feature usage events
  • Content data: Any personal data included in projects, tasks, documents, or automation workflows created by Customer users
  • Communication data: Support request content and correspondence

5. Categories of Data Subjects

Data Subjects whose Personal Data may be processed include:
  • The Customer’s employees, contractors, and authorised users of the Service
  • Any third-party individuals whose data the Customer chooses to input into the Service (e.g. contact information in projects or tasks)
The Customer is responsible for ensuring it has a lawful basis to share third-party personal data with fsckmsft for processing.

6. Obligations of fsckmsft as Processor

6.1 Instructions

fsckmsft processes Personal Data only on documented instructions from the Controller (the Customer), as set out in these Terms and this DPA, unless required by applicable law to process otherwise. If fsckmsft is required by law to process Personal Data in a manner not covered by the Customer’s instructions, fsckmsft will notify the Customer before such processing unless legally prohibited from doing so.

6.2 Confidentiality

fsckmsft ensures that all personnel authorised to process Customer Personal Data are bound by appropriate confidentiality obligations, whether by contract or professional duty.

6.3 Security

fsckmsft implements and maintains technical and organisational measures appropriate to the risk of processing, including:
  • Encryption of Personal Data at rest (AES-256) and in transit (TLS 1.2 or higher)
  • Access controls and least-privilege principles for internal staff
  • Mandatory multi-factor authentication for employees with production system access
  • Regular security assessments and penetration testing
  • Incident detection and response procedures
fsckmsft’s current security practices are described in detail in our Security documentation available upon request at security@fsckmsft.org.

6.4 Subprocessors

fsckmsft engages Subprocessors to assist in providing the Service. The current list of Subprocessors is published at fsckmsft.org/legal/subprocessors. fsckmsft will provide the Customer with at least 30 days’ prior written notice (via email and status page update) before adding or replacing a material Subprocessor. The Customer may object to the use of a new Subprocessor by emailing legal@fsckmsft.org within the notice period, stating the grounds for objection. If the parties cannot resolve the objection, the Customer may terminate the affected Service with a pro-rata refund. All Subprocessors are bound by data processing agreements with fsckmsft that require them to protect Personal Data to at least the standard required by this DPA.

6.5 Data Subject Rights Assistance

fsckmsft provides the Customer with technically feasible assistance to fulfil its obligations in responding to Data Subject Requests (DSARs), including requests for access, correction, deletion, restriction, portability, and objection. The self-service data export and account deletion features available in the platform are provided for this purpose. Where a DSAR cannot be fulfilled through self-service, the Customer may request fsckmsft’s technical assistance by emailing privacy@fsckmsft.org.

6.6 Assistance with Controller obligations

Taking into account the nature of processing and information available to fsckmsft, fsckmsft provides reasonable assistance to the Customer in ensuring compliance with obligations related to security, breach notification, data protection impact assessments (DPIAs), and prior consultations with supervisory authorities.

6.7 Personal data breach notification

fsckmsft will notify the Customer without undue delay — and where feasible, within 72 hours — upon becoming aware of a Personal Data Breach affecting Customer Data. The notification will include:
  • The nature of the breach and categories/approximate volume of Personal Data affected
  • Contact details of the Data Protection Officer or relevant contact point
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

7. International Data Transfers

Where fsckmsft transfers Personal Data originating in the EEA, UK, or Switzerland to countries outside those jurisdictions that do not benefit from an adequacy decision, fsckmsft relies on the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) as the lawful transfer mechanism. By accepting this DPA, the Customer is deemed to have entered into the SCCs with fsckmsft on the terms set out therein. Customers requiring EU data residency should review the EU Data Residency page to keep Personal Data within the EU.

8. Deletion and Return of Data

Upon termination of the Service or upon written request from the Customer, fsckmsft will:
  • Make Customer Data available for export for 30 days post-termination via the export feature.
  • Permanently delete Customer Data from production systems within 30 days of account termination.
  • Cycle Personal Data out of backup systems within 90 days.
  • Provide a written confirmation of deletion upon request.
fsckmsft may retain Personal Data that it is required by applicable law to retain, for the minimum period required.

9. Audit Rights

9.1 Compliance information

fsckmsft will provide the Customer with all information reasonably necessary to demonstrate compliance with this DPA, including access to up-to-date certifications (SOC 2 Type II report, ISO 27001 certificate where applicable).

9.2 Audit inspections

The Customer (or an authorised auditor bound by confidentiality) may, with 30 days’ prior written notice, conduct an audit of fsckmsft’s processing activities relevant to this DPA, no more than once per year. Audit costs are borne by the Customer. fsckmsft reserves the right to exclude from any audit scope information relating to other customers or fsckmsft’s proprietary systems where disclosure would breach confidentiality obligations to third parties.

10. Governing Law

This DPA is governed by the same governing law as the Terms of Service, except where EU/UK GDPR imposes requirements that cannot be varied by contract.

11. Contact

For DPA-related enquiries, countersignature requests, or subprocessor objections: legal@fsckmsft.org