1. Introduction
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between IS.TEAM LLC ("IS.TEAM," "Processor," "we," "us," or "our") and the entity or individual agreeing to the Agreement ("Customer," "Controller," "you," or "your").
This DPA applies where and only to the extent that IS.TEAM processes Personal Data on behalf of the Customer in the course of providing the Service, and such Personal Data is subject to Data Protection Laws. This DPA is incorporated into and supplements the Agreement.
By using the Service, you acknowledge that you have read and agreed to this DPA. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have the authority to bind that entity.
2. Definitions
| Term | Meaning |
|---|---|
| Data Protection Laws | All applicable laws relating to the processing of Personal Data, including GDPR (EU 2016/679), UK GDPR, Swiss FADP, and any applicable US state privacy laws (CCPA/CPRA, etc.) |
| Personal Data | Any information relating to an identified or identifiable natural person that IS.TEAM processes on behalf of Customer as part of the Service |
| Processing | Any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, use, disclosure, erasure, or destruction |
| Controller | The entity that determines the purposes and means of Processing Personal Data (the Customer) |
| Processor | The entity that processes Personal Data on behalf of the Controller (IS.TEAM) |
| Subprocessor | A third party engaged by IS.TEAM to process Personal Data on behalf of the Customer |
| Data Subject | The identified or identifiable natural person to whom Personal Data relates |
| Standard Contractual Clauses (SCCs) | The standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission Decision 2021/914 |
| Service | The is.team platform and all related applications, APIs, and services as described in the Agreement |
3. Scope and Roles
3.1 Roles of the Parties
- Customer acts as the Controller of Personal Data processed through the Service.
- IS.TEAM acts as the Processor, processing Personal Data solely on behalf of and under the documented instructions of the Customer.
3.2 Categories of Data Subjects
Personal Data processed under this DPA may relate to:
- Customer's employees and contractors
- Customer's team members and collaborators
- Any individuals whose data is entered into the Service by Customer or its authorized users
3.3 Types of Personal Data
The following categories of Personal Data may be processed:
- Identity data: names, display names, email addresses, profile photos
- Account data: authentication credentials (hashed), language and timezone preferences
- Workspace data: task descriptions, comments, notes, file attachments, labels, assignments
- Time tracking data: worklog entries, timer durations, descriptions
- Communication data: comments, @mentions, meeting note transcriptions
- Technical data: IP addresses, browser type, device information, usage logs
3.4 Purpose of Processing
IS.TEAM processes Personal Data solely to provide the Service as described in the Agreement, including:
- Hosting and operating the collaborative project management platform
- Authenticating users and managing workspace memberships
- Sending transactional notifications (email, in-app, Slack)
- Processing payments and managing subscriptions
- Providing AI-powered features (workflow planning, meeting transcription, card assistant)
- Providing analytics and reporting within the Service
4. Obligations of IS.TEAM (Processor)
4.1 Processing Instructions
IS.TEAM shall:
- Process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such a case, IS.TEAM shall inform the Customer of that legal requirement before Processing, unless prohibited by law.
- Immediately inform the Customer if, in IS.TEAM's opinion, an instruction infringes Data Protection Laws.
4.2 Confidentiality
IS.TEAM shall ensure that persons authorized to process Personal Data:
- Have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Process Personal Data only on instructions from the Customer, unless required by applicable law.
4.3 Security Measures
IS.TEAM shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption: Data encrypted in transit (TLS 1.2+) and at rest (AES-256 via Firebase/Google Cloud)
- Access controls: Role-based access control, authentication via Firebase Auth, API rate limiting
- Infrastructure security: Hosted on Vercel (edge network) and Google Cloud Platform with SOC 2 Type II certification
- Application security: Input validation, CSRF protection, Content Security Policy headers, HMAC-SHA256 webhook signatures
- Monitoring: Sentry error tracking, automated security scanning, audit logging
- Backup: Daily automated Firestore backups to Google Cloud Storage with point-in-time recovery capability
- Employee access: Minimal access principle; production database access restricted to authorized personnel
4.4 Subprocessing
IS.TEAM shall not engage another Processor (Subprocessor) without prior general written authorization of the Customer. The Customer hereby provides general authorization for IS.TEAM to engage Subprocessors listed in Section 8 of this DPA.
IS.TEAM shall:
- Inform the Customer of any intended changes concerning the addition or replacement of Subprocessors, giving the Customer the opportunity to object to such changes.
- Impose the same data protection obligations as set out in this DPA on any Subprocessor by way of a contract.
- Remain fully liable for the performance of its Subprocessors' obligations.
4.5 Data Subject Rights
IS.TEAM shall, taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures for the fulfillment of the Customer's obligations to respond to requests from Data Subjects exercising their rights under Data Protection Laws. These rights include:
- Right of access (Art. 15 GDPR)
- Right to rectification (Art. 16 GDPR)
- Right to erasure / "right to be forgotten" (Art. 17 GDPR)
- Right to restriction of processing (Art. 18 GDPR)
- Right to data portability (Art. 20 GDPR)
- Right to object (Art. 21 GDPR)
If IS.TEAM receives a request from a Data Subject directly, IS.TEAM shall promptly redirect the Data Subject to the Customer, unless otherwise instructed.
4.6 Data Protection Impact Assessments
IS.TEAM shall assist the Customer in ensuring compliance with the obligations regarding data protection impact assessments and prior consultation with supervisory authorities (Articles 35 and 36 GDPR), taking into account the nature of Processing and the information available to IS.TEAM.
5. Data Breach Notification
5.1 Notification Obligation
IS.TEAM shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data breach.
5.2 Notification Content
The notification shall include, to the extent available:
- A description of the nature of the Personal Data breach, including the categories and approximate number of Data Subjects and records concerned
- The name and contact details of IS.TEAM's point of contact for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to be taken to address the breach, including measures to mitigate its possible adverse effects
5.3 Cooperation
IS.TEAM shall cooperate with the Customer and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Personal Data breach.
6. International Data Transfers
6.1 Transfer Mechanisms
IS.TEAM is based in the United States. Where Personal Data originating from the EEA, UK, or Switzerland is transferred to the United States, such transfers are made under one or more of the following mechanisms:
- EU-US Data Privacy Framework (DPF) — where the Subprocessor is certified under the DPF
- Standard Contractual Clauses (SCCs) — European Commission Decision 2021/914, Module Two (Controller to Processor)
- UK International Data Transfer Addendum — the UK Addendum to the EU SCCs, as issued by the UK Information Commissioner's Office
6.2 Additional Safeguards
In addition to the transfer mechanisms above, IS.TEAM implements supplementary measures including:
- Encryption of data in transit and at rest
- Access controls limiting who can access Personal Data
- Regular security assessments of Subprocessors
- Contractual commitments from Subprocessors to maintain equivalent protections
7. Audit Rights
7.1 Information and Audit
IS.TEAM shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in this DPA and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer.
7.2 Audit Process
- Audits shall be conducted with reasonable prior written notice (at least 30 days), during normal business hours, and shall not unreasonably disrupt IS.TEAM's operations.
- The Customer shall bear its own costs of any audit.
- Audit findings and reports shall be treated as Confidential Information.
- IS.TEAM may satisfy audit requests by providing relevant SOC 2 Type II reports, ISO 27001 certifications, or equivalent third-party audit reports from its infrastructure providers (Google Cloud, Vercel).
8. Subprocessors
IS.TEAM uses the following Subprocessors to provide the Service:
| Subprocessor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Google Cloud / Firebase (Google LLC) | Authentication, database (Firestore), real-time sync, cloud storage | USA (global CDN) | EU-US DPF, SCCs |
| Google Analytics 4 (Google LLC) | Website usage analytics and audience measurement | USA (global) | EU-US DPF, SCCs |
| Google AI / Gemini (Google LLC) | AI features: transcription, task generation, workflow suggestions, card assistant | USA | EU-US DPF, SCCs |
| Stripe, Inc. | Payment processing and subscription management | USA | EU-US DPF, SCCs |
| Vercel, Inc. | Application hosting, edge network, serverless functions | USA (global edge) | SCCs |
| Cloudflare, Inc. | CDN, DDoS protection, DNS, Turnstile CAPTCHA | USA (global CDN) | EU-US DPF, SCCs |
| Resend, Inc. | Transactional, notification, and marketing email delivery | USA | SCCs |
| Daily.co (Daily.co, Inc.) | Voice/video room infrastructure | USA | SCCs |
| Skribby.io (Skribby Inc.) | AI meeting bot — joins calls to record and transcribe meeting audio | USA | SCCs |
| Sentry (Functional Software, Inc.) | Error tracking and performance monitoring | USA | SCCs |
| Smartlook (Smartlook.com, s.r.o.) | Session recording, heatmaps, and user experience analytics | Czech Republic (EU) | N/A (EU-based) |
| Unsplash (Unsplash Inc.) | Stock photo API for board cover images | Canada | SCCs |
| SerpAPI (SerpApi LLC) | Search data enrichment for outreach features | USA | SCCs |
8.2 Customer-Initiated Third-Party Integrations
The following services are connected by the Customer at their discretion. When enabled, data flows directly between the Customer's accounts on these platforms and IS.TEAM:
| Integration | Data Exchanged |
|---|---|
| GitHub (Microsoft) | Repository names, PR/issue titles, status updates |
| Slack (Salesforce) | Channel names, task notification messages |
| Google Drive (Google LLC) | File names, thumbnails, embed URLs |
| Figma (Figma, Inc.) | File names, thumbnails, embed URLs |
| Google Calendar (Google LLC) | Event titles, dates, attendee names for deadline sync |
| Twitter/X (X Corp.) | Social media post content (IS.TEAM-managed, not user data) |
| LinkedIn (Microsoft) | Social media post content (IS.TEAM-managed, not user data) |
These integrations are governed by each provider's own terms and privacy policies. IS.TEAM acts as a conduit and does not store integration data beyond what is necessary to display it within the Service.
8.3 Changes to Subprocessors
IS.TEAM maintains an up-to-date list of Subprocessors on this page. When IS.TEAM engages a new Subprocessor:
- IS.TEAM will update this list and notify the Customer via email (to the workspace owner's email address) at least 14 days before the new Subprocessor begins processing Personal Data.
- If the Customer objects to a new Subprocessor on reasonable data protection grounds, the parties shall discuss the concern in good faith. If no resolution is reached within 30 days, the Customer may terminate the affected Service by providing written notice.
9. Data Retention and Deletion
9.1 During the Agreement
IS.TEAM shall process and store Personal Data for the duration of the Agreement, unless otherwise required by applicable law.
9.2 Upon Termination
Upon termination of the Agreement, IS.TEAM shall, at the choice of the Customer:
- Return all Personal Data to the Customer in a commonly used, machine-readable format (JSON export); or
- Delete all Personal Data and existing copies, unless applicable law requires storage of the Personal Data.
IS.TEAM shall complete the deletion within 90 days of the termination date or the Customer's deletion request, whichever is later.
9.3 Certification
Upon request, IS.TEAM shall provide the Customer with a written certification that all Personal Data has been deleted in accordance with this DPA.
10. Obligations of the Customer (Controller)
The Customer warrants that:
- It has a lawful basis for processing Personal Data and for instructing IS.TEAM to process Personal Data on its behalf.
- It has provided appropriate notices to, and obtained necessary consents from, Data Subjects as required by Data Protection Laws.
- It shall comply with its obligations under Data Protection Laws with respect to the Personal Data it provides to IS.TEAM.
- Its instructions to IS.TEAM regarding the processing of Personal Data comply with Data Protection Laws.
11. Limitation of Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Agreement.
12. Governing Law and Jurisdiction
This DPA shall be governed by and construed in accordance with the laws specified in the Agreement, except to the extent that Data Protection Laws require otherwise:
- For EEA Data Subjects: the laws of the Republic of Ireland
- For UK Data Subjects: the laws of England and Wales
- For Swiss Data Subjects: the laws of Switzerland
- For all others: the laws of the State of Delaware, United States
13. Term and Termination
This DPA shall remain in effect for as long as IS.TEAM processes Personal Data on behalf of the Customer. Upon termination of the Agreement, this DPA shall automatically terminate, subject to Section 9 (Data Retention and Deletion).
14. Amendments
IS.TEAM may update this DPA from time to time to reflect changes in Data Protection Laws, our processing activities, or our Subprocessors. Material changes will be notified via email to workspace owners at least 30 days before taking effect.
The "Last Updated" date at the top of this DPA indicates when it was most recently revised.
15. Contact
For questions or requests regarding this DPA, contact us at:
IS.TEAM LLC 8 The Green, Ste A Dover, DE 19901 United States
Email: hello@is.team Subject line: "DPA Inquiry" for expedited handling