Data Processing Agreement
Last updated: April 2026 · Version 1.0
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Customer" or "Controller") and TaskNext.AI Ltd ("TaskNext.AI", "we", or the "Processor"). It governs the Processing of Personal Data carried out by us on your behalf in connection with the Service. It applies automatically to all paying Customers; enterprise Customers may also request a counter-signed copy by emailing support@tasknextai.one.
1. Definitions
Capitalised terms used but not defined in this DPA have the meaning given in the Terms of Service or in the UK GDPR and the UK Data Protection Act 2018 (together, "UK Data Protection Law").
- Personal Data means any information relating to an identified or identifiable natural person that the Customer or its end users submit to the Service.
- Processing has the meaning given in the UK GDPR and includes hosting, storage, retrieval, and transmission of Personal Data through the Service.
- Sub-processor means any third party engaged by TaskNext.AI to Process Personal Data on the Customer's behalf.
- Data Subject means the natural person to whom Personal Data relates.
- Personal Data Breach means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.
2. Roles of the Parties
The Customer is the Controller of Personal Data Processed under the Service. TaskNext.AI is the Processor and Processes Personal Data only on the Customer's documented instructions, including those given through ordinary use of the Service (account configuration, content uploads, scheduling actions, OAuth permissions granted to social platforms).
Where the Customer's end users (such as audience members or message senders on connected social accounts) provide Personal Data, the Customer remains the Controller of that data and is responsible for the lawful basis under which it is collected.
3. Subject Matter and Duration
Subject matter: the Processing of Personal Data necessary to provide the Service as described in the Terms of Service.
Duration: for the term of the Customer's active subscription, plus any retention period required by Section 11 below.
Nature and purpose: AI-assisted content generation, scheduling, publishing, and analytics across connected social platforms.
4. Categories of Personal Data and Data Subjects
Categories of Personal Data:
- Account identifiers (name, email, password hash, billing information held by Stripe)
- Connected social account metadata (platform handle, access token, refresh token, scopes granted)
- Content the Customer creates, schedules, or publishes through the Service
- Audience analytics returned by connected platforms (aggregate engagement counts, follower counts, post performance)
- Technical telemetry (IP address, browser metadata, session timestamps, error logs)
Categories of Data Subjects:
- Customer users (account holders and team members)
- End users of the Customer's connected social accounts (followers, audience members, commenters)
5. Obligations of the Processor
TaskNext.AI shall:
- Process Personal Data only on the Customer's documented instructions, including for international transfers, unless required to do otherwise by UK or EU law (in which case we will inform the Customer before Processing, unless prohibited);
- Ensure that personnel authorised to Process Personal Data are bound by confidentiality;
- Implement appropriate technical and organisational measures as set out in Section 6;
- Engage Sub-processors only in accordance with Section 7;
- Assist the Customer with Data Subject requests as set out in Section 8;
- Notify the Customer of Personal Data Breaches as set out in Section 9;
- Make available all information necessary to demonstrate compliance with Article 28 UK GDPR.
6. Security Measures
Taking into account the state of the art and the risks presented by Processing, TaskNext.AI maintains the following technical and organisational measures:
- Encryption in transit: TLS 1.2 or higher for all Customer-facing endpoints and inter-service communication.
- Encryption at rest: AES-256 for the production database (Supabase Postgres) and all object storage.
- Access control: role-based access on the principle of least privilege; production access is limited to named operators and audited; multi-factor authentication required.
- Secret management: credentials and API keys held in environment-variable stores, rotated on suspicion of compromise, never committed to source control.
- Network isolation: production services run on Vercel and Railway with managed firewalls and TLS termination.
- Logging and monitoring: application logs and webhook events retained for at least 90 days for security investigation; alerting on anomalous traffic.
- Backups: automated daily database backups retained for 7 days; point-in-time recovery enabled on the production Postgres instance.
- Vulnerability management: dependency scanning on every deployment; security patches applied promptly.
- Personnel: all personnel sign a confidentiality undertaking and receive data-protection awareness briefings.
7. Sub-processors
The Customer grants TaskNext.AI general authorisation to engage Sub-processors to deliver the Service. TaskNext.AI imposes data-protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable for their acts and omissions to the same extent as for its own.
The current Sub-processors are:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, storage | EU (Frankfurt) |
| Vercel | Web application hosting | USA / EU edge |
| Railway | Backend worker hosting and cron scheduling | USA |
| Stripe | Payment processing and billing | USA / EU |
| Anthropic | AI content generation (Claude models) | USA |
| Google (Gemini, Imagen, Veo, Lyria) | AI generation (text, image, video, audio) | USA / EU |
| Cohere | Bulk caption generation | USA / Canada |
| Perplexity | Trend research and citation | USA |
| xAI | Image generation fallback (Grok) | USA |
| Zernio | Social media publishing API | EU |
| Sentry | Error monitoring | EU |
TaskNext.AI will provide the Customer with at least 30 days' notice of any intended addition or replacement of Sub-processors via the Service or by email. The Customer may object to a new Sub-processor on reasonable data-protection grounds within that period, in which case the Customer's exclusive remedy is to terminate the affected portion of the Service.
8. Data Subject Rights
Taking into account the nature of the Processing, TaskNext.AI assists the Customer by appropriate technical and organisational measures, insofar as possible, to fulfil the Customer's obligation to respond to Data Subject requests under Chapter III UK GDPR (including rights of access, rectification, erasure, restriction, portability, and objection).
The Customer can self-serve most requests through the Service (export, delete, edit account data). For requests that require Processor assistance, contact support@tasknextai.one; we will respond within 5 business days.
9. Personal Data Breach Notification
TaskNext.AI shall notify the Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting the Customer's Personal Data. The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, and the measures taken or proposed to address the breach.
Notifications will be sent to the email address on the Customer's account. The Customer is responsible for keeping that address current.
10. Data Protection Impact Assessments
On reasonable request, TaskNext.AI will provide the Customer with information necessary to carry out Data Protection Impact Assessments and prior consultations with the Information Commissioner's Office (or other competent supervisory authority) in respect of the Service.
11. International Transfers
Where TaskNext.AI transfers Personal Data outside the United Kingdom or the European Economic Area, the transfer is governed by the UK International Data Transfer Agreement (IDTA) or the UK Addendum to the EU Standard Contractual Clauses, whichever is applicable. The Customer is deemed to enter into the IDTA / SCCs as data exporter, with TaskNext.AI as data importer, on signature of the Terms of Service.
TaskNext.AI carries out and documents transfer risk assessments for transfers to USA-based Sub-processors and applies supplementary measures (encryption in transit and at rest, contractual restrictions on government access requests) as required.
12. Audit Rights
The Customer (or an independent auditor mandated by the Customer and reasonably acceptable to TaskNext.AI) may audit TaskNext.AI's compliance with this DPA no more than once every 12 months, on at least 30 days' written notice and during normal business hours, subject to reasonable confidentiality undertakings.
TaskNext.AI may satisfy audit obligations by providing summaries of its information-security policies and any third-party attestations or penetration test reports it holds, where these reasonably address the Customer's concerns.
13. Return or Deletion of Personal Data
On termination or expiry of the Customer's subscription, TaskNext.AI will, at the Customer's option, delete or return all Personal Data Processed on its behalf, and delete existing copies, within 30 days, unless retention is required by law.
Backups containing Personal Data will be overwritten in the ordinary course of business within the backup retention window described in Section 6.
14. Liability
Each party's liability arising out of or related to this DPA is subject to the limitation of liability set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under UK Data Protection Law.
15. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails in respect of the Processing of Personal Data.
16. Governing Law
This DPA is governed by the laws of England and Wales. The courts of England and Wales have exclusive jurisdiction over any disputes arising from it, without prejudice to the Customer's right to bring proceedings before its local supervisory authority.
17. Contact
For all matters relating to this DPA, including counter-signature requests:
TaskNext.AI · Data Protection
Email: support@tasknextai.one
Subject line: "DPA · [your company name]"
We aim to respond within 5 business days.
18. Related Documents
This DPA should be read together with the Terms of Service, Privacy Policy, and Refund Policy.