Data Processing Agreement

Last updated: March 23, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between TaskAI (“Processor”, “we”, “us”) and the organization or individual using TaskAI services (“Controller”, “you”, “your”) for the processing of personal data in connection with the TaskAI platform.

1. Definitions

“Personal Data” means any information relating to an identified or identifiable natural person, as defined under PIPEDA and applicable privacy legislation.

“Processing” means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.

“Subprocessor” means any third party engaged by TaskAI to process Personal Data on behalf of the Controller.

“Data Breach” means any unauthorized access to, or disclosure of, Personal Data.

2. Scope of Processing

TaskAI processes Personal Data solely for the purpose of providing the TaskAI service, which includes:

  • Authenticating users via OAuth 2.0 through Microsoft, Google, or Atlassian identity providers
  • Retrieving email metadata (subject, sender name, date, snippet) for task suggestion
  • Retrieving calendar event metadata (title, time, attendees) for task suggestion
  • Retrieving Jira issue and Confluence page metadata for task linking
  • Storing user-created tasks, projects, and workspace configuration

3. Categories of Personal Data

Category          | Data Elements                                      | Source
------------------|----------------------------------------------------|---------------------------------------
Identity          | Name, email address, profile image URL             | OAuth provider
Email metadata    | Subject line, sender name/email, date, snippet     | Microsoft Graph / Gmail API
Calendar metadata | Event title, start/end time, attendee names        | Microsoft Graph / Google Calendar API
Project data      | Jira issue keys/summaries, Confluence page titles  | Atlassian REST API
User content      | Tasks, projects, notes, workspace settings         | User input

4. Processor Obligations

TaskAI, as Processor, agrees to:

  • Process Personal Data only on documented instructions from the Controller and only for the purposes described in this DPA
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
    • AES-256 encryption of data at rest
    • TLS 1.2+ encryption of data in transit
    • Row-level data isolation between users and workspaces
    • OAuth-only authentication (no password storage)
    • JWT-based session management with httpOnly cookies
    • Input validation, CSRF protection, and security headers
  • Not engage another Subprocessor without prior notification to the Controller (see Section 6)
  • Assist the Controller in responding to data subject requests (access, rectification, deletion)
  • Delete or return all Personal Data upon termination of services, at the Controller's choice
  • Make available all information necessary to demonstrate compliance with this DPA

5. Data Breach Notification

In the event of a Data Breach, TaskAI will:

  • Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
  • Provide sufficient information to allow the Controller to meet any obligations to report the breach to relevant authorities and affected individuals
  • Cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach
  • Maintain a record of all Data Breaches, including facts, effects, and remedial actions taken

6. Subprocessors

TaskAI uses the following Subprocessors to deliver the service:

Subprocessor         | Purpose                                 | Location
---------------------|-----------------------------------------|---------------
Vercel Inc.          | Application hosting and edge deployment | United States
Turso (ChiselStrike) | Database hosting (libSQL)               | United States
Stripe Inc.          | Payment processing                      | United States
GitHub (Microsoft)   | Source code hosting and CI/CD           | United States

TaskAI will notify the Controller of any intended changes to Subprocessors, providing the Controller with the opportunity to object.

7. Data Subject Rights

TaskAI will assist the Controller in fulfilling data subject requests, including:

  • Right of access — Users can view all data stored about them through their TaskAI account settings
  • Right to rectification — Users can update their profile information and task data at any time
  • Right to deletion — Users can delete their account and all associated data. Deletion is completed within 30 days
  • Right to restrict processing — Users can disconnect integrations to stop data retrieval from specific services
  • Right to data portability — Users can export their task data. Contact security@taskai.ca for data export requests

8. International Data Transfers

Personal Data is processed and stored in North America (primarily the United States and Canada). Where Personal Data is transferred outside the Controller's jurisdiction, TaskAI ensures appropriate safeguards are in place, including contractual obligations with Subprocessors that provide equivalent data protection.

9. Term and Termination

This DPA is effective for the duration of the Controller's use of TaskAI services. Upon termination:

  • TaskAI will cease processing Personal Data within 30 days
  • All Personal Data will be permanently deleted within 30 days, unless retention is required by law
  • The Controller may request a data export prior to termination

10. Contact

For questions about this DPA or to exercise data protection rights:

Security & Privacy Team

security@taskai.ca