Data Processing Addendum (DPA)

Parties and Precedence

This DPA is entered into by and between [RETRO RAIL LEGAL ENTITY NAME], with registered office at [ENTITY ADDRESS] ("Processor"), and the customer identified in the Order Form or subscription record ("Controller").

This DPA supplements the main services agreement between the parties (the "Agreement"). If there is a conflict between this DPA and the Agreement on data protection matters, this DPA controls to the extent of that conflict.

Definitions

"Applicable Data Protection Law" means laws applicable to processing personal data under the Agreement, including where relevant GDPR, UK GDPR, and similar laws. "Personal Data", "Controller", "Processor", "Data Subject", and "Processing" have the meanings given under Applicable Data Protection Law.

1. Scope and Purpose

This Data Processing Addendum ("DPA") forms part of the agreement between RetroRail ("Processor") and the customer entity using RetroRail ("Controller") where RetroRail processes personal data on behalf of Controller in connection with the services.

2. Processing Details

• Subject matter: Provision of Slack-based retrospective and action-tracking services.
• Duration: For the term of the services and any agreed post-termination retention period.
• Nature and purpose: Hosting, storing, organizing, summarizing, and analyzing retrospective inputs and related metadata.
• Data categories: User identifiers, profile metadata, retrospective content, comments, votes, action items, telemetry, and support records.
• Data subjects: Customer employees, contractors, workspace members, and authorized users.

3. Roles and Instructions

Controller is responsible for determining the lawful basis for processing personal data. Processor processes personal data only on documented instructions from Controller, including as set out in the service configuration and this DPA, unless otherwise required by applicable law.

4. Controller Obligations

Controller warrants that it has all necessary rights, notices, and legal bases to provide personal data to Processor for processing under the Agreement and this DPA.

5. Confidentiality and Security

Processor ensures that personnel with access to personal data are bound by confidentiality obligations. Processor implements appropriate technical and organizational security measures, taking into account the state of the art, implementation costs, and the nature, scope, context, and purposes of processing.

6. Subprocessors

Controller authorizes Processor to engage subprocessors to deliver the services. Processor remains responsible for subprocessor performance in accordance with this DPA and will impose data protection obligations on subprocessors consistent with applicable law.

Requests for the current subprocessor list may be sent to [email protected].

7. Subprocessor Changes and Objections

Processor will provide notice of material subprocessor changes through a public list, customer notice, or support channel. Controller may object on reasonable data protection grounds within [10-30] days. If the parties cannot resolve the objection, Controller may terminate the affected services without penalty for the unused portion of the term.

8. International Data Transfers

Where Personal Data is transferred from the EEA, UK, or Switzerland to a jurisdiction without an adequacy decision, the parties agree to apply recognized transfer mechanisms, including the EU Standard Contractual Clauses ("EU SCCs"), the UK International Data Transfer Addendum or UK Addendum to the EU SCCs, and the Swiss addendum where required.

For SCC purposes, Controller is the data exporter and Processor is the data importer; Module 2 (Controller-to-Processor) applies unless a different module is required by law. Annex I, II, and III below form part of these transfer terms.

9. Data Subject Requests

Processor will provide reasonable assistance to Controller in responding to requests from data subjects to exercise rights of access, correction, deletion, portability, restriction, or objection, to the extent legally required and feasible.

10. Security Incidents

Processor will notify Controller without undue delay after becoming aware of a confirmed personal data breach affecting Controller data and will provide information reasonably necessary for Controller to meet legal reporting obligations.

Incident notices will be sent to [CUSTOMER SECURITY CONTACT] unless otherwise designated in writing.

11. Return and Deletion

Upon termination of services, Processor will delete or return personal data to Controller according to documented instructions, unless retention is required by law or for legitimate recordkeeping obligations.

Default deletion timeline after termination: [e.g., 30-90 days], unless a different timeline is agreed in writing.

12. Audits and Information

Processor will make available information reasonably necessary to demonstrate compliance with this DPA and applicable data protection obligations, subject to appropriate confidentiality and security safeguards.

Where permitted by law, third-party audit reports and security certifications may satisfy audit requests. Additional audits are limited to once annually and require reasonable prior notice and confidentiality protections.

13. Liability

Each party's liability under this DPA is subject to the liability limitations and exclusions in the Agreement, except where such limitations are prohibited by Applicable Data Protection Law.

14. Governing Law and Venue

This DPA is governed by the laws of [GOVERNING LAW JURISDICTION], and disputes are subject to the courts of [VENUE], unless mandatory law requires otherwise.

15. Contact

For DPA requests or data protection questions, contact [email protected] and [email protected].

Annex I — Processing Description

Annex II — Security Measures

• Encryption in transit and at rest for production data where technically feasible.
• Access controls based on least privilege and role separation.
• Authentication controls for privileged systems.
• Change management, vulnerability management, and patching procedures.
• Logging and monitoring for security events and anomalous activity.
• Backup, disaster recovery, and business continuity processes.
• Security awareness and confidentiality commitments for personnel.
• Documented incident response procedures.

Annex III — Subprocessors

Current subprocessors are listed at [PUBLIC SUBPROCESSOR URL] or provided on request at [email protected].