Data Processing Addendum

This Data Processing Addendum (DPA) is incorporated into and forms part of the Saga PM Terms of Service. It applies automatically when a Customer's use of the Service involves the processing of Personal Data subject to applicable Data Protection Laws — there is no separate signature required.

Version: v1.0
Effective: May 7, 2026
Last updated: May 7, 2026

Need a counter-signed copy?

This DPA applies automatically when you accept our Terms of Service — most customers do not need a signed copy. If your procurement or legal team requires one for their records, email [email protected] and we'll send a pre-signed PDF the same day.

Enterprise customers negotiating a custom Master Services Agreement may redline this DPA as part of that process. Reach out to your account contact, or [email protected].

Parties. This DPA is between Saga PM, Inc. ("Saga PM", "Processor") and the customer organization ("Customer", "Controller") that has accepted the Saga PM Terms of Service.

1. Definitions

Capitalized terms not defined here have the meaning given in the Terms of Service or in applicable Data Protection Laws.

  • "Applicable Data Protection Laws" means the EU GDPR (Regulation (EU) 2016/679), the UK GDPR, the Swiss Federal Act on Data Protection, the California Consumer Privacy Act as amended by the California Privacy Rights Act ("CCPA/CPRA"), and any successor or equivalent legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person that Customer or its Authorized Users submit to or generate within the Service.
  • "Processing" has the meaning given in GDPR Article 4(2).
  • "Subprocessor" means any third party engaged by Saga PM to process Personal Data on Customer's behalf.
  • "Personal Data Breach" has the meaning given in GDPR Article 4(12).
  • "Standard Contractual Clauses" (SCCs) means the European Commission's standard contractual clauses for international transfers (Decision 2021/914), together with the UK Addendum issued by the ICO.

For CCPA/CPRA purposes, Customer is a "Business" and Saga PM is a "Service Provider".

2. Scope and roles

2.1 Roles

With respect to Personal Data submitted to the Service:

  • Customer is the Data Controller (or, where Customer processes data on behalf of a third party, a Data Processor).
  • Saga PM is the Data Processor acting on Customer's documented instructions.

2.2 Documented instructions

Saga PM will process Personal Data only:

  1. To provide the Service in accordance with the Terms of Service and this DPA;
  2. As otherwise instructed by Customer in writing (including via the Service's configuration controls); or
  3. As required by law, in which case Saga PM will (where legally permitted) inform Customer of that requirement before processing.

If Saga PM believes an instruction infringes Applicable Data Protection Laws, it will notify Customer without undue delay.

3. Description of processing

  • Subject matter: Provision of a multi-tenant project-management software-as-a-service platform.
  • Duration: For the term of the Terms of Service plus the retention period in §11.
  • Nature and purpose: Authentication, access control, storage and retrieval of Customer Content, transactional notifications, embeddings (where enabled), and operating, securing, monitoring, and supporting the Service.
  • Categories of Data Subjects: Customer's Authorized Users; individuals identified within Customer Content.
  • Categories of Personal Data: Account data (name, email, hashed credentials or SSO identifiers, MFA factor metadata, profile avatar); activity data (entity authorship, comments, edit history); technical metadata (IP address, user agent, session identifiers, request logs); Customer Content placed into the Service.
  • Special categories: The Service is not designed for special categories of Personal Data (GDPR Art. 9) or data relating to criminal convictions (Art. 10). Customer should not submit such data; if Customer does, Customer remains responsible for ensuring lawful basis.
  • Frequency: Continuous for the term of the Terms of Service.

4. Confidentiality

Saga PM ensures that personnel authorized to process Personal Data are bound by appropriate written confidentiality obligations and receive training on data protection appropriate to their role.

5. Security (Technical and Organizational Measures)

Saga PM implements appropriate technical and organizational measures to protect Personal Data, including:

  • Encryption in transit: TLS 1.2 or higher for all connections, including from end-user browsers and from internal services to the database.
  • Encryption at rest: Storage-level encryption on the production database; tenant secrets envelope-encrypted with AES-256-GCM and HKDF-SHA256-derived per-key material.
  • Access control: Role and team RBAC enforced server-side; multi-factor authentication available; per-tenant SSO via OIDC; production system access subject to least-privilege and periodic review.
  • Tenant isolation: Schema-per-tenant logical isolation in the production database; tenant scoping enforced on every database connection before any query runs.
  • Network security: Production workloads in a private VPC; TLS-terminated ingress.
  • Logging and monitoring: Tenant settings audit log; administrative audit log; centralized structured logging with tenant and actor context; continuous metric and alert monitoring.
  • Vulnerability management: Automated dependency vulnerability scanning in CI; ongoing investment in additional code analysis and external testing as appropriate to scale and risk.
  • SDLC: Mandatory peer review; CI gating; deliberate (manual) production deploys; migration safety validation.
  • Backups: Encrypted backups with point-in-time recovery; documented restore procedures.
  • Personnel: Confidentiality obligations; security training appropriate to role.
  • Endpoint security: Personnel devices with full-disk encryption and screen-lock; centralized device security policies.
  • Incident response: Established incident response process; commitment to timely Personal Data Breach notification per §9.

For a more detailed walkthrough of these measures and the program maturing them, see the Security Overview.

Customer responsibility. Customer is responsible for configuring its workspace appropriately, including assigning roles, enabling MFA where required, and managing the lifecycle of its Authorized Users.

6. Subprocessors

6.1 General authorization

Customer authorizes Saga PM to engage Subprocessors to assist in the provision of the Service, subject to this Section.

6.2 Current Subprocessors

The current list of Subprocessors is published at /trust/subprocessors. Saga PM remains responsible to Customer for the acts and omissions of its Subprocessors.

6.3 Notification of new Subprocessors

Saga PM will provide Customer with at least 30 days' notice before engaging a new Subprocessor (by updating the published list and notifying subscribed contacts). Customer may object on reasonable data-protection grounds within that notice period, in which case the parties will work in good faith to resolve the concern. If a resolution cannot be reached, Customer's exclusive remedy is to terminate the affected portion of the Terms of Service.

6.4 Subprocessor obligations

Saga PM engages Subprocessors only under written agreements imposing data-protection obligations no less protective than those in this DPA, conducts reasonable due diligence before engagement, and remains liable to Customer for the acts and omissions of its Subprocessors as if they were its own.

7. International data transfers

Where Personal Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country not recognized as providing an adequate level of protection, the transfer is made on the basis of the Standard Contractual Clauses (Module Two: Controller to Processor; Module Three where applicable), incorporated by reference into this DPA, together with the UK Addendum issued by the ICO for transfers subject to UK data protection law.

Saga PM has implemented supplementary technical and organizational measures (encryption in transit and at rest, access controls, transparency reporting on government data requests) to address risks identified in Schrems II.

Data location. Saga PM currently hosts production Personal Data in the United States (DigitalOcean NYC3 region). Saga PM will provide reasonable notice of any change to the primary hosting region.

8. Data Subject Rights assistance

Saga PM will assist Customer, taking into account the nature of the processing, in fulfilling Customer's obligation to respond to Data Subject requests under Applicable Data Protection Laws (access, rectification, erasure, restriction, portability, objection, automated decision-making).

Customer can, through the Service, directly: view and edit Personal Data, export workspace data via the GraphQL API, remove Authorized Users, and delete the workspace.

If Saga PM receives a Data Subject request directly relating to Customer's data, Saga PM will not respond other than to acknowledge receipt and direct the Data Subject to Customer (unless legally required), and will promptly forward the request to Customer.

9. Personal Data Breach notification

Saga PM will notify Customer without undue delay, and in any event within 72 hours after becoming aware of a Personal Data Breach affecting Customer's Personal Data. The notification will include:

  • The nature of the breach, including the categories and approximate volume of data and Data Subjects affected;
  • The likely consequences of the breach;
  • Measures taken or proposed to address the breach and mitigate its possible adverse effects;
  • The name and contact details of Saga PM's designated contact for further information.

Saga PM will cooperate with Customer in the investigation, mitigation, and notification of the breach. A notification under this Section is not an admission of fault or liability.

10. Audit rights

10.1 Standard audit information

Saga PM will make available to Customer the information necessary to demonstrate compliance with this DPA, including copies of third-party security audit reports (e.g., SOC 2 Type II, when issued) under appropriate confidentiality obligations, responses to Customer's reasonable security questionnaires, and documentation of the technical and organizational measures listed in §5.

10.2 On-site audits

Where Customer reasonably believes that the standard audit information is insufficient, and subject to (a) at least 30 days' prior written notice, (b) execution of a confidentiality agreement, (c) conducting the audit during normal business hours and in a manner that does not unreasonably interfere with Saga PM's operations, (d) Customer bearing the costs of the audit, and (e) no more than once per 12-month period (except after a confirmed Personal Data Breach), Saga PM will permit a mutually agreed independent auditor (not a competitor of Saga PM) to conduct an audit relevant to the processing under this DPA.

10.3 Regulator audits

Saga PM will cooperate with audits requested by a competent supervisory authority where required by law.

11. Return and deletion of Personal Data

Customer may export Personal Data from the Service at any time using available export and API tools.

Within 30 days after termination or expiry of the Terms of Service, Saga PM will, at Customer's option:

  (a) Delete all Personal Data from the production environment, including by deletion of the tenant database schema and zeroing of associated tenant secrets; or
  (b) Return all Personal Data to Customer in a commonly used machine-readable format, and then delete it as in (a).

Personal Data may persist in encrypted backups for the standard backup retention period (no longer than 30 days, except as required by law). Such data will not be processed for any purpose during this period and will be deleted on the standard backup expiry schedule.

On Customer's reasonable request, Saga PM will certify deletion in writing.

12. CCPA / CPRA-specific terms

To the extent that Saga PM processes Personal Information of California residents on behalf of Customer:

  • Saga PM acts as a Service Provider as defined in the CCPA/CPRA. Saga PM does not Sell or Share Personal Information.
  • Saga PM will not retain, use, or disclose Personal Information for any purpose other than performing the services specified in the Terms of Service; will not retain, use, or disclose Personal Information outside the direct business relationship between Saga PM and Customer; and will not combine Personal Information received from Customer with Personal Information from any other source, except as permitted by CCPA Regulation §7050(b).
  • Saga PM grants Customer the right to take reasonable steps to ensure Saga PM uses Personal Information consistent with Customer's obligations, and to stop and remediate unauthorized use.

13. General

13.1 Order of precedence

In the event of conflict, the order of precedence is: (1) the Standard Contractual Clauses, where applicable; (2) this DPA; (3) the Terms of Service.

13.2 Term

This DPA takes effect on the date Customer accepts the Terms of Service and remains in effect for so long as Saga PM processes Personal Data on behalf of Customer. Sections that by their nature are intended to survive termination (including §§9, 11, and 13) will survive.

13.3 Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. Nothing in this DPA limits or excludes either party's liability to the extent such liability cannot be limited or excluded under Applicable Data Protection Laws.

13.4 Updates

Saga PM may update this DPA to reflect changes in Applicable Data Protection Laws or in Saga PM's operational practices, provided that no update will materially reduce the protections afforded to Personal Data without Customer's consent. Material changes will be communicated by email to the workspace owner and announced in the Service. The current version is always available at sagapm.io/dpa.

13.5 Notices

Privacy notices to Saga PM should be sent to [email protected]. Security disclosures to [email protected].