Data Processing Agreement (DPA) for Taskschmiede
Last updated: 21 March 2026
This Data Processing Agreement ("DPA") forms part of and supplements the agreement between Quest Financial Technologies S.à r.l.-S. ("Processor", "Taskschmiede", "QFT") and the customer identified in the applicable order, registration, subscription, or master agreement ("Controller" or "Customer").
1. Parties
Processor:
Quest Financial Technologies S.à r.l.-S.
99A, rue Laurent Menager
L-2143 Luxembourg
Luxembourg
Controller:
The customer identified in the applicable order, registration, subscription, or master agreement.
2. Purpose and scope
This DPA applies where the Customer acts as a controller and Taskschmiede processes personal data on behalf of the Customer in connection with the provision of the Taskschmiede platform, APIs, portal, hosting, support, and related services.
This DPA does not apply to processing activities for which Taskschmiede acts as an independent controller, including its own account administration, billing, fraud prevention, legal compliance, security logging, and direct customer relationship management.
3. Roles of the parties
The Customer is the controller of Customer Personal Data processed through the service on behalf of the Customer.
Taskschmiede acts as processor of such Customer Personal Data solely on behalf of and in accordance with the documented instructions of the Customer, unless otherwise required by applicable law.
4. Definitions
For the purposes of this DPA, "personal data", "processing", "controller", "processor", "data subject", and "personal data breach" have the meanings given in the GDPR.
"Customer Personal Data" means personal data processed by Taskschmiede on behalf of the Customer in connection with the services.
5. Subject matter, duration, nature, and purpose of processing
5.1 Subject matter
Provision of the Taskschmiede platform and related support and technical services.
5.2 Duration
For the term of the applicable service agreement and any limited post-termination period required for deletion, return, backup cycling, legal compliance, or dispute handling.
5.3 Nature of processing
Collection, recording, organisation, structuring, storage, adaptation, retrieval, consultation, use, transmission, alignment, restriction, deletion, and/or destruction of Customer Personal Data as necessary to provide the services.
5.4 Purpose
To host, operate, secure, maintain, support, and improve the services as instructed by the Customer and as necessary for the performance of the agreement. This includes automated analysis by locally hosted AI models for content moderation, behavioral monitoring, and service quality features. No Customer Personal Data is transmitted to external AI service providers or used for model training.
6. Categories of data subjects
Depending on Customer use, Customer Personal Data may relate to:
- Customer employees, staff, officers, contractors, and temporary workers;
- Customer end users, agents, collaborators, or workspace participants;
- Customer prospects, customers, suppliers, or other business contacts; and
- other individuals whose personal data the Customer uploads to or generates within the services.
7. Categories of personal data
Depending on Customer use, Customer Personal Data may include:
- identity and contact data;
- business profile and role data;
- user account and access data;
- communications and message data;
- task, project, and collaboration content;
- attachments, notes, and metadata;
- usage data and technical identifiers; and
- any other personal data submitted to the services by or on behalf of the Customer.
Special categories of personal data shall not be processed unless expressly authorised by the Customer and supported by appropriate safeguards and lawful basis.
8. Customer instructions
Taskschmiede will process Customer Personal Data only on documented instructions from the Customer, including as set out in the main agreement, the Customer's configuration and use of the services, and any documented support or administrative directions issued by authorised Customer users.
If Taskschmiede believes that an instruction infringes applicable data protection law, it will inform the Customer without undue delay, unless prohibited by law.
9. Confidentiality
Taskschmiede will ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations or are under an appropriate statutory duty of confidentiality.
10. Security measures
Taskschmiede will implement appropriate technical and organisational measures designed to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks for natural persons.
Such measures may include, as appropriate:
- access control and role-based permissions;
- authentication and session controls;
- encryption in transit and, where appropriate, at rest;
- logging and monitoring;
- backup and recovery procedures;
- vulnerability management and patching;
- segregation of customer data;
- incident response procedures; and
- least-privilege administration and change management.
A description of current security measures may be provided in an annex or separate security document.
11. Sub-processors
The Customer grants Taskschmiede a general authorisation to engage sub-processors for the provision of the services, provided that Taskschmiede:
- imposes data protection obligations on sub-processors that are no less protective than those set out in this DPA, insofar as applicable to the services performed by the sub-processor;
- remains responsible for the performance of its sub-processors' data protection obligations; and
- makes available an up-to-date list or categories of sub-processors upon request or through the service documentation.
Taskschmiede will inform the Customer of intended material changes to sub-processors where required by applicable law or contract.
12. International transfers
Taskschmiede will not transfer Customer Personal Data outside the EEA unless it has first ensured that such transfer is made in compliance with applicable data protection law.
Where required, Taskschmiede will implement appropriate safeguards, including adequacy decisions or the European Commission's Standard Contractual Clauses.
13. Assistance to the Customer
Taking into account the nature of the processing and the information available to Taskschmiede, Taskschmiede will provide reasonable assistance to the Customer with:
- responding to requests to exercise data subject rights;
- security, breach notification, impact assessments, and prior consultations with supervisory authorities; and
- demonstrating compliance with applicable processor obligations.
Where legally permitted, Taskschmiede may charge reasonable fees for assistance that is excessive, repetitive, or outside the standard scope of the services.
14. Personal data breaches
Taskschmiede will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data and will provide available information reasonably necessary for the Customer to meet its own notification obligations.
15. Deletion or return of data
Upon termination or expiry of the services, and at the Customer's choice where technically feasible and contractually supported, Taskschmiede will delete or return Customer Personal Data after the end of the provision of services, unless applicable law requires storage of the personal data.
This may include delayed deletion from backups and archived systems within ordinary backup rotation cycles, provided that retained data remains protected and is not actively processed except as required for security, integrity, legal compliance, or disaster recovery.
16. Audit and information rights
Taskschmiede will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA.
Where required by law or reasonably necessary, the Customer may conduct an audit or have an independent auditor conduct an audit, subject to reasonable prior notice, confidentiality protections, proportionality, protection of other customers, and avoidance of disruption to Taskschmiede's operations.
Third-party certifications, audit reports, penetration test summaries, or equivalent documentation may be used to satisfy audit requests where appropriate.
17. Liability and precedence
The liability of each party under this DPA is subject to the liability limitations and exclusions set out in the main agreement, unless prohibited by applicable law.
In the event of conflict between this DPA and the main agreement, this DPA prevails with respect to the subject matter of data protection and processing of Customer Personal Data.
18. Governing law
This DPA is governed by the law governing the main agreement, unless mandatory data protection law requires otherwise.
Annex 1 -- Description of processing
| Element | Description |
|---|---|
| Subject matter | Provision of a collaborative task/project/workspace platform and related services |
| Duration | Duration of the customer relationship plus limited post-termination retention/deletion period |
| Purpose | Hosting, operation, support, security, maintenance, and customer-directed use of the service |
| Data subjects | Employees, contractors, collaborators, customers, suppliers, users, and other persons whose data the Customer submits |
| Categories of data | Identity, contact, account, communication, task/project/workspace, attachments, metadata, technical logs, and other Customer-submitted data |
| AI processing | Locally hosted AI models for content moderation, behavioral analysis, and service features. No data transmitted to external AI service providers. No model training on Customer Personal Data. |
Annex 2 -- Technical and Organisational Measures (TOMs)
Taskschmiede implements and maintains appropriate technical and organisational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.
These measures are designed taking into account the state of the art, the costs of implementation, the nature, scope, context, and purposes of processing, and the risks to the rights and freedoms of natural persons.
1. Access control and privilege management
- role-based access control for tenant, organisation, administrator, support, and internal operational roles;
- least-privilege principles for access to systems, databases, and operational tools;
- controlled onboarding, change, and offboarding processes for privileged access;
- periodic review of privileged and administrative access rights.
2. Authentication and session security
- secure password handling and storage using industry-standard hashing mechanisms;
- authentication and session controls designed to reduce unauthorised access;
- CSRF protection and session integrity mechanisms for portal access;
- protection measures against brute-force login attempts and abusive authentication activity;
- multi-factor authentication for privileged or administrative accounts where applicable.
3. Encryption and protection of data
- encryption of data in transit using TLS or equivalent secure transport mechanisms;
- encryption at rest for storage systems, backups, or databases where appropriate to the risk profile;
- secure generation, storage, and rotation practices for secrets, credentials, API keys, and tokens;
- pseudonymisation, de-linking, or separation of identifying data where feasible and appropriate.
4. Segregation and confidentiality
- logical segregation of customer environments and customer data within the service architecture where applicable;
- measures designed to prevent unauthorised cross-tenant access;
- confidentiality obligations for employees, contractors, and other authorised persons who may access Customer Personal Data.
5. Logging, monitoring, and detection
- logging of security-relevant events, authentication events, and privileged administrative actions where appropriate;
- controlled access to logs and monitoring systems;
- monitoring and alerting mechanisms for suspicious activity, repeated authentication failures, abnormal privileged activity, or other indicators of compromise;
- log retention limits followed by deletion, rotation, or anonymisation in accordance with retention rules.
6. Availability, resilience, backup, and recovery
- backup procedures designed to support restoration of data and service continuity;
- restore and recovery procedures designed to enable timely recovery after incidents;
- resilience and continuity measures proportionate to the service and identified risks;
- restricted handling of backup and archive data, including deletion through ordinary backup rotation cycles where applicable.
7. Vulnerability and change management
- security patching and dependency update processes;
- vulnerability identification and remediation processes appropriate to the environment;
- controlled deployment, configuration, and change management procedures;
- segregation of development, testing, and production environments where appropriate.
8. Incident response and breach handling
- documented processes for identification, escalation, containment, investigation, and remediation of security incidents;
- internal escalation paths for incidents affecting Customer Personal Data;
- procedures to support notification to customers without undue delay where a personal data breach affecting Customer Personal Data is identified.
9. Organisational governance and awareness
- internal security and data protection policies and procedures appropriate to the nature of the services;
- staff awareness, training, or instruction appropriate to personnel responsibilities;
- contractual and operational controls for sub-processors and service providers that may process Customer Personal Data.
10. Testing, assessment, and review
- periodic testing, assessment, and evaluation of the effectiveness of technical and organisational measures;
- periodic review of access rights, logging coverage, and operational safeguards;
- use of audit reports, third-party assessments, penetration testing summaries, or equivalent reviews where appropriate.
Taskschmiede may update these measures from time to time, provided that such updates do not materially diminish the overall level of protection for Customer Personal Data.