Data Processing Addendum
Last updated June 4, 2026 · SpiralDeck, a product of MicroPyramid
This Data Processing Addendum (DPA) explains how MicroPyramid handles personal data on your behalf when you use SpiralDeck. It forms part of, and is governed by, the SpiralDeck Terms of Service. No signature is required — it applies automatically to every customer.
Purpose & roles
When you use SpiralDeck, you decide what personal data goes into your workspace and why — so you are the party in control of that data (the "controller"). MicroPyramid processes that data on your behalf and on your instructions (the "processor"). This DPA sets out the commitments that govern that relationship.
Scope
This DPA applies to personal data within your workspace content and the work-tracker signals SpiralDeck processes on your behalf. It is part of the Terms of Service; where this DPA and the Terms conflict on the handling of personal data, this DPA governs. Our handling of data for which we are ourselves responsible — for example, your account and billing details — is covered by the Privacy Policy.
Details of processing
- Subject matter & purpose — providing the SpiralDeck service: project management, collaboration, the desktop work tracker, HR records and reporting.
- Duration — for as long as your workspace is active, plus the bounded retention window described in the Privacy Policy.
- Types of personal data — identifiers and contact details, workspace content you choose to include, and anonymized activity signals (and, where you enable it, screenshots) from the work tracker.
- Categories of data subjects — your members, administrators and any individuals you choose to record in your workspace, such as employees or clients.
Our instructions
We process personal data only to provide and secure the service, and on your documented instructions — which include these terms and your configuration of the product. We will tell you if an instruction appears to require something the law forbids. We do not use your workspace personal data for our own purposes, and we do not sell it.
Confidentiality
Personnel authorised to process your data are bound by confidentiality obligations and are granted access only to the extent their role requires. Access to production data is scoped, logged and audited.
Security measures
We maintain technical and organisational measures appropriate to the risk, including: tenant isolation enforced in the database with row-level security that fails closed; default-deny authorisation re-checked on every request; encryption of data in transit and at rest, with per-tenant keys for captured screenshots and activity data stored apart from their metadata; treating the desktop app as untrusted and validating uploads server-side; and tamper-evident audit logging of privileged actions. The architecture is described on the security page, and we may update these measures provided protection is not materially weakened.
Subprocessors
You authorise us to engage vetted third-party providers — for hosting, infrastructure, payment and communications — to process personal data on our behalf to deliver the service. We keep this set small and deliberate, bind each provider to data-protection obligations no less protective than those in this DPA, and remain responsible for their performance. A current list of subprocessors is available on request via hi@spiraldeck.com, and we give advance notice of additions so you can object on reasonable grounds.
Helping with requests
The product gives you self-serve tools to access, correct, export and delete personal data in your workspace, so you can respond to the people whose data you hold. Where you need more, we'll provide reasonable assistance with those requests, taking into account the nature of the processing.
Incident notification
If we become aware of a breach affecting the personal data we process for you, we'll notify you without undue delay, with the information you reasonably need to meet your own obligations, and we'll describe the steps we're taking in response.
International transfers
SpiralDeck runs on cloud infrastructure and personal data may be processed in more than one region. Where data is transferred across borders, we rely on appropriate, internationally recognised safeguards to protect it. Workspace data-residency options are available as the product reaches general availability.
Return & deletion
During your subscription you can export your data at any time. On termination, you can export it during the bounded window described in the Privacy Policy, after which we delete it from active systems, with deletion propagating to backups within the documented window — unless we're required to retain certain records.
Audits
On reasonable request, we'll make available the information needed to demonstrate compliance with this DPA, including summaries of the results of independent security assessments once available. Any on-site review is by prior arrangement, scoped to avoid disrupting the service or compromising other customers' security.
Liability & term
This DPA takes effect when you start using SpiralDeck and remains in force for as long as we process personal data on your behalf. Liability under this DPA is subject to the limitations in the Terms of Service.
Contact
To request the subprocessor list, raise a data-protection question, or ask about anything in this DPA, email hi@spiraldeck.com. See also our Privacy Policy and Terms of Service.
Questions about any of this? Email hi@spiraldeck.com and a human will answer.