Tasktra Data Processing Agreement

This Data Processing Agreement (DPA) forms part of the agreement between Tasktra and its clients and creators (each, a 'Data Controller' or simply 'you') governing the processing of personal data. It establishes the respective obligations of Tasktra and you with respect to the collection, processing, and storage of personal data in connection with the Tasktra platform and creator operations services.

Tasktra acts as a Data Processor when processing personal data on behalf of clients, and as a Data Controller when processing creator personal data for platform operations. This DPA applies to all processing of personal data where Tasktra processes such data on behalf of clients in connection with the services.

This DPA is incorporated into and governed by the Tasktra Terms of Service. In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection obligations.

'Personal Data' means any information relating to an identified or identifiable natural person ('data subject') as defined under applicable data protection law, including the General Data Protection Regulation (EU) 2016/679 (GDPR) and the UK GDPR.

'Processing' means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, alignment, restriction, erasure, and destruction.

'Data Controller' means the natural or legal person, public authority, agency, or other body that determines the purposes and means of Processing of Personal Data.

'Data Processor' means a natural or legal person, public authority, agency, or other body that Processes Personal Data on behalf of and under the instructions of a Data Controller.

'Services' means the Tasktra platform, creator workspace, admin tools, campaign management services, and any related services provided to clients and creators.

Tasktra processes Personal Data only to the extent necessary for the provision of the Services and in accordance with documented instructions from the Data Controller. The nature, purpose, and duration of processing vary by context:

Client Personal Data — Tasktra processes client contact information, billing details, campaign content, and campaign instructions to deliver creator operations services. This data is retained for the duration of the client relationship and for a period thereafter as required for financial recordkeeping and dispute resolution.

Creator Personal Data — Tasktra processes creator profile information, platform handles, payout method details, application review data, task submissions, wallet balances, and communication records to evaluate applications, assign tasks, process payouts, and maintain platform quality standards. This data is retained for the duration of the creator account's active period and for a period thereafter as described in the Privacy Policy.

Tasktra does not process Special Category data (as defined under GDPR Article 9), biometric data, or data relating to children. Clients are prohibited from submitting such data through the platform.

Tasktra undertakes the following obligations as a Data Processor: Tasktra will process Personal Data only on the documented instructions of the Data Controller, including as set out in this DPA, the Terms of Service, and any campaign-specific agreements. Tasktra will ensure that all personnel authorized to process Personal Data are subject to binding confidentiality obligations. Tasktra will implement appropriate technical and organizational security measures to protect Personal Data against unauthorized access, alteration, disclosure, or destruction, as described in the Security section of the Privacy Policy. Tasktra will not engage sub-processors without the Data Controller's prior written consent, except for subprocessors that are integral to the delivery of the Services (such as Supabase, Cloudflare, and payment processors), which are deemed pre-authorized.

Upon request, Tasktra will make available all information necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Data Controller or an independent auditor mandated by the Data Controller, subject to reasonable confidentiality and scheduling requirements.

If Tasktra receives a request from a data subject exercising their rights (such as access, correction, erasure, or portability), Tasktra will forward the request to the Data Controller without undue delay, and will provide reasonable assistance in responding to such requests at the Data Controller's expense.

Each Data Controller represents and warrants that: it has all necessary rights, consents, and permissions to submit Personal Data to the Tasktra platform and to authorize Tasktra to process that data for the purposes described in this DPA and the Terms of Service. The Personal Data submitted to Tasktra is accurate, complete, and up to date to the extent necessary for the purposes described herein. The submission and processing of Personal Data through the Tasktra platform complies with all applicable laws and regulations, including GDPR, the California Consumer Privacy Act, and any other applicable data protection legislation. The Data Controller has obtained all necessary consents and provided all required notices to data subjects regarding the processing of their Personal Data by Tasktra.

Clients are solely responsible for ensuring that campaign instructions, content briefs, and target destinations comply with applicable advertising regulations, social media platform rules, and data protection laws in the jurisdictions where campaigns are conducted.

Tasktra uses the following sub-processors to deliver the Services. Each sub-processor is contractually bound to process Personal Data only on Tasktra's instructions and to maintain appropriate security measures:

Supabase — Database, authentication, and storage services. Sub-processes creator profiles, task data, submissions, wallet information, and communication records. Data is processed in accordance with Supabase's privacy policy and data processing agreement.

Cloudflare — DDoS protection, bot management, and content delivery. Sub-processes IP addresses, browser metadata, and request headers for security purposes. Data is processed in accordance with Cloudflare's privacy policy.

Cloudflare Turnstile — Bot protection for the creator application form. Sub-processes browser behavior signals and IP addresses to distinguish human visitors from bots. Data is processed in accordance with Cloudflare's privacy policy.

Payment Processors — Payout processing for creator payments. Sub-processes payout method details and transaction records. Data is processed in accordance with the relevant payment processor's privacy policy.

Tasktra will notify Data Controllers of any changes to sub-processors that materially affect the processing of their Personal Data. Data Controllers may object to the use of a new sub-processor within 30 days of notification, after which the new sub-processor is deemed accepted.

Tasktra implements appropriate technical and organizational security measures designed to protect Personal Data against unauthorized access, unlawful processing, accidental loss, destruction, and damage. These measures include: encryption of data in transit using TLS; role-based access control with least-privilege principles; multi-factor authentication for all administrative access; audit logging of access and modifications to personal data records; regular security reviews and vulnerability assessments; and incident response and breach notification procedures.

No security measure is completely impenetrable. In the event of a Personal Data breach that affects a Data Controller's Personal Data, Tasktra will notify the affected Data Controller without undue delay (and in any event within 72 hours of becoming aware of the breach), describing the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address the breach.

Personal Data processed under this DPA may be transferred across jurisdictions, including to countries outside the European Economic Area, the United Kingdom, and the United States. Such transfers are conducted under appropriate safeguards as required by applicable law, including Standard Contractual Clauses, adequacy decisions, or other lawful transfer mechanisms.

Tasktra's primary infrastructure is hosted through Supabase. For transfers from the EU or EEA, Supabase relies on the EU-U.S. Data Privacy Framework and Standard Contractual Clauses. For transfers from the United Kingdom, Supabase relies on the UK International Data Transfer Agreement or equivalent safeguards. Detailed information about Supabase's data transfer mechanisms is available in Supabase's privacy policy and data processing agreement.

Tasktra retains Personal Data for no longer than is necessary for the purposes described in this DPA and the Privacy Policy. Specific retention periods are as follows: Creator account and profile data — retained while the account is active and for up to five years after account closure. Task submissions and audit records — retained for a minimum of seven years for accounting, tax, and legal compliance purposes. Client billing records — retained for a minimum of seven years per financial recordkeeping requirements. Notification records — retained for three years from the date of creation.

Upon termination of the Services or at the Data Controller's written request, Tasktra will, at the Data Controller's election, return or securely delete all Personal Data in Tasktra's possession, subject to applicable legal retention requirements. Data that cannot be deleted due to legal obligations will be archived with restricted access and processed only to the extent necessary to comply with those obligations.

Each party's liability under this DPA is governed by the limitation of liability provisions in the Terms of Service. Nothing in this DPA excludes or limits either party's liability for death or personal injury caused by negligence, fraud or fraudulent misrepresentation, or any other liability that cannot be excluded or limited by applicable law.

For GDPR purposes, Tasktra's liability for claims brought under this DPA is subject to the liability provisions agreed between the parties in the Terms of Service. Data Controllers remain liable to data subjects for their own processing activities.

For questions about this Data Processing Agreement, to request an audit, or to submit a data subject rights request on behalf of your users, contact Tasktra at support@tasktra.com with the subject line 'DPA Inquiry'. For EU and UK data subjects, you may also have the right to lodge a complaint with your local data protection authority if you believe your data protection rights have been violated.