GDPR Compliance

Data Processing Agreement

Last updated: January 8, 2026

This Data Processing Agreement ("DPA") governs BCP Technology's processing of Personal Data on behalf of customers using the tapioca platform, in accordance with the General Data Protection Regulation (GDPR).

Need a signed DPA?

For Enterprise customers, we offer pre-signed DPAs. Contact us to receive a countersigned copy.

1. Definitions

In this Data Processing Agreement ("DPA"):

  • "Controller" means the entity that determines the purposes and means of processing Personal Data (you, the Customer).
  • "Processor" means the entity that processes Personal Data on behalf of the Controller (BCP Technology).
  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, and deletion.
  • "Sub-processor" means any third party engaged by BCP Technology to process Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Services" means the tapioca platform and related services provided by BCP Technology.

2. Scope & Applicability

This DPA applies when BCP Technology processes Personal Data on your behalf as a Processor. This includes:

  • User account information (names, email addresses)
  • Project and task data containing personal information
  • Time tracking records
  • Comments, attachments, and documents
  • Financial data you enter into the platform

This DPA supplements our Terms of Service and Privacy Policy.

3. Processor Obligations

As your Processor, BCP Technology will:

  • Process only on instructions: Process Personal Data only according to your documented instructions, unless required by law.
  • Ensure confidentiality: Ensure that personnel authorized to process Personal Data have committed to confidentiality.
  • Implement security measures: Implement appropriate technical and organizational measures to protect Personal Data.
  • Assist with compliance: Assist you in responding to Data Subject requests and complying with GDPR obligations.
  • Notify of breaches: Notify you without undue delay (within 72 hours) after becoming aware of a Personal Data breach.
  • Delete or return data: At your choice, delete or return all Personal Data upon termination of services.
  • Allow audits: Make available information necessary to demonstrate compliance and allow for audits.

4. Sub-processors

We use the following sub-processors to provide our Services:

| Sub-processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Cloud infrastructure hosting | Germany (EU) |
| Cloudflare, Inc. | CDN, DDoS protection, DNS | USA (EU SCCs) |
| Stripe, Inc. | Payment processing | USA (EU SCCs) |
| Postmark (ActiveCampaign) | Transactional email | USA (EU SCCs) |

We will notify you of any intended changes to sub-processors, giving you the opportunity to object. You may object within 30 days if you have reasonable grounds.

5. Security Measures

We implement the following technical and organizational measures:

Technical Measures

  • Encryption at rest (AES-256) and in transit (TLS 1.3)
  • Network segmentation and firewall protection
  • Regular security patching and vulnerability scanning
  • Automated intrusion detection systems
  • Regular encrypted backups with tested recovery

Organizational Measures

  • Access control based on the principle of least privilege
  • Employee confidentiality agreements
  • Security awareness training
  • Incident response procedures
  • Regular security audits

6. Data Subject Rights

We will assist you in fulfilling your obligations to respond to Data Subject requests, including:

  • Access: Provide copies of Personal Data we process
  • Rectification: Correct inaccurate Personal Data
  • Erasure: Delete Personal Data upon request
  • Portability: Export Personal Data in machine-readable format
  • Restriction: Limit processing when requested
  • Objection: Stop processing upon valid objection

If a Data Subject contacts us directly, we will promptly notify you and not respond unless authorized by you.

7. International Transfers

Personal Data is primarily stored in the European Union (Germany). When transfers outside the EU are necessary:

  • We rely on EU Standard Contractual Clauses (SCCs) approved by the European Commission
  • We assess the legal framework of the destination country
  • We implement supplementary measures where necessary

For self-hosted deployments, you control data location and international transfers.

8. Data Breach Notification

In the event of a Personal Data breach, we will:

  1. Notify you within 72 hours of becoming aware of the breach
  2. Provide details including: nature of breach, categories of data affected, approximate number of Data Subjects, likely consequences, and measures taken
  3. Cooperate with your investigation and reporting obligations
  4. Document all breaches and remediation actions

Notification email: Your account owner email or designated security contact.

9. Audits

You have the right to audit our compliance with this DPA:

  • Self-service: Request our latest security certifications, SOC 2 reports (when available), and compliance documentation
  • Questionnaires: Submit security questionnaires, which we will complete within 10 business days
  • On-site audits (Enterprise only): With reasonable advance notice, conduct or commission third-party audits at your expense

Contact [email protected] to request audit information.

10. Termination & Data Return

Upon termination of our Services:

  • You may export your data before account closure using our export functionality
  • We will delete your Personal Data within 30 days of account termination
  • Upon written request, we will certify deletion in writing
  • Backup copies may be retained for up to 90 days before automatic deletion
  • We may retain data where required by law, with notification to you

11. Contact

For DPA-related inquiries or to sign a custom DPA:

BCP Technology

Data Protection Officer

Attn: Ben Cöppicus

Vürfels 102

51427 Bergisch Gladbach

Germany

Email: [email protected]

Enterprise customers may request custom DPA terms as part of their contract.