Data Processing Agreement
Last updated: April 1, 2026
This DPA is incorporated into and forms part of the Timezylla Terms of Service. By accepting the Terms of Service, you agree to this DPA.
1. Definitions
- Controller: the organisation subscribing to Timezylla, which determines the purposes and means of processing personal data
- Processor: Timezylla, which processes personal data on behalf of the Controller
- Personal Data: any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1)
- Processing: any operation performed on personal data
- Sub-processor: a third party engaged by Timezylla to process personal data on the Controller's behalf
2. Subject Matter and Duration
Timezylla processes personal data to provide the visual project planning tool service as described in the Terms of Service. Processing continues for the duration of the subscription and ends upon account termination.
3. Nature and Purpose of Processing
Timezylla processes personal data to: display and manage project timelines and team records, generate AI-powered planning recommendations, track project progress, and send product notifications. All processing is on documented instructions from the Controller.
4. Categories of Data and Data Subjects
| Data Category | Data Subjects |
|---|---|
| Name, email, job title | Timezylla workspace users (your team) |
| Support ticket content, message history | Your customers (end-users of your product) |
| Customer name, email, company | Your customers |
| Agent performance metrics | Your support agents |
5. Processor Obligations
Timezylla agrees to:
- Process personal data only on documented instructions from the Controller
- Ensure persons authorised to process personal data are bound by confidentiality
- Implement appropriate technical and organisational security measures (GDPR Article 32)
- Not engage sub-processors without prior authorisation (see Section 7)
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data upon termination, at the Controller's choice
- Provide all information necessary to demonstrate compliance with GDPR Article 28
6. Controller Obligations
The Controller is responsible for:
- Having a lawful basis for the personal data provided to Timezylla
- Providing all required notices to data subjects about processing via Timezylla
- Ensuring the personal data processed is accurate and up to date
7. Sub-processors
Timezylla uses the following approved sub-processors. We will provide 30 days' notice before adding new sub-processors and give Controllers the right to object.
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase | Database | EU (AWS eu-west-1) |
| Vercel | Frontend hosting | EU/US |
| Sentry | Error monitoring | EU |
| PostHog | Analytics | EU |
| Stripe | Billing | US (SCCs) |
| Anthropic | AI processing | US (SCCs) |
| Upstash | Caching / queues | US/EU (SCCs) |
8. International Transfers
Where personal data is transferred outside the European Economic Area (to Anthropic, Stripe, Vercel, or Upstash US), Timezylla ensures transfer is covered by Standard Contractual Clauses (SCCs) as approved by the European Commission.
9. Security Measures
Timezylla implements the following security measures:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row Level Security (RLS) on all database tables
- Role-based access controls (admin / manager / agent)
- Supabase Auth with session management
- API rate limiting and DDoS protection
- Automated error monitoring and incident alerting (Sentry)
10. Contact
For DPA queries: privacy@timezylla.com