TaskFord Data Protection Addendum (DPA)

Effective Date: Mar 20, 2026

This Data Protection Addendum (‘DPA’) forms part of the TaskFord Terms of Use or other agreement (‘Agreement’) between you (‘Customer’) and TaskFord (‘we,’ ‘us,’ or ‘our’) governing the processing of Personal Data by TaskFord on Customer’s behalf. By using TaskFord’s services, Customer agrees to this DPA and confirms its authority to bind itself or its entity. If you cannot agree to this DPA or lack such authority, do not provide us with your personal data.

The Parties (collectively “Parties”, individually “Party”) aim to ensure that Personal Data processing complies with Applicable Data Protection Laws, including but not limited to the Act on the Protection of Personal Information (APPI) of Japan, and respects Data Subjects’ rights.


1. DEFINITIONS

1.1 “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party, where “control” means ownership of more than 50% of the voting equity interests or other equivalent ownership interest of such entity.

1.2 “Agreement” means the TaskFord Terms of Use or any other written agreement between Customer and TaskFord governing the use of the services.

1.3 “Customer” (or “Controller”) means the entity identified as the Customer in the Agreement that determines the purposes and means of processing Customer Personal Data.

1.4 “Data Subject” means the identified or identifiable natural person to whom Customer Personal Data relates.

1.5 “Personal Data” means any information that relates to an identified or identifiable natural person, including but not limited to names, contact information, account details, unique identifiers, IP addresses, and any other information defined as Personal Data or Personally Identifiable Information (PII) under Applicable Data Protection Laws, including ‘Personal Information’ as defined under the Act on the Protection of Personal Information (APPI) of Japan.

1.6 “Processing” (or “Process”) means any operation or set of operations performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

1.7 “Processor” means the entity that processes Personal Data on behalf of the Controller (i.e., TaskFord when providing services to the Customer).

1.8 “Security Incident” means a confirmed or reasonably suspected unauthorized access, disclosure, alteration, loss, destruction, or compromise of Customer Personal Data resulting in a risk to the rights and freedoms of Data Subjects.

1.9 “Subprocessor” means any third-party service provider (including Affiliates) engaged by TaskFord to process Customer Personal Data as part of the services under the Agreement.

1.10 “Third-Party Services” means any software, applications, platforms, or other services that are integrated with or used in conjunction with the TaskFord platform, but are not owned or controlled by TaskFord.

1.11 “Applicable Data Protection Laws” means all laws and regulations applicable to the processing of Personal Data under this DPA, specifically the Act on the Protection of Personal Information (APPI) of Japan.


2. SCOPE AND DURATION

2.1 Roles of the Parties. This Data Protection Addendum (DPA) applies to the processing of Customer Personal Data by TaskFord (Processor) on behalf of the Customer (Controller) in connection with the provision of the TaskFord platform and services. (i) Customer as Controller determines the purposes and means of processing Customer Personal Data. (ii) TaskFord as Processor processes Customer Personal Data only on behalf of and under the instructions of the Customer, as outlined in this Data Protection Addendum and the Agreement. (iii) Subprocessors may be engaged by TaskFord to assist in the processing of Customer Personal Data, subject to the terms in Section 4 of this Data Protection Addendum.

2.2 Scope of Data Processing. TaskFord processes Customer Personal Data strictly to provide its services, including hosting, storage, backup, support, security monitoring, and performance optimization. Customer Personal Data processing includes but is not limited to: collecting, storing, and organizing data; accessing, modifying, and retrieving data as requested by the Customer; transmitting data within TaskFord systems; and securing, encrypting, and ensuring compliance with Applicable Data Protection Laws, including the APPI. Backup copies may be retained for up to 6 months, or as required by Japan’s APPI and relevant data retention laws.

2.3 Duration of Data Processing. This Data Protection Addendum becomes effective on the Effective Date and remains in effect as long as TaskFord processes Customer Personal Data under the Agreement. TaskFord will process Customer Personal Data for the duration of the Agreement unless required by APPI to retain data for legal compliance.


3. PROCESSING OF PERSONAL DATA

3.1 No Sale of Personal Data and No Targeted Advertising. TaskFord will not sell, rent, or trade Customer Personal Data. TaskFord will not process Customer Personal Data for targeted advertising, cross-context behavioral advertising, or any commercial purposes beyond what is required to provide the services under the Agreement. TaskFord may process anonymized or non-personal data only for analytics purposes, as detailed in our Privacy Policy. If TaskFord is legally required to process Customer Personal Data for any other purposes, it will inform the Customer unless prohibited by law from doing so.

3.2 Customer Instructions. The Customer appoints TaskFord as a processor to process Customer Personal Data solely on behalf of, and in accordance with, the Customer’s documented instructions. The Agreement, including this Data Protection Addendum, along with the Customer’s configurations within the TaskFord platform, constitutes the Customer’s complete and final instructions regarding the processing of Customer Personal Data unless otherwise agreed upon in writing. TaskFord will not process Customer Personal Data in violation of Applicable Data Protection Laws. If TaskFord reasonably determines that a Customer instruction infringes applicable laws, it will promptly notify the Customer. TaskFord reserves the right to suspend processing pending resolution if it believes an instruction violates Applicable Data Protection Laws.

3.3 Compliance with Laws. Each Party is responsible for complying with Applicable Data Protection Laws, including the APPI. The Customer is responsible for ensuring it has a lawful basis for collecting, processing, and transferring Customer Personal Data to TaskFord and for obtaining any required Data Subject consents under APPI.

3.4 Changes in Law. If Japan’s APPI undergoes regulatory changes impacting this Data Protection Addendum, both parties will work together in good faith to modify this agreement accordingly. If TaskFord must implement changes for compliance, it will notify the Customer in advance where possible.

3.5 Categories of Personal Data. TaskFord processes Customer Personal Data, which may include:

a. Identifiers such as names, email addresses, and IP addresses

b. Account information such as usernames, roles, and permissions

c. Usage data such as logs, device information, and activity history within the TaskFord platform

d. Other information provided by the Customer in relation to the use of TaskFord services

TaskFord will not process special categories of data (e.g., health, biometric, or racial data) unless the Customer provides prior written notice and TaskFord confirms in writing that appropriate safeguards are in place.

3.6 Customer Responsibilities. The Customer must not provide any “Special Care-Required Personal Information” (as defined by APPI, such as medical, biometric, or criminal record data) unless TaskFord has agreed in writing to process such data and appropriate safeguards are in place.


4. SUBPROCESSORS

4.1 Use of Subprocessors. Customer acknowledges and agrees that TaskFord’s Affiliates and certain third-party service providers may be engaged as Subprocessors to process Customer Personal Data on TaskFord’s behalf to deliver and maintain the services, provided that such transfers comply with APPI’s cross-border data transfer requirements.

TaskFord will impose contractual obligations on each Subprocessor that require them to protect Customer Personal Data with security and privacy standards at least as stringent as those outlined in this Data Protection Addendum.

TaskFord remains fully liable for the performance of its Subprocessors to the same extent that TaskFord is liable for its own compliance under this Data Protection Addendum.

4.2 Right to Object. The Customer may object to the appointment of a new Subprocessor by providing written notice to TaskFord at support@taskford.com within 30 days of receiving notification of the new Subprocessor. Valid objections must be based on reasonable and documented concerns related to data protection compliance or risks to Customer Personal Data.

In the event of an objection:

a. TaskFord will engage in good faith discussions with the Customer to address the concerns. TaskFord may propose alternative measures to mitigate the concerns, such as additional safeguards or adjustments to how the Subprocessor processes Customer Personal Data.

b. If a mutually agreeable resolution cannot be reached within 30 days, the Customer may elect to stop using the affected service by providing written notice. If no resolution is reached, the Customer may terminate the affected service per Section 9.4, without refunds, unless otherwise required by law.


5. SECURITY

5.1 Controls for the Protection of Personal Data. TaskFord shall implement and maintain industry-standard technical and organizational measures (e.g., encryption, access controls, regular security testing) to protect Customer Personal Data against unauthorized or unlawful processing in accordance with APPI security obligations. TaskFord’s security controls and measures are outlined in its Security Documentation, available at Security Policy, which may be updated from time to time to reflect best practices and regulatory changes.

5.2 Excluded Incidents. Security Incidents do not include unsuccessful attempts or activities that do not compromise Customer Personal Data, such as: (i) unsuccessful login attempts; (ii) network scanning or probing (e.g., port scans, pings); (iii) automated denial-of-service (DoS) attacks.

5.3 Security Incident Notification. TaskFord will notify the Customer without undue delay, and in accordance with APPI requirements, upon becoming aware of a Security Incident affecting Customer Personal Data. Such notification will include a description of the incident, the nature of the data affected, and recommended remedial actions where possible.

5.4 Customer Responsibilities

a. Review and Risk Assessment. Customers are responsible for reviewing TaskFord’s security documentation and making an independent determination as to whether TaskFord’s Cloud Services meet their security and legal requirements.

b. Compliance with Notification Laws. Customers are solely responsible for (i) complying with Security Incident notification laws applicable to them; and (ii) providing notices to affected individuals, government authorities, or other parties as required under applicable laws.


6. RETURN AND DELETION OF PERSONAL DATA

6.1 Customer’s Right to Data Access and Export. During the Subscription Term, Customer may, through the features of the TaskFord platform or via written request, access and export its Customer Personal Data in a structured, commonly used, and machine-readable format. If Customer requires assistance exporting its data, TaskFord will provide reasonable assistance, subject to applicable fees (if any), as outlined in the Agreement.

6.2 Deletion Upon Termination or Expiration

a. Deletion of Personal Data. Upon termination or expiration of the Agreement, TaskFord will, in accordance with its data retention policies, securely dispose of backups containing Customer Personal Data following TaskFord’s internal security policies and industry best practices. Deletion will occur within 30 days of termination, unless otherwise required by law.

b. Customer Request for Deletion. Upon written request by Customer following the termination or expiration of the Agreement, TaskFord will confirm deletion of Customer Personal Data within 30 days, unless legal or regulatory obligations require longer retention.

6.3 Legal and Compliance Exceptions

a. Retention for Legal Purposes. TaskFord may retain Customer Personal Data (i) as required by Applicable Data Protection Laws or regulations (e.g., tax, audit, or legal compliance); (ii) for the duration of any legal disputes, enforcement of agreements, or as required to comply with court orders. Retained data will be anonymized or pseudonymized where possible.

b. Confidentiality Obligations for Retained Data. For any retained data, TaskFord will (i) maintain confidentiality and security protections in accordance with this DPA; (ii) not process the data for any other purpose beyond the necessary legal or compliance requirements.

6.4 Customer Responsibility for Data Retrieval. Customer acknowledges that it is responsible for retrieving any necessary data before termination of the Agreement. TaskFord will not be liable for any data loss due to Customer’s failure to retrieve its data before deletion.


7. AUDITS

7.1 Customer Audit Rights. Upon Customer’s written request, TaskFord will provide information reasonably necessary to demonstrate its compliance with this Data Processing Addendum (DPA), including relevant security certifications, audit reports, and summaries of third-party assessments. Customers may request additional security information or audit rights, subject to the conditions outlined in this section.

7.2 Independent Third-Party Audits. TaskFord engages independent third-party auditors to perform regular security assessments, including SOC 2 Type 2 (Certified) security framework and penetration testing. TaskFord will provide executive summaries or reports of such audits upon Customer’s written request, subject to confidentiality obligations.

7.3 Customer-Requested Audits. If a Customer reasonably believes that TaskFord is not compliant with this DPA, the Customer may request an audit (no more than once per year) by providing at least 30 days’ written notice. Any such audit must (i) be conducted during normal business hours, (ii) not disrupt TaskFord’s operations, (iii) be limited in scope to relevant security, compliance, and processing activities, and (iv) be performed by an independent, reputable, third-party auditor who is not a competitor of TaskFord and is bound by confidentiality obligations. TaskFord may charge reasonable fees to cover costs associated with such audits unless required otherwise by applicable law.

7.4 Confidentiality of Audit Findings. All information obtained through audits, including findings, reports, and documentation, must be treated as confidential information under the Agreement. Customers may not disclose audit findings to third parties without prior written approval from TaskFord.


8. CROSS-BORDER DATA TRANSFERS

Customer Personal Data may be transferred outside Japan in accordance with the Act on the Protection of Personal Information (APPI). Such transfers shall comply with APPI’s cross-border data transfer requirements, ensuring that the recipient country provides an equivalent level of data protection, or the Customer has obtained necessary consent from the Data Subject.

TaskFord shall implement appropriate safeguards to maintain the security and confidentiality of transferred data, in compliance with Japan’s legal standards.


9. OTHER PROVISIONS

9.1 Data Protection Impact Assessment (DPIA). Upon Customer’s reasonable request, TaskFord will provide necessary cooperation to enable the Customer to fulfill its obligations under the APPI regarding Privacy Impact Assessments (PIAs) where required. This assistance will be provided only if the Customer does not otherwise have access to the necessary information and to the extent such information is available to TaskFord. Any assistance provided by TaskFord will be at the Customer’s cost. If required by law, TaskFord will also assist in consultations with supervisory authorities related to DPIAs.

9.2 Modifications by Customer. The Customer may, by providing at least forty-five (45) days’ prior written notice via email to support@taskford.com, request modifications to this DPA due to changes in Applicable Data Protection Laws or decisions by regulatory authorities that affect the legality of data processing under this DPA. TaskFord will make commercially reasonable efforts to accommodate such modifications, provided that: (i) The Customer does not unreasonably withhold agreement to any necessary adjustments proposed by TaskFord. (ii) If the modifications introduce new risks, liabilities, or costs, TaskFord may require additional safeguards, indemnifications, or cost adjustments. (iii) If the parties cannot reach an agreement within thirty (30) days, either party may terminate the affected portion of the services without refunds or compensation.

9.3 Modifications by TaskFord. TaskFord may modify this DPA, including compliance mechanisms for APPI, with thirty (30) days’ prior written notice to the Customer. These modifications will be made only when: (i) necessary to ensure compliance with Applicable Data Protection Laws; (ii) required to enhance security or protect TaskFord and its Customers; (iii) needed to reflect industry best practices or evolving regulatory guidance. If the Customer does not object within the notice period, the changes will be deemed accepted. If the Customer objects, the parties will negotiate in good faith. If they fail to reach an agreement within thirty (30) days, either party may terminate the Agreement for the affected services, without refunds or further liability. Objections must be submitted in writing to support@taskford.com, specifying the concern.

9.4 Termination Rights. If modifications requested by either party cannot be mutually agreed upon, either party may terminate the Agreement to the extent that it relates to the affected service. The Customer acknowledges that no refunds, credits, or compensation will be provided for such terminations.

9.5 Execution of the DPA. This DPA becomes effective upon execution by both parties and forms an integral part of the Agreement. The terms of this DPA supersede any conflicting provisions in the Agreement, but only with respect to the processing of Personal Data.

This Data Protection Addendum (“DPA”) takes effect on the date the Customer accepts the TaskFord Terms of Use or other agreement (“Agreement”) or begins using TaskFord services, whichever is earlier, unless otherwise specified.


www.taskford.com - Data Protection Addendum