1. Parties & roles
The Customer is the data controller. TrackProject Ltd is the data processor. The subprocessors listed on the Subprocessors page act as sub-processors of TrackProject. Where the Customer's End Users are themselves controllers (for example a main contractor passing data to a subcontractor), the Customer remains responsible for ensuring an appropriate downstream chain.
2. Subject matter & duration
Subject matter: provision of the TrackProject platform and ancillary services. Duration: the term of the Customer's subscription, plus any post-termination period reasonably required to return or delete personal data.
3. Nature, purpose & categories
Personal data is processed to host, secure, support and improve the service. Categories typically include workforce identifiers, contact details, role and compliance metadata, project records, audit metadata, AI prompts and any personal data the Customer chooses to include in uploaded content.
4. Documented instructions
TrackProject processes personal data only on the Customer's documented instructions as set out in this DPA, the Order Form and the in-product configuration, except where required by Union or Member State law (in which case TrackProject will inform the Customer unless prohibited).
5. Personnel confidentiality
TrackProject ensures personnel authorised to process personal data are subject to a duty of confidentiality and have received appropriate data-protection training.
6. Security of processing
TrackProject implements appropriate technical and organisational measures as set out in the Security Center, including encryption in transit and at rest, row-level security (RLS) for tenant data isolation, role-based access control (RBAC), audit logging, vulnerability management, backup and recovery, monitoring, incident response and access governance.
7. Subprocessors
The Customer authorises the engagement of the subprocessors listed on the Subprocessors page. TrackProject will notify workspace administrators at least 30 days before adding or replacing a subprocessor and will impose data-protection obligations on subprocessors no less protective than those in this DPA.
8. International transfers
Transfers outside the UK/EEA rely on the UK International Data Transfer Addendum and the European Commission Standard Contractual Clauses (Decision 2021/914) supplemented by technical and organisational measures appropriate to the destination country as required by Schrems II and EDPB Recommendations 01/2020.
9. Assistance to the controller
TrackProject will assist the Customer (a) in responding to data-subject rights requests, (b) in conducting Data Protection Impact Assessments and prior consultations, and (c) in fulfilling the Customer's obligations under Articles 32–36 GDPR, taking into account the nature of processing and the information available.
10. Incident notification
TrackProject will notify the Customer of a personal data breach affecting the Customer's workspace without undue delay and in any case within 72 hours of confirmation, with all information reasonably available to support the Customer's regulatory obligations.
11. Return & deletion
On termination, the Customer may export personal data within 30 days. After that period, personal data is securely deleted from production and purged from backups within the documented rotation window (currently 35 days), except where retention is required by law.
12. Audit rights
TrackProject will make available the information necessary to demonstrate compliance and accept reasonable audits, including third-party audits subject to confidentiality, reasonable notice and adherence to TrackProject's security policies. Audit reports (SOC 2, ISO 27001 once certified) will be made available under NDA.
13. Records of processing
TrackProject maintains a Record of Processing Activities under Article 30(2) GDPR and will provide relevant extracts to the Customer on reasonable request.
14. Liability
Liability under this DPA is subject to the limitations in the Master Subscription Agreement, except where mandatory law (including Article 82 GDPR) provides otherwise.
15. Termination
This DPA remains in effect for the duration of the subscription and any post-termination period required to return or delete personal data.