Data Processing Addendum
Last updated: 22 June 2026
This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the Terms of Service (the “Agreement”) between Boardrooms to Backroads Consulting LLC (“B2BC”, “we”, “us”) and the customer organisation that subscribes to or otherwise uses TrailTrack (the “Service”). It governs the processing of Personal Data that we carry out on the Customer’s behalf when the Customer and its Users submit Content to the Service.
This document is a template provided for transparency and is intended to be reviewed and executed with the assistance of qualified legal counsel before it is relied upon. Some particulars (such as any [EU/UK representative] appointment) may still need to be completed for a given jurisdiction. Where this DPA conflicts with the Agreement on the subject of data protection, this DPA controls; in all other respects the Agreement remains in full force.
1. Definitions
Capitalised terms not defined here have the meaning given in the Agreement. The following definitions apply to this DPA and are intended to align with the EU General Data Protection Regulation (“GDPR”), the UK GDPR, the California Consumer Privacy Act as amended by the California Privacy Rights Act (together, “CCPA/CPRA”), and comparable data-protection laws.
- “Personal Data” means any information relating to an identified or identifiable natural person, or that constitutes “personal information” or “personal data” under applicable law, that is contained in Content and Processed under the Agreement.
- “Processing” (and “Process”) means any operation performed on Personal Data, whether or not by automated means, such as collection, storage, use, disclosure, or erasure.
- “Controller” means the entity that determines the purposes and means of the Processing of Personal Data. The Customer is the Controller (or, where the Customer itself acts as a processor for a third party, the Customer is the relevant intermediary).
- “Processor” means the entity that Processes Personal Data on behalf of the Controller. B2BC is the Processor (or, under CCPA/CPRA, a “service provider”) with respect to Customer Content.
- “Subprocessor” means any third party engaged by the Processor to Process Personal Data in connection with the Service.
- “Data Subject” (or, under CCPA/CPRA, “consumer”) means the individual to whom Personal Data relates.
- “User” means an individual the Customer authorises to access the Service under the Customer’s account.
- “Content” means the data, files, text, and other materials that the Customer and its Users submit to or generate within the Service.
- “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to Personal Data Processed under this DPA.
- “Standard Contractual Clauses” (“SCCs”) means the clauses approved by the European Commission and, as applicable, the UK International Data Transfer Addendum, used to safeguard cross-border transfers.
2. Roles and scope
As between the parties, the Customer is the Controller and B2BC is the Processor of the Personal Data contained in Content. The Customer determines the purposes and means of the Processing; B2BC Processes Personal Data only to provide, secure, maintain, and support the Service and as otherwise described in this DPA. This DPA applies to all Processing of Personal Data carried out by B2BC, and by its Subprocessors, in the course of providing the Service.
3. Customer instructions
B2BC will Process Personal Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by applicable law (in which case B2BC will, where legally permitted, inform the Customer of that requirement before Processing). The Agreement, this DPA, the Customer’s configuration and use of the features of the Service, and any subsequent written instructions agreed by the parties together constitute the Customer’s complete instructions.
B2BC will inform the Customer if, in its opinion, an instruction infringes applicable data-protection law, though B2BC is not obliged to carry out a legal review of the Customer’s instructions. The Customer is responsible for ensuring that it has a lawful basis to collect and provide the Personal Data and to instruct the Processing.
4. Nature, purpose, and duration of Processing
The following Appendix-style description sets out the particulars of the Processing for the purposes of Article 28(3) GDPR and equivalent provisions:
- Subject matter and nature: hosting and operation of a project-management and work-collaboration platform, including storage, retrieval, display, transmission, and deletion of Content.
- Purpose: to provide, maintain, secure, and support the Service in accordance with the Agreement.
- Duration: for the term of the Agreement, plus any post-termination export window and any period required to comply with applicable law, after which Personal Data is deleted or returned as described in Section 11.
- Categories of Data Subjects: the Customer’s Users, employees, contractors, clients, and any other individuals whose Personal Data the Customer or its Users choose to include in Content.
- Categories of Personal Data: identification and contact data (such as names, email addresses, and profile details); account and authentication data; task, project, comment, document, and file Content submitted by Users; usage, log, and device data; and any other Personal Data the Customer chooses to submit. The Customer controls whether special categories of Personal Data are submitted and should avoid submitting them unless appropriate safeguards are in place.
5. Processor obligations
B2BC will, with respect to Personal Data Processed under this DPA:
- Process Personal Data only on the Customer’s documented instructions as described in Section 3;
- ensure that personnel authorised to Process Personal Data are bound by appropriate confidentiality obligations and Process Personal Data only as necessary to perform their duties;
- implement and maintain the technical and organisational security measures described in Section 6 and the Security Overview;
- taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from Data Subjects to exercise their rights, as described in Section 9;
- assist the Customer in ensuring compliance with its obligations relating to the security of Processing, Personal Data Breach notification, data-protection impact assessments (DPIAs), and prior consultation with supervisory authorities, taking into account the information available to B2BC; and
- make available to the Customer information reasonably necessary to demonstrate compliance with this DPA, as described in Section 12.
6. Security measures
B2BC maintains technical and organisational measures designed to protect Personal Data against a Personal Data Breach and appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of the Processing. These measures include encryption in transit and at rest, database row-level security and tenant isolation, invite-only access with optional multi-factor authentication, private file storage with signed access for sensitive buckets, least-privilege server-side service credentials, audit logging, and security headers. A fuller description is set out in the Security Overview, which forms part of this DPA. B2BC may update its measures over time provided that the updates do not materially reduce the overall level of protection.
7. Subprocessors
The Customer provides B2BC with a general authorisation to engage Subprocessors to support delivery of the Service. The current Subprocessors are listed at Subprocessors. Where B2BC engages a Subprocessor, it imposes on that Subprocessor, by written contract, data-protection obligations substantially equivalent to those set out in this DPA (“flow-down” terms), to the extent applicable to the nature of the Subprocessor’s services.
B2BC will provide a mechanism for the Customer to be informed of intended changes concerning the addition or replacement of Subprocessors, thereby giving the Customer the opportunity to object on reasonable data-protection grounds. If the Customer reasonably objects and the parties cannot resolve the objection, the Customer may, as its sole remedy, terminate the affected portion of the Service. B2BC remains responsible for the performance of its Subprocessors’ obligations under this DPA to the same extent B2BC would be liable if performing the services directly.
8. International transfers
Personal Data may be Processed in, or transferred to, the United States and other countries where B2BC or its Subprocessors operate. Where a transfer of Personal Data from the European Economic Area, the United Kingdom, Switzerland, or another jurisdiction with cross-border transfer restrictions occurs, the parties will rely on an appropriate transfer mechanism, such as the SCCs (including, as applicable, the UK International Data Transfer Addendum and the Swiss addendum), an adequacy decision, or another lawful safeguard. The parties agree that the relevant SCCs are incorporated by reference and completed as set out in the relevant transfer particulars (including any [EU/UK representative] details) to be agreed between the parties. B2BC will make available information about the safeguards it applies on request.
9. Data-subject requests
Taking into account the nature of the Processing, B2BC will assist the Customer, insofar as reasonably possible, in fulfilling the Customer’s obligation to respond to requests from Data Subjects to exercise their rights (such as access, rectification, erasure, restriction, portability, and objection). The Service provides self-service tools, including in Settings → Compliance, that the Customer can use to access, export, correct, and delete Personal Data. If B2BC receives a request directly from a Data Subject relating to Content, it will, where permitted by law, advise the Data Subject to submit the request to the Customer and will not respond to the request itself except on the Customer’s instructions.
10. Personal Data Breach notification
B2BC will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Personal Data Processed under this DPA. Such notification will include, to the extent then known and as it becomes available, a description of the nature of the breach, the likely consequences, the measures taken or proposed to address it, and a point of contact for further information. B2BC’s notification is not an acknowledgement of fault or liability. The Customer is responsible for determining whether the breach requires notification to supervisory authorities or Data Subjects and for making any such notifications.
11. Deletion and return of Personal Data
On expiry or termination of the Agreement, B2BC will, at the Customer’s choice, delete or make available for export the Personal Data it Processes on the Customer’s behalf, except to the extent retention is required by applicable law. B2BC will provide a commercially reasonable export window following termination, after which the Personal Data will be deleted from active systems and, in due course, from backups in accordance with B2BC’s retention and backup cycles.
12. Audits and information
B2BC will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, subject to reasonable and proportionate conditions. To the extent available, B2BC may satisfy audit requests by providing relevant documentation, security summaries, or third-party assessments. Audits will be conducted on reasonable prior notice, during normal business hours, no more than once per year (absent a Personal Data Breach or a regulator’s requirement), and in a manner that does not unreasonably disrupt B2BC’s operations or compromise the confidentiality or security of other customers.
13. CCPA/CPRA service-provider terms
To the extent the CCPA/CPRA applies, B2BC acts as a “service provider” with respect to Personal Data it Processes on the Customer’s behalf. B2BC will not: (a) sell or share such Personal Data; (b) retain, use, or disclose it for any purpose other than the specific business purpose of providing the Service, or as otherwise permitted by the CCPA/CPRA; (c) retain, use, or disclose it outside the direct business relationship between the parties; or (d) combine it with Personal Data received from other sources except as permitted by the CCPA/CPRA. B2BC certifies that it understands and will comply with these restrictions.
14. Liability and order of precedence
Each party’s and its affiliates’ total liability arising out of or related to this DPA is subject to the limitations and exclusions of liability set out in the Agreement, and any reference in the Agreement to the liability of a party means the aggregate liability of that party under the Agreement and this DPA together. In the event of a conflict between this DPA and the Agreement regarding the Processing of Personal Data, this DPA prevails; the SCCs, where they apply, prevail over both in the event of a conflict on matters they govern.
15. Term
This DPA takes effect when it is incorporated into the Agreement and remains in force for as long as B2BC Processes Personal Data on the Customer’s behalf. Provisions that by their nature should survive termination, including those relating to confidentiality, deletion and return, audits, and liability, survive termination of this DPA and the Agreement.
16. Governing law
This DPA is governed by the laws of the State of Texas, United States, without regard to its conflict-of-laws rules, except where applicable data-protection law or the SCCs require otherwise. Nothing in this DPA limits any rights that a Data Subject or supervisory authority may have under applicable data-protection law.
17. How to execute and contact
A Customer that requires a countersigned copy of this DPA, or that needs to complete any remaining particulars (such as any [EU/UK representative] details), may contact us to arrange execution. Privacy and data-protection enquiries may be directed to privacy@boardroomstobackroads.com or to our data-protection contact at dpo@boardroomstobackroads.com. For further detail on how we handle Personal Data, see the Privacy Policy, the Security Overview, and the list of Subprocessors.
