Data Processing Agreement
Last Updated: February 06, 2026
This Data Processing Agreement, along with its Schedules and Appendices ("DPA"), is integrated into the ByteJoy LLC Terms of Service and Privacy Policy (as revised periodically) or any other relevant contract between ByteJoy LLC ("ByteJoy") and the customer ("Customer") specified in that contract ("Agreement") for accessing CastleHQ ("Services"). Terms capitalized but undefined here carry the definitions from the Agreement. If conflicts arise between this DPA, prior data processing addendums, and the Agreement, this DPA takes priority. For conflicts between the DPA's main text and the UK Addendum or Standard Contractual Clauses (where relevant), the UK Addendum or Standard Contractual Clauses control.
Customer signs this DPA for itself and, where Data Protection Laws and Regulations mandate, for its Authorized Affiliates. In this DPA, "Customer" encompasses Customer and Authorized Affiliates.
This DPA outlines the parties' commitments regarding Personal Data Processing. While delivering Services under the Agreement, ByteJoy may Process Personal Data for Customer, and both parties commit to these terms for all such Personal Data.
Core Terms for Data Processing
1. Key Terms
"Affiliate" refers to any organization that controls, is controlled by, or shares common control with another entity, where "Control" involves owning or directing over 50% of voting shares.
"Authorized Affiliate" includes any Customer Affiliate that (a) falls under data protection rules of the EU, EEA, member states, Switzerland, or UK; (b) can access Services per the Customer-ByteJoy Agreement but lacks its own contract with ByteJoy and isn't defined as "Customer"; and (c) acts as a Controller for Personal Data ByteJoy Processes.
"Controller" is the party deciding Personal Data Processing purposes and methods, including "business" under CCPA.
"Customer Data" covers data described in the CastleHQ Privacy Policy at https://castlehq.app/privacy as "your data", "your information", or equivalent.
"Data Protection Laws and Regulations" encompass all relevant laws for Personal Data Processing under the Agreement, including EU/EEA/member states/Switzerland/UK laws like GDPR (EU) 2016/679; FADP (Swiss); UK GDPR (Data Protection Act 2018); CCPA (Cal. Civ. Code § 1798.100 et seq., with regulations/amendments like CPRA) and other U.S. state privacy laws ("U.S. Privacy Laws").
"Data Subject" is the identifiable individual linked to Personal Data.
"End Users" are Customer's users, like staff, contractors, or invitees accessing CastleHQ through Customer's account.
"Personal Data" is Customer Data relating to an identifiable person or entity (protected as personal data under applicable laws).
"Processing" (and forms) includes operations on Personal Data, automated or not, like collecting, storing, adapting, using, disclosing, restricting, or erasing.
"Processor" is the party Processing Personal Data for the Controller, including "service provider" under CCPA.
"Security, Privacy and Architecture Documentation" includes ByteJoy's Privacy Policy (updated periodically at https://castlehq.app/privacy) or other accessible materials from ByteJoy.
"Standard Contractual Clauses" are clauses from European Commission Decision 2021/914 (June 4, 2021) for transfers to third countries under GDPR, at http://data.europa.eu/eli/dec_impl/2021/914/oj, filled per Section 11.
"Subprocessor" is any Processor ByteJoy engages.
"Supervisory Authority" is an EEA state's GDPR-established public body, UK's ICO, or Swiss FDPIC.
"UK Addendum" is the ICO's International Data Transfer Addendum to EU SCCs (as of Effective Date at https://ico.org.uk/media/for-organisations/documents/4019539/international-data-transfer-addendum.pdf).
2. Handling Personal Data
2.1. Party Roles. Parties confirm: Customer acts as Controller or Processor; ByteJoy as Processor.
2.2. Customer's Duties in Processing. When using Services, Customer must:
2.2.1. Process Personal Data per Data Protection Laws and Regulations, ensuring instructions comply;
2.2.2. Bear full duty for Personal Data's accuracy, quality, legality, and acquisition methods;
2.2.3. Deliver proper notices and secure valid consents from Data Subjects for Processing, disclosure, and cross-border transfers;
2.2.4. Avoid actions or inactions causing ByteJoy to breach laws, notices, or consents via Processing.
2.3. ByteJoy's Duties in Processing.
2.3.1. ByteJoy treats Personal Data confidentially and Processes it only: (1) to meet Agreement obligations, including DPA; (2) for Customer per documented instructions; (3) per Data Protection Laws. DPA/Agreement are Customer's full instructions; extras need separate accord. For UK Addendum/SCCs, instructions include: (i) Agreement-based Processing; (ii) Customer/End User-initiated Processing via Services; (iii) other consistent documented instructions (e.g., email).
2.3.2. Processing subject is Services delivery per Agreement. Duration, nature/purpose, Personal Data types, Data Subject categories detailed in Schedule 1.
2.3.3. Beyond 2.3.1, ByteJoy must:
i. Avoid "selling" or "sharing" Personal Data for "cross-context behavioral" or "targeted advertising" per U.S. Privacy Laws;
ii. Not try to re-identify pseudonymized/anonymized/aggregated/de-identified Personal Data or link Customer Data to other data without authorization;
iii. Limit retention/use/disclosure of Personal Data to the direct Customer-ByteJoy relationship;
iv. Follow U.S. Privacy Laws restrictions on combining Personal Data with data from others or ByteJoy's interactions;
v. Notify Customer immediately if unable to meet DPA/law obligations, upon breach, or if instructions infringe laws.
2.3.4. ByteJoy notifies Customer promptly of government access requests unless prohibited, provides cooperation/assistance, informs Customer if compliance is impossible (without details if barred), and challenges demands/non-disclosures legally.
2.3.5. ByteJoy offers reasonable aid/cooperation for Customer's data impact assessments (if required), at Customer's expense.
2.3.6. ByteJoy provides reasonable support for Customer's authority consultations on Processing, including ByteJoy's consultation duties.
2.3.7. ByteJoy confirms understanding/compliance with DPA obligations, including Section 2 restrictions.
3. Security Measures
3.1. Data Protection Controls. ByteJoy implements suitable technical/organizational steps for Personal Data security, confidentiality, integrity (against unauthorized/unlawful Processing, loss/damage/disclosure/access), per Security, Privacy and Architecture Documentation. Security levels won't drop materially during term.
3.2. External Audits/Certifications. On written request at reasonable intervals, subject to the Agreement's confidentiality terms, ByteJoy supplies copies of its latest third-party audits/certifications; this does not apply if Customer/auditor competes with ByteJoy.
3.3. Halting Unauthorized Processing. Customer may take reasonable steps to stop/remediate unauthorized Personal Data Processing, including Processing not authorized by this DPA.
4. Incident Response and Alerts
ByteJoy upholds incident policies/procedures in Security, Privacy and Architecture Documentation/Agreement. ByteJoy alerts Customer promptly (per laws) after awareness of accidental/unlawful loss/alteration/disclosure/access to Processed Personal Data by ByteJoy/Subprocessors ("Personal Data Incident"). ByteJoy reasonably identifies/remediates cause within control; excludes Customer/End User-caused incidents.
5. Data Subject Inquiries
ByteJoy promptly alerts Customer (if permitted) of Data Subject requests to exercise rights (access/rectification/restriction/erasure/portability/objection/no automated decisions) ("Data Subject Request"). Considering Processing nature, ByteJoy aids Customer via measures to meet obligations. If Customer can't handle via Services, ByteJoy provides reasonable assistance on request (if permitted/required); Customer covers costs where allowed.
6. ByteJoy Staff Obligations
6.1. Confidentiality. ByteJoy ensures Processing staff know Personal Data confidentiality, receive training, sign agreements surviving engagement end.
6.2. Reliability. ByteJoy takes reasonable steps for Processing staff reliability.
6.3. Access Limits. ByteJoy restricts Personal Data access to staff needed for Agreement Services.
6.4. Inquiries. Email privacy@castlehq.app for DPA/privacy questions.
7. Engaging Subprocessors
7.1. Subprocessor Authorization. Customer consents to ByteJoy using third-party Subprocessors for Services, with ByteJoy's agreements requiring equivalent (or stronger) protections per Subprocessor Services.
7.2. Current List and New Alerts. ByteJoy provides CastleHQ Subprocessor list on website or request, notifies Customer before new Subprocessors Process Personal Data.
7.3. New Subprocessor Objections. Customer objects in writing within 10 business days of notice. If objected, ByteJoy may reasonably adjust Services or suggest Customer changes to avoid new Subprocessor without burden. If impossible within 30 days, Customer terminates affected Services with notice; ByteJoy refunds prepaid fees for remainder, no penalties.
8. Data Return or Erasure
On Agreement end, ByteJoy returns Personal Data to Customer and deletes (per law) per Security, Privacy and Architecture Documentation procedures/timeframes.
9. Affiliates and Liability Limits
9.1. Affiliate Binding. Each Authorized Affiliate binds to DPA (and Agreement where applicable); access/use complies with Agreement; violations deemed Customer's. Affiliate isn't Agreement party via DPA entry, only DPA party.
9.2. Coordination. Customer handles all DPA communications with ByteJoy on Affiliates' behalf.
9.3. Affiliate Rights. Authorized Affiliates exercise DPA rights/remedies per laws, subject to:
9.3.1. Unless laws require direct exercise, Customer handles on Affiliate's behalf; exercises combined, not per Affiliate.
9.3.2. For audits, Customer minimizes impact by combining Affiliate requests into one.
9.4. Liability Caps. Per laws, party/Affiliate liability from this/all DPAs (contract/tort/other) follows Agreement limits, aggregated across Agreement/all DPAs. ByteJoy/Affiliates' total liability applies collectively, not per Customer/Affiliate.
10. Cross-Border Transfers
10.1. Clause Availability. Per Schedule 1 extras, ByteJoy offers SCCs/UK Addendum for transfers from EEA/member states/Switzerland/UK to inadequate-protection countries, where transfers link to DPA Personal Data Processing and laws apply.
10.2. SCC Execution. If required, Agreement signing deems SCCs signed/integrated (except 10.4/10.5), completed as:
10.2.1. Module 2 for controller-to-processor; Module 3 for processor-to-processor;
10.2.2. Clause 7 docking included;
10.2.3. Clause 9: Option 2 (general auth);
10.2.4. Clause 11: No optional independent redress;
10.2.5. Clause 17: Option 1, Ireland laws;
10.2.6. Clause 18: Ireland courts;
10.2.7. Annex I(A)/I(B): Per Schedule 1;
10.2.8. Annex I(C): Per Clause 13, prefer Irish DPC;
10.2.9. Annex II: Schedule 1;
10.2.10. Annex III: N/A (general auth).
10.3. UK Transfers. For UK-governed transfers, UK Addendum integrates/precedes DPA. Terms: (a) Parties/Affiliates involved; (b) Schedule 1 contacts; (c) Table 2: Executed SCCs; (d) Either party may end the UK Addendum per Section 19; (e) Agreement signing deems Addendum signed.
10.4. FADP Transfers. For FADP-subject, SCCs apply per 10.2 with: (1) GDPR refs as FADP where exclusive; (2) Include legal entity data until FADP revisions; (3) "Member state" allows Swiss habitual residence suits per Clause 18(c); (4) Supervisor: Swiss FDPIC (FADP-only) or both with SCC-identified (FADP+GDPR).
10.5. Subprocessor Copies. Parties agree ByteJoy redacts commercial/unrelated clauses from Subprocessor agreements for SCCs/Controller/Processor clauses; provides on request, format at discretion.
10.6. Processor-Processor. For Processor-Processor, Customer handles ByteJoy's duties to Customer's Controllers (ByteJoy lacks direct relation).
10.7. Audits/Certs. UK Addendum/SCC audits per DPA Section 3.2.
10.8. Deletion Cert. UK Addendum/SCC deletion certification provided on Customer request.
SCHEDULE 1
ANNEX I
A. PARTIES LIST
Data exporter(s):
Name: Entity as Customer in DPA/Agreement.
Address: Customer's CastleHQ account address.
Contact: CastleHQ account details.
Activities: Per DPA.
Signature/date: Deemed signed via Services use for third-country transfers.
Role: Controller (or sometimes Processor).
Data importer(s):
Name: ByteJoy LLC.
Address: 7901 4th St N, STE 300, St Petersburg, FL 33702, USA.
Contact: privacy@castlehq.app.
Activities: Cloud SaaS provider for project management, Processing per exporter-ByteJoy agreement/instructions.
Signature/date: Deemed signed via Processing on instructions.
Role: Processor.
B. TRANSFER DETAILS
Data subjects categories:
Exporter/subjects (per exporter) may submit data on: prospects/customers/partners/vendors (natural persons); their employees/contacts; exporter's employees/agents/advisors/contractors/members/freelancers; or other exporter-determined categories.
Personal data categories:
Exporter/subjects (per exporter) may submit data; type/extent/detail at exporter/subject discretion.
Sensitive data (if any) and safeguards:
Exporter/subjects may submit; type/extent/detail at discretion. ByteJoy prioritizes security/privacy; safeguards for all (incl. sensitive) in Privacy Policy at https://castlehq.app/privacy (purpose/access limits, trained staff logs, onward restrictions, extra security).
Transfer frequency:
Exporter/subjects may submit once or continuously (e.g., updates); at discretion.
Processing nature:
ByteJoy Processes only for Services, per exporter/subject instructions, Agreement/DPA/Clauses.
Transfer/further processing purpose:
At exporter/subject discretion.
Retention period/criteria:
Per terms/ByteJoy retention (unless earlier deleted by exporter/subject), only Agreement duration.
Subprocessor transfers: subject/nature/duration:
To Subprocessors per Privacy Policy at https://castlehq.app/privacy.
C. SUPERVISORY AUTHORITY
Per GDPR/Clause 13; where possible, Irish DPC.
ANNEX II - SECURITY MEASURES
Measures for appropriate security (considering nature/scope/context/purpose/risks to rights/freedoms) in Privacy Policy at https://castlehq.app/privacy.
ByteJoy requires equivalent/more stringent DPAs from sub-processors handling data. CastleHQ sub-processors: DigitalOcean (hosting/platform); Resend (emails); Paddle (billing); Anthropic/OpenAI (support tools).