The Article 28 agreement between you (as controller) and Monospace (as processor) for any personal data we process on your behalf. This DPA forms part of our Terms of Service and is automatically in force when you use Monospace for business purposes.
Last updated: April 2026
This Data Processing Agreement ("DPA") is entered into between Monospace ("we", "Processor") and the customer or organisation using the Monospace platform ("you", "Controller"). It governs how Monospace processes Personal Data on your behalf in connection with your use of the Monospace service (the "Services").
This DPA is required by Article 28 of the UK GDPR and EU GDPR where you act as a data controller and Monospace acts as a data processor. It takes effect automatically on the date you begin using the Services for business purposes and remains in force for as long as Monospace processes Personal Data on your behalf.
If you need a countersigned copy of this DPA for your own records (for example, for your own auditors), email privacy@monospace.page and we'll return a signed PDF within five business days.
Terms defined in the UK GDPR and EU GDPR (including controller, processor, processing, personal data, data subject, and personal data breach) have the same meaning in this DPA.
For clarity:
In relation to Personal Data processed under this DPA, the Controller determines the purposes and means of the processing and Monospace acts solely as a processor on the Controller's behalf.
Both parties shall comply with their respective obligations under Applicable Data Protection Law. Nothing in this DPA relieves either party of their own direct obligations under Applicable Data Protection Law.
The scope of processing performed under this DPA is set out below.
Subject matter
Provision of the Monospace project-management platform, including boards, tasks, notes, chat, tickets, integrations, and any related features on the Controller's plan.
Nature and purpose
Storage, organisation, retrieval, transmission, and display of the Controller's data to authorised users; delivery of collaboration, notification, integration, and support features.
Duration
For as long as the Controller uses the Services, plus up to 30 days after account deletion for backup clearance.
Categories of data subjects
The Controller's authorised users (employees, contractors, collaborators), end users who submit tickets, and any individual referenced in content the Controller uploads.
Types of personal data
Account identifiers (name, email, avatar), authentication metadata, usage logs, content created by data subjects (board cards, tasks, notes, messages, tickets, attachments), integration tokens where granted, and any personal data the Controller chooses to store within project content.
Special categories
The Services are not designed to process special category data (Article 9 GDPR). The Controller shall not upload such data unless expressly agreed in writing.
Monospace shall:
Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, we implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk.
Encryption
AES-256-GCM encryption at rest for sensitive content (notes, project descriptions). TLS 1.3 encryption in transit for all connections.
Hosting
Hosted on Convex (primary data store) and Vercel (application tier), both SOC 2-compliant providers in the EU region.
Access controls
Role-based access internally; principle of least privilege; multi-factor authentication for all administrative access.
Audit logging
Application-level audit trail for sensitive operations (project moves, permission changes, data deletion).
Personnel
Confidentiality obligations in all employment and contractor agreements; access only granted on a need-to-know basis.
Incident response
Documented breach response procedure with notification pathways to the Controller and, where required, to supervisory authorities.
A more detailed description of the current technical and organisational measures is set out in Annex I, which is available on request at privacy@monospace.page.
The Controller authorises Monospace to engage sub-processors to deliver the Services. We take reasonable steps to ensure each sub-processor is bound by written data-protection obligations equivalent to those in this DPA.
Current sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Convex | Primary database and real-time backend | EU (eu-west-1) |
| Vercel | Hosting, edge network, analytics | Global (with EU origin) |
| Clerk | User authentication and account management | USA (SCCs) |
| Resend | Transactional email (password resets, notifications, ticket replies) | USA (SCCs) |
| OpenRouter / Anthropic / OpenAI | AI features (assistant, code review) — only when explicitly invoked by a user | USA (SCCs) |
| Stripe | Subscription billing and payment processing | USA (SCCs) / UK |
We will give the Controller at least 30 days' notice of any new or replacement sub-processor before it begins processing, giving you an opportunity to object. If the Controller has reasonable data-protection grounds to object, we will work in good faith to address the concern or, if no resolution is reached, either party may terminate the Services in accordance with the Terms of Service.
Where processing involves the transfer of Personal Data outside the UK or the European Economic Area, Monospace ensures that an appropriate transfer mechanism is in place, including:
The Standard Contractual Clauses and the UK IDTA are hereby incorporated into this DPA by reference, with Monospace as "data importer" and the Controller as "data exporter" for any transfers where Monospace is outside the Controller's jurisdiction.
Monospace provides tooling within the Services that enables the Controller to respond to data-subject requests (access, rectification, erasure, restriction, portability, objection) without requiring our involvement in most cases.
Where the Controller cannot fulfil a request using the Services directly, we will assist with reasonable technical and organisational measures, taking into account the nature of the processing. Requests received by Monospace directly from data subjects about Controller data will be forwarded to the Controller without substantive response.
Monospace will notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data Breach affecting the Controller's Personal Data. The notification will include:
It is the Controller's responsibility to notify the relevant supervisory authority and, where required, affected data subjects.
On termination of the Services, or earlier on written request, Monospace will — at the Controller's choice — either delete or return all Personal Data processed on behalf of the Controller and delete existing copies, unless applicable law requires further storage.
Deletion from live systems occurs within 30 days. Encrypted backups are rotated and overwritten within a further 30 days. Personal Data retained for legal-obligation purposes (e.g. tax records) is isolated and deleted when the obligation expires.
The Controller may export their own data in machine-readable format at any time using the in-app export tooling prior to account deletion.
Monospace will make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 of the GDPR and allow for and contribute to audits and inspections conducted by the Controller or an auditor mandated by the Controller.
In practice, we satisfy audit requests by providing:
Each party's liability under this DPA is subject to the liability cap and exclusions set out in the Terms of Service. Nothing in this DPA limits either party's liability to data subjects under Applicable Data Protection Law.
This DPA takes effect on the date the Controller begins using the Services for business purposes and remains in force for as long as Monospace processes Personal Data on the Controller's behalf. On termination, Section 11 (Return & Deletion) applies.
This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
We may update this DPA to reflect changes in applicable law, sub-processor arrangements, or our security practices. For material changes we will give at least 30 days' notice via email or an in-app notice. Continued use of the Services after a change takes effect constitutes acceptance of the updated DPA.
For questions about this DPA, data-protection matters, or to request a countersigned copy: