Skip to content
Beta — Todoodah is free during beta. Your data may be reset before launch.

Data Processing Agreement

Last updated: March 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Data Controller") and Ofnof ("Data Processor") and governs the processing of personal data in connection with the Todoodah service, in accordance with Article 28 of the General Data Protection Regulation (GDPR).

Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person processed through the Service.
  • "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, and deletion.
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.

Scope and Purpose

The Processor processes Personal Data on behalf of the Controller for the purpose of providing the Todoodah service, which includes:

  • User account management (registration, authentication, settings).
  • Storage and synchronization of todo items and lists.
  • Enabling collaborative list sharing between users.

Categories of Data Subjects

The Personal Data processed under this DPA relates to the following categories of data subjects:

  • End users who register for and use the Service.
  • Collaborators invited to shared lists by other end users.

Types of Personal Data

  • Email addresses.
  • Hashed passwords.
  • User-created content (todo items, list names).
  • User preferences (theme, sound settings).
  • IP addresses and session data.

Duration

This DPA is effective for the duration of the Controller's use of the Service and terminates upon account deletion.

Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller (i.e., as required to provide the Service). The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes GDPR or other EU/member state data protection law.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures to ensure data security.
  • Not engage another processor without prior written authorization of the Controller (see Sub-processors below).
  • Assist the Controller in responding to data subject requests (access, rectification, erasure, portability).
  • Assist the Controller in ensuring compliance with obligations related to data protection impact assessments and prior consultation with supervisory authorities (Art. 35–36 GDPR).
  • Delete or return all Personal Data upon termination of the Service, at the Controller's choice.

Sub-processors

The Controller authorizes the use of the following Sub-processors:

Sub-processorPurposeLocation
Hetzner Online GmbHApplication server hostingGermany, EU
Scaleway SASPostgreSQL database hostingFrance, EU
Migadu GmbHEmail hostingSwitzerland

All Sub-processors are located within the European Union or Switzerland (recognized as providing adequate data protection under GDPR). The Processor will notify the Controller before adding or replacing a Sub-processor, giving the Controller an opportunity to object. If the Controller objects to a new or replacement Sub-processor, the Controller may terminate the Service by deleting their account.

Data Breach Notification

In the event of a personal data breach, the Processor shall notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach. The notification shall include:

  • The nature of the breach, including categories and approximate number of data subjects affected.
  • The likely consequences of the breach.
  • The measures taken or proposed to address the breach.

Audit Rights

The Processor maintains a document describing its technical and organizational measures ("TOM document"). The TOM document is the primary means of demonstrating the Processor's compliance with this DPA.

If the TOM document does not sufficiently address the Controller's compliance concerns, the Controller may request additional information or, upon reasonable prior notice, conduct or commission an audit. The Processor shall cooperate with such requests in good faith.

Data Transfers

Personal Data is processed and stored within the European Union and Switzerland. Switzerland is recognized by the European Commission as providing an adequate level of data protection. No data is transferred to third countries outside the EU/EEA/Switzerland.

Liability

Each party is liable for damages caused by processing that infringes this DPA or the GDPR, in accordance with Article 82 GDPR. The Processor's total liability under this DPA is limited to the fees paid by the Controller for the Service in the twelve months preceding the claim, except in cases of intentional misconduct or gross negligence.

Contact

For questions regarding this DPA, contact us at contact@todoodah.com.