Astravera

Data Processing Addendum

最后更新于 2026年5月30日 · 版本 1.2

This Data Processing Addendum ("DPA") forms part of the agreement between you (the "Customer", acting as Data Controller) and PegaSync, the company that operates the Astravera suite ("Astravera", acting as Data Processor), under the Terms of Service. It applies to processing of Personal Data subject to the EU General Data Protection Regulation (EU GDPR) and the UK GDPR / Data Protection Act 2018. For Swiss-specific requirements under the revFADP, please contact [email protected] to request a supplementary addendum.

A PDF version of this DPA will be made available for download. Until then, this HTML page is the authoritative version.

1. Definitions

Terms used here have the meanings set out in the GDPR. Specifically:

  • Personal Data — any information relating to an identified or identifiable natural person.
  • Processing — any operation performed on Personal Data.
  • Controller — the entity that determines the purposes and means of processing. For B2B workspaces, this is the Customer.
  • Processor — the entity that processes Personal Data on behalf of the Controller. This is Astravera.
  • Subprocessor — any third party engaged by Astravera to process Personal Data on the Customer's behalf. The current list is at /subprocessors.
  • Data Subject — an end user (typically a workspace member) whose Personal Data is processed.
  • Standard Contractual Clauses (SCCs) — Commission Implementing Decision (EU) 2021/914.

2. Roles and scope

2.1 Controller / processor split

For workspace-owned data (boards, cards, comments, attachments, documents, signed envelopes, audit logs of workspace activity), the Customer is the Controller and Astravera is the Processor.

For account-identity data (a user's name, email, password, profile photo, language preference, MFA settings), Astravera is the Controller in its own right; this DPA does not apply to that processing. Account-identity processing is governed by the Privacy Policy.

2.2 Scope of processing

Astravera processes Personal Data only:

  • To provide the service in accordance with the Customer's documented instructions (the Terms of Service and any executed Order Form are deemed documented instructions);
  • As required by applicable law (in which case Astravera will inform the Customer before processing, unless prohibited from doing so by that law).

2.3 Nature, purpose, duration

  • Nature: hosting, storage, transmission, retrieval, and rendering of Customer Data via the Astravera suite.
  • Purpose: enabling the Customer's authorised users to use the suite.
  • Duration: the term of the Terms of Service plus the retention periods in §10.
  • Categories of Data Subjects: the Customer's employees, contractors, and invitees.
  • Categories of Personal Data: identification data (name, email), workspace activity data (cards, comments, attachments), authentication metadata.

3. Subprocessors

3.1 General authorisation

The Customer gives Astravera general authorisation to engage subprocessors, subject to the conditions of this section.

3.2 Current list

The current list of authorised subprocessors is published at /subprocessors, including each subprocessor's purpose, the categories of data exposed, region, and status.

3.3 Notice of new subprocessors

Astravera will give the Customer at least 30 days advance notice before engaging a new subprocessor or materially changing the scope of an existing one. Notice is given by updating /subprocessors and by email to the Customer's notice contact. The Customer may object during the notice period; if the parties cannot resolve the objection, the Customer may terminate the affected subscription without penalty, with a pro-rata refund of any prepaid fees.

3.4 Flow-down

Astravera ensures that each subprocessor is bound by data-protection obligations no less protective than those set out in this DPA, including by entering into the EU SCCs or relying on an adequacy decision where applicable.

4. Security measures

Astravera implements appropriate technical and organisational measures, including:

  • Encryption of Personal Data in transit (TLS 1.3) and at rest (AES-256 on managed infrastructure).
  • Strong authentication — passkey-first, bcrypt password hashing, rate-limited login endpoints, optional TOTP MFA.
  • Access control — least-privilege role-based access to production systems; access is logged.
  • Network isolation — per-workspace storage isolation; production systems are not directly internet-exposed.
  • Resilience — daily backups with point-in-time recovery; tested restore procedures.
  • Audit logging — every meaningful action is logged with actor and timestamp; admins can export their workspace audit log as CSV.
  • Vulnerability management — dependency scanning, regular patching, and a published security contact at /.well-known/security.txt.

A more detailed description of our security posture is at /security. Astravera will not materially weaken these measures during the term.

5. Personnel

Personnel authorised to process Personal Data are bound by appropriate confidentiality obligations and receive training appropriate to their role.

6. Data Subject requests

Astravera will assist the Customer in responding to Data Subject requests (access, portability, erasure, rectification, restriction, objection) through appropriate technical and organisational measures. Where a Data Subject contacts Astravera directly, Astravera will refer them to the Customer unless required by law to respond directly.

7. Personal Data breach

Astravera will notify the Customer without undue delay and in any event within 72 hours of becoming aware of a Personal Data breach affecting Customer Data, and will provide:

  • A description of the nature of the breach;
  • The categories and approximate number of Data Subjects affected;
  • The likely consequences;
  • The measures taken or proposed to address it.

Notification is given by email to the Customer's notice contact. The Customer remains responsible for any notifications to supervisory authorities and affected Data Subjects under Articles 33 and 34 GDPR.

8. Audit rights

The Customer may, no more than once per year and on at least 30 days advance notice, audit Astravera's compliance with this DPA. The audit may be conducted by the Customer's qualified representative or an independent third-party auditor (not a competitor of Astravera) bound by confidentiality.

In lieu of an on-site audit, Astravera may satisfy this obligation by providing the most recent available third-party reports (e.g. SOC 2 once obtained, generally within 18 months of issuance) and by responding to a reasonable security questionnaire.

The Customer bears the cost of audits it requests, unless the audit reveals a material breach by Astravera.

9. International transfers

Where Personal Data is transferred to a country outside the EEA / UK that has not been the subject of an adequacy decision, the transfer is governed by:

  • The EU Standard Contractual Clauses 2021/914 (Controller-to-Processor module), incorporated by reference; and
  • The UK International Data Transfer Addendum for UK transfers.

The Customer authorises Astravera to enter into the SCCs and IDTA with subprocessors on the Customer's behalf. Astravera relies on AWS's EU-US Data Privacy Framework certification as the primary transfer mechanism for processing on AWS us-east-1, with SCCs as fallback.

10. Retention and deletion

Astravera retains Customer Personal Data only for as long as needed to provide the service and as required by applicable law. On termination, Astravera will, at the Customer's choice:

  • Return Customer Data in a machine-readable format (workspace content export); or
  • Delete Customer Data within 30 days of termination, subject to legal-evidence retention requirements (Nomia signed envelopes are retained for the legally required period — typically 7 years — even after workspace deletion, per the Privacy Policy and GDPR Art. 17(3)(e)).

Backups are pruned on the regular backup cycle; deleted data may persist in backups for up to 90 days before being overwritten. During this period, Astravera will not restore deleted Customer Data from backups except as technically necessary to recover from a failure affecting other customers whose data has not been deleted.

11. Records of processing

Astravera maintains records of processing activities as Processor under GDPR Art. 30(2), and will make them available to a competent supervisory authority on request.

12. Liability and indemnity

The limitations of liability set out in the Terms of Service apply to this DPA. Each party is liable for Personal Data breaches caused by its own non-compliance with the GDPR or this DPA, in proportion to its responsibility.

13. Term and termination

This DPA is in force for as long as Astravera processes Customer Personal Data under the Terms of Service. Termination of the Terms of Service automatically terminates this DPA, except for provisions that by their nature survive (confidentiality, liability, audit rights for the period the records cover).

14. Conflict

In case of conflict between this DPA and the Terms of Service, this DPA prevails for matters of data protection. In case of conflict between this DPA and the EU SCCs, the SCCs prevail.

15. Contact

  • Privacy and data-protection enquiries: [email protected] (we have not appointed a statutory Data Protection Officer under GDPR Art. 37, as we are not currently required to)
  • Notice contact for the Customer is the email address on file in the workspace billing profile; the Customer is responsible for keeping it current.

Annex — Description of processing (SCC Annexes I, II, III)

This Annex consolidates the information required by the EU SCCs (2021/914) and GDPR Art. 28(3) so that this DPA can be relied on without a separate signed schedule.

A. List of parties (SCC Annex I.A)

  • Data exporter / Controller: the Customer (the organisation that owns the workspace), acting through the authorised admin who accepted these Terms. Contact: the workspace billing/notice contact on file.
  • Data importer / Processor: PegaSync, operator of the Astravera suite. Contact: [email protected].

B. Description of transfer (SCC Annex I.B)

  • Categories of data subjects: the Customer's employees, contractors, and invited workspace members.
  • Categories of personal data: identification data (name, email), workspace content (boards, cards, comments, attachments, documents, signed envelopes), authentication metadata, and audit logs.
  • Special categories: none processed as a routine part of the service; any uploaded by the Customer are the Customer's responsibility (see §2 and the Privacy Policy).
  • Frequency of transfer: continuous, for the duration of the subscription.
  • Nature and purpose: hosting, storage, transmission, retrieval, and rendering of Customer Data to provide the Astravera suite.
  • Retention period: per §10 of this DPA.

C. Competent supervisory authority (SCC Annex I.C)

The competent supervisory authority is that of the EU/EEA member state in which the Customer (data exporter) is established or, where the exporter is not EU-established, the authority of the member state in which the exporter's EU representative is located or in which the relevant data subjects are situated.

D. Technical and organisational measures (SCC Annex II)

The measures set out in §4 (Security measures) of this DPA and described at /security constitute Annex II.

E. Subprocessors (SCC Annex III)

The authorised subprocessors, with purpose, categories of data exposed, and region, are listed at /subprocessors and form Annex III.