Data Processing Agreement (DPA)
Effective Date: February 2, 2026
Last Updated: February 2, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Crow’s Nest (“Processor”) and you, the customer (“Controller”), and governs the processing of personal data under the General Data Protection Regulation (GDPR) and other applicable data protection laws.
1. Definitions
1.1 General Terms
The following terms used in this DPA have the meanings set forth below:
-
“Controller” means the natural or legal person which determines the purposes and means of the processing of personal data (i.e., you, the customer).
-
“Processor” means the natural or legal person which processes personal data on behalf of the Controller (i.e., Crow’s Nest).
-
“Data Subject” means the identified or identifiable natural person to whom personal data relates.
-
“Personal Data” means any information relating to an identified or identifiable natural person as defined in applicable data protection laws.
-
“Processing” means any operation or set of operations performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction.
-
“Sub-processor” means any third party appointed by the Processor to process personal data on behalf of the Controller.
-
“Data Protection Laws” means all laws and regulations applicable to the processing of personal data under this DPA, including the GDPR, CCPA/CPRA, and other applicable privacy laws.
-
“GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data.
-
“Supervisory Authority” means an independent public authority established by an EU Member State pursuant to the GDPR.
1.2 Incorporated Terms
Terms not defined in this DPA shall have the meaning given to them in the GDPR or other applicable data protection laws.
2. Scope and Application
2.1 Scope of Agreement
This DPA applies to all processing of personal data by Crow’s Nest on behalf of the Controller in connection with the use of Crow’s Nest services (“Services”).
2.2 Relationship to Terms of Service
This DPA supplements and forms an integral part of the Terms of Service. In the event of any conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to data processing matters.
2.3 Application
This DPA shall apply only to the extent that Crow’s Nest processes personal data on behalf of the Controller and acts as a Processor under applicable data protection laws.
Note: With respect to Harvest data, the Controller acknowledges that Harvest (Getharvest.com) is the original data controller. Crow’s Nest accesses Harvest data via OAuth authorization granted by the Controller and processes such data in accordance with Harvest’s Terms of Service (Section 7 - Confidentiality).
3. Details of Processing
3.1 Subject Matter of Processing
The subject matter of processing is the provision of Crow’s Nest’s budget tracking and project management services, which integrate with the Controller’s Harvest time tracking data.
3.2 Duration of Processing
Processing will continue for the duration of the Controller’s use of the Services, plus the retention period specified in Section 8 (Data Retention and Deletion).
3.3 Nature and Purpose of Processing
| Processing Activity | Purpose |
|---|---|
| Account management | Create and maintain user accounts |
| OAuth authentication | Authenticate users via Harvest OAuth |
| Data synchronization | Import clients, projects, and time reports from Harvest |
| Capacity planning | Calculate and display budget vs. actual hours |
| Work week management | Store and display weekly work hour allocations |
| Budget tracking | Track project budget allocations and completion status |
| Reporting | Generate visualizations and reports |
| Customer support | Provide technical support and troubleshooting |
3.4 Type of Personal Data
Crow’s Nest processes the following categories of personal data on behalf of the Controller:
| Category | Data Elements |
|---|---|
| Identity Data | Email address, name (from Harvest OAuth) |
| Authentication Data | OAuth tokens, refresh tokens, token expiration timestamps, OAuth provider, UID |
| Harvest Business Data | Client names and status, project names and codes, project rates and dates, time tracking reports |
| Technical Data | IP address, user agent, session identifiers, timestamps |
| Usage Data | Events (actions performed), pages visited, features used |
| Configuration Data | Work week hour preferences, budget allocations, task items |
3.5 Categories of Data Subjects
Personal data processed under this DPA relates to the following categories of data subjects:
- The Controller (individual user of Crow’s Nest)
- Employees, contractors, or team members whose time tracking data appears in the Controller’s Harvest account (if applicable)
- Clients whose information is stored in the Controller’s Harvest account
4. Processor Obligations
4.1 Processing Instructions
The Processor shall:
a) Process personal data only on documented instructions from the Controller, unless required to do so by applicable law, in which case the Processor shall inform the Controller of such legal requirement before processing (unless prohibited by law).
b) Process personal data solely for the purposes described in Section 3 (Details of Processing) and in accordance with the Controller’s instructions as set forth in:
- This DPA
- The Terms of Service
- The Controller’s use of the Services (e.g., account settings, sync preferences)
c) Immediately inform the Controller if, in the Processor’s opinion, an instruction infringes applicable data protection laws.
d) Not transfer, copy, or otherwise process personal data for the Processor’s own purposes or for any third party without the Controller’s prior written consent.
4.2 Confidentiality
The Processor shall:
a) Ensure that all persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
b) Ensure that access to personal data is limited to those personnel who require such access to perform the Services.
c) Maintain a list of personnel with access to personal data and provide such list to the Controller upon reasonable request.
d) Not disclose personal data to any third party except as permitted under this DPA or as required by law.
4.3 Compliance with Data Protection Laws
The Processor shall:
a) Comply with all applicable data protection laws in its processing of personal data.
b) Not do anything which would cause the Controller to be in breach of applicable data protection laws.
c) Implement and maintain appropriate technical and organizational measures as described in Section 5 (Security Measures).
5. Technical and Organizational Security Measures
5.1 Security Obligations
The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account:
- The state of the art
- The costs of implementation
- The nature, scope, context, and purposes of processing
- The risk of varying likelihood and severity for the rights and freedoms of natural persons
5.2 Technical Measures
| Measure | Implementation |
|---|---|
| Encryption in Transit | HTTPS/TLS 1.3 for all connections |
| Encryption at Rest | OAuth tokens encrypted using Rails encrypted attributes; database encryption for sensitive fields |
| Access Authentication | OAuth 2.0 authentication; HTTP-only, secure session cookies |
| Secure Token Management | Automatic token refresh; token expiration handling; secure token storage |
| Database Security | SQLite with file-level permissions; encrypted backups; access logging |
| Network Security | Firewall protection; intrusion detection; DDoS mitigation |
| Vulnerability Management | Regular security scanning (Brakeman); dependency vulnerability monitoring; timely patching |
| Logging and Monitoring | Security event logging; anomaly detection; performance monitoring (RorVsWild) |
5.3 Organizational Measures
| Measure | Implementation |
|---|---|
| Access Controls | Role-based access control (RBAC); principle of least privilege; multi-factor authentication for administrative access |
| Personnel Security | Background checks; security awareness training; confidentiality agreements (NDAs) |
| Incident Response | Data breach response plan; 72-hour notification procedure; incident investigation and remediation |
| Data Minimization | Collection limited to necessary data; regular review of data retention; automatic deletion of expired data |
| Backup and Recovery | Regular encrypted backups; tested disaster recovery procedures; 90-day backup retention |
| Audit and Compliance | Quarterly security audits; annual penetration testing; compliance monitoring |
| Vendor Management | Sub-processor due diligence; Data Processing Agreements with sub-processors; regular vendor reviews |
5.4 Pseudonymization and Anonymization
Where feasible and appropriate, the Processor shall implement pseudonymization and anonymization techniques to reduce risks to data subjects, particularly for:
- Analytics and performance monitoring
- Error logging and debugging
- Usage statistics and reporting
5.5 Security Updates
The Processor shall regularly review and update security measures to ensure they remain appropriate and effective in light of evolving threats and technological developments.
6. Sub-processors
6.1 Authorized Sub-processors
The Controller grants general authorization for the Processor to engage sub-processors to process personal data, subject to the conditions in this Section 6.
6.2 Current Sub-processors
The Processor currently engages the following sub-processors:
| Sub-processor | Service | Location | Data Processed | Safeguards |
|---|---|---|---|---|
| Harvest (Getharvest.com) | Time tracking data source (via OAuth) | USA | All Harvest business data (clients, projects, time reports) | OAuth 2.0; HTTPS; Harvest DPA and Terms of Service |
| RorVsWild | Performance monitoring | France (EU) | Anonymized error logs, performance metrics (no personal data) | DPA; GDPR compliant; encrypted transit |
| Hetzner Online GmbH | Application hosting infrastructure | Germany (EU) | All application data | Encryption at rest and in transit; access controls; DPA; ISO 27001 certified; GDPR compliant |
Note: Harvest is the original data controller for Harvest data. Crow’s Nest accesses Harvest data via OAuth authorization and processes it in compliance with Harvest’s Terms of Service.
6.3 Sub-processor Requirements
The Processor shall:
a) Ensure that each sub-processor is bound by a written agreement that imposes data protection obligations substantially similar to those in this DPA, including obligations regarding security measures and confidentiality.
b) Conduct appropriate due diligence on sub-processors prior to engagement, including assessment of technical and organizational security measures.
c) Remain fully liable to the Controller for the performance of any sub-processor’s obligations.
6.4 Changes to Sub-processors
a) The Processor shall maintain an up-to-date list of sub-processors, which may be requested by the Controller.
b) The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days prior to such change.
c) If the Controller objects to a new sub-processor on reasonable grounds relating to data protection, the Controller may:
- Request alternative arrangements
- Terminate the Terms of Service with 30 days’ written notice without penalty
d) If the Controller does not object within 30 days of notification, the Controller shall be deemed to have authorized the new sub-processor.
6.5 Sub-processor Audits
The Processor shall ensure that sub-processors provide sufficient guarantees to implement appropriate technical and organizational measures and allow for audits by the Processor or the Controller as provided in Section 10 (Audits and Inspections).
7. Data Subject Rights Assistance
7.1 Processor Assistance
The Processor shall, to the extent legally permitted and taking into account the nature of processing, provide reasonable assistance to the Controller in responding to requests from data subjects exercising their rights under data protection laws, including:
- Right of access (GDPR Art. 15)
- Right to rectification (GDPR Art. 16)
- Right to erasure / “right to be forgotten” (GDPR Art. 17)
- Right to restriction of processing (GDPR Art. 18)
- Right to data portability (GDPR Art. 20)
- Right to object (GDPR Art. 21)
- Rights related to automated decision-making and profiling (GDPR Art. 22)
7.2 Data Subject Requests
a) If the Processor receives a request from a data subject directly, the Processor shall:
- Promptly notify the Controller (within 2 business days)
- Not respond to the request without the Controller’s prior authorization (unless required by law)
- Redirect the data subject to the Controller where appropriate
b) The Processor shall provide the Controller with commercially reasonable cooperation and assistance in responding to data subject requests, including:
- Providing access to personal data
- Correcting inaccurate personal data
- Deleting personal data
- Exporting personal data in a structured, machine-readable format (JSON or CSV)
7.3 Technical Capabilities
The Processor maintains the following technical capabilities to facilitate data subject rights:
| Right | Implementation |
|---|---|
| Access | Data export functionality (email [email protected]) |
| Rectification | Account settings for email updates |
| Erasure | Account deletion functionality (via settings or email request) |
| Portability | JSON/CSV export of all user data |
| Restriction | Ability to disconnect Harvest OAuth and stop data sync |
| Objection | Ability to disable specific features or data collection |
7.4 Timeframes
The Processor shall use reasonable efforts to respond to Controller requests for assistance within:
- Urgent requests: 2 business days
- Standard requests: 5 business days
- Complex requests: 10 business days
8. Data Retention and Deletion
8.1 Retention Periods
The Processor shall retain personal data only for as long as necessary to fulfill the purposes described in Section 3, unless longer retention is required by law.
| Data Type | Retention Period |
|---|---|
| Account information (email) | Until account deletion + 30 days |
| Harvest OAuth tokens | Until disconnection, revocation, or expiration |
| Harvest business data | Until account deletion or manual removal |
| Session data | 30 days after session expiration |
| Event logs (security/support) | 2 years |
| Deleted account data (soft delete) | 30 days (for account recovery) |
| Backup data | Up to 90 days |
8.2 Deletion Upon Termination
Upon termination or expiration of the Terms of Service, the Processor shall, at the Controller’s choice:
a) Delete all personal data (and existing copies) within 30 days of termination, except where retention is required by applicable law; or
b) Return all personal data to the Controller in a structured, commonly used, machine-readable format (JSON or CSV) within 30 days of termination, and then delete all copies.
8.3 Deletion Procedure
Deletion shall include:
- Permanent deletion from production databases
- Deletion from all backup systems (following standard backup rotation of 90 days maximum)
- Deletion from sub-processor systems (where applicable)
- Secure overwriting or destruction of physical media containing personal data
8.4 Exceptions
The Processor may retain personal data to the extent and for such period as required by applicable law, provided that the Processor ensures the confidentiality and security of such personal data and processes it only for the purposes specified by such law.
8.5 Certification of Deletion
Upon request, the Processor shall provide written certification to the Controller that personal data has been deleted in accordance with this Section 8.
9. Data Breach Notification
9.1 Notification Obligation
The Processor shall notify the Controller without undue delay, and in any event within 24 hours of becoming aware of a personal data breach affecting the Controller’s data.
9.2 Breach Notification Contents
The notification shall include, to the extent reasonably available:
a) Description of the nature of the breach, including:
- Categories and approximate number of data subjects affected
- Categories and approximate number of personal data records affected
b) Contact details of the Processor’s data protection officer or other contact point for more information
c) Description of the likely consequences of the breach
d) Description of measures taken or proposed to be taken to:
- Address the breach
- Mitigate its possible adverse effects
9.3 Investigation and Remediation
Upon becoming aware of a personal data breach, the Processor shall:
a) Investigate the breach and provide regular updates to the Controller
b) Take reasonable steps to mitigate the effects of the breach
c) Cooperate with the Controller in the Controller’s handling of the breach, including:
- Notification to supervisory authorities (within 72 hours of discovery, as required by GDPR Art. 33)
- Notification to affected data subjects (if required under GDPR Art. 34)
- Responding to inquiries from supervisory authorities
d) Provide such information and assistance as the Controller may reasonably request
9.4 Documentation
The Processor shall document all personal data breaches, including:
- Facts relating to the breach
- Effects of the breach
- Remedial action taken
Such documentation shall be made available to the Controller and supervisory authorities upon request.
9.5 No Limitation of Liability
The Processor’s notification of or response to a personal data breach shall not be construed as an acknowledgment of fault or liability.
10. Audits and Inspections
10.1 Controller Audit Rights
The Processor shall allow the Controller (or an independent auditor appointed by the Controller) to conduct audits and inspections to verify compliance with this DPA and applicable data protection laws, subject to the conditions in this Section 10.
10.2 Audit Frequency
a) Standard Audits: The Controller may conduct audits once per calendar year upon 30 days’ prior written notice.
b) Triggered Audits: The Controller may conduct additional audits without advance notice if:
- A personal data breach has occurred
- A supervisory authority requests or mandates an audit
- The Controller has reasonable grounds to believe the Processor is not complying with this DPA
10.3 Audit Scope
Audits may include:
- Review of technical and organizational security measures
- Inspection of facilities where personal data is processed
- Review of policies, procedures, and records
- Interviews with personnel
- Review of sub-processor agreements and compliance
10.4 Audit Procedure
a) The Controller shall provide reasonable written notice specifying:
- Scope and duration of the audit
- Identity of auditor (if using third party)
- Proposed date and time
b) Audits shall be conducted:
- During normal business hours
- In a manner that does not unreasonably interfere with the Processor’s operations
- Subject to confidentiality obligations regarding the Processor’s confidential information
c) The Controller shall bear all costs of the audit, unless the audit reveals material non-compliance, in which case the Processor shall reimburse reasonable audit costs.
10.5 Audit Reports
a) The Processor shall cooperate with audits and provide:
- Access to relevant personnel, systems, and records
- Reasonable assistance in conducting the audit
- Responses to audit findings within 30 days
b) The Controller shall provide a copy of the audit report to the Processor.
c) The Processor shall remediate any non-compliance identified in the audit within a mutually agreed timeframe.
10.6 Alternative Compliance Verification
In lieu of an on-site audit, the Processor may provide:
- Third-party security certifications (e.g., SOC 2, ISO 27001)
- Independent audit reports
- Written attestations of compliance
The Controller may accept such documentation in satisfaction of audit rights at its sole discretion.
11. International Data Transfers
11.1 Transfer Mechanism
The Processor may transfer personal data to countries outside the European Economic Area (EEA) only if:
a) The European Commission has issued an adequacy decision for the recipient country; or
b) Appropriate safeguards are in place, such as:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Binding Corporate Rules (BCRs)
- Approved codes of conduct or certification mechanisms
- Other transfer mechanisms permitted under applicable data protection laws
11.2 Current Transfers
Personal data may be transferred to the following locations outside the EEA:
| Recipient | Location | Safeguard | Data Transferred |
|---|---|---|---|
| Harvest | USA | Harvest DPA; Standard Contractual Clauses (where applicable) | All Harvest business data |
| Hetzner Online GmbH | Germany (EU) | EU-based (no transfer outside EEA); encryption; access controls; DPA | All application data |
11.3 Controller Acknowledgment
The Controller acknowledges and agrees that:
a) Harvest is based in the United States and processes Harvest data in the USA.
b) The Controller has authorized the transfer of personal data to Harvest by connecting their Harvest account via OAuth.
c) Crow’s Nest’s access to Harvest data is governed by Harvest’s Terms of Service (Section 7 - Confidentiality) and Harvest’s Privacy Policy.
11.4 Additional Safeguards
In addition to legal transfer mechanisms, the Processor implements:
- Encryption in transit (HTTPS/TLS)
- Encryption at rest for sensitive data
- Access controls and authentication
- Regular security audits
- Incident response procedures
11.5 Changes to Transfers
The Processor shall inform the Controller of any changes to international data transfers, including new recipient countries or changes to safeguards, at least 30 days in advance.
12. Data Protection Impact Assessments
12.1 Processor Assistance
The Processor shall provide reasonable assistance to the Controller in conducting Data Protection Impact Assessments (DPIAs) where required under GDPR Article 35 or other applicable laws.
12.2 Information Provided
Upon request, the Processor shall provide:
- Description of processing operations
- Categories of personal data processed
- Technical and organizational security measures
- Sub-processor information
- International data transfer details
- Data retention periods
- Security incident history (if applicable)
12.3 Prior Consultation
If a DPIA indicates that processing would result in high risk in the absence of measures taken by the Controller to mitigate the risk, the Processor shall cooperate with the Controller in prior consultation with supervisory authorities as required by GDPR Article 36.
13. Liability and Indemnification
13.1 Liability Under GDPR
Each party’s liability under this DPA shall be subject to the limitations and exclusions of liability set forth in the Terms of Service, except where prohibited by applicable data protection laws.
13.2 GDPR Article 82 Liability
Under GDPR Article 82:
a) The Processor shall be liable for damage caused by processing only where it has not complied with obligations specifically directed to processors or where it has acted outside or contrary to lawful instructions of the Controller.
b) The Processor shall be exempt from liability if it proves that it is not in any way responsible for the event giving rise to the damage.
13.3 Chain of Liability
Where the Controller and Processor are involved in the same processing and are jointly liable for damage under GDPR Article 82, each party shall be held liable for the entire damage in order to ensure effective compensation of the data subject.
If one party has paid full compensation for the damage, that party shall be entitled to claim back from the other party that part of the compensation corresponding to the other party’s responsibility for the damage.
13.4 Indemnification
The Processor shall indemnify, defend, and hold harmless the Controller from and against any claims, losses, damages, liabilities, costs, and expenses (including reasonable attorneys’ fees) arising out of or relating to:
a) The Processor’s breach of this DPA
b) The Processor’s violation of applicable data protection laws
c) The Processor’s negligence or willful misconduct in processing personal data
This indemnification shall not apply to the extent that claims arise from the Controller’s instructions, actions, or breaches.
14. Term and Termination
14.1 Term
This DPA shall commence on the Effective Date and shall continue for as long as the Processor processes personal data on behalf of the Controller under the Terms of Service.
14.2 Termination
This DPA shall automatically terminate upon:
- Termination or expiration of the Terms of Service
- Deletion of all personal data in accordance with Section 8
14.3 Survival
The following provisions shall survive termination of this DPA:
- Section 4.2 (Confidentiality)
- Section 8 (Data Retention and Deletion)
- Section 9 (Data Breach Notification) - for breaches discovered post-termination
- Section 10 (Audits) - for audits related to the term of the DPA
- Section 13 (Liability and Indemnification)
15. Governing Law and Jurisdiction
15.1 Governing Law
This DPA shall be governed by and construed in accordance with the laws applicable to the Terms of Service, to the extent consistent with applicable data protection laws.
15.2 GDPR Prevails
To the extent that the GDPR applies to the processing of personal data, the provisions of the GDPR shall prevail over any conflicting provisions in this DPA or the Terms of Service.
15.3 Supervisory Authority Jurisdiction
Data subjects and supervisory authorities shall have the rights granted to them under applicable data protection laws, including the right to lodge complaints with supervisory authorities.
15.4 Dispute Resolution
Any disputes arising out of or in connection with this DPA shall be resolved in accordance with the dispute resolution procedures set forth in the Terms of Service, subject to the supervisory authority rights described above.
16. General Provisions
16.1 Amendment
This DPA may be amended only by written agreement of both parties, except that the Processor may amend this DPA to the extent necessary to comply with changes in applicable data protection laws, provided that:
a) The amendment does not reduce the level of protection afforded to personal data
b) The Controller is given at least 30 days’ notice of the amendment
c) The Controller has the right to terminate the Terms of Service if the amendment materially adversely affects the Controller
16.2 Severability
If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions shall continue in full force and effect. The parties shall negotiate in good faith to replace the invalid provision with a valid provision that achieves the intended purpose.
16.3 Waiver
No waiver of any provision of this DPA shall be effective unless in writing and signed by the party against whom the waiver is sought to be enforced. No failure or delay in exercising any right or remedy shall constitute a waiver of such right or remedy.
16.4 Entire Agreement
This DPA, together with the Terms of Service and Privacy Policy, constitutes the entire agreement between the parties regarding the processing of personal data and supersedes all prior agreements, representations, and understandings.
16.5 Order of Precedence
In the event of any conflict between this DPA, the Terms of Service, and the Privacy Policy:
- This DPA shall prevail regarding data processing matters
- The Terms of Service shall prevail regarding commercial terms
- The Privacy Policy shall govern disclosures to data subjects
16.6 Third-Party Beneficiaries
This DPA does not confer any third-party beneficiary rights, except that data subjects are intended third-party beneficiaries with respect to their rights under applicable data protection laws.
16.7 Notices
All notices under this DPA shall be sent to:
For Crow’s Nest (Processor):
Email: [email protected]
For Controller:
Email address associated with Controller’s account
17. Contact Information
For questions or concerns regarding this Data Processing Agreement:
Processor (Crow’s Nest):
Email: [email protected]
Subject Line: “DPA Inquiry”
Data Protection Officer (if applicable):
To be designated if required under GDPR Article 37
Appendix A: Standard Contractual Clauses (SCCs)
Where international data transfers require Standard Contractual Clauses, the parties agree to enter into the Standard Contractual Clauses approved by the European Commission, which shall be incorporated into this DPA by reference.
Current SCC Version:
The parties shall use the SCCs adopted by European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 (Module Two: Controller to Processor).
Annexes to SCCs:
- Annex I.A (Controller): Information provided by Controller during account setup
- Annex I.B (Processor): Crow’s Nest (see Section 2, Data Controller, of Privacy Policy)
- Annex I.C (Competent Supervisory Authority): The supervisory authority in the Controller’s country
- Annex II (Technical and Organizational Measures): See Section 5 of this DPA
- Annex III (Sub-processors): See Section 6.2 of this DPA
Document Version: 1.0
Effective Date: February 2, 2026
Next Review: August 2, 2026
By using Crow’s Nest services, the Controller agrees to the terms of this Data Processing Agreement.