Data Processing Addendum

Effective May 10, 2026

This DPA sets the data-protection terms between you and Tudo when we process Personal Data on your behalf. It incorporates the EU Standard Contractual Clauses, the UK IDTA, and the safeguards required under Brazil's LGPD.

1. Scope and parties

This Data Processing Addendum (the "DPA") forms part of the Terms of Service between you (the "Customer", acting as Controller of Customer Personal Data) and Tudo, Inc. ("Tudo", acting as Processor on the Customer's behalf).

It applies whenever Tudo processes Personal Data on the Customer's behalf in connection with the Service. Capitalized terms not defined here have the meanings given in our Terms of Service.

2. Roles and instructions

The Customer is the Controller of all Personal Data they submit to the Service ("Customer Personal Data"). Tudo is the Processor, acting on the Customer's documented instructions. The Service itself, the Terms, and this DPA constitute those instructions; the Customer may issue additional instructions in writing.

Tudo will process Customer Personal Data only to deliver the Service, to comply with law, and as set out in our Privacy Policy.

3. Categories of data and data subjects

The Customer determines the categories of Personal Data and data subjects. Typical categories include:

  • Identifiers (name, email, profile picture, locale, role).
  • Operational data (board items, comments, files, contacts).
  • Usage logs (timestamps, IP, browser, OS).

Typical data subjects are the Customer's employees, contractors, vendors, customers, and end users invited to the Customer's workspace.

4. Subprocessors

Tudo uses the subprocessors listed at /legal/subprocessors. By signing the Terms, the Customer authorizes those subprocessors as of the effective date of this DPA. Tudo will give 30 days' written notice (by email to workspace owners) before adding, removing, or materially changing a subprocessor.

5. Security measures

Tudo implements at minimum:

  • Transport-layer encryption (TLS 1.2+) for all data in transit.
  • Encryption at rest at the database and storage layers.
  • Argon2 password hashing; we never see plaintext passwords.
  • Least-privilege production access, MFA-enforced, audit-logged.
  • Daily encrypted backups with documented restore procedures.
  • A vulnerability disclosure program at security@usetudo.com.
  • SOC 2 Type I in progress; ISO 27001 on the roadmap.

6. International transfers

Tudo's primary hosting is in the United States. For Customer Personal Data of EU/UK residents, this DPA incorporates the EU Standard Contractual Clauses (SCCs, Module 2: Controller-to-Processor) and the UK International Data Transfer Addendum by reference. For Brazilian residents, the transfer relies on the safeguards permitted under LGPD Art. 33.

7. Data subject requests

Tudo will assist the Customer in responding to data subject requests (access, correction, deletion, portability) by providing the export and deletion tools built into the Service, and by responding to written requests at privacy@usetudo.com within 15 calendar days.

8. Personal Data Breach notification

If Tudo becomes aware of a Personal Data Breach affecting Customer Personal Data, it will notify the Customer in writing without undue delay and in any event within 72 hours. The notification will include, to the extent then known: the nature of the Breach, the categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed.

9. Audit rights

On reasonable written notice and no more than once per calendar year (unless a regulator requires more), Tudo will provide the Customer with the most recent SOC 2 Type I report (when available) and a written response to a security questionnaire of reasonable scope. On-site audits may be requested for material concerns and will be conducted at the requesting Customer's expense.

10. Return or deletion at end of services

Within 30 days after termination of the Service, Tudo will, at the Customer's option, return all Customer Personal Data in a portable format and/or delete it from production systems. Encrypted backups containing the data will be deleted on the rolling 30-day backup cycle; Tudo will not restore from those backups.

11. Confidentiality

Tudo personnel with access to Customer Personal Data are bound by written confidentiality obligations. Access is granted on a least-privilege, need-to-know basis and is audit-logged.

12. Conflict, term, and signature

If anything in this DPA conflicts with the Terms, this DPA controls for matters of Personal Data processing. This DPA is automatically in force for every Customer of the Service. If your jurisdiction requires a counter-signed copy, write to legal@usetudo.com and we'll send one within five business days.