Draft pending legal review. This Data Processing Agreement is a working draft prepared by Lazarus Co Pty Ltd. It is provided for information and is being reviewed by qualified legal counsel. It is not a binding contract and does not take effect until it is executed by both parties as part of, or attached to, a signed enterprise order form. Until then, the Privacy Policy and Terms of Service govern. A copy of the current version is available on request by contacting admin@ganttastic.com.
Last Updated: May 28, 2026
This Data Processing Agreement (the "DPA") forms part of the agreement between Lazarus Co Pty Ltd (ABN 53 697 874 258; ACN 697 874 258), the operator of the Ganttastic application (the "Service"), and the enterprise customer that has entered into an order form or written agreement for the Service (the "Customer"). It records the terms on which Lazarus Co Pty Ltd processes personal data on the Customer's behalf. Where this DPA conflicts with the Terms of Service on the subject of data protection, this DPA prevails for that subject.
1. Definitions
- "Controller", "Processor", "Data Subject", "Personal Data", "Processing" have the meanings given in the General Data Protection Regulation (EU) 2016/679 and, in respect of Australian law, the corresponding concepts in the Privacy Act 1988 (Cth) and the Australian Privacy Principles ("APP").
- "Customer Personal Data" means personal data contained in the Customer's projects, charts, tasks, attachments and related content that Lazarus Co Pty Ltd processes solely on the Customer's behalf in providing the Service.
- "Sub-processor" means a third party engaged by Lazarus Co Pty Ltd to process Customer Personal Data.
- "Standard Contractual Clauses" ("SCCs") means the standard data protection clauses adopted by the European Commission, and, where relevant, the United Kingdom International Data Transfer Addendum.
- "Data Protection Laws" means all laws applicable to the processing of Customer Personal Data under this DPA, including the Privacy Act 1988 (Cth), the GDPR and the United Kingdom GDPR.
2. Roles, Subject Matter and Duration
For Customer Personal Data, the Customer is the Controller and Lazarus Co Pty Ltd is the Processor. For account, profile and billing data of the Customer's own administrators and billing contacts, Lazarus Co Pty Ltd is an independent Controller as described in its Privacy Policy. The subject matter of the processing is the provision of the Service. Processing continues for the duration of the Customer's agreement for the Service and ends in accordance with section 11 (Return and Deletion).
3. Nature and Purpose of Processing
Lazarus Co Pty Ltd processes Customer Personal Data only to provide, secure and support the Service, and only on the Customer's documented instructions, which include this DPA, the Terms of Service, the configuration choices the Customer makes in the Service, and any later written instructions the Customer gives. Lazarus Co Pty Ltd will inform the Customer if, in its opinion, an instruction infringes Data Protection Laws. The nature of the processing includes hosting, storage, transmission, display, organisation, backup, and, where the Customer chooses to use optional artificial-intelligence features, transmission of the submitted content to Google to generate the requested output.
4. Categories of Data and Data Subjects
The categories of Customer Personal Data and Data Subjects are determined and controlled by the Customer. They typically include:
- Data Subjects: the Customer's personnel, project team members, contractors, and any individuals the Customer chooses to reference in project content.
- Categories of Personal Data: names, business contact details, role and organisation, task and schedule assignments, comments, and any other personal data the Customer includes in project content.
The Service is not designed for, and the Customer agrees not to submit, special categories of personal data (such as health, biometric or government-identifier data) or children's data.
5. Controller Obligations
The Customer warrants that it has a lawful basis to collect and provide Customer Personal Data, that its instructions comply with Data Protection Laws, and that it has provided any notices and obtained any consents required for the processing contemplated by this DPA, including the use of optional AI features and overseas processing disclosed in the Privacy Policy.
6. Processor Obligations
Lazarus Co Pty Ltd will:
- Process Customer Personal Data only on the Customer's documented instructions, including for international transfers, unless required by law (in which case, where lawful, Lazarus Co Pty Ltd will notify the Customer first).
- Ensure personnel authorised to process Customer Personal Data are bound by confidentiality.
- Implement and maintain the security measures described in section 7.
- Assist the Customer as described in sections 9, 10 and 12.
- Make available the information necessary to demonstrate compliance with this DPA.
7. Security Measures
Lazarus Co Pty Ltd maintains the technical and organisational measures described in its Privacy Policy under the section titled "Security and Breach Notification", including encryption in transit and at rest, access controls, role-based permissions, least-privilege administration, network segregation, vulnerability management and monitoring. Customer Personal Data is stored at rest in Google Cloud Firestore in Google's Sydney region (australia-southeast1), New South Wales, Australia, with stateless application compute in Google's Singapore region (asia-southeast1) as described in the Privacy Policy.
8. Sub-processors
The Customer authorises Lazarus Co Pty Ltd to engage the Sub-processors listed in Annex B and any later Sub-processors notified under this section. Each Sub-processor is engaged under a written contract imposing data-protection obligations no less protective than those in this DPA. Lazarus Co Pty Ltd remains responsible for its Sub-processors' performance. Lazarus Co Pty Ltd maintains a current Sub-processor list published at ganttastic.com/sub-processors, with version history, and will give the Customer reasonable prior notice (by email to the Customer's billing or administrative contact, or by updating the published Sub-processor list) before adding or replacing a Sub-processor. The Customer may object on reasonable data-protection grounds within thirty days of notice; the parties will work in good faith to resolve the objection, and if they cannot, the Customer may terminate the affected part of the Service.
9. International Data Transfers
Customer Personal Data is stored at rest in Australia. Certain processing occurs outside Australia, namely stateless application compute (Singapore), optional AI features (Google global infrastructure), diagnostic and error telemetry (a Sub-processor in the European Union) and transactional and lifecycle email delivery (a Sub-processor in Tokyo, Japan). For these transfers, Lazarus Co Pty Ltd relies on Australian Privacy Principle 8 and, where personal data of individuals in the European Union or United Kingdom is involved, on the data processing terms of the relevant Sub-processor, which incorporate the Standard Contractual Clauses and, where applicable, the United Kingdom International Data Transfer Addendum, in each case incorporated into this DPA by reference.
10. Assistance with Data Subject Requests
Taking into account the nature of the processing, Lazarus Co Pty Ltd will assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects to exercise their rights of access, rectification, erasure, restriction, portability and objection. The Service also provides self-service controls (including account deletion and the erasure cascade described in the Privacy Policy) that the Customer and its users may use directly. If Lazarus Co Pty Ltd receives a request directly from a Data Subject relating to Customer Personal Data, it will, without undue delay, direct that Data Subject to the Customer rather than respond itself, unless legally required to respond.
11. Personal Data Breach Notification
Lazarus Co Pty Ltd will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to it to help the Customer meet its own notification obligations. This is consistent with the breach-notification commitments in the Privacy Policy, including notification under the Australian Notifiable Data Breaches scheme and, where the GDPR applies, notification within 72 hours of becoming aware of the breach.
12. Return and Deletion on Termination
On termination or expiry of the Customer's agreement for the Service, and on the Customer's request, Lazarus Co Pty Ltd will delete or return Customer Personal Data and delete existing copies, except to the extent it is legally required to retain a copy, in which case it will de-identify the retained records as described in the Data Retention section of the Privacy Policy. Account deletion triggers the erasure cascade described in the Privacy Policy. Copies of deleted Customer Personal Data may persist on Google Cloud Firestore managed daily backups (rolling 7-day retention), managed weekly backups (rolling 14-week retention) and periodic Cloud Storage exports (rolling 90-day retention), in each case in our Sydney region (australia-southeast1), until those backups are overwritten or expire under the configured lifecycle policy.
13. Audit and Information Rights
Lazarus Co Pty Ltd will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by the Customer or an independent auditor appointed by the Customer, on reasonable prior written notice, no more than once in any twelve-month period (unless a regulator or a personal data breach requires otherwise), during business hours, subject to confidentiality and without compromising the security or data of other customers. Lazarus Co Pty Ltd may satisfy this obligation by providing relevant third-party certifications or reports where available.
14. Liability
Each party's liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Terms of Service, and any reference to liability of a party means the aggregate liability of that party under the Terms of Service and this DPA together. Nothing in this DPA limits any liability that cannot be limited under Data Protection Laws or the Australian Consumer Law.
15. General
This DPA is governed by the laws of New South Wales, Australia, consistent with the Terms of Service. If any provision is held invalid, the remaining provisions remain in effect. This DPA, the Privacy Policy and the Terms of Service are the entire agreement between the parties on this subject and supersede prior data-processing arrangements.
Annex A: Details of Processing
- Subject matter: provision of the Ganttastic project planning and Gantt chart Service.
- Duration: the term of the Customer's agreement for the Service, then deletion or return under section 11.
- Nature and purpose: hosting, storage, transmission, display, organisation, backup and support of project content, and optional AI generation, solely to provide and secure the Service.
- Categories of Data Subjects: the Customer's personnel, project team members, contractors and individuals referenced in project content.
- Categories of Personal Data: names, business contact details, role and organisation, task and schedule assignments, comments and other personal data the Customer includes in project content.
Annex B: Approved Sub-processors
The following Sub-processors are authorised. This Annex is generated from the same canonical list rendered at ganttastic.com/sub-processors (version 1, last updated 2026-05-28), so the contract Annex and the public list cannot drift.
- Google Cloud Platform — Firestore (Google LLC) — Primary application data storage at rest, including account, profile and project content. Categories: Account and profile data, Project content, Task and schedule data. Region: Sydney, Australia (australia-southeast1). Contractual terms: Google Cloud Data Processing Addendum. Encryption at rest and in transit.
- Google Cloud Platform — App Hosting (Google LLC) — Stateless application compute that serves requests; reads from and writes to the Sydney database region. Categories: Request data in transit. Region: Singapore (asia-southeast1). Contractual terms: Google Cloud Data Processing Addendum.
- Google Gemini API (Google LLC) — AI-assisted project plan generation and AI chat assistant; processes the content you submit for that request to generate the response. Categories: Content submitted to AI features. Region: Google global infrastructure (may be processed outside Australia). Contractual terms: Google Cloud Data Processing Addendum and Gemini API terms applicable to paid use of the Gemini API.
- Google reCAPTCHA (Google LLC) — Bot and fraud prevention on sign-up (strictly necessary security control). Categories: IP address, Interaction signals. Region: Google global infrastructure. Contractual terms: Google Terms of Service.
- Stripe (Stripe, Inc.) — Subscription payment processing for self-service paid plans. Categories: Billing contact, Payment method token, Card last four digits. Region: Stripe global infrastructure. Contractual terms: Stripe Data Processing Agreement. PCI-DSS Level 1.
- Sentry (Functional Software, Inc.) — Error, crash and performance telemetry to keep the Service reliable. Categories: Diagnostic and crash telemetry, Incidental personal data in error context. Region: Germany, European Union (de ingest region). Contractual terms: Sentry Data Processing Addendum and Standard Contractual Clauses. Personal information minimisation enabled.
- Resend (Resend, Inc.) — Outbound transactional and lifecycle email delivery (verification, password reset, welcome, trial-ending and trial-ended messages). Categories: Recipient email address, Message metadata. Region: Tokyo, Japan (ap-northeast-1 region). Contractual terms: Resend Data Processing Addendum and Standard Contractual Clauses.
Contact
Questions about this DPA, or requests for a countersigned copy to attach to an enterprise order form, should be sent to admin@ganttastic.com.