Data Processing Agreement
Last updated: April 6, 2026
1. Purpose and Applicability
This Data Processing Agreement ("DPA") governs the processing of personal data by Launchpad Developers, Inc. ("Launchpad," "Processor") on behalf of customers ("Controller") who are subject to the EU General Data Protection Regulation (GDPR), the UK GDPR, or other applicable data protection laws that require a data processing agreement.
This DPA is incorporated into and forms part of the ChronoForge Terms of Service. By using ChronoForge, customers who act as data controllers accept the terms of this DPA. For a signed copy of this DPA, please contact hello@launchpaddevs.com.
2. Definitions
Terms used in this DPA have the meanings given to them in GDPR Article 4, unless otherwise defined:
- Data Controller — The natural or legal person who determines the purposes and means of processing personal data (i.e., the ChronoForge customer organization).
- Data Processor — The entity that processes personal data on behalf of the Controller (i.e., Launchpad Developers, Inc.).
- Personal Data — Any information relating to an identified or identifiable natural person.
- Processing — Any operation performed on personal data, including collection, storage, use, disclosure, or deletion.
- Data Subject — The individual whose personal data is being processed.
- Sub-processor — A third party engaged by Launchpad to process personal data.
3. Processing Activities
Launchpad processes the following categories of personal data on behalf of the Controller for the purpose of providing the ChronoForge Service:
- Identity data: First name, last name, email address
- Organizational data: Organization name, user role
- Time and project data: Time entries, project names, task descriptions, timestamps
- Technical data: IP addresses, browser information, authentication tokens
- Consent data: Date and time of Terms of Service acceptance
The duration of processing corresponds to the duration of the customer's active subscription, plus a 90-day retention period after termination.
4. Instructions for Processing
Launchpad processes personal data only on documented instructions from the Controller. The Controller's use of the Service, including configuration of features and user management, constitutes such instructions. Launchpad will not process personal data for any purpose other than providing the Service, unless required by applicable law.
If Launchpad is required by law to process personal data in a manner inconsistent with the Controller's instructions, Launchpad will inform the Controller of this requirement prior to processing (unless prohibited by law).
5. Confidentiality
Launchpad ensures that all personnel authorized to process personal data are bound by appropriate confidentiality obligations and have received training on data protection requirements.
6. Data Security
Launchpad implements appropriate technical and organizational security measures to protect personal data against unauthorized access, disclosure, alteration, or destruction, including:
- TLS encryption for all data in transit
- Encryption at rest for data stored on Microsoft Azure
- Role-based access controls and principle of least privilege
- Regular security reviews and vulnerability assessments
- Secure password hashing (no plaintext passwords stored)
- Audit logging of significant system events
7. Sub-processors
Launchpad uses the following sub-processors to deliver the Service. By agreeing to these terms, the Controller consents to the engagement of these sub-processors:
| Sub-processor | Location | Purpose |
|---|---|---|
| Stripe, Inc. | United States | Payment processing and billing management |
| Microsoft Azure | Global (configurable region) | Cloud infrastructure, application hosting, and database storage |
| Brevo SAS | France / European Union | Transactional email delivery (account and billing notifications) |
Launchpad will provide at least 30 days' notice before engaging any new sub-processors. If the Controller objects to a new sub-processor, they may terminate the Service in accordance with the Terms of Service.
8. Data Subject Rights
Launchpad will assist the Controller in fulfilling its obligations to respond to data subject requests, including requests to access, correct, delete, or port personal data. When Launchpad receives a data subject request directly from a data subject, Launchpad will notify the Controller within 5 business days.
Launchpad will complete data subject rights requests within 30 days of receiving a verified request from the Controller.
9. Data Breach Notification
In the event of a personal data breach, Launchpad will notify the Controller without undue delay, and in any case within 72 hours of becoming aware of the breach. The notification will include:
- A description of the nature of the breach and the categories and approximate number of individuals and records affected
- The likely consequences of the breach
- The measures taken or proposed to address the breach and mitigate its effects
10. International Data Transfers
Where personal data is transferred outside the European Economic Area (EEA), Launchpad ensures that appropriate safeguards are in place, including the use of Standard Contractual Clauses (SCCs) as approved by the European Commission. Transfers to sub-processors in third countries are governed by contractual arrangements that provide equivalent protections.
11. Data Return and Deletion
Upon termination of the customer's subscription, Launchpad will delete all personal data within 90 days, unless retention is required by applicable law. Upon written request, Launchpad will provide the Controller with a copy of their organization's data in a machine-readable format prior to deletion.
12. Audits and Compliance
Launchpad will provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA. The Controller may, with at least 30 days' written notice, conduct or commission an audit of Launchpad's processing activities, subject to reasonable confidentiality requirements. Audit costs shall be borne by the Controller.
13. Liability
Liability under this DPA is subject to the limitations and exclusions set out in the ChronoForge Terms of Service.
14. Contact and Signed DPA
To request a signed copy of this Data Processing Agreement, or if you have questions about how we process personal data on your behalf, please contact us at:
hello@launchpaddevs.com
Launchpad Developers, Inc.
West Virginia, United States