Last updated: March 30, 2026
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Terms") between Plane Software, Inc., a Delaware corporation ("Plane," "Processor") and the entity identified as the customer under the Terms ("Customer," "Controller"), and governs Plane's processing of Personal Data on behalf of Customer in connection with the cloud-hosted Service.
Capitalized terms not defined in this DPA have the meanings given in the Terms. This DPA applies only to Plane Cloud. For self-hosted and air-gapped deployments, Customer is the sole controller and processor of data stored on its own infrastructure, and this DPA does not apply (except to the limited extent Plane processes Personal Data through support interactions or optional telemetry).
"Applicable Data Protection Law" means all laws and regulations applicable to the processing of Personal Data under this DPA, including the GDPR, UK GDPR, Swiss Federal Act on Data Protection ("FADP"), CCPA/CPRA, and any other applicable privacy or data protection legislation.
"Controller" means the entity that determines the purposes and means of processing Personal Data. Under this DPA, Customer is the Controller.
"Data Subject" means the identified or identifiable individual to whom Personal Data relates.
"Personal Data" means any information relating to an identified or identifiable natural person that is contained within Customer Data and processed by Plane on behalf of Customer through the Service.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed under this DPA.
"Processor" means the entity that processes Personal Data on behalf of the Controller. Under this DPA, Plane is the Processor.
"Processing" (and "process," "processed") means any operation performed on Personal Data, whether or not by automated means, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure, dissemination, alignment, combination, restriction, erasure, or destruction.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
"Sub-processor" means any third party engaged by Plane to process Personal Data on behalf of Customer in accordance with this DPA.
"UK Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the UK Data Protection Act 2018, as may be amended or replaced.
Customer is the Controller and Plane is the Processor with respect to Personal Data processed through the Service. Each party will comply with its respective obligations under Applicable Data Protection Law. Neither party is a joint controller of the Personal Data processed under this DPA, and nothing in this DPA shall be construed to create a joint controllership relationship.
Customer is responsible for: (a) determining the lawful basis for processing Personal Data; (b) ensuring that it has obtained all necessary consents, authorizations, and legal bases required under Applicable Data Protection Law before submitting Personal Data to the Service; (c) ensuring that its instructions to Plane comply with Applicable Data Protection Law; (d) the accuracy, quality, and legality of Personal Data and the means by which it was obtained; (e) ensuring that authorized users are informed of and comply with Customer's privacy obligations under Applicable Data Protection Law; and (f) maintaining its own privacy notice and recording of processing activities to the extent required by Applicable Data Protection Law.
Plane will process Personal Data only on behalf of and in accordance with Customer's documented instructions. Plane will not process Personal Data for any purpose other than providing the Service as described in the Terms, unless required by applicable law (in which case, Plane will inform Customer of that legal requirement before processing, unless prohibited by law).
Plane processes Personal Data for the purpose of providing the Service to Customer. Processing will continue for the duration of the Subscription Term, plus any post-termination period during which Plane retains Personal Data in accordance with Section 10 of this DPA.
Plane processes Personal Data to provide, maintain, and support the cloud-hosted Service, including project management, knowledge management, AI-powered features, storage, search, analytics, and customer support.
Data Subjects may include Customer's Authorized Users, Customer's employees and contractors, and any other individuals whose Personal Data is submitted to the Service by or on behalf of Customer.
Personal Data processed may include names, email addresses, profile information, IP addresses, user-generated content (such as issues, comments, pages, and attachments), and any other Personal Data that Customer or its Authorized Users submit to the Service.
Plane will process Personal Data only in accordance with Customer's documented instructions. The Terms (including this DPA) constitute Customer's initial instructions. Customer may issue additional written instructions consistent with the Terms, provided that such instructions are reasonable, technically feasible, and do not materially alter the scope of the Service.
If Plane believes an instruction from Customer infringes Applicable Data Protection Law, Plane will promptly notify Customer and may, upon written notice, suspend performance of the instruction until Customer modifies or confirms it. Plane shall not be liable for any failure or delay in performance resulting from such suspension.
Plane shall ensure that all Personal Data is treated as confidential information and shall not disclose or otherwise make available Personal Data to any third party except as necessary to perform its obligations or as required by Applicable Data Protection Law.
Plane will ensure that all personnel authorized to process Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
Plane will limit access to Personal Data to those personnel who require access to fulfill Plane's obligations under the Terms and this DPA.
Customer acknowledges that, in connection with the Terms and this DPA, it may receive certain confidential and proprietary information of Plane, including but not limited to information relating to Services, technical systems, security measures, and business operations. Customer shall use confidential information solely for the purpose of receiving and using the Services under the Terms and exercising its rights under this DPA, and shall not disclose such information to any third party except as permitted under this Section.
If either party is required by applicable law, regulation, or court order to disclose confidential information of the other party, such party shall, to the extent legally permitted, provide reasonable prior written notice to the other party to allow it to seek a protective order or other appropriate remedy. The disclosing party shall limit such disclosure to the minimum amount of confidential information required and use reasonable efforts to ensure that such information is afforded confidential treatment.
Plane will implement and maintain appropriate technical and organizational measures designed to protect Personal Data against unauthorized or unlawful processing, accidental loss, destruction, or damage. These measures include, as appropriate: encryption of Personal Data in transit and at rest; measures to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems; processes for regularly testing, assessing, and evaluating the effectiveness of security measures; and access controls that limit access to Personal Data based on role and necessity.
Details of Plane's security practices are described at plane.so/security.
Plane may update its security measures from time to time, provided that such updates do not materially decrease the overall level of protection afforded to Personal Data.
Customer is responsible for: (a) configuring the Service in a secure manner appropriate to Customer's use case; (b) managing access credentials and authentication for Authorized Users; (c) ensuring that Authorized Users access the Service in accordance with Plane's acceptable use policies; and (d) promptly notifying Plane if Customer suspects unauthorized access to Customer's account.
Customer provides general authorization for Plane to engage Sub-processors to process Personal Data, subject to the requirements of this Section 7.
The current list of Sub-processors is maintained at plane.so/legals/sub-processors.
Plane will notify Customer at least thirty (30) days before engaging a new Sub-processor or replacing an existing Sub-processor. Notification will be provided via email to the address associated with Customer's account, or through a mechanism provided by Plane for subscribing to Sub-processor change notifications.
If Customer has a reasonable, good-faith objection to a new Sub-processor based on data protection grounds, Customer will notify Plane in writing within fifteen (15) days of receiving notice. The parties will discuss Customer's concerns in good faith. If Plane cannot reasonably accommodate Customer's objection, Customer may terminate the affected Order Form by providing written notice within thirty (30) days of Plane's notification, and Plane will refund any prepaid fees covering the unused portion of the Subscription Term following the effective date of termination.
Plane will enter into a written agreement with each Sub-processor imposing data protection obligations no less protective than those in this DPA. Plane remains responsible for the acts and omissions of its Sub-processors.
Plane will provide reasonable assistance to Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law (such as access, correction, deletion, portability, restriction, and objection), to the extent Plane is able to do so given its role as Processor. Such assistance shall be limited to processing activities carried out by Plane on behalf of Customer.
If Plane receives a request directly from a Data Subject, Plane will promptly redirect the Data Subject to Customer unless legally prohibited from doing so. Plane will notify Customer of the request unless prohibited by law.
To the extent Customer uses the Service in a way that involves solely automated processing of Personal Data that produces legal or similarly significant effects on Data Subjects, Customer is solely responsible for ensuring compliance with applicable law governing automated decision-making, including GDPR Article 22.
Plane will notify Customer without undue delay (and in any event within seventy-two (72) hours) after becoming aware of a Personal Data Breach. Notification will be provided to Customer's designated security contact, or if none has been designated, to the email address associated with Customer's account.
Notification will include, to the extent known: (a) a description of the nature of the breach, including the categories and approximate number of Data Subjects and Personal Data records affected; (b) the name and contact details of Plane's point of contact for further information; (c) a description of the likely consequences of the breach; and (d) a description of the measures taken or proposed to address the breach and mitigate its effects.
Plane will provide reasonable cooperation and assistance to Customer in investigating, mitigating, and remediating the Personal Data Breach, and in fulfilling Customer's obligations to notify supervisory authorities and Data Subjects under Applicable Data Protection Law.
Plane's notification of a Personal Data Breach under this Section is not an acknowledgment of fault or liability.
Plane will process and retain Personal Data for the duration of the Subscription Term in accordance with the Terms.
Upon termination or expiration of the Subscription Term, Plane will make Customer Data (including Personal Data) available for export for thirty (30) days, consistent with Section 9.5(b) of the Terms. After this period, Plane will delete all Personal Data from its systems within sixty (60) days except to the extent retention is required by applicable law.
Upon Customer's written request, Plane will confirm in writing that it has deleted Personal Data in accordance with this Section 10.
Upon Customer's reasonable written request (no more than once per twelve-month period), Plane will make available information reasonably necessary to demonstrate compliance with this DPA. This may include responses to written questionnaires, summaries of audit reports or certifications (such as SOC 2 reports), and written confirmation of security practices.
If the information provided under Section 11.1 is not sufficient to demonstrate compliance, and Customer is required by Applicable Data Protection Law to conduct a more detailed audit, Customer may request an audit of Plane's processing activities relevant to this DPA, subject to the following: (a) Customer will provide at least thirty (30) days' advance written notice; (b) audits will be conducted during normal business hours, no more than once per year, and at Customer's expense; (c) the scope of the audit will be limited to Plane's processing of Personal Data under this DPA; (d) Customer and its auditor will comply with reasonable confidentiality obligations; (e) Customer will minimize disruption to Plane's operations; (f) any auditor engaged by Customer shall be independent and not a competitor of Plane, and Plane may object to an auditor on reasonable grounds relating to confidentiality, security, or competitive concerns, in which case Customer shall appoint an alternative auditor; and (g) Customer will reimburse Plane for reasonable costs incurred in connection with any audit conducted under this Section, unless such audit reveals a material breach of this DPA by Plane.
Nothing in this Section 11 limits the ability of a supervisory authority to conduct an audit or inspection as authorized by Applicable Data Protection Law.
To the extent that Plane's processing of Personal Data involves a transfer from the EEA, UK, or Switzerland to a country not recognized as providing adequate data protection, Plane will ensure that appropriate transfer mechanisms are in place, including the Standard Contractual Clauses or the UK Addendum, as applicable.
For transfers of Personal Data from the EEA, the parties agree to be bound by the SCCs (Module Two: Controller to Processor), which are incorporated into this DPA by reference. Where the SCCs apply:
(a) Clause 7 (Docking Clause): The optional docking clause is included, permitting additional controllers or processors to join the SCCs as parties.
(b) Clause 9(a) (Sub-processors): Option 2 (general written authorization) applies. Plane will notify Customer of changes to Sub-processors in accordance with Section 7.3 of this DPA.
(c) Clause 11 (Redress): The optional language regarding access to an independent dispute resolution body is not included.
(d) Clause 13 and Annex I.C (Supervisory Authority): The competent supervisory authority will be determined in accordance with Clause 13.
(e) Clause 17 (Governing Law): The SCCs will be governed by the law of the EU Member State in which the data exporter is established, or if the data exporter is not established in the EU, the law of Ireland.
(f) Clause 18(b) (Forum): Disputes will be resolved before the courts of the jurisdiction identified in Clause 17.
For transfers of Personal Data from the United Kingdom, the UK Addendum is incorporated into this DPA by reference and supplements the SCCs as applied under Section 12.2.
For transfers of Personal Data from Switzerland, the SCCs apply with the modifications required by the FADP, including that the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner, and that references to the GDPR are interpreted as references to the FADP where applicable.
Plane will provide reasonable assistance to Customer in conducting data protection impact assessments and prior consultations with supervisory authorities, to the extent required under Applicable Data Protection Law and to the extent such assistance relates to Plane's processing of Personal Data.
To the extent the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA"), applies to Plane's processing of Personal Data under this DPA:
(a) Plane is a "service provider" as defined in the CCPA.
(b) Plane will not sell or share (as defined in the CCPA) Personal Data received from Customer.
(c) Plane will not retain, use, or disclose Personal Data for any purpose other than performing the Service as specified in the Terms, or as otherwise permitted by the CCPA.
(d) Plane will not combine Personal Data received from Customer with personal information received from other sources, except as permitted by the CCPA to perform the Service.
(e) Plane certifies that it understands the obligations set forth in this Section 14 and will comply with them.
In the event of a conflict between this DPA and the Terms, this DPA will prevail with respect to the processing of Personal Data.
Plane may update this DPA from time to time to reflect changes in Applicable Data Protection Law or Plane's processing practices. Material changes will be notified in accordance with Section 16.8 of the Terms.
If any provision of this DPA is held invalid or unenforceable, the remaining provisions will remain in full force and effect.
This DPA is governed by the same law that governs the Terms, except where Applicable Data Protection Law requires otherwise (including with respect to the SCCs).
Each party's liability arising out of or related to this DPA is subject to the limitations of liability set forth in Section 11 of the Terms.
Data Exporter (Controller): The Customer identified in the Terms.
Data Importer (Processor): Plane Software, Inc., a Delaware corporation. Contact: legal@plane.so.
Subject matter: Provision of the cloud-hosted Plane Service to Customer.
Duration: The Subscription Term, plus any post-termination retention period described in Section 10.
Nature and purpose: Processing Personal Data as necessary to provide, maintain, and support the Service, including project management, knowledge management, AI-powered features, storage, search, analytics, and customer support.
Categories of Data Subjects: Customer's Authorized Users, employees, contractors, and other individuals whose Personal Data is submitted to the Service.
Types of Personal Data: Names, email addresses, profile information, IP addresses, user-generated content (issues, comments, pages, attachments), and other Personal Data submitted by Customer or Authorized Users.
Sensitive data (if applicable): None, unless Customer has executed a separate written agreement (such as a BAA) that expressly permits the processing of sensitive data.
The competent supervisory authority will be determined in accordance with Clause 13 of the SCCs.
Plane implements the following categories of security measures, as described in detail at plane.so/security:
Encryption. Personal Data is encrypted in transit using TLS/SSL and encrypted at rest using industry-standard encryption.
Access controls. Role-based access controls limit access to Personal Data to authorized personnel. Multi-factor authentication is enforced for administrative access.
Infrastructure security. The Service is hosted on Amazon Web Services (AWS). Plane leverages AWS security features including network isolation, firewalls, and intrusion detection.
Application security. Regular vulnerability assessments and penetration testing. Secure software development practices. Dependency monitoring and patching.
Organizational measures. Employee background checks (where permitted by law). Security awareness training. Confidentiality agreements. Incident response procedures.
Business continuity. Regular data backups. Disaster recovery procedures. Monitoring and alerting.
Vendor management. Sub-processor due diligence and contractual safeguards. Ongoing monitoring of Sub-processor security posture.