Legal
Data Processing Agreement
Effective: June 2, 2026
This Data Processing Agreement (“DPA”) supplements the Terms of Service between Milestone (“Processor”) and you (“Controller”) and applies to the extent that Milestone processes Personal Data on your behalf within the meaning of the EU General Data Protection Regulation (GDPR) and the UK GDPR.
1. Definitions
- "Personal Data" - any information relating to an identified or identifiable natural person.
- "Processing" - any operation performed on Personal Data.
- "Sub-processor" - any third party engaged by Milestone to process Personal Data on the Controller's behalf.
- "Data Subject" - the individual to whom Personal Data relates.
2. Roles of the Parties
For Personal Data that Milestone processes on your behalf to provide the Service, you are the Controller and Milestone is the Processor. The project content and knowledge graph you create are hosted on Milestone's infrastructure on Amazon Web Services (AWS) and cached on your device for offline use. For certain data, third parties act as independent controllers - in particular, Paddle acts as merchant of record and independent controller for payment and tax data, and the AI providers that power sessions process session content under their own terms.
3. Scope and Purpose
Milestone processes Personal Data solely to provide the Service as described in the Terms of Service and Privacy Policy, and only on your documented instructions (which these documents and your use of the Service constitute). We will not process your data for any other purpose without your prior written consent, unless required by law - in which case we will inform you first, unless the law prohibits it.
4. Processor Obligations
Milestone shall:
- Process Personal Data only on your documented instructions.
- Ensure that personnel authorised to process Personal Data are bound by confidentiality obligations.
- Implement appropriate technical and organisational measures (Article 32 GDPR).
- Notify you if, in our opinion, an instruction infringes the GDPR or other data protection law.
- Assist you, taking into account the nature of processing, in responding to Data Subject rights requests within 30 days.
- Assist you with security, breach notification, and data protection impact assessments as required by Articles 32–36 GDPR.
- Delete or return all Personal Data upon termination of the Service, at your election.
- Make available the information necessary to demonstrate compliance with this DPA.
5. Sub-processors
You authorise Milestone to engage the sub-processors below. We will give you at least 14 days' notice - by email or by updating this page - before adding or replacing a sub-processor, and you may object on reasonable data-protection grounds.
- Amazon Web Services (AWS) - cloud hosting and storage for account data, project content, and the knowledge graph; United States (us-east-1).
- Anthropic - AI model processing (Claude Code), for the AI sessions you run; United States.
- OpenAI - AI model processing for in-app AI features; United States.
- PostHog - product analytics; United States.
- Sentry - error and crash monitoring.
- Paddle - merchant of record for billing, payment, and tax (acting as an independent controller for transaction data).
Claude Code runs locally on your device and communicates directly with Anthropic; Milestone does not route those session prompts through its servers. When you connect an integration such as GitHub or import from Linear, Jira, or Notion, you direct that transfer and it is governed by that provider's own terms.
6. International Transfers
Milestone is based in Israel, which the European Commission has recognised as providing an adequate level of data protection. Where Personal Data is transferred outside the European Economic Area or the UK to a sub-processor, we rely on Standard Contractual Clauses approved by the European Commission (with the UK Addendum where applicable), the EU–US Data Privacy Framework, or another lawful transfer mechanism.
7. Security
We maintain the technical and organisational measures described in our Privacy Policy, including TLS encryption in transit, encryption at rest, and role-based access controls. The desktop app caches data on your device for offline use, so you also remain responsible for the security of that device.
8. Audits
You may request a written security questionnaire once per year. Physical audits are available subject to mutual agreement and reasonable advance notice (at least 30 days).
9. Breach Notification
Milestone will notify you without undue delay (and in any event within 72 hours) after becoming aware of a Personal Data breach affecting your data, and will provide the information you reasonably need to meet your own notification obligations.
10. CCPA
To the extent the California Consumer Privacy Act applies, Milestone acts as a “service provider” and will not sell or share your Personal Data, nor retain, use, or disclose it for any purpose other than providing the Service under the Terms.
11. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service.
12. Contact
To execute a signed DPA or ask questions, email privacy@milestone-app.com.