Roles
For customer workspace data, the customer is normally the controller and Saga Sprint is normally the processor. Saga Sprint may act as controller for account, billing, marketing, and security administration data.
Subject matter and duration
Processing occurs to provide the Saga Sprint platform, enabled modules, support, billing, integrations, AI-assisted workflows, and implementation services for the subscription or contract term.
Personal data categories
- Identity, contact, account, employment, candidate, customer, financial transaction metadata, operational records, documents, messages, and module data.
- Clinic or health-related data only when a customer enables the Clinic module and enters that data.
- AI prompts, retrieved context, generated outputs, tool calls, and audit metadata when AI features are enabled.
Processor obligations
- Process personal data only on documented customer instructions.
- Maintain confidentiality commitments for authorized personnel.
- Use technical and organizational measures including tenant isolation, access controls, encryption in transit, audit logs, backup practices, and incident handling.
- Assist with data subject requests, deletion/export workflows, DPIAs, and regulator inquiries as commercially reasonable.
- Delete or return customer data at the end of service according to the agreement and lawful retention requirements.
Subprocessors and transfers
Current subprocessors are listed on the Subprocessors page. International transfer safeguards are handled through the signed DPA or customer agreement.
