
Data Processing Agreement

Last updated: April 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service and any applicable Service Agreement between Workiflow LLC ("Processor," "Workiflow," "we," "us," or "our") and the entity identified in the applicable Service Agreement ("Controller," "Client," "you," or "your").

This DPA sets out the terms under which Workiflow processes Personal Data on behalf of the Client in connection with the provision of Services.

In the event of a conflict between this DPA and the Terms of Service or any Service Agreement, this DPA governs with respect to data protection matters.

1. Definitions

The following definitions apply to this DPA in addition to any definitions in the Terms of Service:

  • "Applicable Data Protection Law" means all laws and regulations relating to the processing of Personal Data that apply to the Services, including where applicable the EU General Data Protection Regulation (GDPR), the UK GDPR, the Swiss Federal Act on Data Protection (FADP), the California Consumer Privacy Act as amended by the California Privacy Rights Act (CCPA/CPRA), and any other applicable U.S. state privacy laws.
  • "Data Breach" means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Workiflow on behalf of the Client.
  • "Data Subject" means an identified or identifiable natural person to whom Personal Data relates.
  • "Personal Data" means any information relating to a Data Subject that is processed by Workiflow on behalf of the Client in the course of performing the Services. This does not include data that has been anonymized or de-identified such that it can no longer be linked to an identifiable individual.
  • "Processing" (and "process," "processed," "processes") means any operation or set of operations performed on Personal Data, whether by automated means or not, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by Workiflow to process Personal Data on behalf of the Client in connection with the Services.
  • "Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for the transfer of Personal Data to countries outside the EEA, as applicable.

2. Roles and Scope

2.1 Roles

For the purposes of Applicable Data Protection Law, the Client is the Controller and Workiflow is the Processor with respect to Personal Data processed in connection with the Services.

Where Workiflow collects and processes personal information for its own purposes (such as billing, account management, and website analytics), Workiflow acts as an independent Controller and such processing is governed by our Privacy Policy, not this DPA.

2.2 Scope of Processing

Workiflow will process Personal Data only as necessary to perform the Services described in the applicable Service Agreement (whether a Managed Services Agreement, Statement of Work, or other written agreement) and in accordance with the Client's documented instructions.

The details of the processing, including the categories of Personal Data, categories of Data Subjects, nature and purpose of processing, and duration, are described in Annex A of this DPA.

2.3 Client Responsibilities

Client is responsible for: (a) determining the lawful basis for processing Personal Data; (b) ensuring that it has provided all necessary notices to, and obtained all necessary consents or authorizations from, Data Subjects as required by Applicable Data Protection Law; (c) ensuring that its instructions to Workiflow comply with Applicable Data Protection Law; and (d) the accuracy, quality, and legality of all Personal Data provided to Workiflow.

3. Workiflow's Obligations

Workiflow will:

  • (a) Process Personal Data only on documented instructions from the Client, unless required to do so by applicable law. If Workiflow is required by law to process Personal Data for a purpose other than providing the Services, Workiflow will inform the Client of that requirement before processing, unless prohibited from doing so by law.
  • (b) Ensure that all Workiflow personnel who access Personal Data are bound by appropriate confidentiality obligations, whether contractual or statutory.
  • (c) Implement and maintain appropriate technical and organizational security measures to protect Personal Data, as described in Annex B of this DPA.
  • (d) Assist the Client, taking into account the nature of processing, in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law (such as access, rectification, erasure, restriction, portability, and objection). If Workiflow receives a request directly from a Data Subject, Workiflow will promptly notify the Client and will not respond to the request without the Client's instructions, unless required by law.
  • (e) Assist the Client in ensuring compliance with its obligations related to security, data breach notification, data protection impact assessments, and prior consultation with supervisory authorities, taking into account the nature of processing and the information available to Workiflow.
  • (f) Not make any independent determination regarding the purposes or means of processing Personal Data. Workiflow will not sell Personal Data, share Personal Data for cross-context behavioral advertising, or use Personal Data for any purpose other than performing the Services.

4. Sub-processors

4.1 Authorization

Client provides general written authorization for Workiflow to engage Sub-processors to assist in providing the Services. A current list of Sub-processors is maintained at workiflow.com/sub-processors.

4.2 New Sub-processors

Workiflow will update the sub-processor list at workiflow.com/sub-processors and notify the Client before engaging any new Sub-processor, providing the name of the Sub-processor and the nature of the processing. Client will have fourteen (14) days from receipt of notification to object in writing on reasonable data protection grounds. If the Client objects and the parties cannot resolve the objection within thirty (30) days, either party may terminate the affected portion of the Services.

4.3 Sub-processor Obligations

Workiflow will enter into a written agreement with each Sub-processor that imposes data protection obligations materially consistent with those set out in this DPA. Workiflow remains fully liable to the Client for the performance of each Sub-processor's obligations.

5. Data Security

5.1 Security Measures

Workiflow will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures are described in Annex B and include, at a minimum:

  • Encryption of Personal Data in transit (TLS 1.2+) and at rest
  • Role-based access controls with least-privilege enforcement
  • Continuous vulnerability monitoring and threat detection
  • Regular security awareness training for all personnel
  • Documented incident response procedures
  • Periodic review and testing of security measures

5.2 Certifications

Workiflow's SOC 2 Type II and ISO 27001 audits are in progress, and our controls are aligned to both frameworks today. Details of Workiflow's security posture are available at workiflow.com/security.

6. Data Breach Notification

6.1 Notification

In the event of a Data Breach, Workiflow will notify the Client without undue delay and in any event within seventy-two (72) hours of becoming aware of the breach.

6.2 Content of Notification

The notification will include, to the extent known at the time:

  • A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
  • The name and contact details of Workiflow's point of contact for further information
  • A description of the likely consequences of the breach
  • A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects

6.3 Ongoing Cooperation

Workiflow will cooperate with the Client and take reasonable steps to assist in investigating, mitigating, and remediating the Data Breach. Workiflow will provide updated information as it becomes available.

6.4 Notification Limitations

Workiflow's notification of a Data Breach is not an acknowledgment of fault or liability. The obligation to notify does not apply to breaches caused by the Client or the Client's end users.

7. International Data Transfers

7.1 Transfer Mechanisms

Where Personal Data is transferred from the EEA, UK, or Switzerland to a country not recognized as providing an adequate level of data protection, Workiflow will ensure that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (SCCs) approved by the European Commission (Module Two: Controller to Processor), supplemented by additional safeguards where required
  • UK International Data Transfer Addendum where UK GDPR applies
  • Any other legally recognized transfer mechanism under Applicable Data Protection Law

7.2 Additional Safeguards

Workiflow will implement supplementary measures where necessary to ensure that the level of protection of Personal Data is not undermined by the transfer. These may include encryption, pseudonymization, and access controls.

8. Audits and Assessments

8.1 Audit Rights

Client may, no more than once per twelve (12) month period and upon thirty (30) days' prior written notice, request an audit or inspection of Workiflow's data processing activities and security measures to verify compliance with this DPA.

8.2 Audit Process

Audits will be conducted during normal business hours and will not unreasonably interfere with Workiflow's operations. Client will bear its own costs associated with the audit. Workiflow may require the Client or its auditor to execute a confidentiality agreement before any audit.

8.3 Certification Reports

In lieu of an on-site audit, Workiflow may provide Client with: (a) once available, a copy of Workiflow's most recent SOC 2 Type II report (subject to mutual NDA); (b) documentation of Workiflow's ISO 27001 audit status; or (c) responses to a reasonable security questionnaire. If these materials are sufficient to address the Client's concerns, no further audit is required.

9. Data Retention and Deletion

9.1 Duration of Processing

Workiflow will process Personal Data for the duration of the applicable Service Agreement. Upon expiration or termination of the Service Agreement, Workiflow will, at the Client's written election:

  • (a) Return all Personal Data to the Client in a commonly used, machine-readable format; or
  • (b) Securely delete all Personal Data, including copies, within thirty (30) days and provide written confirmation of deletion upon request.

9.2 Exceptions

Workiflow may retain Personal Data to the extent required by applicable law, regulation, or professional obligations (such as tax or accounting requirements). Any retained data will continue to be protected in accordance with this DPA and will be deleted when the retention obligation expires.

9.3 Backup Systems

Personal Data contained in routine backup systems will be securely overwritten in accordance with Workiflow's standard backup rotation schedule, not to exceed ninety (90) days from the date of deletion.

10. Term and Termination

This DPA takes effect when the Client first engages Workiflow for Services and remains in effect for as long as Workiflow processes Personal Data on behalf of the Client.

Termination of the underlying Service Agreement will automatically trigger the data return and deletion obligations described in Section 9.

Sections 6 (Data Breach Notification), 8 (Audits), 9 (Data Retention and Deletion), and this Section 10 survive termination of this DPA.

11. Limitation of Liability

Each party's liability under this DPA is subject to the limitations of liability set forth in the Terms of Service. This DPA does not create any independent or additional liability beyond what is established in the Terms of Service and the applicable Service Agreement.

12. Contact

For questions about this DPA or to exercise any rights described herein:

Workiflow LLC

9450 Southwest Gemini Drive
Beaverton, OR 97008
United States

Email: security@workiflow.com

Website: workiflow.com

Annex A: Details of Processing

This Annex should be completed for each Client engagement where Personal Data is processed. It may be attached to or incorporated into the applicable Service Agreement.

Controller (Client): [Client name and address]

Processor: Workiflow LLC, 9450 Southwest Gemini Drive, Beaverton, OR 97008

Description of Services: [Brief description of Services being provided]

Categories of Data Subjects:

Examples may include (select all that apply):

  • Client employees and staff
  • Client's customers or end users
  • Client's vendors or partners
  • Prospective customers or leads
  • Other: [specify]

Categories of Personal Data:

Examples may include (select all that apply):

  • Names and contact information (email, phone, address)
  • Job titles and professional information
  • Account credentials and user identifiers
  • Transaction and billing records
  • Communications and correspondence
  • System usage and activity logs
  • Customer relationship data (CRM records)
  • Other: [specify]

Sensitive or Special Category Data:

  • [ ] No sensitive data is processed under this engagement
  • [ ] The following sensitive data is processed: [specify categories and the explicit consent or legal basis relied upon]

Nature and Purpose of Processing:

[Describe what Workiflow will do with the data, e.g., "configuration and administration of Client's monday.com workspace, including creation and management of user accounts, automation of workflows involving customer records, and reporting on operational data."]

Duration of Processing:

Processing will continue for the duration of the Service Agreement. Upon termination, data will be handled in accordance with Section 9 of this DPA.

Sub-processors:

A current list of Sub-processors is maintained at workiflow.com/sub-processors.

Request a DPA

To request a signed copy of our Data Processing Agreement or discuss specific data protection requirements, please contact our team.
