Data Processing Addendum

Effective:
Last updated:

1. Parties and scope

This Data Processing Addendum ("DPA") supplements the Terms of Service between Worql, Inc., a Delaware corporation ("Worql," "Processor"), and the customer identified in the applicable order or account record ("Customer," "Controller"). It governs Worql's processing of Personal Data on Customer's behalf in connection with the Worql Service.

This DPA reflects the requirements of:

  • Regulation (EU) 2016/679 ("GDPR") and the UK General Data Protection Regulation as it forms part of UK law ("UK GDPR"),
  • the California Consumer Privacy Act as amended ("CCPA / CPRA"), and
  • the Digital Personal Data Protection Act, 2023 of India ("DPDPA").

Where any of those frameworks does not apply to a given processing activity, the corresponding obligation in this DPA does not apply to that activity.

2. Definitions

Terms have the meanings given in the applicable law (Controller, Processor, Data Subject, Personal Data, Processing, Sub-processor, Standard Contractual Clauses, Data Principal, Business, Service Provider). Customer is the Controller (or, under CCPA, the Business); Worql is the Processor (or Service Provider). For DPDPA-regulated processing, Customer is the Data Fiduciary and Worql is the Data Processor.

3. Processing details

Subject matter and duration. Processing of Personal Data necessary to provide the Service for the duration of Customer's subscription, plus the retention periods in the Privacy Policy.

Nature and purpose. Hosting, transmitting, storing, generating drafts from, exporting, and supporting access to Customer Personal Data inside the Worql workspace.

Categories of Data Subjects. Customer's authorized users; Customer's counterparties named in SOWs and project records (clients, vendors, employees, contractors).

Categories of Personal Data. Names, business contact information, business roles, project descriptions, deal terms, and other information Customer chooses to enter into the workspace. Customer should not enter special categories of Personal Data (health, biometric, sexual orientation, religious belief, etc.) into the Service; the Service is not designed to process them.

4. Customer's instructions

Customer instructs Worql to process Personal Data only as needed to:

  • provide the Service to Customer and its authorized users,
  • comply with Customer's documented instructions (including via the workspace UI),
  • comply with applicable law,
  • maintain security, prevent abuse, and respond to incidents,
  • as otherwise expressly permitted by the Terms or this DPA.

Worql will inform Customer if it believes an instruction violates applicable data-protection law, unless prohibited from doing so.

5. Confidentiality

Worql will ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality and have received training on data protection commensurate with their role.

6. Security

Worql will implement and maintain technical and organizational measures appropriate to the risk, including the controls described in Section 9 of the Privacy Policy (TLS in transit, encryption at rest, least-privilege secrets management, SSO-gated production access, etc.). Worql will review and update these measures from time to time and will not materially degrade them during the term.

7. Sub-processors

Customer authorizes Worql to engage the Sub-processors listed at /sub-processors, each subject to written terms providing data-protection obligations no less protective than this DPA. Worql will give Customer at least 30 days' advance notice of new or replacement Sub-processors. Customer may object in writing on reasonable data-protection grounds; if Worql and Customer cannot resolve the objection, Customer may terminate the affected portion of the Service and receive a pro-rata refund of prepaid fees.

8. International transfers

Where Customer Personal Data is transferred from the EEA, UK, Switzerland, or India to a country that has not received an adequacy decision, the transfer is governed by:

  • the EU Standard Contractual Clauses (Commission Decision 2021/914), Module 2 (Controller-to-Processor) where Customer is the Controller, or Module 3 (Processor-to-Processor) where Customer is itself a Processor;
  • the UK International Data Transfer Addendum (the IDTA Addendum) for transfers from the UK;
  • the equivalent Swiss FDPIC requirements for transfers from Switzerland;
  • the DPDPA's cross-border transfer framework for transfers from India, as that framework is implemented from time to time.

The SCCs are incorporated into this DPA by reference. Where the SCCs require optional elections, the parties make the following: the optional docking clause does not apply; supervisory authority is the Irish DPC for EEA transfers and the ICO for UK transfers; the law of Ireland governs disputes for EEA Module 2/3 transfers; the law of England and Wales governs for UK transfers; arbitration under SIAC Rules applies to disputes escalated under this DPA consistent with the Terms.

9. Data subject requests

Worql will reasonably assist Customer in responding to Data Subject requests (access, correction, deletion, restriction, portability, objection, DPDPA grievances) through the workspace UI where possible and via support@worql.app where not. Worql will not respond directly to a Data Subject about Customer Personal Data unless required by law or authorized by Customer.

10. Incident notification

If Worql becomes aware of a Personal Data Breach affecting Customer Personal Data, Worql will notify Customer without undue delay and in any event within 72 hours of becoming aware, with the information reasonably available at the time and updates as additional facts emerge. Worql will take reasonable steps to mitigate the breach's effects and assist Customer in meeting Customer's own notification obligations.

11. Audit

Once per twelve-month period, on at least 30 days' notice, Customer (or a third-party auditor reasonably acceptable to Worql, bound to confidentiality) may audit Worql's compliance with this DPA by reviewing Worql's written responses to a reasonable questionnaire. On-site audits are not required and are at Customer's expense; remote inspection through documents, certifications, and follow-up calls will be the default form.

12. Return or deletion

On termination or expiration of the Service, Customer may export its data through the workspace UI. Within 30 days after termination, Worql will delete Customer Personal Data from active systems, subject to backup retention windows in Section 7 of the Privacy Policy and any retention obligation imposed by applicable law.

13. Term and order of precedence

This DPA takes effect when Customer accepts the Terms (or signs an order form referencing this DPA) and continues for the term of the Service. In the event of a conflict between the Terms and this DPA with respect to data protection, this DPA prevails. With respect to the SCCs and any matter falling within them, the SCCs prevail over both.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of the Terms (including Section 11 of the Terms). The SCCs and the UK IDTA's liability provisions apply with respect to claims by Data Subjects against either party arising directly from the transfer mechanisms themselves.

15. Execution

By accepting the Terms or creating a paid Worql account, Customer is deemed to have entered into this DPA without need for separate signature. A counter-signed copy is available on request to legal@worql.app.

Worql signatory: Aayush Chopra, on behalf of Worql, Inc.

16. Contact

Data protection: privacy@worql.app. Legal notices: legal@worql.app. DPDPA grievances: grievance@worql.app.