Updated Jun 17, 2024

Data Processing Addendum

When providing our service, Workbase may process personal data on your behalf. To outline the specifics of how we will perform this processing and what our obligations are, as well as the obligations of our users/customers, we’ve developed a Data Processing Addendum (DPA) that we enter into free of charge with anyone that uses our service and requests it.

The terms of this DPA are attached to Workbase's Terms of Service and form part of your agreement with us when you sign up to use our Services.

However, should there be a requirement for you to sign a separate DPA with us, Workbase offers a Data Processing Addendum that supplements the Terms of Service or any other Agreement. Please have an authorized individual execute this DPA. Once you sign the agreement, you will immediately receive a fully executed downloadable copy via email.

This Data Processing Addendum (“DPA”) is incorporated into, and is subject to the terms and conditions of, the Agreement between Workbase Platforms sp. z o.o. (“Workbase”) and the entity or person placing an order for or accessing the Services (“Customer”). All capitalized terms not defined in this DPA shall have the meanings set forth in the Agreement. For the avoidance of doubt, all references to the “Agreement” shall include this DPA (including the SCCs (where applicable), as defined herein).

This DPA governs Workbase's and Customer’s obligations as to the protection of Personal Data, Content, and other Customer Confidential Information pursuant to Data Protection Law.

1. Definitions

“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control,” for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

“Agreement” means Workbase's Terms of Service, or other written or electronic agreement, which govern the provision of the Services to Customer, as such terms or agreement may be updated from time to time.

“CCPA” means the California Consumer Privacy Act, its associated regulations and their successors.

“Controller”, “Data Subject”, “Process” and “Processor” (whether or not capitalized) have the meanings provided in the GDPR and include analogous provisions under Data Protection Laws in other jurisdictions.

“Data Protection Law(s)” means all laws and regulations applicable to Workbase's processing of Personal Data under the Agreement, including CCPA and GDPR.

“GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data.

“Personal Data” means any information relating to an identified or identifiable natural person that is processed by Workbase on Customer’s behalf pursuant to the Agreement.

“Security Incident” means the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Content, User Personal Data or other Customer Confidential Information processed by Workbase on Customer’s behalf pursuant to the Agreement.

2. Processing of personal data

2.1 Roles of the Parties. Customer may be the controller of Personal Data or a processor. Workbase will act as a processor or Sub-processor, as appropriate. Workbase will comply with obligations under Data Protection Laws that govern Workbase's activities when processing Personal Data. Customer shall be solely responsible for compliance with Data Protection Laws regarding the collection of and transfer to Workbase of Personal Data, and for advising Workbase of any obligations imposed on Workbase as a Sub-processor of or service provider to Customer.

2.2 Details of the Processing. The subject-matter of processing of Personal Data by Workbase is the performance of the Workbase Application pursuant to the Agreement. The duration of the processing, the nature and purpose of the processing, the types of Personal Data and categories of Data Subjects processed under this DPA are further specified in Annex A.

2.3 Processing in Accordance with Data Protection Law. Workbase shall only process Personal Data on behalf of and in accordance with Customer’s documented instructions for the following purposes: (a) processing in accordance with the Agreement and applicable Order Form(s); (b) processing initiated by Users in their use of the Workbase Application; and (c) processing to comply with other documented instructions provided by Customer. Workbase will promptly inform Customer if it becomes aware that processing requested by Customer infringes Data Protection Law.

2.4 Processing in Accordance with California Law. In accordance with the CCPA, and with respect to Personal Data to which CCPA applies: (a) Workbase will not “sell” (as defined in the CCPA) any Personal Data; and (b) Workbase will not collect, share or use any Personal Data except as necessary to perform services for Customer.

2.5 Confidentiality of Processing. Workbase will treat Personal Data as Customer’s Confidential Information and protect it in accordance with the confidentiality obligations in the Agreement. Workbase shall ensure that its personnel engaged in the processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities and have executed written confidentiality agreements no less protective of Customer’s rights in such data than this DPA.

2.6 Data Subject Requests; Data Impact Assessments. Workbase shall, taking into account the nature of the processing, assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of the Customer’s obligation to respond to: (a) any request from a data subject to exercise any of its rights under Data Protection Laws; (b) any other correspondence, enquiry or complaint received from a data subject, regulator or other third party in connection with the processing of Personal Data, and (c) any data protection impact assessment that Customer may be required to perform under Data Protection Law. If any such request, correspondence, enquiry or complaint is made directly to Workbase, Workbase will promptly inform Customer providing full details of the same. Workbase shall not respond to a data subject request without Customer’s prior written consent except to confirm that such request relates to Customer.

3. Sub-processors

3.1 Authorized Sub-processors. Customer consents to Workbase engaging Workbase Affiliates and third party Sub-processors to process Personal Data for the purposes described in the Agreement and this DPA. The Sub-processors currently engaged by Workbase are available on https://www.workbase.com/legal/sub-processors. Workbase or a Workbase Affiliate will enter a written agreement with each Sub-processor imposing data protection terms on the Sub-processor substantially equivalent to, and no less protective of data subjects’ rights in Personal Data than, this DPA. Workbase shall notify Customer if it adds or removes Sub-processors within ten (10) business days of such changes if Customer opts in to receive such notifications here. Customer may object to Workbase's appointment or replacement of a Sub-processor, provided such objection is based on reasonable grounds relating to data protection. If Customer does not object to a new Sub-processor within ten (10) business days, Customer will be deemed to have authorized Workbase's use of the new Sub-processor and to have waived its right to object. If Customer objects to a new Sub-processor, Workbase will use reasonable efforts to avoid using that Sub-processor to process Personal Data, either by adapting or recommending a change in Customer’s configuration of the Workbase Application. If neither of the foregoing is commercially practicable, Workbase will terminate the applicable subscription with respect to the portion of the Workbase Application that can only be provided by Workbase using that Sub-processor. Customer will not receive a refund of any unused prepaid fees on such termination and if fees remain unpaid for a subscription term, Customer will immediately pay the remaining balance due for the remainder of the subscription term.

3.2 Liability for Sub-processors. Where a Sub-processor fails to fulfil its data protection obligations, Workbase shall remain fully liable to Customer for the performance of that Sub-processor's obligations.

4. Security

4.1 Security Measures. Workbase will use procedural, technical and administrative safeguards designed to ensure the confidentiality, security, integrity, availability and privacy of Content, Personal Data and other Customer Confidential Information stored in the Workbase Application. Workbase may update or modify such measures from time to time provided that such updates and modifications do not result in a material decrease of the overall security of the Workbase Application during Customer’s subscription term. Workbase is not responsible for any breach or loss caused by Customer, Customer’s users or by Customer’s configuration of and deployment specifications for the Workbase Application.

4.2 Audit Rights. Workbase will make available to Customer such information as Customer may reasonably request to demonstrate Workbase's compliance with the obligations under Data Protection Laws. Workbase will further allow for and contribute to audits conducted by Customer or an auditor mandated by Customer so long as it is not a competitor of Workbase. All such information and audit requests and procedures: (a) must be reasonable based on the nature of the Workbase Application and the categories of Personal Data processed, (b) must be subject to an appropriate confidentiality agreement; and (c) may be made no more than once per year unless otherwise required by instruction of a competent data protection authority. Before the commencement of any such audit, Customer and Workbase shall mutually agree upon the scope, timing, and duration of the audit and the reimbursement rate for any travel or other expenses Workbase incurs in the course of such audit. All reimbursement rates shall be reasonable, taking into account the resources expended by Workbase. Customer shall promptly notify Workbase with information regarding any non-compliance discovered during the course of an audit.

4.3 Breach Notice. Workbase will inform Customer via email without undue delay on its discovery of a Security Incident. Workbase will take all actions reasonably necessary to remedy or mitigate the effects of the Security Incident. Workbase will further keep Customer informed of all material developments regarding the incident and provide such information and cooperation as Customer may reasonably require in order to fulfil its data breach reporting obligations under Data Protection Law.

5. Return and deletion of personal data

Upon termination or expiration of the Agreement, Workbase shall (at Customer’s election) delete or return to Customer all Personal Data (including copies) in its possession or control, except that this requirement shall not apply to the extent Workbase is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems, which Personal Data Workbase shall securely isolate, protect from any further processing and eventually delete in accordance with Workbase's deletion policies, except to the extent required by applicable law. The parties agree that the certification of deletion of Personal Data described in Clause 8.5 and 16(d) of the 2021 Controller-to-Processor Clauses and 2021 Processor-to-Processor Clauses (as applicable) shall be provided by Workbase to Customer only upon Customer’s written request.

6. Europe-specific provisions

6.1 Cross-Border Data Transfer Mechanisms. The transfer mechanisms listed in Annex B shall apply, in the order of precedence below, to any transfers of Personal Data from member states of the European Union, the European Economic Area and the United Kingdom to countries that have not been designated by the European Commission as providing an adequate level of protection for Personal Data.

6.2 To the extent Workbase processes Personal Data originating from member states of the European Union, the European Economic Area or the United Kingdom in a country that has not been designated by the European Commission as providing an adequate level of protection for Personal Data, the Personal Data shall be deemed to have adequate protection by virtue of the unchanged European Commission-approved version of the Standard Contractual Clauses for the Transfer of Personal Data to Processors Established in Third Countries under GDPR, as approved by European Commission Implementing Decision 2021/914 (the “SCCs”) as set out in http://ec.europa.eu/justice/data-protection/international-transfers/transfer/index_en.htm as of the DPA Effective Date, which are incorporated by reference into this DPA. Appendix 1 to this DPA contains certain interpretive and supplementary provisions regarding application of the SCCs. The information required by Annexes 1 and 2 of the SCCs is provided in Annexes A and B of this DPA.

7. Miscellaneous

7.1 Limits of Liability. Each party’s liability to the other under this DPA, whether in contract, tort or under any other theory of liability, is subject to the limitations of liability in the Agreement.

7.2 Construction; Interpretation. This DPA is not a standalone agreement and is only effective while the Agreement is in effect between Workbase and Customer. This DPA and the Agreement are the complete and exclusive statement of the mutual understanding of the parties and supersede and cancel all previous written and oral agreements and communications relating to the subject matter hereof. Headings contained in this DPA are for convenience of reference only and do not form part of this DPA.

7.3 Severability. If any provision of this DPA is adjudicated invalid or unenforceable, this DPA will be amended to the minimum extent necessary to achieve, to the maximum extent possible, the same legal and commercial effect originally intended by the parties. To the extent permitted by applicable law, the parties waive any provision of law that would render any clause of this DPA prohibited or unenforceable in any respect.

7.4 Amendment; Enforcement of Rights. No modification of or amendment to this DPA, nor any waiver of any rights under this DPA, will be effective unless in writing signed by the parties hereto. The failure by either party to enforce any rights under this DPA will not be construed as a waiver of any rights of such party.

7.5 Assignment. This DPA may be assigned only in connection with a valid assignment pursuant to the Agreement. If the Agreement is assigned by a party in accordance with its terms, this DPA will be automatically assigned by the same party to the same assignee.

7.6 Governing Law. This DPA will be governed by and construed in accordance with the laws of the jurisdiction governing the Agreement unless otherwise required by the GDPR, in which case this DPA will be governed by the laws of the Netherlands.

7.7 Counterparts. This DPA may be executed and delivered by facsimile or electronic signature and in two or more counterparts, each of which will be deemed an original, but all of which together will constitute one and the same instrument.

APPENDIX 1: APPLICABLE STANDARD CONTRACTUAL CLAUSES AND SUPPLEMENTAL TERMS

1. Incorporation of SCCs

The parties agree that the SCCs are hereby incorporated by reference into this DPA as follows:

1.1 Module 1: Transfer controller to controller, Clauses 1 to 6, 8 and 10 to 18 apply where Workbase Processes Personal Data as a Controller pursuant to the terms of the Agreement, Workbase and its relevant Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

1.2 Module 2: Transfer controller to processor, Clauses 1 to 6 and 8 to 18 apply where Workbase Processes Personal Data as a Processor pursuant to the terms of the Agreement, Workbase and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

1.3 Module 3: Transfer processor to processor, Clauses 1 to 6 and 8 to 18 apply where Workbase Processes Personal Data as a Processor pursuant to the terms of the Agreement, Workbase and its relevant Sub-Processor Affiliates are located in non-adequacy approved third countries, and Customer and its relevant Affiliates are established in the EEA.

1.4 Module 4: Transfer processor to controller, Clauses 1 to 6, 8, 10 to 12, and 14 to 18 apply where Workbase Processes Personal Data as a Processor pursuant to the terms of the Agreement, and Workbase and its relevant Sub-Processor Affiliates are located in the EEA, and Customer and its relevant Affiliates are located in non-adequacy approved third countries.

2. Standard contractual clause optional provisions

In addition to Section 1.1, where the SCCs identify optional provisions (or provisions with multiple options) the following shall apply in the following manner:

2.1 Clause 7 (Docking Clause) is omitted;

2.2 In Clause 9(a) (Use of sub-processors) (Module 2) – Option 2 shall apply and the parties shall follow the process and timings agreed in the DPA to appoint sub-processors;

2.3 In Clause 11(a) (Redress) (Module 1, 2 or 4) – the Optional provision shall NOT apply;

2.4 In Clause 16(b) (Suspension of transfers) if Workbase is the data exporter it will suspend transfers of personal data only as required by law and will notify Customer as promptly as possible (before suspension if possible) so that Customer may remedy the condition requiring suspension;

3. EU optional provisions

3.1 In Clause 17 (Governing Law) (Module 1, 2 or 4) – the laws of the Netherlands shall govern; and

3.2 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2 or 4) – the courts of the Netherlands shall have jurisdiction.

4. UK-specific provisions

4.1 Clause 6 Description of the transfer(s) is replaced with:

“The details of the transfer(s) (and in particular the categories of personal data that are transferred and the purpose(s) for which they are transferred) are those specified in Annex I.B where UK Data Protection Laws apply to the data exporter's processing when making that transfer.”

4.2 References to “Regulation (EU) 2016/679” or “that Regulation” are replaced by “UK Data Protection Laws” and references to specific Article(s) of “Regulation (EU) 2016/679” are replaced with the equivalent Article or Section of UK Data Protection Laws.

4.3 References to Regulation (EU) 2018/1725 are removed.

4.4 References to the “Union”, “EU” and “EU Member State” are all replaced with “United Kingdom”.

4.5 In Clause 17 (Governing Law) (Module 1, 2 or 4) – the laws of England and Wales shall govern; and

4.6 In Clause 18 (Choice of forum and jurisdiction) (Module 1, 2 or 4) – the courts in London, England shall have jurisdiction.

5. Supplementary terms to SCCs

5.1 Documentation and compliance. For the purposes of Clause 8.9(b) – Module One, Clause 8.9(e) – Module Two and Clause 8.3 – Module Four the review and audit provisions in the Agreement and DPA shall apply.

5.2 Notification and Transparency. The Parties acknowledge and agree that Workbase, where required by the SCCs to notify the competent supervisory authority, shall first provide Customer with the details of the notification, permitting Customer to have prior written input into the relevant notification where Customer desires to do so, and without delaying the timing of the notification unduly.

5.3 For purposes of Clause 8.2 – Module 1, Clause 8.3 – Module 2 and Clause 15.1(a), the parties agree and acknowledge that it may not be possible for Workbase to make the appropriate communications to data subjects and accordingly, Customer shall (following notification by the Data Importer) have the option to be the party who makes any communication to the data subject, and Workbase shall provide the level of assistance set out in the DPA.

5.4 Liability. For the purposes of Clause 12(a), the liability of the parties shall be limited in accordance with the limitation of liability provisions in the Agreement. 

5.5 Signatories. Notwithstanding the fact that the SCCs are incorporated herein by reference without being signed directly, Workbase and Customer each agrees that their execution of the Agreement is deemed to constitute its execution of the SCCs, and that it is duly authorized to do so on behalf of, and to contractually bind, the Data Exporter or Data Importer (as applicable) accordingly. 

Annex A: Details of the processing

Subject Matter of Processing

Workbase will process Personal Data as necessary to provide the Workbase Application to Customer pursuant to the Agreement.

Duration of Processing

Workbase will process Personal Data for the duration of the Agreement until termination of the Agreement, unless otherwise agreed in writing.

Categories of Data Subjects

Workbase collects Personal Data from Customer’s Users in order to provide the Workbase Application.

Nature and Purpose of Processing

The purpose of processing of Customer Personal Data by Workbase is the provision of the Services pursuant to the Agreement.

Types of Personal Data

Personal Data collected from Customer’s users may include without limitation: Identification Data such as name and email address, and Electronic identification data such as IP address and other online identifiers. Other types of Personal Data include physical address (for payment purposes), telephone/mobile number, location data, and device ID. Workbase does not monitor content users introduce into the Workbase Application. If users add Personal Data to the Workbase Application (in a Workbase project within the Services), Workbase will automatically process that Personal Data.

Sensitive Personal Data Transferred

Customer will not be required to submit sensitive Personal Data to the Services.

Frequency of Transfer of Data

Continuous

Period for which the Personal Data will be retained

The period for which the Personal Data will be retained is more fully described in the Agreement, DPA, and accompanying applicable Order Forms.

Obligations and rights of the Customer

The obligations and rights of Customer as a controller are set out in the Agreement and this DPA.

Annex B: Security controls

Description of Workbase's Technical and Organizational Security Measures

Workbase establishes data security in accordance with applicable laws. The Technical and Organizational Security Measures implemented are set forth below. The measures taken are designed to guarantee a protection level appropriate to the risk concerning confidentiality, integrity, availability, and resilience of the systems. The state of the art, implementation costs, the nature, scope and purposes of processing, as well as the probability of occurrence and the severity of the risk to the rights and freedoms of natural persons, must also be taken into account. Workbase has set out a number of Technical and Organizational Security Measures and may implement alternative adequate measures from time to time, provided such measures will not materially reduce Workbase's security level. Workbase can provide Customer, upon reasonable request, adequate evidence of compliance with its Data Processing obligations under this Agreement. 

  • Measures of pseudonymization and encryption of personal data

  • Measures for ensuring ongoing confidentiality, integrity, availability and resilience of processing systems and services

  • Measures for ensuring the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident

  • Processes for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

  • Measures for user identification and authorization

  • Measures for the protection of data during transmission

  • Measures for the protection of data during storage

  • Measures for ensuring physical security of locations at which personal data are processed

  • Measures for ensuring events logging

  • Measures for ensuring system configuration, including default configuration

  • Measures for internal IT and IT security governance and management

  • Measures for certification/assurance of processes and products

  • Measures for ensuring data minimization

  • Measures for ensuring data quality

  • Measures for ensuring limited data retention

  • Measures for ensuring accountability

  • Measures for allowing data portability and ensuring erasure
