Data Processing Addendum (DPA)
The protection of individuals’ personal data is a fundamental right under EU law and currently regulated by the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”). The GDPR specifies that the processing of personal data by a processor on behalf of a controller shall be governed by a written agreement regulating amongst others the circumstances and conditions under which such processing may take place.
This Data Processing Addendum (the “Addendum” or “DPA”) forms part of the Worksection Terms of Service available at worksection.com/en/agreement.html, (the “Terms of Service”, updated from time to time), or other agreement governing the use of Worksection’s services (“Agreement”) entered by and between you, the Customer (as defined in the Agreement - collectively, “you”, “your”, “Customer”), and Worksection LLC (“Worksection”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by Worksection solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.
The Parties have agreed that Worksection shall provide Customer with a cloud-based project management tool (hereinafter referred to as the “Services”), under which Worksection will be processing certain personal data on behalf of the Customer in the capacity of processor. As such, the Parties acknowledge the need to enter into this separate Addendum to regulate the processing of personal data by Worksection on behalf of the Customer. By using the Services, Customer accepts this DPA and anyone who is entering into the Terms of Service on behalf of a company or other legal entity, represents to have the authority to bind such entity and its affiliates to these terms and conditions, in which case the terms “you” and “your” herein shall refer to such entity. If you cannot, or do not agree to, comply and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.
In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.
Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.
(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.
(b) “Authorized Affiliate” means any of Customer’s Affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between Customer and Worksection but has not signed its own agreement with Worksection and is not a “Customer” as defined under the Agreement.
(c) “CCPA” means the California Consumer Privacy Act of 2018. Section 1798.100.
(d) The terms, “Controller“, “Member State“, “Processor“, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA.
For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”, to the extent that the CCPA applies. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.
(e) “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.
(f) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.
(g) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).
(h) “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by Worksection solely on behalf of Customer, under this DPA and the Agreement between Customer and Worksection.
(i) “Services” means the cloud-based work operating system platform (“Platform”) and any other services provided to Customer by Worksection under the Agreement.
(j) “Security Documentation” means the security documentation specifically applicable to the Processing of Personal Data by Worksection under the Agreement and this DPA, as updated from time to time, and accessible via worksection.com/en/agreement.html, or as otherwise made reasonably available by Worksection.
(k) “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; and/or (e) account passwords in unhashed form.
(l) “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Worksection.
(m) “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).
2. DATA PROCESSING
2.1. Scope and Roles. This Addendum applies when Customer Data is processed by Worksection on behalf of Customer as part of performing the Services.
2.2. Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this Addendum, including all statutory requirements relating to data protection.
2.3. The Nature and Purpose of Data Processing. As long as Customer is using the Services, and as a consequence of Customer using the Services, Worksection will process Customer Data on behalf of Customer. Customer Data includes but is not limited to names, addresses and contact information of the Customer’s invited users, as well as other kind of personal data which Customer will upload to the Services in different project, collections and boards. Customer Data can relate to Customer’s employees, directors, officers, customers and subcontractors, but also to third parties which are somehow part of or related to a project managed by Customer when using the Services. Customer Data may also include technical data, usage data, quality statistics and similar information (including but not limited to device related and location-based metrics) related to Customer’s access to and use of the Services.
2.4. Instructions for Data Processing. Worksection will process Customer Data in accordance with Customer’s documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless required to do otherwise by applicable law. Any additional costs, which arise as a result of such restrictions, shall be borne by Customer. The parties agree that this Addendum is Customer’s complete and final instructions to Worksection in relation to processing of Customer Data. Processing outside the scope of this Addendum (if any) will require prior written agreement between Worksection and Customer on additional instructions for processing, including agreement on any additional fees Customer will pay to Worksection for carrying out such instructions. Customer may terminate this Addendum if Worksection declines to follow instructions requested by Customer that are outside the scope of this Addendum.
2.5. Access or Use. Worksection will not access or use Customer Data, except as necessary to maintain, improve and provide the Services requested by Customer.
2.6. Details of the Processing. The duration of the processing, the nature and purpose of the processing, the types of Customer Data and categories of data subjects processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.
2.7. Assistance. Taking into account the nature of the processing, Worksection shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights.
2.8. Disclosure. Worksection will not disclose Customer Data to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If a law enforcement agency sends Worksection a demand for Customer Data, Worksection will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Worksection may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Worksection will give Customer reasonable Notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Worksection is legally prohibited from doing so.
2.9. Worksection Personnel. Worksection restricts its personnel from processing Customer Data without authorization by Worksection. Worksection will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.
2.10. Customer Controls. Worksection makes available a number of security features and functionalities that Customer may elect to use. Customer is responsible for properly (a) configuring the Services, (b) using the controls available in connection with the Services (including the security controls), and (c) taking such steps as Customer considers adequate to maintain appropriate security, protection, deletion and backup of Customer Data, which may include use of encryption technology to protect Customer Data from unauthorized access and routine archiving of Customer Data.
3. CROSS-BORDER DATA TRANSFERS
3.1. Transfers from the EEA and Switzerland to countries that offer adequate level or data protection. Personal Data may be transferred from EU member states, Norway, Liechtenstein and Iceland (collectively “EEA”), and Switzerland, to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, or Switzerland as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.
3.2. Transfers to other countries. If the Processing of Personal Data by Worksection includes transfers (either directly or via onward transfer) from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Worksection for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland, as applicable, then the “2021 Standard Contractual Clauses” (as approved by the European Commission in decision Implementing Decision (EU) 2021/914) and related annexes and appendices shall apply.
4. SECURITY RESPONSIBILITIES
Worksection will implement such technical and organizational measures to protect Customer Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized processing, disclosure and access, which are required by applicable law. Worksection will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Worksection, and (c) minimize security risks, including through risk assessment and regular testing. Worksection will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include measures relating to both network and physical security, and will be reviewed periodically by Worksection to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews. If Customer wishes Worksection to take any further measures, Worksection will do so to a reasonable extent, but any additional costs shall be borne by Customer. Customer confirms that it deems the measures set forth in Annex 2 as being appropriate technical and organizational safeguards in relation to the processing of Personal Data.
5. CUSTOMER’S RESPONSIBILITY
Customer is solely responsible for reviewing the information made available by Worksection relating to data security and making an independent determination as to whether the Services meet Customer’s requirements, and for ensuring that Customer’s personnel and consultants follow the guidelines they are provided regarding data security.
Upon the request of Customer and during regular business hours, Worksection will submit its data processing facilities for audit of the processing activities covered by the Addendum which shall be carried out by Customer at Customer’s expense.
7.1. If Worksection becomes aware of either (a) any unlawful access to any Customer Data stored on Worksection’s equipment or in Worksection’s facilities; or (b) any unauthorized access to such equipment or facilities, where in either case such access results in loss, disclosure, or alteration of Customer Data (each a “Security Incident”), Worksection will promptly: (a) notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.
7.2. Customer agrees that:
(i) an unsuccessful Security Incident will not be subject to this Section. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Worksection’s equipment or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and
(ii) Worksection’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Worksection of any fault or liability of Worksection with respect to the Security Incident.
7.3. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Worksection selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the Worksection at all times.
8.1. Authorized Sub-processors. Customer agrees that Worksection may use sub-processors to fulfil its contractual obligations under this Addendum or to provide certain services on its behalf, such as providing support services. Worksection maintains a list of sub-processors on its website worksection.com/en/agreement.html. Worksection shall notify Customer of any intended changes concerning the addition or replacement of sub-processors, to which the Customer may object. Customer is notified when Worksection updating the list of sub-processors on its website. If Customer has made no such objection within thirty (30) days from the date of receipt of the notification/date of update on the website, Customer is assumed to have made no objection. In case of an objection from the Customer, Worksection has the right to cure the Customer’s objection at Worksection’s sole discretion. If (i) no corrective option is reasonably available; or (ii) the parties have not been able to find a mutually agreeable solution, and (iii) the objection has not been cured within thirty (30) days after Worksection receiving the objection, either Party may terminate the Terms of Service with immediate effect.
8.2. Sub-processor Obligations. Where Worksection authorizes any sub-processor as described in this Section:
(i) Worksection will restrict the sub-processor’s access to Customer Data only to what is necessary to maintain the Services or to provide the Services to Customer in accordance with the Terms of Service and Worksection will prohibit the sub-processor from accessing Customer Data for any other purpose.
(ii) Worksection will impose appropriate contractual obligations in writing upon the sub-processor that are no less protective than this Addendum, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights; and
(iii) Worksection will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the sub-processor that cause Worksection to breach any of Worksection’s obligations under this Addendum.
9. OBLIGATIONS TO INFORM
If Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Worksection, Worksection will inform Customer without undue delay. Worksection will, without undue delay, notify all relevant parties in such action (e.g. creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.
10. RETURN AND DELETION OF PERSONAL DATA
Following termination of the Agreement and cessation of the Services, at the choice of Customer (indicated through the Platform or in written notification to Processor), Processor shall delete or return to Customer all the Personal Data it Processes solely on behalf of the Customer in the manner described in the Agreement, and Processor shall delete existing copies of such Personal Data unless Data Protection Laws require otherwise. To the extent authorized or required by applicable law, Processor may also retain one copy of the Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.
ANNEX 1 - DETAILS OF THE PROCESSING
Categories of Data Subjects.
Customer may submit Personal Data to the Service which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:
● Customer’s invited users
● Employees of Customer
● Consultants of Customer
● Agents of Customer
● Advisors of Customer
● Business partners and vendors of Customer (who are natural persons)
Any other third party individual with whom Customer decides to communicate through the Service.
Categories of data.
Any personal data comprised in Customer Data, i.e. Personal Data that is uploaded by the Customer to the Services under Customer’s Worksection accounts or otherwise processed by Worksection on behalf of Customer, in connection with Customer’s use of the Services.
The Customer acknowledges and understands that the Services are used for collaboration and planning, and that they are not designed for the processing of special categories of personal data.
Duration of Processing.
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the processing and the consequences of the expiration or termination thereof, Worksection will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing. Customer will itself delete Personal Data uploaded to the Services, in accordance with its own retention policies.
Processing operations and frequency.
The processing takes place continuously, as Customer avails itself of the Services.
The personal data may be subject to the following processing activities:
● storage and other processing necessary to provide, maintain and improve the Services provided to the Data Exporter;
● to provide customer and technical support to the Data Exporter;
● disclosures in accordance with the Agreement, as compelled by law.
Sub-processors are engaged by Worksection for web analytics, ERP, customer data analytics, customer support, servers and hosting, and email functionalities.
ANNEX 2 – TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
Measures of pseudonymization and encryption of personal data.
Worksection maintains customer data encrypted at rest using a cipher strength equivalent to 256 bit symmetric crypto or better. Data is encrypted in transit using TLS 1.2 or later.
Measures for ensuring ongoing confidentiality, integrity, and availability and resilience of processing systems and services.
The infrastructure for the Worksection services spans multiple data centres in different EU countries and in Ukraine.
Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
Worksection backups up customer data in real time. Backups are retained redundantly across multiple data centres and are encrypted in transit and at rest with industry standard ciphers with cipher strength equivalent to 256 bit symmetric crypto.
Processes for regular testing to ensure the security of processing.
Worksection maintains a security program based on ISO 27001 standards. This includes administrative, organizational, technical and physical security safeguards designed to protect the confidentiality, integrity and availability of customer data. Worksection performs annual third party application and network penetration tests.
Measures for user identification and authorization.
Worksection personnel are required to use unique user credentials and secrets for authentication.
Measures for the protection of data during transmission.
Customer data is encrypted with TLS 1.2 or later encryption during transmission between the customer and Worksection as well as internally between Worksection systems.
Measures for the protection of data during storage.
Customer data is stored encrypted using industry standard 256 bit symmetric ciphers.
Measures for ensuring systems configuration, including default configuration.
Worksection applies Secure Software Development Lifecycle (Secure SDLC) standards to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before new services are deployed; (b) annual penetration testing by independent third parties; and (c) threat models for new services to detect any potential security problems.
Last Updated: July 11, 2022