WORKSECTION

Data Processing Addendum (DPA)

The protection of individuals’ personal data is a fundamental right under EU law and currently regulated by the General Data Protection Regulation (Regulation (EU) 2016/679) (the “GDPR”). The GDPR specifies that the processing of personal data by a processor on behalf of a controller shall be governed by a written agreement regulating amongst others the circumstances and conditions under which such processing may take place.

This Data Processing Addendum (the “Addendum” or “DPA”) forms part of the Worksection Terms of Service available at worksection.com/en/agreement.html (the “Terms of Service”, updated from time to time), or other agreement governing the use of Worksection’s services (“Agreement”) entered by and between you, the Customer (as defined in the Agreement — collectively, “you”, “your”, “Customer”), and Worksection LLC (“Worksection”, “us”, “we”, “our”) to reflect the parties’ agreement with regard to the Processing of Personal Data by Worksection solely on behalf of the Customer. Both parties shall be referred to as the “Parties” and each, a “Party”.

The Parties have agreed that Worksection shall provide Customer with a cloud-based project management tool (hereinafter referred to as the “Services”), under which Worksection will be processing certain personal data on behalf of the Customer in the capacity of processor. As such, the Parties acknowledge the need to enter into this separate Addendum to regulate the processing of personal data by Worksection on behalf of the Customer. By using the Services, Customer accepts this DPA and anyone who is entering into the Terms of Service on behalf of a company or other legal entity, represents to have the authority to bind such entity and its affiliates to these terms and conditions, in which case the terms “you” and “your” herein shall refer to such entity. If you cannot, or do not agree to, comply and be bound by this DPA, or do not have authority to bind the Customer or any other entity, please do not provide Personal Data to us.

In the event of any conflict between certain provisions of this DPA and the provisions of the Agreement, the provisions of this DPA shall prevail over the conflicting provisions of the Agreement solely with respect to the Processing of Personal Data.

1. DEFINITIONS

Capitalized terms not defined herein shall have the meanings assigned to such terms in the Agreement.

(a) “Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the subject entity. “Control”, for purposes of this definition, means direct or indirect ownership or control of more than 50% of the voting interests of the subject entity.

(b) “Authorized Affiliate” means any of Customer’s Affiliate(s) which is explicitly permitted to use the Services pursuant to the Agreement between Customer and Worksection but has not signed its own agreement with Worksection and is not a “Customer” as defined under the Agreement.

(c) “CCPA” means the California Consumer Privacy Act of 2018. Section 1798.100.

(d) The terms “Controller”, “Member State”, “Processor”, “Processing” and “Supervisory Authority” shall have the same meaning as in the GDPR. The terms “Business”, “Business Purpose”, “Consumer” and “Service Provider” shall have the same meaning as in the CCPA.

For the purpose of clarity, within this DPA “Controller” shall also mean “Business”, and “Processor” shall also mean “Service Provider”, to the extent that the CCPA applies. In the same manner, Processor’s Sub-processor shall also refer to the concept of Service Provider.

(e) “Data Protection Laws” means all applicable and binding privacy and data protection laws and regulations, including such laws and regulations of the European Union, the European Economic Area and their Member States, Switzerland, the United Kingdom, Canada, and the United States of America, as applicable to the Processing of Personal Data under the Agreement including (without limitation) the GDPR, the UK GDPR, and the CCPA, as applicable to the Processing of Personal Data hereunder and in effect at the time of Processor’s performance hereunder.

(f) “Data Subject” means the identified or identifiable person to whom the Personal Data relates.

(g) “GDPR” means the Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation).

(h) “Personal Data” or “Personal Information” means any information that identifies, relates to, describes, is capable of being associated with, or could reasonably be linked, directly or indirectly, to or with an identified or identifiable natural person or Consumer, which is processed by Worksection solely on behalf of Customer, under this DPA and the Agreement between Customer and Worksection.

(i) “Services” means the cloud-based work operating system platform (“Platform”) and any other services provided to Customer by Worksection under the Agreement.

(j) “Security Documentation” means the security documentation specifically applicable to the Processing of Personal Data by Worksection under the Agreement and this DPA, as updated from time to time, and accessible via worksection.com/en/agreement.html, or as otherwise made reasonably available by Worksection.

(k) “Sensitive Data” means Personal Data that is protected under a special legislation and requires unique treatment, such as “special categories of data”, “sensitive data” or other materially similar terms under applicable Data Protection Laws, which may include any of the following: (a) social security number, tax file number, passport number, driver’s license number, or similar identifier (or any portion thereof); (b) credit or debit card number; (c) financial, credit, genetic, biometric or health information; (d) information revealing racial or ethnic origin, political opinions, religious or philosophical beliefs, or trade union membership, genetic data or biometric data for the purpose of uniquely identifying a natural person, data concerning health or a person’s sex life or sexual orientation, or data relating to criminal convictions and offences; and/or (e) account passwords in unhashed form.

(l) “Sub-processor” means any third party that Processes Personal Data under the instruction or supervision of Worksection.

(m) “UK GDPR” means the Data Protection Act 2018, as well as the GDPR as it forms part of the law of England and Wales, Scotland and Northern Ireland by virtue of section 3 of the European Union (Withdrawal) Act 2018 and as amended by the Data Protection, Privacy and Electronic Communications (Amendments etc.) (EU Exit) Regulations 2019 (SI 2019/419).

2. DATA PROCESSING

2.1. Scope and Roles. This Addendum applies when Customer Data is processed by Worksection on behalf of Customer as part of performing the Services.

2.2. Compliance with Laws. Each party will comply with all laws, rules and regulations applicable to it and binding on it in the performance of this Addendum, including all statutory requirements relating to data protection.

2.3. The Nature and Purpose of Data Processing. As long as Customer is using the Services, and as a consequence of Customer using the Services, Worksection will process Customer Data on behalf of Customer. Customer Data includes but is not limited to names, addresses and contact information of the Customer’s invited users, as well as other kinds of personal data which Customer will upload to the Services in different projects, collections and boards. Customer Data can relate to Customer’s employees, directors, officers, customers and subcontractors, but also to third parties which are somehow part of or related to a project managed by Customer when using the Services. Customer Data may also include technical data, usage data, quality statistics and similar information (including but not limited to device related and location-based metrics) related to Customer’s access to and use of the Services.

2.4. Instructions for Data Processing. Worksection will process Customer Data in accordance with Customer’s documented instructions, including with regard to transfers of personal data to a third country or an international organization, unless required to do otherwise by applicable law. Any additional costs, which arise as a result of such restrictions, shall be borne by Customer. The parties agree that this Addendum is Customer’s complete and final instructions to Worksection in relation to processing of Customer Data. Processing outside the scope of this Addendum (if any) will require prior written agreement between Worksection and Customer on additional instructions for processing, including agreement on any additional fees Customer will pay to Worksection for carrying out such instructions. Customer may terminate this Addendum if Worksection declines to follow instructions requested by Customer that are outside the scope of this Addendum.

2.5. Access or Use. Worksection will not access or use Customer Data, except as necessary to maintain, improve and provide the Services requested by Customer.

2.6. Details of the Processing. The duration of the processing, the nature and purpose of the processing, the types of Customer Data and categories of data subjects processed under this DPA are further specified in Annex 1 (Details of the Processing) to this DPA.

2.7. Assistance. Taking into account the nature of the processing, Worksection shall assist Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the data subject’s rights.

2.8. Disclosure. Worksection will not disclose Customer Data to any government, except as necessary to comply with the law or a valid and binding order of a law enforcement agency (such as a subpoena or court order). If a law enforcement agency sends Worksection a demand for Customer Data, Worksection will attempt to redirect the law enforcement agency to request that data directly from Customer. As part of this effort, Worksection may provide Customer’s basic contact information to the law enforcement agency. If compelled to disclose Customer Data to a law enforcement agency, then Worksection will give Customer reasonable Notice of the demand to allow Customer to seek a protective order or other appropriate remedy unless Worksection is legally prohibited from doing so.

2.9. Worksection Personnel. Worksection restricts its personnel from processing Customer Data without authorization by Worksection. Worksection will impose appropriate contractual obligations upon its personnel, including relevant obligations regarding confidentiality, data protection and data security.

2.10. Customer Controls. Worksection makes available a number of security features and functionalities that Customer may elect to use. Customer is responsible for properly (a) configuring the Services, (b) using the controls available in connection with the Services (including the security controls), and (c) taking such steps as Customer considers adequate to maintain appropriate security, protection, deletion and backup of Customer Data, which may include use of encryption technology to protect Customer Data from unauthorized access and routine archiving of Customer Data.

3. CROSS-BORDER DATA TRANSFERS

3.1. Transfers from the EEA and Switzerland to countries that offer adequate level of data protection. Personal Data may be transferred from EU member states, Norway, Liechtenstein and Iceland (collectively “EEA”), and Switzerland, to countries that offer an adequate level of data protection under or pursuant to the adequacy decisions published by the relevant data protection authorities of the EEA, the European Union, the Member States or the European Commission, or Switzerland as relevant (“Adequacy Decisions”), as applicable, without any further safeguard being necessary.

3.2. Transfers to other countries. If the Processing of Personal Data by Worksection includes transfers (either directly or via onward transfer) from the EEA or Switzerland to other countries which have not been subject to a relevant Adequacy Decision, and such transfers are not performed through an alternative recognized compliance mechanism as may be adopted by Worksection for the lawful transfer of personal data (as defined in the GDPR) outside the EEA or Switzerland, as applicable, then the “2021 Standard Contractual Clauses” (as approved by the European Commission in Implementing Decision (EU) 2021/914) and related annexes and appendices shall apply.

4. SECURITY RESPONSIBILITIES

Worksection will implement such technical and organizational measures to protect Customer Data against accidental or unlawful destruction or accidental loss, alteration, unauthorized processing, disclosure and access, which are required by applicable law. Worksection will maintain an information security program (including the adoption and enforcement of internal policies and procedures) designed to (a) help Customer secure Customer Data against accidental or unlawful loss, access or disclosure, (b) identify reasonably foreseeable and internal risks to security and unauthorized access to the Worksection, and (c) minimize security risks, including through risk assessment and regular testing. Worksection will designate one or more employees to coordinate and be accountable for the information security program. The information security program will include measures relating to both network and physical security, and will be reviewed periodically by Worksection to determine whether additional or different security measures are required to respond to new security risks or findings generated by the periodic reviews. If Customer wishes Worksection to take any further measures, Worksection will do so to a reasonable extent, but any additional costs shall be borne by Customer. Customer confirms that it deems the measures set forth in Annex 2 as being appropriate technical and organizational safeguards in relation to the processing of Personal Data.

5. CUSTOMER’S RESPONSIBILITY

Customer is solely responsible for reviewing the information made available by Worksection relating to data security and making an independent determination as to whether the Services meet Customer’s requirements, and for ensuring that Customer’s personnel and consultants follow the guidelines they are provided regarding data security.

6. AUDIT

Upon the request of Customer and during regular business hours, Worksection will submit its data processing facilities for audit of the processing activities covered by the Addendum which shall be carried out by Customer at Customer’s expense.

7. SECURITY

7.1. If Worksection becomes aware of either (a) any unlawful access to any Customer Data stored on Worksection’s equipment or in Worksection’s facilities; or (b) any unauthorized access to such equipment or facilities, where in either case such access results in loss, disclosure, or alteration of Customer Data (each a “Security Incident”), Worksection will promptly: (a) notify Customer of the Security Incident; and (b) take reasonable steps to mitigate the effects and to minimize any damage resulting from the Security Incident.

7.2. Customer agrees that:

(i) an unsuccessful Security Incident will not be subject to this Section. An unsuccessful Security Incident is one that results in no unauthorized access to Customer Data or to any of Worksection’s equipment or facilities storing Customer Data, and may include, without limitation, pings and other broadcast attacks on firewalls or edge servers, port scans, unsuccessful log-on attempts, denial of service attacks, packet sniffing (or other unauthorized access to traffic data that does not result in access beyond IP addresses or headers) or similar incidents; and

(ii) Worksection’s obligation to report or respond to a Security Incident under this Section is not and will not be construed as an acknowledgement by Worksection of any fault or liability of Worksection with respect to the Security Incident.

7.3. Notification(s) of Security Incidents, if any, will be delivered to one or more of Customer’s administrators by any means Worksection selects, including via email. It is Customer’s sole responsibility to ensure Customer’s administrators maintain accurate contact information on the Worksection at all times.

8. SUB-PROCESSORS

8.1. Authorized Sub-processors. Customer agrees that Worksection may use sub-processors to fulfil its contractual obligations under this Addendum or to provide certain services on its behalf, such as providing support services. Worksection maintains a list of sub-processors on its website worksection.com/en/agreement.html. Worksection shall notify Customer of any intended changes concerning the addition or replacement of sub-processors, to which the Customer may object. Customer is notified when Worksection updates the list of sub-processors on its website. If Customer has made no such objection within thirty (30) days from the date of receipt of the notification/date of update on the website, Customer is assumed to have made no objection. In case of an objection from the Customer, Worksection has the right to cure the Customer’s objection at Worksection’s sole discretion. If (i) no corrective option is reasonably available; or (ii) the parties have not been able to find a mutually agreeable solution, and (iii) the objection has not been cured within thirty (30) days after Worksection receiving the objection, either Party may terminate the Terms of Service with immediate effect.

8.2. Sub-processor Obligations. Where Worksection authorizes any sub-processor as described in this Section:

(i) Worksection will restrict the sub-processor’s access to Customer Data only to what is necessary to maintain the Services or to provide the Services to Customer in accordance with the Terms of Service and Worksection will prohibit the sub-processor from accessing Customer Data for any other purpose.

(ii) Worksection will impose appropriate contractual obligations in writing upon the sub-processor that are no less protective than this Addendum, including relevant contractual obligations regarding confidentiality, data protection, data security and audit rights; and

(iii) Worksection will remain responsible for its compliance with the obligations of this Addendum and for any acts or omissions of the sub-processor that cause Worksection to breach any of Worksection’s obligations under this Addendum.

9. OBLIGATIONS TO INFORM

If Customer Data becomes subject to confiscation during bankruptcy or insolvency proceedings, or similar measures by third parties while being processed by Worksection, Worksection will inform Customer without undue delay. Worksection will, without undue delay, notify all relevant parties in such action (e.g. creditors, bankruptcy trustee) that any Customer Data subjected to those proceedings is Customer’s property and area of responsibility and that Customer Data is at Customer’s sole disposition.

10. RETURN AND DELETION OF PERSONAL DATA

Following termination of the Agreement and cessation of the Services, at the choice of Customer (indicated through the Platform or in written notification to Processor), Processor shall delete or return to Customer all the Personal Data it Processes solely on behalf of the Customer in the manner described in the Agreement, and Processor shall delete existing copies of such Personal Data unless Data Protection Laws require otherwise. To the extent authorized or required by applicable law, Processor may also retain one copy of the Personal Data solely for evidence purposes and/or for the establishment, exercise or defense of legal claims and/or for compliance with legal obligations.

ANNEX 1 — DETAILS OF THE PROCESSING


Categories of Data Subjects.
Customer may submit Personal Data to the Service which may include, but is not limited to, Personal Data relating to the following categories of Data Subjects:

● Customer’s invited users
● Employees of Customer
● Consultants of Customer
● Agents of Customer
● Advisors of Customer
● Business partners and vendors of Customer (who are natural persons)

Any other third party individual with whom Customer decides to communicate through the Service.

Categories of data.
Any personal data comprised in Customer Data, i.e. Personal Data that is uploaded by the Customer to the Services under Customer’s Worksection accounts or otherwise processed by Worksection on behalf of Customer, in connection with Customer’s use of the Services.

The Customer acknowledges and understands that the Services are used for collaboration and planning, and that they are not designed for the processing of special categories of personal data.

Duration of Processing.
Subject to any Section of the DPA and/or the Agreement dealing with the duration of the processing and the consequences of the expiration or termination thereof, Worksection will Process Personal Data pursuant to the DPA and Agreement for the duration of the Agreement, unless otherwise agreed upon in writing. Customer will itself delete Personal Data uploaded to the Services, in accordance with its own retention policies.

Processing operations and frequency.
The processing takes place continuously, as Customer avails itself of the Services.

The personal data may be subject to the following processing activities:

● storage and other processing necessary to provide, maintain and improve the Services provided to the Data Exporter;
● to provide customer and technical support to the Data Exporter;
● disclosures in accordance with the Agreement, as compelled by law.

Sub-processing operations.
Sub-processors are engaged by Worksection for web analytics, ERP, customer data analytics, customer support, servers and hosting, and email functionalities.

ANNEX 2 — TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES


Measures of pseudonymization and encryption of personal data.
Worksection maintains customer data encrypted at rest using a cipher strength equivalent to 256 bit symmetric crypto or better. Data is encrypted in transit using TLS 1.2 or later.

Measures for ensuring ongoing confidentiality, integrity, and availability and resilience of processing systems and services.
The infrastructure for the Worksection services spans multiple data centres in different EU countries and in Ukraine.

Measures for ensuring the ability to restore availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
Worksection backs up customer data in real time. Backups are retained redundantly across multiple data centres and are encrypted in transit and at rest with industry standard ciphers with cipher strength equivalent to 256 bit symmetric crypto.

Processes for regular testing to ensure the security of processing.
Worksection maintains a security program based on ISO 27001 standards. This includes administrative, organizational, technical and physical security safeguards designed to protect the confidentiality, integrity and availability of customer data. Worksection performs annual third party application and network penetration tests.

Measures for user identification and authorization.
Worksection personnel are required to use unique user credentials and secrets for authentication.

Measures for the protection of data during transmission.
Customer data is encrypted with TLS 1.2 or later encryption during transmission between the customer and Worksection as well as internally between Worksection systems.

Measures for the protection of data during storage.
Customer data is stored encrypted using industry standard 256 bit symmetric ciphers.

Measures for ensuring systems configuration, including default configuration.
Worksection applies Secure Software Development Lifecycle (Secure SDLC) standards to perform numerous security-related activities for the Services across different phases of the product creation lifecycle from requirements gathering and product design all the way through product deployment. These activities include, but are not limited to, the performance of (a) internal security reviews before new services are deployed; (b) annual penetration testing by independent third parties; and (c) threat models for new services to detect any potential security problems.

Last Updated: July 11, 2022
