Legal

Data Processing Addendum

Data processing terms for processing personal data on behalf of customers

This Data Processing Addendum (“DPA”) applies when Workbase processes personal data on behalf of a customer under an agreement for Workbase services. It forms part of the applicable agreement unless the parties have signed a separate data processing agreement.

Roles

For customer data processed through the services, the customer is generally the controller and Workbase is generally the processor. The customer determines the purposes and means of processing. Workbase processes personal data only to provide, secure, support, and improve the services, and as otherwise instructed by the customer or required by law.

Subject Matter And Duration

The subject matter of processing is the provision of Workbase services, including workspace operation, integrations, automation, data organization, analytics, support, billing, and security. Processing continues for the term of the agreement and any additional period required for deletion, return, backup retention, legal compliance, or dispute resolution.

Categories Of Data

The services may process:

  • Account and user data.
  • Business contact data.
  • Workspace content and customer-uploaded data.
  • CRM, communication, and integration data.
  • Usage, audit, billing, security, and technical logs.
  • Support and communication records.

The exact categories depend on how the customer configures and uses Workbase.

Categories Of Data Subjects

Data subjects may include customer employees, contractors, administrators, end users, prospects, leads, business contacts, customers, suppliers, and other individuals whose data is submitted to or processed through the services.

Processing Activities

Processing may include collection, recording, organization, structuring, storage, retrieval, consultation, use, transmission, alignment, restriction, deletion, export, and other operations needed to provide the services.

Customer Instructions

Workbase will process personal data only on documented customer instructions unless required by law. The agreement, product configuration, customer actions, support requests, and this DPA are documented instructions. The customer is responsible for ensuring that instructions are lawful.

Confidentiality

Workbase ensures that personnel authorized to process personal data are subject to appropriate confidentiality obligations and receive access only where needed for their role.

Security Measures

Workbase maintains technical and organizational measures designed to protect personal data, including access controls, encryption, logging, monitoring, vulnerability management, secure development practices, backups, incident response processes, and personnel controls. Measures may evolve over time as long as the overall level of protection is not materially reduced.

Subprocessors

Customer authorizes Workbase to use subprocessors to provide the services. Workbase will impose data protection obligations on subprocessors that are materially equivalent to those in this DPA. Workbase remains responsible for subprocessors as required by applicable data protection law.

International Transfers

Where personal data is transferred internationally, Workbase will use appropriate safeguards required by applicable law, such as adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms.

Assistance

Taking into account the nature of processing, Workbase will provide reasonable assistance to help the customer respond to data subject requests, security incidents, data protection impact assessments, and consultations with supervisory authorities where required by applicable law.

Deletion And Return

Upon termination or expiry of the services, Workbase will delete or return personal data according to the agreement, product functionality, customer instructions, backup cycles, and legal retention obligations.

Audits

Workbase will make available information reasonably necessary to demonstrate compliance with this DPA. Audits must be reasonable, limited to relevant controls, protect confidential information, avoid disruption, and comply with Workbase security requirements.

Security Incidents

Workbase will notify the customer without undue delay after becoming aware of a personal data breach affecting customer data, as required by applicable law. Workbase will provide information reasonably available to help the customer meet its notification obligations.

Customer Responsibilities

The customer is responsible for lawful collection and use of personal data, providing required notices, obtaining required consents or other legal bases, configuring the services appropriately, managing users and permissions, and responding to data subjects where the customer controls the data.

Last updated