Legal
Data Processing Addendum
Data processing terms for processing personal data on behalf of customers
This Data Processing Addendum (“DPA”) applies when Workbase processes personal data on behalf of a customer under an agreement for Workbase services. It forms part of the applicable agreement unless the parties have signed a separate data processing agreement.
Roles
For customer data processed through the services, the customer is generally the controller and Workbase is generally the processor. The customer determines the purposes and means of processing. Workbase processes personal data only to provide, secure, support, and improve the services, and as otherwise instructed by the customer or required by law.
Subject Matter And Duration
The subject matter of processing is the provision of Workbase services, including workspace operation, integrations, automation, data organization, analytics, support, billing, and security. Processing continues for the term of the agreement and any additional period required for deletion, return, backup retention, legal compliance, or dispute resolution.
Categories Of Data
The services may process:
- Account and user data.
- Business contact data.
- Workspace content and customer-uploaded data.
- CRM, communication, and integration data.
- Usage, audit, billing, security, and technical logs.
- Support and communication records.
The exact categories depend on how the customer configures and uses Workbase.
Categories Of Data Subjects
Data subjects may include customer employees, contractors, administrators, end users, prospects, leads, business contacts, customers, suppliers, and other individuals whose data is submitted to or processed through the services.
Processing Activities
Processing may include collection, recording, organization, structuring, storage, retrieval, consultation, use, transmission, alignment, restriction, deletion, export, and other operations needed to provide the services.
Customer Instructions
Workbase will process personal data only on documented customer instructions unless required by law. The agreement, product configuration, customer actions, support requests, and this DPA are documented instructions. The customer is responsible for ensuring that instructions are lawful.
Confidentiality
Workbase ensures that personnel authorized to process personal data are subject to appropriate confidentiality obligations and receive access only where needed for their role.
Security Measures
Workbase maintains technical and organizational measures designed to protect personal data, including access controls, encryption, logging, monitoring, vulnerability management, secure development practices, backups, incident response processes, and personnel controls. Measures may evolve over time as long as the overall level of protection is not materially reduced.
Subprocessors
Customer authorizes Workbase to use subprocessors to provide the services. Workbase will impose data protection obligations on subprocessors that are materially equivalent to those in this DPA. Workbase remains responsible for subprocessors as required by applicable data protection law.
International Transfers
Where personal data is transferred internationally, Workbase will use appropriate safeguards required by applicable law, such as adequacy decisions, standard contractual clauses, or other lawful transfer mechanisms.
Assistance
Taking into account the nature of processing, Workbase will provide reasonable assistance to help the customer respond to data subject requests, security incidents, data protection impact assessments, and consultations with supervisory authorities where required by applicable law.
Deletion And Return
Upon termination or expiry of the services, Workbase will delete or return personal data according to the agreement, product functionality, customer instructions, backup cycles, and legal retention obligations.
Audits
Workbase will make available information reasonably necessary to demonstrate compliance with this DPA. Audits must be reasonable, limited to relevant controls, protect confidential information, avoid disruption, and comply with Workbase security requirements.
Security Incidents
Workbase will notify the customer without undue delay after becoming aware of a personal data breach affecting customer data, as required by applicable law. Workbase will provide information reasonably available to help the customer meet its notification obligations.
Customer Responsibilities
The customer is responsible for lawful collection and use of personal data, providing required notices, obtaining required consents or other legal bases, configuring the services appropriately, managing users and permissions, and responding to data subjects where the customer controls the data.
Last updated