Legalv1.0 · Updated 2026-05-08 · 14 pages

Data Processing Agreement

Standard DPA incorporating GDPR Article 28, EU Standard Contractual Clauses (Module 2), and DPDP Act provisions.

Contents

  1. About This Document
  2. 1. Definitions
  3. 2. Scope and Purpose of Processing
  4. 3. Processor Obligations
  5. 4. Sub-processor Management
  6. 5. Data Subject Rights
  7. 6. Data Breach Notification
  8. 7. International Transfers
  9. 8. Security Measures (Annex II Summary)
  10. 9. Audit Rights
  11. 10. Term and Termination
  12. 11. Contact

About This Document

This Data Processing Agreement (DPA) governs WorkSwarm's processing of personal data on behalf of the Customer (Controller). It incorporates EU Standard Contractual Clauses (Module 2: Controller-to-Processor) per European Commission Decision 2021/914 and India's DPDP Act 2023 provisions. This DPA is an addendum to the Master Service Agreement (MSA). It applies automatically when the Customer's use of the Platform involves personal data.

1. Definitions

"Personal Data" means any information relating to an identified or identifiable natural person processed by WorkSwarm on behalf of the Customer. "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, erasure, or destruction. "Data Subject" means the identified or identifiable natural person to whom Personal Data relates. "Sub-processor" means any third party engaged by WorkSwarm to process Personal Data on behalf of the Customer. "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data. "Controller" means the Customer, as the entity determining the purposes and means of processing. "Processor" means WorkSwarm, as the entity processing Personal Data on behalf of the Controller.

2. Scope and Purpose of Processing

ElementDescription
Subject matterProcessing of Personal Data as necessary to provide the WorkSwarm Platform services per the MSA
DurationFor the term of the MSA, plus 90 days for data return/deletion
Nature and purposeStorage, organization, retrieval, AI-assisted analysis, workflow automation, communication
Types of Personal DataAs determined by Customer's use: may include names, email addresses, phone numbers, job titles, communications content, file attachments, usage metadata
Categories of Data SubjectsCustomer's employees, contractors, clients, prospects, partners - as determined by Customer's use

3. Processor Obligations

WorkSwarm, as Processor, shall:
  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law. If law requires processing, WorkSwarm will notify the Controller before processing unless law prohibits such notification.
  • Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organizational measures per Article 32 GDPR (detailed in Annex II).
  • Not engage another processor without prior written authorization from the Controller. The current list of authorized sub-processors is in the Sub-processor Register.
  • Assist the Controller with DSR fulfillment, DPIA, prior consultation, breach notification, and security obligations.
  • At the Controller's choice, delete or return all Personal Data after the end of services. Deletion completed within 90 days with certification.
  • Make available all information necessary to demonstrate compliance and allow for audits.

4. Sub-processor Management

WorkSwarm maintains a publicly available Sub-processor Register at /trust/reports/sub-processor-register.
  • New sub-processors: 30-day advance written notice (email to Customer's designated contact).
  • Customer objection: Customer may object within 30 days of notice by emailing trust@workswarm.ai with specific grounds.
  • Resolution: WorkSwarm will engage in good-faith discussion. If unresolved, Customer may terminate the affected services without penalty.
  • Sub-processor DPAs: WorkSwarm executes DPAs with all sub-processors imposing equivalent data protection obligations.
  • Sub-processor audit: WorkSwarm reviews sub-processor security posture annually. Results available on request under NDA.

5. Data Subject Rights

WorkSwarm assists the Controller in fulfilling Data Subject requests.
RightSLAMechanism
Access (Art. 15 GDPR / Sec. 8.1 DPDP)48 hours (automated) / 5 business days (complex)Self-service DSR portal + API
Rectification (Art. 16 / Sec. 8.3)48 hoursIn-product editing + API
Erasure (Art. 17 / Sec. 8.4)30 days (crypto-deletion) / 90 days (backup purge)Automated pipeline + deletion certificate
Restriction (Art. 18)48 hoursProcessing flag in database
Portability (Art. 20)5 business daysExport in JSON, CSV, or machine-readable format
Objection (Art. 21)5 business daysProcessing halt + controller notification

6. Data Breach Notification

In the event of a Data Breach:
  • WorkSwarm will notify the Controller without undue delay and no later than 24 hours after confirming the breach.
  • Notification will include: nature of the breach, categories and approximate number of Data Subjects affected, likely consequences, measures taken and proposed.
  • WorkSwarm will cooperate with the Controller's regulatory notifications (GDPR: 72 hours to supervisory authority; DPDP: 72 hours to Data Protection Board; CERT-In: 6 hours).
  • Post-mortem report provided within 14 days of resolution.
  • WorkSwarm maintains cyber insurance covering data breach response costs.

7. International Transfers

When Personal Data is transferred outside the EEA or India:
  • EU transfers: Standard Contractual Clauses (Module 2: Controller-to-Processor) per Commission Decision 2021/914 are incorporated by reference in Annex I.
  • India transfers: Data residency controls ensure Indian Personal Data is processed within India (Mumbai/Hyderabad regions) unless the Controller explicitly authorizes transfer to a permitted jurisdiction.
  • Transfer Impact Assessment: Available on request, covering: legal framework of destination country, supplementary measures, risk assessment.
  • Supplementary measures: Encryption with customer-managed keys (BYOK/HYOK), access limitations, transparency reports.

8. Security Measures (Annex II Summary)

WorkSwarm implements the following technical and organizational measures:
MeasureImplementation
Encryption at restAES-256-GCM with per-tenant keys. BYOK/HYOK supported.
Encryption in transitTLS 1.3 (external), mTLS (internal). Perfect forward secrecy.
Access controlSSO (SAML/OIDC), MFA required, RBAC+ABAC, least privilege, quarterly reviews.
Audit loggingImmutable, hash-chained, HSM-signed. 7-year retention. SIEM export.
Vulnerability managementAutomated scanning, annual pen test, 24-hour critical patch SLA.
Incident responseDocumented IRP, quarterly testing, P0 response within 15 minutes.
BCP/DRMulti-AZ, RTO 4h, RPO 15m, quarterly DR testing.
Employee securityBackground checks, confidentiality agreements, annual training.

9. Audit Rights

The Controller has the right to audit WorkSwarm's compliance with this DPA.
  • WorkSwarm will make available SOC 2 reports, ISO certificates, pen test summaries, and compliance posture letters as primary audit evidence.
  • If the above documentation is insufficient, the Controller may conduct (or commission) an on-site audit with 30 days' written notice, during business hours, no more than once per year.
  • Audit scope is limited to WorkSwarm's processing of the Controller's Personal Data.
  • Audit costs are borne by the Controller unless the audit reveals material non-compliance, in which case WorkSwarm bears the cost.

10. Term and Termination

This DPA is effective for the duration of the MSA. Upon termination: 1. WorkSwarm will cease processing Personal Data except as required by applicable law. 2. At the Controller's election (within 30 days): return all Personal Data in machine-readable format, or delete all Personal Data. 3. Deletion completed within 90 days, including backup copies. Deletion certificate provided. 4. WorkSwarm may retain Personal Data where required by applicable law, with notification to the Controller.

11. Contact

For DPA-related inquiries: Data Protection Officer: dpo@workswarm.ai Legal Team: legal@workswarm.ai Trust Center: trust@workswarm.ai

Disclaimer:This document is provided for informational purposes and represents WorkSwarm's current security posture and planned controls. Legal templates are provided as starting points and should be reviewed by your legal counsel before execution. Certification timelines are targets and subject to change based on auditor availability and assessment outcomes.

Data Processing Agreement

14 pages · PDF