WorkSwarm
Trust Center - Confidential
Version 1.0
Updated 2026-05-08
Privacyv1.0 · Updated 2026-05-08 · 8 pages
GDPR Control Map
Mapping of WorkSwarm's controls to key GDPR Articles: 5 (Principles), 28 (Processor), 32 (Security), 33–34 (Breach Notification), and 44–49 (Transfers).
Prepared by Data Protection Officer, WorkSwarm, Inc.
Contents
About This Document
This document maps WorkSwarm's data protection controls to the General Data Protection Regulation (GDPR). It demonstrates how WorkSwarm, as a data processor, implements technical and organizational measures to protect personal data of EU/EEA data subjects.
WorkSwarm offers a Standard Data Processing Agreement (DPA) incorporating EU Standard Contractual Clauses (Module 2: Controller-to-Processor) for lawful international data transfers.
1. Article 5 - Principles of Processing
Article 5 establishes the fundamental principles for processing personal data.
| Principle | GDPR Requirement | WorkSwarm Implementation |
|---|---|---|
| Lawfulness, fairness, transparency | Processing must have a lawful basis | WorkSwarm processes data only on customer instructions (processor). Legal basis determination is the controller's responsibility; WorkSwarm provides tooling for consent management and lawful basis documentation. |
| Purpose limitation | Data collected for specified, explicit, legitimate purposes | WorkSwarm processes data strictly per the DPA scope. No secondary use. No data mining. No profiling beyond customer-directed operations. |
| Data minimisation | Data must be adequate, relevant, limited to purpose | Customers control what data enters WorkSwarm. LLM prompts are redacted of unnecessary PII before processing. Data retention is customer-configurable. |
| Accuracy | Data must be accurate and kept up to date | Customers manage data accuracy. WorkSwarm provides DSR tools for rectification. Data synchronization APIs maintain accuracy across systems. |
| Storage limitation | Data kept only as long as necessary | Customer-configurable retention periods (30 days to 7 years). Automated deletion workflows. Cryptographic deletion with verification. |
| Integrity and confidentiality | Appropriate security measures | AES-256-GCM encryption, mTLS, RBAC, audit logging, vulnerability management. Full detail in Section 3 (Article 32) below. |
| Accountability | Controller must demonstrate compliance | WorkSwarm provides: audit logs, ROPA auto-generation, DSR processing records, DPA, sub-processor register, compliance posture letters. |
2. Article 28 - Processor Obligations
Article 28 governs the relationship between data controllers and processors.
| Obligation | WorkSwarm Implementation |
|---|---|
| Process only on documented instructions (28.3a) | WorkSwarm processes personal data exclusively per the customer's documented instructions as defined in the DPA. No independent processing decisions. |
| Confidentiality obligations for personnel (28.3b) | All employees sign confidentiality agreements. Background checks for personnel with data access. Annual data protection training. |
| Implement Article 32 security measures (28.3c) | Full implementation documented in Section 3 below. Independent verification via SOC 2 audit (in progress). |
| Sub-processor approval (28.3d) | 30-day advance notice for new sub-processors. Customer objection right with penalty-free termination. Sub-processor DPAs maintained. |
| Assist with DSR fulfillment (28.3e) | Automated DSR tools: access, rectification, erasure, portability, restriction. SLA: 48 hours for automated DSRs, 5 business days for complex. |
| Assist with DPIA (28.3f) | WorkSwarm provides technical documentation for customer DPIAs. Impact assessment support available for Enterprise tier customers. |
| Delete or return data at contract end (28.3g) | Customer data exported in standard formats (JSON, CSV) within 30 days of contract termination. Cryptographic deletion within 90 days. Deletion certificate provided. |
| Provide audit information (28.3h) | SOC 2 report (when available), ISO 27001 certificate (when available), pen test summary, compliance posture letter. On-site audit rights per DPA (with reasonable notice). |
3. Article 32 - Security of Processing
Article 32 requires appropriate technical and organizational measures to ensure a level of security appropriate to the risk.
| Measure (Art. 32.1) | WorkSwarm Implementation |
|---|---|
| Pseudonymisation and encryption (a) | AES-256-GCM at rest. TLS 1.3 in transit. PII pseudonymisation in LLM prompts. BYOK/HYOK for customer-managed encryption. |
| Confidentiality, integrity, availability, resilience (b) | Confidentiality: RBAC, MFA, encryption, tenant isolation. Integrity: hash-chained audit logs, HSM signatures. Availability: 99.95% SLA, multi-AZ. Resilience: auto-scaling, circuit breakers. |
| Restore availability and access (c) | RTO 4 hours, RPO 15 minutes. Automated failover. Cross-region backup replication. Quarterly DR testing. |
| Regular testing and evaluation (d) | Annual pen test. Quarterly vulnerability scans. Continuous monitoring. Annual security program review. SOC 2 audit cycle. |
4. Articles 33–34 - Breach Notification
Articles 33 and 34 establish breach notification requirements to supervisory authorities and data subjects.
| Requirement | WorkSwarm Implementation |
|---|---|
| Notification to supervisory authority within 72 hours (Art. 33) | WorkSwarm notifies the customer (controller) without undue delay and within 24 hours of confirming a personal data breach. This gives the controller time to notify the supervisory authority within the 72-hour GDPR deadline. |
| Content of notification (Art. 33.3) | Notification includes: nature of breach, categories and approximate number of data subjects, likely consequences, measures taken or proposed. Provided in structured format for controller's use. |
| Communication to data subjects (Art. 34) | WorkSwarm assists the controller in communicating breaches to data subjects when required. Provides templates, affected data subject lists, and communication channel support. |
| Documentation of breaches (Art. 33.5) | All breach assessments documented in incident management system. Retained for regulatory examination. Post-mortem published within 14 days. |
5. Articles 44–49 - International Transfers
WorkSwarm enables lawful international data transfers through multiple mechanisms.
| Mechanism | WorkSwarm Implementation |
|---|---|
| Standard Contractual Clauses (Art. 46.2c) | DPA incorporates EU SCC Module 2 (Controller-to-Processor). Executed per European Commission Decision 2021/914. |
| Data residency controls | Customers select data processing region at signup: EU (Ireland/Frankfurt), India (Mumbai/Hyderabad), US (Virginia/Oregon). Records pinned at write time. |
| Transfer Impact Assessment | WorkSwarm provides Transfer Impact Assessment documentation covering: legal framework of destination country, supplementary measures, risk assessment. |
| Supplementary measures | Encryption in transit and at rest with customer-managed keys (BYOK/HYOK). Access controls limiting WorkSwarm personnel access. Transparency reports on government requests. |
| Sub-processor transfers | All sub-processors with access to EU personal data have executed SCCs. Sub-processor register includes country and DPA status for each. |
6. Contact
For GDPR-specific inquiries, DPA requests, or DSR processing:
Data Protection Officer: dpo@workswarm.ai
Trust Center: trust@workswarm.ai
Disclaimer:This document is provided for informational purposes and represents WorkSwarm's current security posture and planned controls. Legal templates are provided as starting points and should be reviewed by your legal counsel before execution. Certification timelines are targets and subject to change based on auditor availability and assessment outcomes.
© 2026 WorkSwarm, Inc. · Confidential · workswarm.ai/trust
GDPR Control Map
8 pages · PDF