Document ID: WST-AGR-DPA-v1.0 · Effective Date: 2 May 2026 · Governing Law: Delaware, USA (with EU SCCs governed as set out below)
This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between Workestra LLC ("Workestra", the "Processor") and the customer entity that has accepted the Agreement ("Customer", the "Controller"). It governs Workestra's processing of personal data on Customer's behalf in connection with the Service.
By accepting the Terms of Service, Customer accepts this DPA. Customers requiring a counter-signed copy may request one at legal@workestra.app.
1. Definitions
Capitalized terms not defined here have the meaning given in the Agreement, the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the Swiss Federal Act on Data Protection ("FADP"), the California Consumer Privacy Act / CPRA ("CCPA"), or other applicable data protection law ("Data Protection Law"). "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Sub-processor", and "Supervisory Authority" have the meanings given in Data Protection Law.
2. Roles of the Parties
2.1 With respect to Customer Personal Data, Customer is the Controller and Workestra is the Processor, processing only on Customer's documented instructions, including the Agreement, this DPA, and Customer's use of the Service.
2.2 Customer acknowledges that with respect to account, billing, and usage data about Customer's authorized users that Workestra collects directly to operate and bill the Service, Workestra acts as a Controller. That processing is described in the Privacy Policy.
3. Subject Matter and Details of Processing
| Detail | Description |
|---|---|
| Subject matter | Provision of the Workestra platform (the Service) to Customer |
| Duration | Term of the subscription, plus a 30-day post-cancellation grace period |
| Nature and purpose | To enable Customer's business operations across CRM, Recruiting, Projects, Support, Finance, Analytics, People, and platform features (Time, Scheduling, Inbox, Knowledge Base, Automations, Sequences, Voice, AI), pursuant to Customer's instructions |
| Categories of Data Subjects | Customer's employees, contractors, candidates, customers, leads, suppliers, ticket reporters, deal contacts, and other individuals whose data Customer chooses to process in the workspace |
| Categories of Personal Data | Identification (name, role, employer); contact (email, phone, address); professional (title, employment history); content metadata; communications (email, SMS, voice transcripts); audit and usage data; and any other data Customer chooses to upload |
| Special categories | Workestra is not designed for, and Customer should avoid uploading, special categories of Personal Data (Article 9 GDPR) such as health, biometric, or criminal-record data, unless Customer has implemented appropriate safeguards |
4. Customer Instructions
Workestra processes Customer Personal Data only on Customer's documented instructions, which are set out in the Agreement, this DPA, and Customer's use and configuration of the Service. Workestra will inform Customer if it believes an instruction infringes Data Protection Law.
5. Processor Obligations
Workestra agrees to:
- Process Customer Personal Data only as instructed by Customer
- Ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations
- Implement and maintain appropriate technical and organizational measures (Section 7)
- Assist Customer, taking into account the nature of the processing, in fulfilling its obligations to respond to Data Subject requests (Section 9)
- Assist Customer in complying with its obligations regarding security, breach notification, data protection impact assessments, and prior consultation with Supervisory Authorities
- At Customer's choice, return or delete Customer Personal Data at the end of the Service, subject to Section 14
- Make available all information necessary to demonstrate compliance with Article 28 GDPR
6. Sub-processors
6.1 General authorization. Customer grants Workestra a general written authorization to engage Sub-processors, subject to the conditions in this Section 6.
6.2 Current list. The current list of Workestra Sub-processors, their purpose, and processing region is published at /legal/subprocessors. The list is updated as Sub-processors are added, replaced, or removed.
6.3 Notification of changes. Workestra will provide Customer with at least 14 days' prior notice of any addition or replacement of a Sub-processor, by updating the public list and notifying workspace administrators by email.
6.4 Right to object. Customer may object to a new Sub-processor on reasonable data-protection grounds within the notice period. The parties will work in good faith to resolve the objection. If no resolution is possible, Customer may terminate the affected portion of the Service, with a pro-rated refund of pre-paid fees for the unused period.
6.5 Sub-processor obligations. Workestra will impose on each Sub-processor data protection obligations no less protective than those in this DPA. Workestra remains liable to Customer for the acts and omissions of its Sub-processors.
7. Security Measures
Workestra implements and maintains technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, or unauthorized disclosure or access, including:
- Encryption. TLS 1.2+ in transit; AES-256 at rest in the Supabase database and storage layer
- Multi-tenant isolation. Postgres Row Level Security on `workspace_id` for every entity table, plus defense-in-depth `workspace_id` filters in service code
- Access control. Role-based access control with optional MFA; least-privilege access for Workestra personnel
- Audit logging. Authentication, admin, API, and MCP activity is logged in `audit_log` and retained for at least 12 months
- Network security. Hardened Vercel + Supabase production environments; secrets stored in encrypted vaults
- Vulnerability management. Dependency scanning, code review, and periodic security testing
- Backups and disaster recovery. Continuous backups with point-in-time recovery up to 35 days
- Personnel. Confidentiality obligations and security training for personnel with access to Customer Personal Data
A current security overview is available on request from security@workestra.app.
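The multi-tenant isolation measure above relies on two layers: a Row Level Security policy keyed on `workspace_id`, and an explicit `workspace_id` filter in service code. The following is an added illustration of what such a policy looks like on a Postgres/Supabase table; it is not Workestra's schema or code. The table name `deals`, the helper `current_workspace_id()`, the JWT claim name `workspace_id`, and the `authenticated` role are assumptions made for the example.

```sql
-- Added example, not Workestra's actual schema. Table "deals", the helper
-- current_workspace_id(), the JWT claim name and the "authenticated" role are assumed.
create table if not exists deals (
  id uuid primary key default gen_random_uuid(),
  workspace_id uuid not null,
  title text not null
);

-- Resolve the caller's tenant from the JWT claims the API layer exposes to Postgres
-- (Supabase publishes them under the request.jwt.claims setting; claim name assumed).
create or replace function current_workspace_id() returns uuid
language sql stable as $$
  select (nullif(current_setting('request.jwt.claims', true), '')::jsonb ->> 'workspace_id')::uuid
$$;

alter table deals enable row level security;
alter table deals force row level security;  -- apply the policy to the table owner as well

-- USING restricts which rows are visible, updatable or deletable; WITH CHECK restricts
-- which rows may be written. Both are required: without WITH CHECK a caller could insert
-- or move a row into another tenant's workspace_id.
create policy deals_workspace_isolation on deals
  for all
  to authenticated
  using (workspace_id = current_workspace_id())
  with check (workspace_id = current_workspace_id());

-- Manual check from a session impersonating a tenant:
-- set local role authenticated;
-- set local request.jwt.claims = '{"workspace_id":"00000000-0000-0000-0000-000000000001"}';
-- select count(*) from deals;  -- only rows for that workspace are returned
```

The second layer matters because RLS only protects tables that have a policy, and connections made with a privileged role (for example Supabase's `service_role` key, which bypasses RLS) see every row. A service-code query that always carries `where workspace_id = $1` means a table added without a policy, or a job running under the privileged role, still does not return another tenant's data.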
8. Personal Data Breach
8.1 Workestra will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data.
8.2 The notification will include, to the extent known: the nature of the breach, categories and approximate number of Data Subjects and records affected, likely consequences, and measures taken or proposed to address the breach and mitigate adverse effects.
8.3 Workestra will cooperate with Customer in investigating, mitigating, and remediating the breach and, where required, notifying Supervisory Authorities and Data Subjects.
9. Data Subject Requests
Workestra will, taking into account the nature of the processing, provide reasonable assistance to enable Customer to respond to requests from Data Subjects to exercise their rights of access, rectification, erasure, restriction, portability, and objection. Where a Data Subject contacts Workestra directly, Workestra will inform them that the request must be directed to the Customer (Controller) and forward the request to Customer where appropriate.
10. Cross-Border Transfers
10.1 EEA, UK, and Swiss transfers. Where Workestra processes Customer Personal Data originating in the EEA, UK, or Switzerland in a country that is not the subject of an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module 2: Controller-to-Processor) of Commission Implementing Decision (EU) 2021/914 ("SCCs") are incorporated by reference into this DPA, with the following selections:
| SCC element | Selection |
|---|---|
| Module | Module 2 (Controller → Processor) |
| Clause 7 (docking) | Optional clause applies |
| Clause 9 (Sub-processors) | Option 2 (general written authorization), 14 days' notice |
| Clause 11 (redress) | Independent dispute resolution body not elected |
| Clause 17 (governing law) | Law of the Republic of Ireland |
| Clause 18 (forum and jurisdiction) | Courts of Ireland |
| Annex I.A | Customer (data exporter) and Workestra LLC (data importer) |
| Annex I.B | Categories described in Section 3 of this DPA |
| Annex I.C | Irish Data Protection Commission |
| Annex II | Security measures described in Section 7 of this DPA |
| Annex III | Sub-processors listed at /legal/subprocessors |
10.2 UK Addendum. For transfers subject to the UK GDPR, the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office applies, with the SCCs above as the Approved EU SCCs. Tables 1–3 are populated by reference to this DPA; Table 4 selects "neither party".
10.3 Swiss transfers. For transfers subject to the FADP, the SCCs apply with the following adjustments: references to GDPR are interpreted as references to the FADP; the competent authority is the Swiss Federal Data Protection and Information Commissioner; and the term "Member State" must not be interpreted to exclude Data Subjects in Switzerland from suing for their rights.
10.4 Conflict. In the event of a conflict between this DPA and the SCCs, the SCCs prevail to the extent of the conflict.
11. CCPA / CPRA — Service Provider Status
For Customer Personal Data subject to the CCPA/CPRA, Workestra acts as a Service Provider as defined in the CCPA/CPRA. Workestra:
- Will not "sell" or "share" (as those terms are defined under the CCPA/CPRA) Customer Personal Data
- Will not retain, use, or disclose Customer Personal Data for any purpose other than the specific business purpose of providing the Service to Customer, except as permitted by the CCPA/CPRA
- Will not retain, use, or disclose Customer Personal Data outside the direct business relationship between Customer and Workestra
- Will not combine Customer Personal Data with personal information received from another source, except as permitted by the CCPA/CPRA
- Certifies that it understands and will comply with the restrictions in this Section 11
12. Audits
12.1 Workestra will make available to Customer, on reasonable written request and no more than once per year (except after a Personal Data Breach), information necessary to demonstrate compliance with Article 28 GDPR.
12.2 Where standard documentation (such as a SOC 2 Type II report, ISO 27001 certificate, or equivalent third-party audit, when available) is sufficient to demonstrate compliance, Customer agrees to accept it in lieu of a direct audit.
12.3 Where additional audit is reasonably required, the parties will agree on scope, schedule, and cost in good faith. Audits must be conducted under reasonable confidentiality obligations and in a manner that does not unduly disrupt Workestra's operations.
13. Customers in Other Jurisdictions
For Customers and Data Subjects located outside jurisdictions covered above, this DPA still applies to set the standard of care; SCCs and CCPA-specific provisions apply only where their respective regimes apply.
14. Return or Deletion of Customer Personal Data
14.1 During the Term, Customer can export workspace data through the Service's export tools and APIs in standard formats (CSV, JSON).
14.2 On termination of the Agreement, Customer Personal Data is retained for 30 days to allow export, then permanently deleted from production systems. Backups roll off within 35 days thereafter.
14.3 Workestra may retain Customer Personal Data to the extent and for the duration required by applicable law, after which it will be deleted.
15. Liability
The parties' liability under or in connection with this DPA is governed by the limitation of liability provisions of the Agreement.
16. Term and Survival
This DPA takes effect on the Effective Date and remains in force for the term of the Agreement and any period during which Workestra retains Customer Personal Data. Sections relating to confidentiality, breach notification, and post-termination return/deletion survive termination.
17. Order of Precedence
In the event of a conflict between this DPA and the Agreement, this DPA prevails with respect to the Processing of Personal Data. The SCCs prevail over both with respect to cross-border transfers in scope of the SCCs.
18. Contact
| Topic | Contact |
|---|---|
| DPA execution and contracts | legal@workestra.app |
| Privacy and data subject rights | privacy@workestra.app |
| EU customers — Data Protection Officer | dpo@workestra.app |
| Security and breach notification | security@workestra.app |
Policy Changelog
| Version | Date | Summary |
|---|---|---|
| v1.0 | 2026-05-02 | Initial publication |