Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer", "Controller") and Flawless Digital FZ-LLC trading as WorkFlawless ("WorkFlawless", "Processor") for the provision of the WorkFlawless services (the "Agreement"). It governs WorkFlawless's processing of personal data on Customer's behalf. If there is a conflict between this DPA and the Agreement on data protection, this DPA prevails.

1. Definitions

Capitalized terms not defined here have the meaning in the Agreement. "Data Protection Laws" means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss FADP, and U.S. state privacy laws including the California Consumer Privacy Act as amended ("CCPA/CPRA"). "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data contained in Customer Data that WorkFlawless processes on Customer's behalf. "Sub-processor" means any third party engaged by WorkFlawless to process Customer Personal Data.

2. Roles and scope

The parties acknowledge that, for Customer Personal Data, Customer is the Controller (or a processor acting on behalf of a third-party controller) and WorkFlawless is the Processor. Each party will comply with its obligations under Data Protection Laws. This DPA applies where and to the extent WorkFlawless processes Customer Personal Data on Customer's behalf in connection with the Services. Details of the processing are set out in Annex 1.

3. Processing instructions

WorkFlawless will process Customer Personal Data only:

(a) to provide, secure, maintain and improve the Services in accordance with the Agreement and this DPA;

(b) on Customer's documented instructions, including as set out in this DPA and as given through Customer's configuration and use of the Services; and

(c) as required by applicable law, in which case WorkFlawless will (unless prohibited) inform Customer of that legal requirement before processing.

WorkFlawless will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.

4. Confidentiality

WorkFlawless ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as necessary to perform their duties.

5. Security

WorkFlawless implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as described in Annex 2. WorkFlawless regularly reviews and, where appropriate, improves these measures, provided they do not materially reduce the overall level of security.

6. Sub-processors

Customer provides general authorization for WorkFlawless to engage Sub-processors to process Customer Personal Data, subject to this Section. WorkFlawless:

(a) maintains a current list of Sub-processors in Annex 3;

(b) imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA;

(c) remains liable to Customer for each Sub-processor's performance of its data protection obligations; and

(d) will give Customer reasonable prior notice of any intended addition or replacement of a Sub-processor (for example, by updating the list and/or email), during which Customer may object on reasonable data-protection grounds. If the parties cannot resolve a reasonable objection, Customer may terminate the affected Services as its sole remedy.

7. International transfers

WorkFlawless's primary hosting infrastructure is located in the European Union. WorkFlawless is established in the United Arab Emirates and may access and process Customer Personal Data from the UAE to operate, support and secure the Services. Where WorkFlawless transfers Customer Personal Data outside the EEA, the UK or Switzerland to a country without an adequacy decision (including the UAE and the United States), the transfer is governed by an appropriate safeguard, including the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum / Swiss addendum as applicable), which are incorporated into this DPA by reference, and/or the recipient's certification under the EU-US Data Privacy Framework. [Specify SCC modules, docking, and optional clauses with counsel.]

8. Assistance to Customer

Taking into account the nature of the processing, WorkFlawless will assist Customer by appropriate technical and organizational measures, insofar as possible, to:

(a) respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection);

(b) ensure compliance with security, breach-notification, and data protection impact assessment / prior-consultation obligations (Articles 32–36 GDPR).

The Services provide Customer with controls to access, correct, export and delete Customer Personal Data; where a request cannot be fulfilled through those controls, WorkFlawless will provide reasonable assistance.

9. Personal Data Breach

WorkFlawless will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its breach-notification obligations. Such notification is not an acknowledgement of fault or liability.

10. Audits

WorkFlawless will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. WorkFlawless may satisfy this obligation by providing relevant third-party audit reports, certifications, or a completed security questionnaire. Audits are subject to reasonable notice, confidentiality, frequency limits, and Customer bearing its own costs, and must not unreasonably disrupt WorkFlawless's operations.

11. Deletion or return

Upon termination or expiry of the Agreement, WorkFlawless will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies unless applicable law requires storage. Residual copies in routine backups are deleted on the ordinary backup-rotation cycle.

12. CCPA / CPRA terms

To the extent WorkFlawless processes Personal Information (as defined by the CCPA/CPRA) on Customer's behalf, WorkFlawless acts as a Service Provider. WorkFlawless will not: (a) sell or share such Personal Information; (b) retain, use or disclose it for any purpose other than performing the Services, or as otherwise permitted by the CCPA/CPRA; (c) retain, use or disclose it outside the direct business relationship; or (d) combine it with Personal Information from other sources except as permitted by the CCPA/CPRA. WorkFlawless certifies that it understands and will comply with these restrictions.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.

14. Term

This DPA takes effect on the effective date of the Agreement and remains in force for as long as WorkFlawless processes Customer Personal Data.


Annex 1 — Details of processing

  • Subject matter: Provision of the WorkFlawless workflow, SOP, onboarding-path and process-management Services.
  • Duration: For the term of the Agreement, plus any deletion/return period.
  • Nature and purpose: Hosting, storage, and processing of Customer Data to provide the Services, including collaboration, notifications, assignments, search and (where enabled) AI-assisted generation and integrations.
  • Categories of Data Subjects: Customer's administrators, employees, and other authorized end users; individuals referenced within Customer Content.
  • Types of Personal Data: Identification and contact data (name, email, job title), account credentials, profile data, team/department membership, content and documents created or uploaded by Customer (which may contain Personal Data Customer chooses to include), usage and log data. Customer should avoid placing special-category data in the Services unless agreed.

Annex 2 — Technical and organizational measures

WorkFlawless maintains measures including: encryption of data in transit (TLS); encryption at rest of sensitive secrets such as OAuth and bot tokens; access controls based on least privilege and role-based permissions; tenant isolation of Customer Data; signed, time-limited URLs for private file access; secure software development practices; network and application security controls; logging and monitoring; regular backups; and incident-response procedures. Hosting is provided on infrastructure located in the European Union; WorkFlawless personnel may access data from the United Arab Emirates under the safeguards described in Section 7.

Annex 3 — Sub-processors

Sub-processor               Service                                                      Location
Hetzner                     Cloud hosting (application, database, storage)               Germany (EU)
Amazon Web Services (SES)   Transactional email delivery                                 EU/US
Paddle                      Payments and subscription management                         EU/US
MailerLite                  Marketing email (account-level)                              EU/US
OpenAI                      AI generation and assistant features                         US
Slack                       Outbound notifications (where enabled)                       US
Google                      SSO, Drive integration, analytics/ads (Site)                 EU/US
Microsoft                   SSO, SharePoint/OneDrive integration, ads/analytics (Site)   EU/US
Sentry                      Error and performance monitoring                             EU

The current Sub-processor list is available on request and may be updated in accordance with Section 6.