This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer", "Controller") and Flawless Digital FZ-LLC trading as WorkFlawless ("WorkFlawless", "Processor") for the provision of the WorkFlawless services (the "Agreement"). It governs WorkFlawless's processing of personal data on Customer's behalf. If there is a conflict between this DPA and the Agreement on data protection, this DPA prevails.
Capitalized terms not defined here have the meaning in the Agreement. "Data Protection Laws" means all laws applicable to the processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR and Data Protection Act 2018, the Swiss FADP, and U.S. state privacy laws including the California Consumer Privacy Act as amended ("CCPA/CPRA"). "Controller", "Processor", "Data Subject", "Personal Data", "Processing", and "Personal Data Breach" have the meanings given in the GDPR. "Customer Personal Data" means Personal Data contained in Customer Data that WorkFlawless processes on Customer's behalf. "Sub-processor" means any third party engaged by WorkFlawless to process Customer Personal Data.
The parties acknowledge that, for Customer Personal Data, Customer is the Controller (or a processor acting on behalf of a third-party controller) and WorkFlawless is the Processor. Each party will comply with its obligations under Data Protection Laws. This DPA applies where and to the extent WorkFlawless processes Customer Personal Data on Customer's behalf in connection with the Services. Details of the processing are set out in Annex 1.
WorkFlawless will process Customer Personal Data only:
(a) to provide, secure, maintain and improve the Services in accordance with the Agreement and this DPA;
(b) on Customer's documented instructions, including as set out in this DPA and as given through Customer's configuration and use of the Services; and
(c) as required by applicable law, in which case WorkFlawless will (unless prohibited) inform Customer of that legal requirement before processing.
WorkFlawless will inform Customer if, in its opinion, an instruction infringes Data Protection Laws.
WorkFlawless ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations and process the data only as necessary to perform their duties.
WorkFlawless implements and maintains appropriate technical and organizational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as described in Annex 2. WorkFlawless regularly reviews and, where appropriate, improves these measures, provided they do not materially reduce the overall level of security.
Customer provides general authorization for WorkFlawless to engage Sub-processors to process Customer Personal Data, subject to this Section. WorkFlawless:
(a) maintains a current list of Sub-processors in Annex 3;
(b) imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA;
(c) remains liable to Customer for each Sub-processor's performance of its data protection obligations; and
(d) will give Customer reasonable prior notice of any intended addition or replacement of a Sub-processor (for example, by updating the list and/or by email), during which Customer may object on reasonable data-protection grounds. If the parties cannot resolve a reasonable objection, Customer may terminate the affected Services as its sole remedy.
WorkFlawless's primary hosting infrastructure is located in the European Union. WorkFlawless is established in the United Arab Emirates and may access and process Customer Personal Data from the UAE to operate, support and secure the Services. Where WorkFlawless transfers Customer Personal Data outside the EEA, the UK or Switzerland to a country without an adequacy decision (including the UAE and the United States), the transfer is governed by an appropriate safeguard, including the European Commission's Standard Contractual Clauses (and the UK International Data Transfer Addendum / Swiss addendum as applicable), which are incorporated into this DPA by reference, and/or the recipient's certification under the EU-US Data Privacy Framework. [Specify SCC modules, docking, and optional clauses with counsel.]
Taking into account the nature of the processing, WorkFlawless will assist Customer by appropriate technical and organizational measures, insofar as possible, to:
(a) respond to requests from Data Subjects to exercise their rights (access, rectification, erasure, restriction, portability, objection);
(b) ensure compliance with security, breach-notification, and data protection impact assessment / prior-consultation obligations (Articles 32–36 GDPR).
The Services provide Customer with controls to access, correct, export and delete Customer Personal Data; where a request cannot be fulfilled through those controls, WorkFlawless will provide reasonable assistance.
WorkFlawless will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its breach-notification obligations. Such notification is not an acknowledgement of fault or liability.
WorkFlawless will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. WorkFlawless may satisfy this obligation by providing relevant third-party audit reports, certifications, or a completed security questionnaire. Audits are subject to reasonable notice, confidentiality, frequency limits, and Customer bearing its own costs, and must not unreasonably disrupt WorkFlawless's operations.
Upon termination or expiry of the Agreement, WorkFlawless will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies unless applicable law requires storage. Residual copies in routine backups are deleted on the ordinary backup-rotation cycle.
To the extent WorkFlawless processes Personal Information (as defined by the CCPA/CPRA) on Customer's behalf, WorkFlawless acts as a Service Provider. WorkFlawless will not: (a) sell or share such Personal Information; (b) retain, use or disclose it for any purpose other than performing the Services, or as otherwise permitted by the CCPA/CPRA; (c) retain, use or disclose it outside the direct business relationship; or (d) combine it with Personal Information from other sources except as permitted by the CCPA/CPRA. WorkFlawless certifies that it understands and will comply with these restrictions.
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
This DPA takes effect on the effective date of the Agreement and remains in force for as long as WorkFlawless processes Customer Personal Data.
WorkFlawless maintains measures including: encryption of data in transit (TLS); encryption at rest of sensitive secrets such as OAuth and bot tokens; access controls based on least privilege and role-based permissions; tenant isolation of Customer Data; signed, time-limited URLs for private file access; secure software development practices; network and application security controls; logging and monitoring; regular backups; and incident-response procedures. Hosting is provided on infrastructure located in the European Union; WorkFlawless personnel may access data from the United Arab Emirates under the safeguards described in Section 7.
| Sub-processor | Service | Location |
|---|---|---|
| Hetzner | Cloud hosting (application, database, storage) | Germany (EU) |
| Amazon Web Services (SES) | Transactional email delivery | EU/US |
| Paddle | Payments and subscription management | EU/US |
| MailerLite | Marketing email (account-level) | EU/US |
| OpenAI | AI generation and assistant features | US |
| Slack | Outbound notifications (where enabled) | US |
| | SSO, Drive integration, analytics/ads (Site) | EU/US |
| Microsoft | SSO, SharePoint/OneDrive integration, ads/analytics (Site) | EU/US |
| Sentry | Error and performance monitoring | EU |
The current Sub-processor list is available on request and may be updated in accordance with Section 6.