WORKBENCH DATA PROCESSING ADDENDUM (DPA)

Version 1.0

Effective Date: November 28, 2025

Last Updated: November 28, 2025

This Data Processing Addendum ("DPA") forms part of the Workbench Terms of Use or other written agreement ("Agreement") between Customer ("Controller") and Workbench ("Processor") governing Customer's use of the Workbench Service.

This DPA applies to Workbench's processing of Customer Data that contains Personal Information (as defined below) on behalf of the Customer.


1. Definitions

  • "Customer Data" means any data, content, or information uploaded to or processed through the Workbench Service by or on behalf of Customer.
  • "Personal Information" means any information relating to an identified or identifiable individual, including employee data uploaded by Customer.
  • "Processing" means any operation performed on Personal Information, including storage, use, access, transmission, or deletion.
  • "Service" means the software and services provided by Workbench under the Agreement.
  • "Subprocessor" means any third party engaged by Workbench to process Personal Information.
  • "Controller" refers to Customer.
  • "Processor" refers to Workbench.

2. Roles of the Parties

2.1 Controller Instructions

Customer is the Controller of Personal Information. Workbench will process Personal Information only:

  • To provide and maintain the Service
  • To comply with Customer's written instructions
  • As required by law

Workbench will not:

  • Sell Personal Information
  • Use Personal Information for advertising
  • Use Personal Information for its own purposes outside of delivering the Service

2.2 Customer Responsibilities

Customer is responsible for:

  • Ensuring it has the lawful right to upload and process all Customer Data
  • Providing appropriate privacy notices to employees
  • Determining the categories of Personal Information it uploads
  • Complying with all applicable privacy laws

Workbench is not responsible for the content or accuracy of Customer Data.


3. Scope of Processing

Workbench may process the following categories of Personal Information:

  • Employee names, titles, email addresses
  • Compensation and performance review data
  • Employment-related notes or attachments
  • Login credentials for Customer users
  • Usage metadata related to Service operation
  • Limited billing information returned by Stripe

Workbench does not process:

  • Social Security numbers
  • Full payment card numbers
  • Biometric data
  • Protected health information under HIPAA
  • Geolocation data (beyond IP address)

Processing Activities

Workbench may:

  • Store Personal Information
  • Transmit Personal Information
  • Structure and analyze Personal Information for display
  • Back up Personal Information
  • Delete or return Personal Information at Customer's request

4. Subprocessors

4.1 Authorized Subprocessors

Customer authorizes Workbench to use the following subprocessors:

  • Supabase – database, storage, authentication, and email delivery
  • Vercel – hosting and server infrastructure
  • Stripe – payment processing
  • Email infrastructure providers (e.g., Postmark, SendGrid)
  • Analytics/logging providers (e.g., Logflare, Sentry, or similar)

4.2 Subprocessor Obligations

Workbench will:

  • Ensure subprocessors are bound by written contracts
  • Require subprocessors to implement industry-standard security
  • Remain responsible for subprocessor performance

5. Security

Workbench uses commercially reasonable technical and organizational measures including:

  • Encryption in transit and at rest
  • Access controls and authentication
  • Monitoring and logging
  • Segmented production environments
  • Secure hosting infrastructure (Supabase + Vercel)
  • Employee confidentiality agreements

Customer is responsible for:

  • Securing its own systems
  • Managing user roles and permissions
  • Protecting access credentials

6. Breach Notification

Workbench will notify Customer without unreasonable delay after becoming aware of unauthorized access to Customer Personal Information.

Notifications will include:

  • A description of the incident
  • The type of Personal Information affected
  • Steps taken to mitigate harm
  • Recommended actions for Customer

Workbench will not notify regulators or affected individuals on Customer's behalf unless required by law or agreed in writing.


7. Data Retention and Deletion

7.1 Retention

Workbench retains Personal Information only as long as necessary to provide the Service or comply with legal obligations.

7.2 Deletion or Return

Upon request or at account termination:

  • Workbench will delete or return Personal Information within 30 days
  • Backups may persist for up to 90 days, after which they are overwritten as part of standard rotation

8. Audits

Workbench will:

  • Maintain documentation of its security and privacy practices
  • Provide this documentation upon reasonable request

Formal onsite audits require:

  • 30 days' notice
  • A mutually approved auditor
  • Reimbursement by Customer for audit costs
  • No disruption to Workbench operations

9. Customer Access Requests

Workbench will assist Customer, at Customer's request, with:

  • Access, correction, or deletion of Personal Information
  • Responding to employee or consumer privacy requests
  • Complying with applicable privacy laws

Workbench will not respond directly to individuals unless legally obligated.


10. Data Transfer

Personal Information may be stored or processed in the United States.

If Customer requires cross-border data transfer mechanisms in the future (e.g., GDPR Standard Contractual Clauses), Workbench will incorporate them upon expansion to the EU.


11. Restrictions on Use

Workbench will not:

  • Sell or "share" Personal Information
  • Use Personal Information for targeted advertising
  • Use Personal Information for model training
  • Combine Customer Data with data from other customers

12. Limitations of Liability

Liability under this DPA is subject to the limitations set forth in the Agreement.

This DPA does not increase either party's liability beyond those contractual limits.


13. Term and Termination

This DPA begins when Customer accepts the Terms of Use and continues for as long as Workbench processes Customer Personal Information.

Upon termination of the Agreement:

  • The DPA automatically terminates
  • Customer Data will be deleted consistent with Section 7

14. Governing Law

This DPA is governed by the laws of the State of Georgia, except to the extent otherwise required by law.


15. Entire Agreement

This DPA, together with the Agreement, forms the entire agreement relating to data processing between the parties.