Data Processing Agreement
Concluded under Article 28(3) GDPR. It forms an integral part of the Terms of Service and applies automatically to every WorkAist Cloud customer.
Effective: 2026-07-10
1. Parties and roles
This Data Processing Agreement ("DPA") is concluded between the customer identified in the WorkAist account (the "Controller") and ILIN & SADOVENKO, LDA, Rua de Xabregas, nº 2, Escritório 3.21, 1900-440 Lisboa, Portugal, NIF 517251876 (the "Processor").
In respect of Customer Data processed in WorkAist Cloud, the Controller determines the purposes and means of processing and the Processor processes on the Controller's behalf. Where the Controller is itself a processor for a third party, the Controller warrants that it has the authority to conclude this DPA and that the instructions it gives reflect that third party's instructions.
This DPA does not apply to WorkAist Self-Hosted, where Customer Data does not reach the Processor's systems, nor to data for which the Processor is itself the controller, which is governed by the Privacy Policy.
2. Order of precedence
Where this DPA conflicts with the Terms of Service, this DPA prevails on matters of data protection. Where it conflicts with an individually negotiated order form or a signed data processing agreement, that document prevails.
3. Subject matter, duration, nature and purpose
The subject matter is the provision of WorkAist Cloud. The nature and purpose of the processing is the hosting, storage, transmission and automated processing of Customer Data so that the Controller's configured agents, connectors and processes can run, together with the support, security, metering and billing activities necessary to deliver the Service.
The processing lasts for as long as the Controller's contract for WorkAist Cloud is in force, plus the deletion periods in clause 11.
4. Categories of data subjects and personal data
The Controller decides what it uploads. Typically the processing concerns:
| Categories of data subjects | Categories of personal data |
|---|---|
| The Controller's employees and authorised users | Name, work email, role, authentication data, audit-log entries |
| The Controller's customers, leads and contacts | Name, email, telephone number, company, correspondence, CRM records, any identifier the Controller chooses to sync |
| The Controller's suppliers and partners | Contact details, contract and invoice data |
| Any data subject appearing in documents or messages the Controller processes | Any personal data contained in files, emails, transcripts, images or messages the Controller submits to the Service |
Special categories of personal data under Article 9 GDPR and personal data relating to criminal convictions and offences under Article 10 GDPR must not be processed in the Service unless the parties have agreed additional safeguards in writing in advance.
Source of the data
Customer Data reaches the Service because the Controller connects external systems, uploads files, or instructs its agents to fetch it. The Controller alone selects those sources and determines what is imported.
The Controller warrants that it has a lawful basis under Article 6 GDPR — and, where applicable, Article 9 — for collecting that personal data and for transferring it to the Processor, and that any information notice or consent required in the source system is in place. The Processor has no access to the Controller's source systems, does not select them, and neither verifies nor is able to verify whether they comply with data-protection law. Determining that is the Controller's obligation as controller.
5. Processing on documented instructions
The Processor processes Customer Data only on the Controller's documented instructions, including as regards transfers to third countries, unless required to do otherwise by Union or Member State law to which the Processor is subject. In that case the Processor informs the Controller of that legal requirement before processing, unless the law prohibits it on important grounds of public interest.
The Terms of Service, this DPA, and the Controller's configuration and use of the Service constitute the Controller's complete documented instructions. Any additional instruction must be in writing and, if it requires effort beyond the Service's standard functionality, may be subject to a reasonable charge agreed in advance.
The Processor informs the Controller without undue delay if, in its opinion, an instruction infringes the GDPR or other Union or Member State data-protection law.
6. Confidentiality
The Processor ensures that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality, and that access is limited to those who need it to perform the contract.
7. Security of processing
Taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of processing, as well as the risk to the rights and freedoms of natural persons, the Processor implements the following technical and organisational measures under Article 32 GDPR.
Annex II — Technical and organisational measures
| Measure | Implementation |
|---|---|
| Encryption in transit | All traffic to and from the Service is served over TLS with automatically renewed certificates. Internal service-to-service traffic does not leave the host network. |
| Encryption of secrets | Customer credentials and connector secrets are encrypted at rest with AES-256-GCM under a key held outside the application database. |
| Pseudonymisation | Telemetry and metering records reference tenants and agents by identifier rather than by name or email wherever the identifier is sufficient. |
| Confidentiality — access control | Role-based access control per workspace. Each agent is scoped to its own storage prefix and its own database schema; cross-tenant access is refused at the data layer, not only in the UI. |
| Confidentiality — staff | Least-privilege administrative access, granted individually and reviewed on change of role. All administrative actions are written to an append-only audit log. |
| Integrity | Input validation and parameterised queries throughout. Every mutation through the operations API records an audit-log row identifying the actor. |
| Availability and resilience | Managed hosting in a Tier III-class data centre in Germany. Automated daily backups of the database, held encrypted and separate from production. |
| Restoration | Documented restore procedure from the most recent backup; restore is exercised as part of infrastructure changes. |
| Testing and evaluation | Dependency vulnerability scanning in continuous integration, code review before merge, and periodic review of these measures at least annually and on material change to the Service. |
| Data-minimisation by design | Connectors sync only the fields the Controller enables. The Controller can delete any synced table at any time. |
The Processor may update these measures as technology develops, provided the level of protection is not reduced. The current version is always the one published on this page.
8. Subprocessors
The Controller gives the Processor general written authorisation to engage subprocessors. The Processor imposes on every subprocessor, by contract, data-protection obligations no less protective than those in this DPA, and remains fully liable to the Controller for the subprocessor's performance.
Annex III — Authorised subprocessors
The following subprocessors are engaged for every WorkAist Cloud customer, because they are part of the infrastructure on which the Service runs.
| Subprocessor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Hosting of application servers, database and backups | Germany (EU) | Not applicable |
| Cloudflare, Inc. | DNS, reverse proxy, TLS termination, DDoS protection | Global edge, including the EU | SCCs; EU-US Data Privacy Framework |
| Stripe Payments Europe, Ltd. | Payment and subscription processing | Ireland (EU) | SCCs for onward group transfers; EU-US Data Privacy Framework |
| Resend, Inc. | Transactional email delivery | United States | SCCs |
Model providers
Large-language-model providers are treated differently, because the Controller chooses them.
- If the Controller supplies its own provider credentials, that provider is engaged by the Controller, on the Controller's instructions and under the Controller's own agreement with it. It is not a subprocessor of the Processor. The Processor merely transmits the request using the credentials supplied and gives no warranty as to that provider's security, location of processing, training practices or compliance.
- If the Controller uses the Processor's managed token billing, the Processor selects the provider and it is a subprocessor of the Processor. The provider currently engaged in that capacity is Anthropic PBC (United States), for large-language-model inference, under Standard Contractual Clauses and contractually barred from training on the data sent to it.
The Controller can see which model provider each of its agents uses, and can change it, at any time inside the Service.
Changes to subprocessors
The Processor gives the Controller at least 30 days' notice by email before adding or replacing a subprocessor. The Controller may object on reasonable data-protection grounds within those 30 days. If the parties cannot resolve the objection, the Controller may terminate the affected part of the Service without penalty and receive a pro-rata refund of prepaid fees.
9. Assistance with data-subject rights
Taking into account the nature of the processing, the Processor assists the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests for exercising the data subject's rights under Chapter III GDPR.
The Service gives the Controller direct access to Customer Data so that it can locate, export, correct and delete personal data itself. Where a request nevertheless requires the Processor's involvement, the Processor responds without undue delay and in any event within 10 business days. If a data subject contacts the Processor directly about Customer Data, the Processor does not respond substantively; it forwards the request to the Controller without undue delay.
10. Assistance with Articles 32 to 36
The Processor assists the Controller in ensuring compliance with the obligations in Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor — in particular with security of processing, personal-data-breach notification, communication to data subjects, data-protection impact assessments and prior consultation.
Personal-data breach
The Processor notifies the Controller without undue delay, and in any event within 48 hours, after becoming aware of a personal-data breach affecting Customer Data. The notification describes the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, the measures taken or proposed, and a contact point. Where the information is not all available at once, it is provided in phases without further undue delay. The Processor does not notify a supervisory authority or data subjects on the Controller's behalf unless instructed to.
11. Deletion and return of Customer Data
At the Controller's choice, the Processor deletes or returns all Customer Data after the end of the provision of services relating to processing, and deletes existing copies, unless Union or Member State law requires storage of the personal data.
- For 30 days after the contract ends, the Controller may export Customer Data from the Service, or request its return in a structured, commonly used, machine-readable format.
- The Processor deletes Customer Data from live systems within 30 days after that export window closes.
- Encrypted backups containing Customer Data are overwritten on their normal rotation and in any event within 90 days of deletion from live systems.
- On written request the Processor confirms deletion in writing.
12. Audits and information
The Processor makes available to the Controller all information necessary to demonstrate compliance with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller.
In practice, the Processor first provides its current documentation of technical and organisational measures, its subprocessor list, and written answers to a security questionnaire. Where that is not sufficient to demonstrate compliance, the Controller may conduct an on-site or remote audit, on 30 days' written notice, no more than once per calendar year unless a personal-data breach has occurred or a supervisory authority requires it. Audits take place during business hours, must not unreasonably disrupt the Processor's operations, and are subject to confidentiality. The Controller bears its own audit costs; the Processor bears its own, unless the audit reveals a material breach of this DPA.
13. International transfers
The Processor stores Customer Data at rest in Germany. Transfers to subprocessors outside the European Economic Area, as listed in Annex III, take place under the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module Three where the Processor acts as processor engaging a sub-processor, supplemented where appropriate by additional safeguards, and — where the recipient is certified — under the adequacy decision for the EU-US Data Privacy Framework.
By concluding this DPA the Controller mandates the Processor to enter into those Standard Contractual Clauses with each subprocessor in the Controller's name and on its behalf.
14. Liability
Liability under this DPA is governed by the limitation of liability in the Terms of Service, save that nothing limits either party's liability towards a data subject under Article 82 GDPR or towards a supervisory authority.
15. Term, governing law and contact
This DPA takes effect when the Controller's contract for WorkAist Cloud begins and remains in force for as long as the Processor processes Customer Data. It is governed by the laws of Portugal, and the courts of Lisbon have exclusive jurisdiction, without prejudice to Article 79 GDPR.
Contact for all matters under this DPA: [email protected].