Data Processing Agreement

Workiflow LLC
Last updated: 14 April 2026

This Data Processing Agreement (“DPA”) is between you (“Controller”) and Workiflow LLC (“Processor”) and forms part of the engagement described in the accompanying proposal. It governs how we process personal data on your behalf under applicable data protection laws, including the General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

For questions about this DPA, contact us at security@workiflow.com.


1. Scope and Roles

You are the Controller — you determine why and how personal data is processed. We are the Processor — we process personal data on your behalf solely to deliver the services described in your proposal.

We only process personal data based on your documented instructions. If we believe an instruction violates applicable data protection laws, we’ll inform you promptly before acting on it.

2. How We Access and Handle Data

We work in your systems, not ours. Our standard operating model is to build, configure, and manage solutions within your existing infrastructure. We access your data within your platforms — we don’t independently host or store your core business data. We do use our own engagement management tools (such as project management and communication platforms), which may contain project-related information like task descriptions, contact details, and status updates.

Temporary handling. In limited situations (such as data migrations, imports, exports, or troubleshooting), we may need to temporarily handle your data outside your systems. When this happens, we limit access to only the team members who need it, use the data only for the specific task, and delete all temporary copies promptly — no later than five (5) business days after the task is complete.

What we typically access. The types of personal data and categories of data subjects depend on what you grant us access to as part of the engagement. This typically includes things like employee names, email addresses, contact details, and business records within the systems you ask us to work in.

3. Our Obligations

We will:

  • Process personal data only as needed to perform the services and as instructed by you
  • Access your data within your systems rather than extracting or storing it in ours, except where temporary handling is necessary to complete a specific task
  • Delete any temporary copies of your data promptly upon completion of the task that required them, and no later than five (5) business days after the task is complete
  • Ensure that anyone on our team who handles your data is bound by confidentiality agreements and has completed security awareness training
  • Implement and maintain appropriate technical and organizational security measures (see Section 6)
  • Not engage additional sub-processors without notifying you in advance (see Section 4)
  • Assist you in responding to data subject requests (access, deletion, correction, portability, etc.)
  • Assist you in meeting your obligations around data protection impact assessments and regulatory consultation, where applicable
  • Notify you of any personal data breach affecting your data without undue delay and no later than 72 hours after becoming aware of it, with enough detail for you to assess the impact and meet your own notification obligations

4. Sub-processors

We use a limited number of sub-processors to deliver the services. A current list is maintained at workiflow.com/sub-processors.

Before adding a new sub-processor, we’ll give you reasonable advance notice. If you have a legitimate objection to a new sub-processor, let us know within 14 days and we’ll work with you to find a resolution. If we can’t resolve the objection, you may terminate the affected services.

All sub-processors are bound by written agreements with data protection obligations at least as protective as this DPA.

5. International Data Transfers

Our team operates across multiple countries. When team members access your systems from outside your jurisdiction, they do so through your platforms’ existing access controls as well as Workiflow’s own security protocols, including mandatory security training, confidentiality agreements, and secure access practices.

If personal data is temporarily transferred outside your jurisdiction (for example, during a data migration or through sub-processors in other countries), we ensure appropriate safeguards are in place consistent with applicable data protection laws. This may include Standard Contractual Clauses or other recognized transfer mechanisms.

6. Security Measures

Our security practices are aligned with SOC 2 Type II and ISO 27001 controls, and include:

  • Encryption of data in transit and at rest for any temporary copies and engagement-tool data we hold
  • Role-based access controls — team members only access what they need for their specific tasks
  • Regular security assessments and monitoring
  • Documented incident response procedures
  • Mandatory security awareness training for all team members
  • Confidentiality agreements with all employees and contractors
  • Secure handling and deletion of any temporarily held data within five (5) business days of task completion

7. Data Return and Deletion

Since we primarily work within your infrastructure, your data is already in your possession. When the engagement ends:

  • We’ll revoke all team member access to your systems
  • We’ll delete any temporary copies of your data that may exist on our side within 30 days
  • Engagement records (invoices, contracts, communications) may be retained for up to seven years for legal and accounting purposes
  • We’ll confirm deletion in writing upon request

8. Audits

Upon reasonable written request and no more than once per year, you may audit our compliance with this DPA. We’ll cooperate and provide relevant documentation. Audits will be conducted during normal business hours with reasonable advance notice.

Where possible, we’ll satisfy audit requests by providing copies of relevant certifications, audit reports, or third-party assessments rather than requiring on-site access.

9. Duration and Termination

This DPA remains in effect for the duration of the engagement. Our data processing and deletion obligations survive until we’ve confirmed that all access has been revoked and any temporary data has been deleted.

10. Contact

For any questions or requests related to this DPA:

Workiflow LLC
Email: security@workiflow.com
