Data Processing Agreement

1. Subject Matter and Duration

1.1 This DPA governs the processing of Personal Data by Workant on behalf of the Customer in connection with the provision of the Workant SaaS services.

1.2 Processing shall continue for the duration of the Agreement, unless otherwise agreed in writing.

2. Nature and Purpose of Processing

2.1 Workant shall process Personal Data solely for the purpose of:

• Providing, operating, maintaining and supporting the Workant HR software and related services;
• Fulfilling contractual obligations under the Agreement;
• Complying with documented instructions from the Customer.

2.2 Processing operations may include collection, recording, organization, structuring, storage, retrieval, use, transmission, and deletion.

3. Categories of Data and Data Subjects

3.1 Data Subjects may include:

• Customer employees
• Job applicants
• Contractors
• Authorized system users

3.2 Personal Data may include:

• Identification data (name, employee ID, username)
• Contact information (email, phone number)
• Employment data (role, department, contract details, working time, absences)
• Authentication data and access logs
• Other HR-related information entered by the Customer

Special categories of personal data shall only be processed where explicitly enabled by the Customer and in compliance with applicable law.

4. Roles of the Parties

4.1 The Customer acts as Data Controller.

4.2 Workant acts as Data Processor.

4.3 Workant shall process Personal Data only on documented instructions from the Customer, unless required to do otherwise by Union or Member State law.

5. Processor Obligations

Workant shall:

• a) Ensure that persons authorized to process Personal Data are bound by confidentiality obligations;
• b) Implement appropriate technical and organizational measures in accordance with Article 32 GDPR;
• c) Assist the Customer in responding to data subject requests;
• d) Assist the Customer with data protection impact assessments and consultations with supervisory authorities where reasonably required;
• e) Engage sub-processors only in accordance with Section 7;
• f) Make available information necessary to demonstrate compliance with this DPA.

6. Confidentiality

Workant shall ensure that all personnel with access to Personal Data are subject to statutory or contractual confidentiality obligations.

7. Sub-Processors

7.1 The Customer authorizes Workant to engage the sub-processors listed in Annex III.

7.2 Workant shall:

• Impose equivalent data protection obligations on all sub-processors;
• Remain fully liable for their performance;
• Inform the Customer in advance of any intended changes and allow reasonable objection.

8. International Transfers

8.1 Personal Data shall be processed within the EU/EEA. Our primary infrastructure is hosted on Vercel's EU region (Frankfurt, Germany).

8.2 Where transfers to third countries are necessary (e.g., certain sub-processors), Workant relies on the following safeguards:

• EU-U.S. Data Privacy Framework: For transfers to certified U.S. organizations
• Standard Contractual Clauses (SCCs): Commission Implementing Decision (EU) 2021/914 for controller-to-processor transfers
• Supplementary measures: Including encryption, access controls, and contractual commitments

8.3 Upon request, Workant will provide copies of executed SCCs and transfer impact assessments for relevant sub-processors.

9. Security Measures

9.1 Workant shall implement appropriate technical and organizational measures, including:

• Encryption in transit and at rest
• Role-based access control
• Logging and monitoring
• Regular backups
• Incident response procedures

Details are described in Annex II.

10. Personal Data Breaches

10.1 Workant shall notify the Customer without undue delay and, where feasible, within 72 hours after becoming aware of a Personal Data Breach.

10.2 The notification shall contain all information required under Article 33 GDPR.

11. Assistance with Data Subject Rights

Workant shall assist the Customer by appropriate technical and organizational measures to fulfill obligations under Articles 12–23 GDPR.

12. Return and Deletion of Data

12.1 Upon termination of the Agreement, Workant shall, at the Customer's choice:

• Return all Personal Data, or
• Securely delete all Personal Data,

unless retention is required by law.

12.2 Workant shall provide written confirmation of deletion upon request.

13. Liability

Liability under this DPA shall be subject to the limitations set forth in the Agreement, unless mandatory applicable law provides otherwise.

14. Governing Law and Jurisdiction

This DPA shall be governed by the laws of Finland. Disputes shall be resolved in the Helsinki District Court.