This Data Processing Addendum (“DPA”) forms part of the agreement between Workroomly and the customer using the Services, and applies where Workroomly processes personal data on behalf of the customer.
This Data Processing Addendum (“DPA”) forms part of the Terms of Service, Master Services Agreement, Order Form, subscription agreement, or other written or electronic agreement between:
This DPA applies where Workroomly processes personal data on behalf of Customer in connection with the Workroomly platform, including customer operations workflows, CRM, support, inboxes, communication features, collaboration features, integrations, AI-assisted features, and related services.
If there is a conflict between this DPA and the main customer agreement regarding personal data processing, this DPA controls to the extent of that conflict.
The parties acknowledge and agree that:
Workroomly will process Customer Personal Data only on documented instructions from Customer, including as set out in the customer agreement, through Customer’s use of the Services, through configuration choices made by Customer in the platform, or as otherwise documented in writing by Customer, unless required to do otherwise by applicable law.
If Workroomly reasonably believes that a Customer instruction violates applicable data protection law, Workroomly may notify Customer and suspend the affected processing until the issue is resolved.
The details of the processing covered by this DPA are described below.
| Item | Description |
|---|---|
| Subject Matter | Provision of the Workroomly platform and related services, including customer operations workflows, CRM, support operations, inbox and communication features, collaboration tools, connected integrations, and related infrastructure and support services. |
| Duration | For the duration of the customer relationship and for any limited retention period that applies under the customer agreement, backup processes, security requirements, or applicable law. |
| Nature of Processing | Collection, storage, organization, retrieval, hosting, consultation, analysis, transmission, disclosure by customer configuration, support access, deletion, export, and other processing necessary to provide the Services. |
| Purpose of Processing | To provide, secure, support, maintain, and improve the Services as requested by Customer, and to enable customer-facing workflows and related business operations configured by Customer. |
| Categories of Data Subjects | Customer personnel, workspace users, leads, prospects, contacts, account stakeholders, support requesters, communication participants, meeting participants, and other individuals whose personal data Customer submits to the Services. |
| Categories of Personal Data | Names, email addresses, phone numbers, job titles, company information, account records, support records, communication metadata, message content, meeting data, uploaded files, CRM records, activity history, and other personal data submitted by or for Customer. |
| Sensitive or Special Data | Customer is responsible for determining whether it submits special category, sensitive, or regulated data into the Services and for ensuring such use is lawful and contractually appropriate. |
Workroomly will ensure that persons authorized to process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual, statutory, or professional.
Workroomly will implement appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature of the processing, the state of the art, implementation costs, and the risks presented by the processing.
Role-based access, permission controls, credential protection, and internal access limitation practices.
Secure hosting, environment controls, infrastructure management discipline, and operational safeguards.
Operational visibility, alerting, and relevant system logging to support platform security.
Backup, recovery, and continuity-oriented measures appropriate to Workroomly’s service model and maturity.
Customer acknowledges that Workroomly may update or modify security measures from time to time, provided such updates do not materially reduce the overall security of the Services.
Customer authorizes Workroomly to engage subprocessors to support the provision of the Services, provided that Workroomly remains responsible for the performance of its subprocessors to the extent required by applicable law and this DPA.
Workroomly’s current subprocessors may include infrastructure and integration providers such as:
Where Workroomly engages a subprocessor for Customer Personal Data, Workroomly will impose data protection obligations on that subprocessor that are no less protective in substance than the obligations Workroomly owes under this DPA, as relevant to the nature of the services provided by the subprocessor.
Workroomly may update its subprocessors from time to time. Material updates may be reflected on Workroomly’s Security & Compliance page or otherwise communicated through reasonable means.
Taking into account the nature of the processing, Workroomly will provide reasonable assistance to Customer, through technical and organizational measures where appropriate, to help Customer respond to requests from individuals exercising their rights under applicable data protection law, including access, correction, deletion, restriction, portability, or objection rights, where applicable.
Taking into account the nature of processing and the information available to Workroomly, Workroomly will provide reasonable assistance to Customer with respect to:
Such assistance may be subject to technical feasibility and reasonable reimbursement where the request goes materially beyond the standard functionality of the Services.
If Workroomly becomes aware of a personal data breach affecting Customer Personal Data, Workroomly will notify Customer without undue delay and provide information reasonably available to Workroomly to help Customer understand the breach and meet its own legal obligations.
To the extent Customer Personal Data is transferred across borders in a way that requires a lawful transfer mechanism under applicable data protection law, the parties will cooperate in good faith to implement an appropriate mechanism where required.
Where applicable, such mechanisms may include standard contractual clauses or other lawful transfer mechanisms recognized under applicable law.
Customer remains responsible for determining whether its use of the Services triggers jurisdiction-specific transfer requirements and whether supplementary contractual or compliance steps are needed for its use case.
Workroomly will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and, where required by applicable law and reasonably justified by Customer, allow for audits or inspections by Customer or an auditor mandated by Customer, subject to reasonable notice, confidentiality obligations, scope limitations, security safeguards, and reasonable cost allocation where appropriate.
Nothing in this section requires Workroomly to disclose confidential information of other customers, internal security secrets, or information that would create unreasonable security risk.
Upon termination or expiry of the customer agreement, and at Customer’s choice where applicable, Workroomly will delete or return Customer Personal Data, unless retention is required by applicable law or reasonably necessary for security, fraud prevention, dispute resolution, backup cycles, or other legitimate retention bases described in the customer agreement or Privacy Policy.
Customer acknowledges that immediate deletion from backups may not always be technically feasible, provided such retained data remains protected and is deleted in accordance with Workroomly’s ordinary retention and deletion processes.
The liability of each party under this DPA is subject to the exclusions, limitations, and allocation of risk set out in the main customer agreement, except to the extent prohibited by applicable law.
This DPA remains in effect for as long as Workroomly processes Customer Personal Data on behalf of Customer under the customer agreement.
Except as expressly modified by this DPA, the main customer agreement remains in full force and effect.
If your legal or procurement team needs a countersigned version, customer-specific revisions, or clarification on Workroomly’s processing role, contact:
Workroomly Legal / Privacy Contact