Data Processing Agreement
Last updated: November 1, 2025
This Data Processing Agreement (“DPA”) forms part of the Client agreement between Workplacer Sweden AB (“Workplacer”) and its clients (“Client”) governing the use of Workplacer's software and related services (the “Client Agreement”).
The purpose of this DPA is to ensure that the processing of personal data by Workplacer on behalf of the Client complies with applicable data protection laws, including the EU General Data Protection Regulation (GDPR).
This DPA applies automatically to all Clients who have entered into a valid Client Agreement with Workplacer.
It does not apply independently and must be read together with the applicable Client Agreement.
1. Scope and Roles
1.1 Workplacer acts as a Data Processor on behalf of the Client, who acts as the Data Controller for all personal data processed under the Client Agreement.
1.2 Workplacer will process personal data solely for the purpose of providing, maintaining, and improving the Workplacer software and related services in accordance with the Client's documented instructions.
2. Applicable Laws
2.1 Workplacer shall process Personal Data in compliance with all data protection and privacy laws that are applicable to the Services and the Parties' roles under this Agreement (“Applicable Data Protection Laws”).
2.2 For clarity, Applicable Data Protection Laws include, where relevant:
- the EU General Data Protection Regulation (GDPR), the UK GDPR, and the Swiss FADP;
- major privacy frameworks in North America, including the California Consumer Privacy Act (CCPA/CPRA) and other applicable U.S. state laws;
- significant international laws such as the Brazil LGPD, the Singapore PDPA, the Hong Kong PDPO, the Japan APPI, and the India DPDP Act; and
- any other laws that, by their terms, apply to Workplacer's processing of Client Data.
2.3 The Client is responsible for informing Workplacer of any specific legal or regulatory requirements that apply to its industry or jurisdiction which may materially affect Workplacer's processing of Personal Data.
2.4 If multiple regimes apply, Workplacer shall comply with the standard that provides the highest level of protection to data subjects for the relevant processing.
3. Subject Matter and Purpose
3.1 Workplacer processes personal data solely for the purpose of delivering the services described in the Client Agreement.
3.2 This includes workplace analysis, reporting, AI-supported features, and related advisory support services.
4. Instructions
4.1 Workplacer shall process personal data only:
- in accordance with the Client's documented instructions,
- to provide the agreed services, and
- in compliance with applicable law.
5. Confidentiality and Security
5.1 Workplacer shall implement appropriate technical and organizational measures to protect personal data against unauthorized or unlawful processing, accidental loss, destruction, or damage.
5.2 Persons authorized to process data shall be subject to confidentiality obligations.
6. Duration
6.1 This DPA shall apply for the duration of the Client Agreement and remain in effect until Workplacer has returned or securely deleted all personal data in accordance with Section 13.
7. Workplacer's Obligations
7.1 Workplacer shall:
- process data only on Client instructions;
- maintain appropriate security measures;
- ensure confidentiality of personnel;
- assist the Client in fulfilling obligations regarding data subject rights, breach notifications, and data protection impact assessments;
- notify the Client without undue delay of personal data breaches;
- make available information necessary to demonstrate compliance and allow for audits upon reasonable notice;
- upon termination, return or securely delete Client Data as set out in Section 13.
8. Client Obligations
8.1 The Client shall:
- ensure it has a lawful basis and necessary consents to provide personal data to Workplacer;
- ensure its use of the services complies with applicable laws and this Agreement.
9. Sub-Processors
9.1 Workplacer may engage sub-processors (e.g., hosting, authentication, AI services) to deliver services.
9.2 Workplacer shall ensure sub-processors are bound by written agreements with safeguards equivalent to this DPA.
9.3 A current list of sub-processors is available in Schedule A (Subprocessor List) and may be updated by Workplacer.
9.4 Certain Services rely on AI subprocessors. The specific terms governing Workplacer's use of AI services, including data sanitization, transparency, opt-out rights, and liability for AI-generated outputs, are set out in Schedule B (Use of AI Services), which forms an integral part of this DPA.
9.5 Workplacer shall notify the Client of material changes, and the Client may object on reasonable grounds, provided such objection does not unreasonably prevent Workplacer from delivering the Services.
10. International Transfers
10.1 Workplacer stores and processes Client Data primarily within the EU/EEA.
10.2 If international transfers are required, Workplacer shall implement appropriate safeguards, including the EU Standard Contractual Clauses (SCCs), the UK International Data Transfer Addendum or Agreement (IDTA), the Swiss FDPIC addendum, or other legally recognized transfer mechanisms under Applicable Data Protection Laws.
11. Data Subject Rights
11.1 Workplacer shall, to the extent reasonably possible, assist the Client in responding to data subject requests (e.g., access, rectification, erasure, portability) under Applicable Data Protection Laws.
12. Audit and Compliance
12.1 Upon reasonable notice, Workplacer shall make available to the Client all information necessary to demonstrate compliance with this DPA and Applicable Data Protection Laws. Where legally required, Workplacer shall allow for on-site inspections or third-party audits, provided such audits are reasonable in scope and frequency, coordinated in advance, and the Client bears associated costs.
13. Deletion or Return of Data
13.1 Upon termination or expiry of the Client Agreement, Workplacer shall, at the Client's choice, either return all personal data in a commonly used machine-readable format or securely delete it, unless retention is required by law.
13.2 The Client may request extraction of its data during the Client Agreement and for thirty (30) days after termination. After that, Workplacer may delete or anonymize the data in accordance with its Privacy Policy.
14. Liability
14.1 Each Party's liability under this DPA is subject to the liability provisions of the Client Agreement.
14.2 Workplacer shall not be responsible for the Client's failure to comply with its obligations as Data Controller, including obtaining lawful bases or consents for processing.
14.3 In case of conflict between this DPA and the Client Agreement with respect to personal data, this DPA shall prevail. For the avoidance of doubt, the limitations of liability set out in the Client Agreement shall apply equally to this DPA.
15. Availability
This DPA, including its schedules, is publicly available at www.workplacer.ai/dpa and applies automatically to all Clients who have entered into a valid Client Agreement with Workplacer.
Schedule A — Subprocessor List
Attachment to the Workplacer Data Processing Agreement (DPA)
Workplacer may engage the following categories of Subprocessors to support delivery of the Services under the Agreement.
Workplacer ensures that all Subprocessors are bound by written agreements imposing obligations that provide at least the same level of protection for Personal Data as required by the DPA.
1. Infrastructure and Hosting Providers
| Subprocessor | Location | Purpose of Processing | Safeguards |
|---|---|---|---|
| Vercel | EU | Frontend and serverless hosting | EU-based hosting |
| Neon | EU | Database storage (PostgreSQL) | EU-based |
2. Authentication and Access Management
| Subprocessor | Location | Purpose of Processing | Safeguards |
|---|---|---|---|
| Better Auth | EU (self-hosted) | Authentication & session management | EU-based, no third-party transfer |
3. AI and Analytics Services
| Subprocessor | Location | Purpose of Processing | Safeguards |
|---|---|---|---|
| Anthropic | US | AI-powered analysis and summarization | SCCs + contractual safeguards |
4. Communication and Notifications
| Subprocessor | Location | Purpose of Processing | Safeguards |
|---|---|---|---|
| Resend | US | Transactional email delivery | SCCs + contractual safeguards |
5. Monitoring and Error Tracking
| Subprocessor | Location | Purpose of Processing | Safeguards |
|---|---|---|---|
| Sentry | EU/US | Error tracking and performance monitoring | SCCs + contractual safeguards |
| Upstash | EU | Rate limiting and caching (Redis) | EU-based |
6. Updates to Subprocessor List
Workplacer may update this list from time to time in accordance with Section 9 of the DPA. Clients will be notified of material changes and may object to new Subprocessors as provided in the DPA.
Schedule B — Use of Artificial Intelligence (AI) Services
Attachment to the Workplacer Data Processing Agreement (DPA)
This Schedule sets out the specific terms governing Workplacer's use of third-party artificial intelligence (“AI”) services.
1. AI Integration
1.1 Workplacer may utilize third-party AI services (including, but not limited to, Anthropic and similar providers) to support features such as data analysis, structuring, summarization, meeting interpretation, and related functionality within the Workplacer platform.
1.2 Such AI providers shall be treated as Subprocessors in accordance with Section 9 of the DPA.
2. Data Sanitization
2.1 Before transmitting any Client Data to AI subprocessors, Workplacer applies internal sanitization logic designed to redact sensitive or unnecessary information.
2.2 While Workplacer takes reasonable steps to ensure effective redaction, the process may not always be fully accurate or complete.
3. Transparency of AI Features
3.1 Features within the Workplacer platform that rely on AI are clearly identified (e.g., through an AI indicator) to provide transparency to end-users.
3.2 Certain features, such as contract abstraction, portfolio insights, and report generation, may rely on AI services automatically.
4. Opt-Out Mechanism
4.1 Clients who do not wish to use AI-supported functionality may disable such features at any time via the Company Admin settings.
4.2 Unless disabled, AI features are enabled by default.
5. Data Protection and Roles
5.1 Workplacer processes data in compliance with Applicable Data Protection Laws as defined in the DPA, including (where relevant) the EU GDPR, UK GDPR, Swiss FADP, the Australian Privacy Act, the Brazil LGPD, and Asian frameworks such as the Singapore PDPA, Hong Kong PDPO, and Japan APPI.
5.2 For the purposes of these laws:
- The Client remains the Data Controller (or equivalent role).
- Workplacer acts as Data Processor.
- AI subprocessors act as sub-processors engaged by Workplacer.
5.3 The Client is responsible for ensuring that no special category data or information subject to heightened protection (e.g., health data, government identifiers, biometric data) is entered into free-text fields or otherwise uploaded to the platform, unless explicitly permitted under Applicable Data Protection Laws.
6. Liability and Use of AI Outputs
6.1 Workplacer provides AI-supported functionality on an “as is” basis and does not warrant that sanitization will remove all sensitive or personal information prior to AI processing.
6.2 Workplacer shall not be liable for any loss, damage, or regulatory exposure arising from:
- the Client's reliance on AI-generated outputs, or
- the inclusion of sensitive information not fully sanitized prior to AI processing.
6.3 The Client acknowledges that AI-generated outputs may be incomplete, inaccurate, or require human review. The Client agrees to use such outputs with appropriate caution and validation.
7. Relationship to the DPA
7.1 This Schedule supplements the DPA. In case of conflict between this Schedule and the DPA, the terms of the DPA shall prevail.
7.2 All liability of Workplacer in relation to the use of AI Services under this Schedule shall be subject to and limited by the liability provisions set out in the Client Agreement and Clause 14 of the DPA.
7.3 For the avoidance of doubt:
- Workplacer provides AI outputs “as is” and does not warrant their accuracy, completeness, or fitness for any particular purpose.
- Workplacer shall not be liable for any reliance placed by the Client on AI-generated outputs or for any errors, omissions, or consequences resulting therefrom.
Workplacer Sweden AB
Gåsgränd 2, 11127 Stockholm, Sweden
Email: info@workplacer.ai