Data Processing Addendum
Effective: May 17, 2026
This Data Processing Addendum (“DPA”) forms part of the agreement between you (“Controller”) and Workzi (“Processor”) for use of Workzi Forge. It applies whenever we process Personal Data on your behalf under the GDPR, UK GDPR, and equivalent regimes.
1. Roles
For Customer Content you submit through the Service, you are the Controller and Workzi is the Processor. For account and billing data, Workzi is an independent Controller.
2. Scope and duration
We process Personal Data only to provide the Service and as documented in the Privacy Policy. Processing continues for the term of your subscription and until deletion of all Customer Content per Section 6.
3. Categories of data subjects and data
- Subjects: your end users, team members, customers referenced in projects.
- Data: identifiers, contact details, project content, usage telemetry.
- Special categories: not knowingly processed; do not submit them.
4. Processor obligations
- Process Personal Data only on documented instructions from the Controller.
- Ensure personnel are bound by confidentiality.
- Implement the security measures listed in Annex II.
- Assist with data subject requests, DPIAs, and breach notifications.
- Notify the Controller of personal data breaches affecting Customer Content without undue delay, and in any event within 72 hours of becoming aware of the breach, with enough detail for the Controller to meet its own notification duties.
5. Sub-processors (Annex III)
| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Edge hosting, DDoS protection | Global |
| Supabase, Inc. | Postgres, auth, storage | EU / US (region of choice) |
| OpenAI, L.L.C. | LLM inference (zero-retention API) | US |
| Google LLC (Gemini) | LLM inference (zero-retention API) | US / EU |
| Email provider | Transactional email when configured for Forge | Provider region |
| Payment provider | Payments only after beta paid access approval | Provider region |
We will notify Controllers at least 14 days before adding or replacing a sub-processor. Objections may be raised by emailing forge@workzi.org.
6. Return or deletion
On termination, the Controller may export Customer Content for 30 days; thereafter we delete it from production systems within 30 days and from backups within 35 days.
7. International transfers
Where Personal Data is transferred outside the EEA or the UK, we incorporate the EU Standard Contractual Clauses adopted under Commission Implementing Decision (EU) 2021/914 (Module 2, controller to processor, and Module 3, processor to processor) and the UK International Data Transfer Addendum.
Annex II — Security measures
- TLS 1.2+ for all data in transit.
- AES-256 encryption at rest for database and object storage.
- Postgres Row-Level Security enabled and enforced on every multi-tenant table, so each query is scoped to the tenant of the authenticated caller.
- Service-role (RLS-bypassing) keys held only by the server runtime and never shipped to browsers or other clients.
- IP-based rate limiting on public endpoints and shared links.
- Prompts are redacted of Personal Data before any AI telemetry is persisted.
- Audit log for privileged actions; access reviewed quarterly.
- 35-day encrypted backups with documented restore procedure.
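The Row-Level Security and service-role controls above, shown as an added SQL example. This is not Workzi's schema or code; it is a minimal Supabase-style Postgres layout that assumes an illustrative `projects` table with a `tenant_id` column, a `memberships` table mapping users to tenants, and Supabase's `auth.uid()` function and `authenticated`, `anon` and `service_role` roles.

```sql
-- Added example, not Workzi Forge's own schema. Table, column and policy names
-- are illustrative; auth.uid() and the authenticated/anon/service_role roles are
-- the Supabase conventions assumed here.

create table memberships (
  user_id   uuid not null,
  tenant_id uuid not null,
  primary key (user_id, tenant_id)
);

create table projects (
  id        uuid primary key default gen_random_uuid(),
  tenant_id uuid not null,
  name      text not null,
  content   jsonb
);

-- Weak state (what the Annex II control rules out): with RLS disabled, any role
-- holding SELECT on the table reads every tenant's rows.
--   select * from projects;

-- Hardened state: enable RLS and force it so the table owner is not exempt either.
alter table memberships enable row level security;
alter table memberships force row level security;
alter table projects enable row level security;
alter table projects force row level security;

-- A user may only see their own membership rows.
create policy memberships_self on memberships
  for select
  to authenticated
  using (user_id = auth.uid());

-- Every command on projects is scoped to tenants the caller belongs to.
-- USING filters reads/updates/deletes; WITH CHECK stops inserts or updates
-- that would move a row into a tenant the caller is not a member of.
create policy projects_tenant_isolation on projects
  for all
  to authenticated
  using (
    tenant_id in (select tenant_id from memberships where user_id = auth.uid())
  )
  with check (
    tenant_id in (select tenant_id from memberships where user_id = auth.uid())
  );

-- Unauthenticated callers get nothing; authenticated callers go through the policy.
revoke all on memberships, projects from anon;
grant select on memberships to authenticated;
grant select, insert, update, delete on projects to authenticated;

-- Note: Supabase's service_role is created with BYPASSRLS, so these policies do
-- not constrain it. That is why the service-role key must stay server-side only.

-- Check, run inside a transaction: impersonate an authenticated user and confirm
-- only that user's tenants are visible and a cross-tenant insert is rejected.
--   begin;
--   set local role authenticated;
--   set local request.jwt.claims = '{"sub":"<user uuid>","role":"authenticated"}';
--   select id, tenant_id from projects;           -- only the caller's tenants
--   insert into projects (tenant_id, name)
--     values ('<some other tenant uuid>', 'x');    -- fails the WITH CHECK clause
--   rollback;
```

The `force row level security` line matters when the application's migrations run as the table owner: without it, owner-run queries silently skip the policy. Review the policy list (`select * from pg_policies`) as part of the quarterly access review in Annex II.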
Signing
Accepting our Terms is deemed acceptance of this DPA on your organisation’s behalf. A countersigned PDF is available on request from forge@workzi.org.