Data Processing Agreement
Last updated: June 27, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between WorkPulse ("Processor," "we," "us") and the customer organization ("Controller," "you") that uses the WorkPulse platform. It governs our processing of personal data on your behalf and applies where data protection laws — including the EU/UK GDPR, the California Consumer Privacy Act (CCPA/CPRA), and similar laws — apply to that processing. If there is a conflict between this DPA and the Terms of Service on the subject of data processing, this DPA controls.
1. Roles of the Parties
For personal data relating to your employees, contractors, and other monitored individuals ("Monitored Data"), you are the data controller and WorkPulse is the data processor. You determine the purposes and means of monitoring; we process Monitored Data only to provide the Service and only on your documented instructions. You are responsible for establishing a lawful basis for monitoring, and for providing required notices to, and obtaining any required consent from, the individuals you monitor.
For account, billing, website, and support data, WorkPulse acts as an independent controller, as described in our Privacy Policy.
2. Details of the Processing (Annex A)
- Subject matter: provision of the WorkPulse activity-monitoring Service.
- Duration: the term of your subscription, plus the post-termination deletion window in Section 9.
- Nature and purpose: collection, storage, organization, display, and deletion of activity data to enable workforce monitoring and reporting that you configure.
- Types of personal data: input metrics (keystroke counts, click counts, scroll, mouse distance — not the content typed), screenshots, active app/window titles and browser URLs from work sessions, shift and break timestamps, device identifiers (hashed), and — only where you enable them — webcam snapshots and screen recordings.
- Categories of data subjects: your employees, contractors, and other workforce members on whose devices you deploy the agent.
3. Processing on Documented Instructions
We process Monitored Data only on your documented instructions, including the configuration choices you make in the dashboard, unless required to act otherwise by applicable law (in which case we will inform you, unless the law prohibits it). Your instructions are reflected in this DPA, the Terms of Service, and your in-product settings. We will tell you if, in our opinion, an instruction infringes applicable data protection law.
4. Confidentiality
We ensure that personnel authorized to process Monitored Data are bound by confidentiality obligations and process the data only as necessary to provide and maintain the Service.
5. Security Measures (Annex B)
We maintain technical and organizational measures appropriate to the risk, including:
- Encryption in transit (TLS 1.2+) and encryption of local agent data at rest (AES-256-GCM), with agent keys stored in the operating-system keychain.
- Server-side encryption (AES-256) of screenshots and media in Cloudflare R2 object storage, accessed through authenticated API requests using short-lived signed URLs.
- Role-based access control, tenant isolation between organizations, and an immutable audit log of administrative actions.
- Password hashing (bcrypt) and authentication logging.
We do not represent that any security measure is impenetrable. We do not currently hold SOC 2, ISO 27001, HIPAA, or similar certifications unless expressly stated in writing.
6. Sub-processors (Annex C)
You authorize us to engage sub-processors to provide the Service. Each sub-processor is bound by data protection terms no less protective than this DPA. Our current sub-processors are:
- LemonSqueezy — billing and payment processing.
- Resend — transactional email delivery.
- Hostinger — application and database hosting (VPS).
- Cloudflare R2 — storage of screenshots and recordings (S3-compatible object storage).
We will give you advance notice of any new or replacement sub-processor and a reasonable opportunity to object on legitimate data-protection grounds. If you object and we cannot reasonably accommodate the objection, you may terminate the affected Service.
7. Assistance to the Controller
Taking into account the nature of the processing, we will assist you, by appropriate technical and organizational measures and insofar as possible, to:
- respond to requests from data subjects exercising their rights (access, correction, deletion, portability, objection). Because we act on your behalf, requests we receive directly from your workforce will be referred to you as the controller;
- fulfil your obligations to keep Monitored Data secure, notify breaches, and conduct data protection impact assessments (DPIAs) and any required prior consultation with supervisory authorities. Systematic employee monitoring will, in many jurisdictions, require a DPIA — you are responsible for carrying it out.
8. Personal Data Breach Notification
We will notify you without undue delay after becoming aware of a personal data breach affecting Monitored Data, and provide information reasonably available to us to help you meet your own notification obligations. Notification to affected individuals and to authorities is your responsibility as controller.
9. Return and Deletion of Data
On termination or expiry of the Service, we will delete Monitored Data in accordance with your configured retention settings and our standard deletion process: activity data is retained for the period you select (90 days by default, or an extended paid tier), and all Monitored Data is deleted within 30 days after subscription cancellation, except audit logs and security events retained for compliance and security purposes, and data we are required by law to retain.
10. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable confidentiality, security, and scheduling safeguards and at a reasonable frequency.
11. International Transfers
Where Monitored Data originating in the European Economic Area, the United Kingdom, or Switzerland is transferred to a country without an adequacy decision, the parties agree that the European Commission's Standard Contractual Clauses (Module Two: controller-to-processor), together with the UK International Data Transfer Addendum where applicable, are incorporated into this DPA by reference and completed using the details in Annexes A–C.
12. Liability and Precedence
Each party's liability under this DPA is subject to the limitations of liability in the Terms of Service. This DPA supplements and, on matters of data processing, prevails over the Terms of Service.
13. Contact
For data-processing questions or to exercise audit and assistance rights under this DPA, contact privacy@getworkpulse.io.