1. Overview and incorporation
This Data Processing Addendum (the "DPA") forms part of the agreement between you ("Customer") and Worqen OÜ ("Worqen") for use of the Worqen services (the "Services"), and applies to the extent Worqen processes Personal Data subject to the EU General Data Protection Regulation (Regulation (EU) 2016/679, the "GDPR"), the United Kingdom Data Protection Act 2018 and the UK GDPR (the "UK GDPR"), the Brazilian Lei Geral de Proteção de Dados (Law No. 13,709/2018, the "LGPD"), the Indian Digital Personal Data Protection Act 2023 (the "DPDP Act"), or the Swiss Federal Act on Data Protection (the "FADP"), on behalf of Customer.
This DPA is a starting framework intended for B2B Customers. For the avoidance of doubt, Customer is the controller of Personal Data Worqen processes on its behalf; Worqen is the processor. Where a particular processing activity is performed by Worqen as an independent controller (for example, our own KYC, anti-fraud and security operations on Worqen account-holders), that activity is governed by Worqen's Privacy Policy, not by this DPA.
For execution: please contact legal@worqen.com to receive an executable copy of this DPA. The web version below is provided for transparency and is also incorporated by reference into the principal Services agreement.
2. Definitions
Capitalised terms not defined here have the meaning given in the GDPR. "Personal Data", "Processing", "Controller", "Processor", "Data Subject", "Sub-processor", "Personal Data Breach" and "Supervisory Authority" have the meaning given in Article 4 GDPR.
"Affiliate" means an entity that controls, is controlled by, or is under common control with a party. "EU SCCs" means the Standard Contractual Clauses for the transfer of personal data to third countries adopted by European Commission Implementing Decision (EU) 2021/914, Module Two (Controller to Processor). "UK IDTA" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner under section 119A of the Data Protection Act 2018. "Restricted Country" means a country outside the EEA, the United Kingdom or Switzerland that is not the subject of an adequacy decision (or equivalent recognition) by the jurisdiction from which the Personal Data is exported.
3. Scope and roles
Customer instructs Worqen to process Personal Data only as necessary to provide the Services in accordance with the Services agreement, this DPA, the Worqen documentation, and Customer's lawful written instructions. Annex A sets out the subject-matter, duration, nature and purpose of processing, the categories of Data Subjects and the types of Personal Data processed.
4. Duties of Worqen as processor
Worqen will:
- Process Personal Data only on documented Customer instructions, including with regard to transfers, unless required to process Personal Data by EU or Member State law to which Worqen is subject (in which case Worqen will inform Customer of that requirement before processing, unless that law prohibits such information on important grounds of public interest);
- Ensure that personnel authorised to process Personal Data are bound by appropriate confidentiality obligations;
- Implement and maintain the technical and organisational measures described in Annex B, as updated from time to time, designed to ensure a level of security appropriate to the risk;
- Engage Sub-processors only in accordance with Section 6;
- Assist Customer, taking into account the nature of processing, by appropriate technical and organisational measures, in fulfilling its obligations to respond to Data Subject rights requests;
- Assist Customer in ensuring compliance with Articles 32–36 GDPR (security, breach notification, DPIA and prior consultation), taking into account the information available to Worqen;
- At Customer's choice, delete or return all Personal Data after the end of the provision of the Services, and delete existing copies, unless Union or Member State law requires storage;
- Make available to Customer the information necessary to demonstrate compliance with the obligations set out in Article 28 GDPR and this DPA, and allow for and contribute to audits, including inspections, in accordance with Section 9.
5. Security and breach notification
Worqen will implement and maintain the technical and organisational measures set out in Annex B. We may update those measures from time to time, provided the level of protection is not materially reduced.
Worqen will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data. The notification will include the information set out in Article 33(3) GDPR to the extent then known, and Worqen will provide updates as more information becomes available.
6. Sub-processors
Customer provides general written authorisation for Worqen to engage Sub-processors. The current list of authorised Sub-processors is published at /legal/subprocessors. Worqen will:
- Notify Customer of any intended addition or replacement of a Sub-processor at least 30 days in advance, by updating the Sub-processors page and via the notification mechanism described on that page;
- Give Customer the opportunity to object on reasonable grounds related to data protection during that 30-day window. If Customer objects on reasonable grounds and the parties cannot reach agreement within a reasonable time, Customer may terminate the affected Services without penalty;
- Impose on each Sub-processor written terms providing for at least the same level of data-protection obligations as those set out in this DPA;
- Remain fully liable to Customer for the performance of each Sub-processor's obligations under this DPA.
7. International data transfers
Where Worqen transfers Personal Data from the EEA, the United Kingdom or Switzerland to a Restricted Country, the parties agree that the EU SCCs (Module Two: Controller-to-Processor) are incorporated into this DPA and are deemed entered into and completed as follows:
- The data exporter is Customer; the data importer is Worqen. Onward transfers to Sub-processors are governed by Clause 9 of the EU SCCs and Section 6 of this DPA;
- Clause 7 (Docking Clause) does not apply;
- Option 2 of Clause 9 (general written authorisation) applies, with the 30-day prior-notice period set out in Section 6;
- The optional language of Clause 11 is not used;
- The governing law for Clause 17 is the law of the Republic of Estonia;
- The forum and jurisdiction for Clause 18 are the courts of the Republic of Estonia;
- Annex I (description of the transfer) and Annex II (technical and organisational measures) are populated by Annexes A and B of this DPA respectively;
- Annex III (Sub-processors) is populated by /legal/subprocessors.
For transfers from the United Kingdom, the UK IDTA is incorporated into this DPA and completed in accordance with Part 1 (Tables 1 to 4) of the UK IDTA, with the selections made above for the EU SCCs applying to the corresponding tables. For transfers from Switzerland, the EU SCCs apply with the modifications required by the FDPIC's guidance on their use, including that references to the GDPR are read as references to the FADP and references to the competent Supervisory Authority are read as references to the FDPIC.
8. Data Subject rights
Worqen will assist Customer, by appropriate technical and organisational measures described in Worqen documentation, in fulfilling Customer's obligation to respond to requests for the exercise of Data Subject rights. If a Data Subject contacts Worqen directly with a rights request relating to Customer Personal Data, Worqen will, without undue delay, refer the Data Subject to Customer.
9. Audit
Worqen will make available to Customer all information necessary to demonstrate compliance with this DPA. On reasonable prior written notice (and not more than once per year, except where required by a Supervisory Authority), Customer (or a mutually agreed independent third-party auditor bound by confidentiality) may audit Worqen's compliance with this DPA. Audits must be conducted during business hours, with minimum disruption, and at Customer's expense. Worqen may satisfy this obligation by providing independent third-party assurance (such as a current SOC 2 Type II report or ISO/IEC 27001 certificate) in place of an on-site audit, where reasonably appropriate.
10. Term and termination
This DPA remains in effect for as long as Worqen processes Customer Personal Data. On termination of the Services, Worqen will, at Customer's choice, delete or return all Personal Data, and delete existing copies, except to the extent that (a) storage is required by Union or Member State law (including AML record-retention requirements), or (b) Personal Data is held in back-ups pending their routine rotation and expiry, during which it remains protected under this DPA.
11. Liability and order of precedence
Each party's liability under this DPA is subject to the limitations and exclusions of liability in the principal Services agreement. In case of conflict between this DPA and the principal Services agreement, this DPA prevails to the extent of the conflict. In case of conflict between the EU SCCs and any other term of this DPA, the EU SCCs prevail to the extent of the conflict.
Annex A — Description of processing
- Subject-matter: provision of the Worqen marketplace, identity-verification, escrow, dispute-resolution, communications and related services.
- Duration: for so long as Customer uses the Services, plus retention periods set out in the Privacy Policy and applicable law.
- Nature and purpose: hosting, transmission, storage, retrieval, consultation, alignment, restriction and erasure of Personal Data; payment-flow orchestration via Solana smart contracts; identity-verification and sanctions screening; provision of moderation and customer support.
- Categories of Data Subjects: Customer's account-holders and end-users (Workers, Employers and visitors), and any other Data Subjects whose data Customer submits.
- Categories of Personal Data: identification data; profile data; authentication data; communications and message content; transaction data; KYC and identity-verification data; technical and device data; location data; tax and sanctions-screening data; any other Personal Data Customer chooses to submit.
- Sensitive data: biometric data and government-issued identifiers (where KYC is performed); see Identity Verification Policy.
- Frequency: continuous, for the duration of the Services.
Annex B — Technical and organisational measures (summary)
- Encryption in transit — TLS 1.2 or higher for all client-server communication; certificate-pinning where appropriate.
- Encryption at rest — field-level encryption of sensitive credentials and PII fields using AES-256 or Fernet (AES-128 in CBC mode with HMAC-SHA256 authentication); encrypted database volumes.
- Access controls — role-based access; principle of least privilege; mandatory multi-factor authentication for staff access to production systems.
- Audit logging — privileged-action logs; tamper-evident retention.
- Pseudonymisation — pseudonymised identifiers in error-monitoring; no production Personal Data in non-production environments.
- Resilience — automated back-ups; documented disaster-recovery procedure; defined recovery-time and recovery-point objectives.
- Incident response — documented incident-response plan; on-call rotation; breach-notification workflow targeting 72 hours.
- Vendor management — Sub-processor due diligence; written data-protection terms with each Sub-processor.
- Personnel — background checks where lawful; confidentiality obligations; security and privacy training.
- Vulnerability management — Vulnerability Disclosure Programme open to external security researchers (see VDP); routine security testing.
Contact
DPA execution: legal@worqen.com
Data Protection Officer: dpo@worqen.com