The following policies supplement the Dotwork Customer Agreement and govern specific aspects of the relationship between Dotwork and Customer. This DPA, including the Standard Contractual Clauses where applicable, is entered into between Dotwork, Inc. ("Dotwork") and the entity identified in the Agreement ("Customer") (each a "Party" and collectively, the "Parties").
This DPA establishes the terms under which Dotwork processes Personal Data on behalf of Customer under the Agreement, ensuring compliance with Applicable Law while safeguarding the rights of individuals whose Personal Data is processed.
1. Definitions
For the purposes of this DPA, the following definitions apply:
1.1 Applicable Law.
"Applicable Law" means all laws, regulations, and legal requirements applicable in any jurisdiction concerning privacy, data protection, security, or the processing of Personal Data including:
- California Consumer Privacy Act (CCPA) and California Privacy Rights Act (CPRA)
- General Data Protection Regulation (GDPR) (Regulation (EU) 2016/679)
- UK Data Protection Act 2018 (UK DPA 2018) and UK GDPR
- Swiss Federal Data Protection Act (Swiss DPA)
- Japan’s Act on the Protection of Personal Information (APPI)
Where Dotwork’s processing activities do not fall within the scope of a specific Applicable Law, such law shall not apply for purposes of this DPA.
1.2 Other Key Definitions
- "Controller," "Processor," "Personal Data," "Processing," "Data Subject" – as defined in Applicable Law.
- "Customer Personal Data" – Any Personal Data that Customer inputs into the Service for processing by Dotwork. This excludes Restricted Data unless otherwise agreed in writing.
- "Restricted Data" – Includes special categories of Personal Data (e.g., social security numbers, financial details, health information).
- "Restricted Transfer" – Any transfer of Personal Data outside the EEA, UK, or Switzerland to a jurisdiction without an adequacy decision by the relevant authority.
- "Security Incident" – A confirmed breach resulting in accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access to Customer Personal Data.
- "Standard Contractual Clauses (SCCs)" – The EU, UK, and Swiss SCCs governing Restricted Transfers (as set forth in Section 9).
2. Relationship of the Parties
2.1 Dotwork as a Processor and Service Provider
- The Customer acts as the Controller (or Business), and Dotwork acts as the Processor (or Service Provider) for Customer Personal Data.
2.2 Dotwork as a Subprocessor
- If Customer is acting as a Processor, Dotwork shall act as a Subprocessor, without altering either Party’s obligations under this DPA.
3. Customer’s Instructions to Dotwork
3.1 Purpose Limitation
Dotwork will process Customer Personal Data solely for the following purposes:
(a) To provide the Service in accordance with the Agreement.
(b) In compliance with Customer’s lawful instructions, as outlined in Section 3.3.
(c) As necessary to comply with Applicable Law.
(d) As otherwise mutually agreed in writing.
Customer Responsibility:
- The Customer, as Controller, acknowledges that the Service is not intended for the storage or processing of Restricted Data.
- Customer solely determines the categories and types of Personal Data submitted to the Service.
- Customer is responsible for using the Service securely and ensuring a level of security appropriate to the risk associated with Customer Personal Data.
- Customer agrees that the compliance and security measures outlined in the Agreement and this DPA provide sufficient safeguards for any Restricted Data that Customer chooses to submit.
3.2 No Sale of Personal Data / No Targeted Advertising
- Dotwork will not sell, share, or process Customer Personal Data for any commercial purpose except as necessary to provide the Service, in compliance with Applicable Law.
- Dotwork will not: a) share Customer Personal Data for cross-context behavioral advertising or b) use Customer Personal Data for any purpose not explicitly stated in the Agreement, unless legally required to do so.
- If required by Applicable Law, Dotwork will notify Customer before processing Personal Data outside the agreed scope, unless legally prohibited.
- Further details on Dotwork’s processing activities are provided in Exhibit A.
3.3 Lawful Instructions
- Customer appoints Dotwork as a Processor (or Subprocessor) to process Customer Personal Data in accordance with Customer’s instructions.
- Customer will not instruct Dotwork to process Personal Data in a manner that violates Applicable Law.
- If Dotwork believes that a Customer instruction would violate Applicable Law, it will promptly notify Customer.
- The Agreement, including this DPA and Customer’s Service configuration, constitutes the complete and final instructions regarding Customer Personal Data unless otherwise agreed in writing.
4. Subprocessing
4.1 Use of Subprocessors
- Customer acknowledges and agrees that Dotwork’s Affiliates and authorized third parties may act as Subprocessors to process Customer Personal Data on Dotwork’s behalf to facilitate the provision of the Service.
- Dotwork’s Subprocessors are listed on Dotwork’s Subprocessors page, which Customer may access to review the current list of Subprocessors.
- Dotwork will impose contractual obligations on all appointed Subprocessors, ensuring that they implement data protection standards at least as protective as those outlined in this DPA.
- Dotwork remains fully liable for the performance of its Subprocessors under this DPA, to the same extent as Dotwork is responsible for its own performance.
- If Customer subscribes to updates from Dotwork’s Subprocessors page, Customer will be automatically notified at least ten (10) business days in advance of any new Subprocessor being authorized to process Customer Personal Data (or, in the case of an emergency, as soon as reasonably practicable).
- Any subprocessor agreements provided under Clause 9 of the Standard Contractual Clauses (SCCs) may have commercially sensitive or unrelated provisions redacted prior to being shared with Customer, and such copies will be provided only upon Customer’s written request.
4.2 Right to Object
- Customer may object to a new Subprocessor appointment based on reasonable, data protection-related grounds by notifying Dotwork in writing at dpa@dotwork.com within thirty (30) days of receiving Dotwork’s Subprocessor notice (per Section 4.1).
- If Customer objects, Dotwork will use commercially reasonable efforts to: a) provide Customer with an alternative configuration or modification of the Service to prevent processing by the objected-to Subprocessor, or b) if no such modification is feasible within a reasonable timeframe (not exceeding thirty (30) days), either Party may, upon written notice, choose to terminate the affected Order Form(s) or the Agreement without penalty.
5. Assistance and Cooperation
5.1 Security Measures
- Dotwork will implement and maintain appropriate technical and organizational measures to safeguard Customer Personal Data against unauthorized access, disclosure, alteration, or destruction.
- These measures will be designed based on: a) the state of the art in security practices, b) the costs of implementation, c) the nature, scope, context, and purpose of the processing, d) the potential risks to the rights and freedoms of individuals.
- Dotwork will ensure that all personnel authorized to process Customer Personal Data are bound by a) written confidentiality agreements; or b) statutory obligations of confidentiality, which are no less protective than the confidentiality requirements set forth in the Agreement.
5.2 Security Incident Notification and Response
- Dotwork will notify the Customer without undue delay, or as required by Applicable Law, upon discovering a Security Incident involving Customer Personal Data.
- The notification, to the extent available at the time, will include: (a) The nature of the Security Incident, including, if possible: 1) The categories and approximate number of affected data subjects, 2) The categories and approximate number of affected personal data records. (b) The likely consequences of the Security Incident. (c) The measures taken or proposed by Dotwork to address the Security Incident, including, where applicable: 1) Mitigation efforts to minimize potential adverse effects.
- Dotwork will provide periodic updates as additional details about the Security Incident become available.
- Customer acknowledges that such updates may be based on incomplete information.
- Dotwork is not responsible for assessing the contents of Customer Data to determine legal obligations under Applicable Law.
- Nothing in this DPA or the Standard Contractual Clauses (SCCs) shall be interpreted to: a) Require Dotwork to violate any legal obligations concerning Security Incidents, or b) Delay compliance with any applicable security reporting requirements.
6. Responding to Individuals
- To the extent permitted by Applicable Law, if Dotwork receives a request from an individual seeking to exercise their data protection rights (a “Data Subject Request”), Dotwork will refer the individual back to Customer.
- Data Subject Requests may include, but are not limited to: a) access to their personal data, b) rectification (correction of inaccurate or incomplete data), c) restriction of processing, d) erasure (“right to be forgotten”), f) data portability (transfer of data to another provider), g) objection to processing, h) not being subject to automated decision-making.
- If Customer is unable to fulfill a Data Subject Request using the Service, Dotwork will, upon Customer’s request, provide commercially reasonable assistance to help Customer respond to such requests, to the extent legally permitted and if required under Applicable Law.
- Customer is responsible for any costs associated with Dotwork’s additional support or requested functionality enhancements to facilitate Data Subject Requests.
7. Data Protection Impact Assessments
- If consultation with supervisory authorities or other regulatory bodies is required, Dotwork will assist Customer by: a) providing publicly available documentation regarding the Service, b) complying with Section 10 (Audits) for any necessary verification processes.
- If Customer requires additional support beyond what is publicly available, including engagement with regulators, such assistance may be provided subject to mutual agreement on: a) fees associated with the additional support, b) the scope of Dotwork’s involvement, c) any other applicable terms agreed upon by both Parties.
8. Responding to Law Enforcement
- To the extent permitted by Applicable Law, if Dotwork receives a request for data or records from law enforcement or a governmental entity, Dotwork will respond in accordance with its Law Enforcement Guidelines.
- Dotwork will only comply with law enforcement requests that: a) adhere to established legal processes, and b) comply with all applicable law.
9. Data Transfers
9.1 Authorization for International Data Transfers
Customer authorizes Dotwork and its Subprocessors to transfer Customer Personal Data internationally as necessary to provide the Service, in compliance with this DPA and Applicable Law.
9.2 Transfer Mechanisms
Dotwork may process Customer Personal Data in any location where Dotwork, its Affiliates, or Subprocessors operate, provided such processing complies with Applicable Law. If a transfer requires appropriate safeguards, the following frameworks and Transfer Mechanisms will apply in order of precedence:
- Order of Precedence: The first applicable mechanism governs the transfer—(a) Data Privacy Frameworks, (b) Standard Contractual Clauses (SCCs) as outlined in Sections 9.2(3)-(5), or (c) any other alternative Transfer Mechanisms permitted under Applicable Law.
- Data Privacy Frameworks: If Dotwork processes Customer Personal Data from the EEA, UK, or Switzerland, Dotwork certifies compliance with the Data Privacy Frameworks and will adhere to the Data Privacy Principles.
- EU Standard Contractual Clauses (EU SCCs): The EU SCCs will govern Restricted Transfers under the GDPR, with the following provisions—(a) Module Two (Controller to Processor) applies when Customer is a Controller and Dotwork is a Processor; (b) Module Three (Processor to Processor) applies when Customer is a Processor and Dotwork is a Subprocessor; (c) Customer is the Data Exporter, and Dotwork is the Data Importer; (d) Clause 7 (Optional Docking Clause) applies; (e) Clause 9 (Use of Subprocessors) follows Option 2, with prior notice per Section 4.1 of this DPA; (f) Clause 11 (Redress Mechanism) does not apply; (g) Clause 17 states that Irish law governs the SCCs; (h) Clause 18(b) designates Irish courts for dispute resolution; (i) Annexes I and II of the SCCs are detailed in Exhibit A.
- UK International Data Transfer Addendum: The UK Addendum applies to Restricted Transfers protected by the UK GDPR and is completed as follows—(a) Table 1 uses information from Annex I of Exhibit A, (b) Table 2 references the EU SCC modules and clauses in Section 9.2(3), (c) Table 3 incorporates Annexes I and II from Exhibit A and Section 4.1 of this DPA, and (d) Table 4 allows the Importer to terminate the UK Addendum in accordance with its terms.
- Swiss Standard Contractual Clauses (Swiss SCCs): The EU SCCs apply to Restricted Transfers covered by the Swiss DPA with the following adjustments—(a) references to “Directive 95/46/EC” or “Regulation (EU) 2016/679” are interpreted as referring to the Swiss DPA, (b) references to “EU,” “Union,” or “Member State law” are understood as Swiss law, and (c) references to the “competent supervisory authority” and “competent courts” mean the Swiss data protection authority and Swiss courts. If the EU SCCs cannot lawfully govern these transfers, the Swiss SCCs will be incorporated and applied accordingly.
9.3 SCCs Prevail in Case of Conflict
If any conflict arises between the Standard Contractual Clauses (SCCs) and any provision in the Agreement (including this DPA), the SCCs will take precedence.
9.4 Execution of SCCs
By entering into this DPA, both Parties are deemed to have signed the applicable SCCs, including all relevant Appendices and Annexes.
10. Audits
10.1 Right to Audit
Customer or a mutually agreed-upon independent third-party auditor (“Auditor”) may conduct audits to assess Dotwork’s compliance with this DPA. Audits may involve reviewing documentation, data, certifications, reports, and records related to Dotwork’s processing of Customer Personal Data (“Records”). Audits must be conducted while the Agreement is in effect and will be performed at Customer’s sole expense.
10.2 Audit Requests & Notification
Customer must provide at least fourteen (14) days’ prior written notice before requesting an Audit, with a limit of one audit per year unless a Security Incident occurs, in which case Customer may request an additional Audit within a reasonable timeframe following the incident.
10.3 Additional Information & On-Site Inspections
If the provided Records do not sufficiently demonstrate compliance, Customer may request additional written information, which Dotwork will provide within a reasonable timeframe. If additional information is insufficient, Customer may request an on-site inspection (“Inspection”) with at least twenty-one (21) days’ prior written notice, subject to:
(a) Mutual agreement on the scope, timing, and duration of the Inspection.
(b) Use of an Auditor to conduct the Inspection.
(c) The Inspection taking place during Dotwork’s regular business hours with minimal operational disruption.
(d) Customer covering all costs, including Dotwork’s time billed at Dotwork’s prevailing rates.
Inspections are limited to once per year, except in the event of a Security Incident.
10.4 Confidentiality & Data Protection
Any Auditor conducting an Audit or Inspection must be bound by strict confidentiality obligations at least as protective as those in the Agreement. Auditors may not access data or information belonging to other Dotwork customers or receive Dotwork’s confidential or proprietary information unless it is directly relevant to the authorized scope of the Audit or Inspection.
10.5 Corrective Measures
If an Audit or Inspection identifies material non-compliance, Dotwork will take prompt corrective action to resolve the issue.
11. Return or Deletion of Customer Personal Data
11.1 Data Deletion Upon Termination
Upon termination of the Agreement, Dotwork will delete all Customer Personal Data upon written and verified request from an authorized Customer representative unless retention is required by Applicable Law.
11.2 Authorized Representatives for Deletion Requests
A deletion request must originate from (a) a billing owner or Administrator of the Service, or (b) designated Customer personnel who have submitted prior written confirmation of their authority to act on behalf of Customer.
11.3 Default Data Deletion
If no deletion request is received following termination, Dotwork may delete Customer Personal Data in accordance with its legal and contractual obligations.
EXHIBIT A
A. LIST OF PARTIES
MODULE TWO: Transfer Controller to Processor
MODULE THREE: Transfer Processor to Processor
Data Exporter(s):
Name: Customer, a user of the Service.
Address: As stated in the Agreement.
Contact Person: As listed in the Agreement.
Relevant Processing Activities: As described in Section B below.
Signature & Date: See Section 9.4 of the DPA.
Role: Controller and/or Processor.
Data Importer(s):
Name: Dotwork, Inc., provider of the Service.
Address: 800 Camp Springs LN, Georgetown TX
Contact Person: security@dotwork.com
Relevant Processing Activities: As described in Section B below.
Signature & Date: See Section 9.4 of the DPA.
Role: Processor.
B. DESCRIPTION OF TRANSFER
MODULE TWO: Transfer Controller to Processor
MODULE THREE: Transfer Processor to Processor
Categories of Data Subjects Whose Personal Data is Transferred:
- Determined solely by Customer.
- Typically includes: Customer personnel, Customers, Service providers, Business partners, Affiliates, Other End Users.
Categories of Personal Data Transferred:
- Determined solely by Customer.
- May include (but is not limited to): Names, Email addresses, Phone numbers, Job titles, Project details, Task lists entered by End Users.
Sensitive Data Transferred & Associated Restrictions/Safeguards:
- Customer determines all data categories submitted through the Service.
- Customer is responsible for ensuring that: a) The Service is used securely and b) The security measures outlined in the Agreement and DPA provide sufficient safeguards for processing.
Frequency of Transfer:
- Continuous with use of the Service.
Nature of Processing:
- Provision of the Service to Customer in accordance with the Agreement.
Purpose(s) of Data Transfer & Further Processing:
- To enable Customer's use of the Service, as described in the Agreement.
Retention Period for Personal Data:
- As long as necessary to: a) Provide the Service, b) Fulfill legal or contractual obligations, and c) Delete upon Customer’s verified request.
Subprocessors & Processing Details:
- Subject matter, nature, and duration are outlined above and in the Agreement.
C. COMPETENT SUPERVISORY AUTHORITY
MODULE TWO: Transfer Controller to Processor
MODULE THREE: Transfer Processor to Processor
The competent supervisory authority under Clause 13 will be: The Data Protection Commission (DPC) of Ireland.
Annex II to the Standard Contractual Clauses
Technical & Organizational Measures to Ensure Data Security
Dotwork follows key security principles in the design and implementation of its security program, including:
- Physical and Environmental Security – Preventing unauthorized access, use, or modification of systems.
- Availability – Ensuring the Service remains operational and accessible.
- Confidentiality – Protecting Customer Data from unauthorized disclosure.
- Integrity – Maintaining the accuracy and consistency of data.
Details of Dotwork’s technical and organizational security measures are available in Dotwork’s Data Security Standards.
Specific Security Measures
- Encryption of Data: TLS 1.2+ encryption for data in transit and AES-256 encryption for data at rest.
- Confidentiality & Access Controls: Role-based access restrictions, multi-factor authentication (MFA), and user authentication mechanisms.
- System & Network Security: Firewalls, intrusion detection systems, continuous monitoring, and incident response protocols.
- Audit Logging: System logs track user actions, timestamps, and security events for monitoring and compliance.
- Business Continuity & Disaster Recovery: Regular data backups, disaster recovery drills, and resilience planning to ensure service availability.
- Regular Security Assessments: Ongoing penetration testing, internal security audits, and risk management reviews.
- Third-Party Security Compliance: Routine evaluations of SOC 2, ISO 27001, and third-party security certifications to ensure compliance.
- Data Minimization & Retention: Only necessary data is collected and stored, with retention aligned to legal and compliance obligations.
As described in the DPA, Dotwork has measures in place to provide assistance to controllers as needed. Such measures include, but are not limited to, the ability to delete all Customer Personal Data associated with a domain and making available APIs to allow controllers to better manage and control their data. With regard to Data Subject Requests, in the event the controller is unable to address a Data Subject Request in its use of the Service, Dotwork will, upon request, provide commercially reasonable efforts to assist the controller in responding to such Data Subject Request, to the extent Dotwork is legally permitted to do so and the response to such Data Subject Request is required under Applicable Law. Data subjects may also exercise their rights by contacting Dotwork at any time using security@dotwork.com.