Data Processing Agreement
This Work 365 Data Processing Agreement (“DPA”) forms part of the agreement governing the use of the Work 365 platform and related services (the “Agreement”) between you (the “Customer” or “Controller”) and the Work 365 service provider (the “Processor”).
This DPA sets out the parties’ agreement regarding the processing of Customer Personal Data by Work 365 acting as a Processor on behalf of the Customer in connection with the Services, and, where applicable, the processing of Personal Data by each party as an independent Controller, in accordance with applicable data protection laws.
This DPA is entered into pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR) and other applicable data protection laws.
In the event of any conflict between this DPA and the Agreement, this DPA shall prevail to the extent of such conflict.
We may update this DPA from time to time. The most current version will always be available through the Work 365 Legal Center.
The term of this DPA follows the term of the Agreement. Capitalized terms not defined here have the meanings set out in the Agreement.
1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set out below. Capitalized terms not otherwise defined herein shall have the meanings given to them in the GDPR or the Agreement.
1.1 “Agreement” means the agreement between Controller and Processor governing the provision and use of the Services, of which this DPA forms an integral part.
1.2 “Anonymized Data” means data that has been processed in such a manner that it can no longer be used to identify a Data Subject, directly or indirectly, and that does not constitute Personal Data under the GDPR, taking into account all means reasonably likely to be used for identification.
1.3 “Controller” means the entity that determines the purposes and means of the Processing of Personal Data, as defined in Article 4(7) GDPR, and as identified in the Agreement.
1.4 “Customer” means the entity entering into the Agreement with the Processor for use of the Services, acting as Controller under this DPA.
1.5 “Data Subject” means an identified or identifiable natural person to whom Personal Data relates, as defined in Article 4(1) GDPR.
1.6 “Personal Data” means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR, that is processed by the Processor on behalf of the Controller under this DPA.
1.7 “Personal Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data, as defined in Article 4(12) GDPR.
1.8 “Processing” or “Process” means any operation or set of operations performed on Personal Data, whether or not by automated means, as defined in Article 4(2) GDPR.
1.9 “Processor” means the entity that processes Personal Data on behalf of the Controller, as defined in Article 4(8) GDPR, and as identified in the Agreement.
1.10 “Services” means the Work 365 platform and related services provided by the Processor to the Controller under the Agreement.
1.11 “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, as adopted by the European Commission and incorporated into this DPA pursuant to Schedule 3.
1.12 “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller in connection with the Services.
1.13 “Supervisory Authority” means an independent public authority established by an EU Member State pursuant to Article 51 GDPR.
1.14 “Technical and Organizational Measures” or “TOMs” means the technical and organizational measures implemented by the Processor to protect Personal Data, as referred to in Article 32 GDPR and described in Schedule 2.
1.15 “Transfer” means a transfer of Personal Data to a country outside the European Economic Area or an act of making Personal Data available to a recipient located in a third country, within the meaning of Chapter V GDPR.
2. Roles of the Parties
2.1 Controller acts as the Data Controller within the meaning of the GDPR.
2.2 Processor acts as the Data Processor and shall process Personal Data solely on documented instructions from the Controller. The Parties agree that the Agreement, this DPA, and the Controller’s use of the Services in accordance with the Agreement constitute the Controller’s documented instructions.
3. Subject Matter and Scope
This DPA applies to all processing of Personal Data by the Processor in connection with the provision of the Work 365 subscription billing, automation, and management platform.
4. Processing Details
The subject matter, duration, nature, purpose of processing, categories of Personal Data, and categories of Data Subjects are described in Schedule 1.
5. Location of Processing and Access
5.1 Customer Personal Data is hosted and processed primarily within the European Union using Microsoft Azure infrastructure located in the EU West region.
5.2 Processor personnel located outside the EU/EEA, including in the United States, may access Personal Data solely as necessary to provide technical support, maintenance, security operations, and incident response, subject to appropriate safeguards. Such access shall constitute a transfer under Chapter V GDPR and shall be subject to the safeguards set out in Clause 7 and Schedule 3.
6. Processor Obligations
Processor shall:
(a) Process Personal Data only on documented instructions from the Controller;
(b) Ensure that persons authorized to process Personal Data are subject to confidentiality obligations;
(c) Implement appropriate technical and organizational measures pursuant to Article 32 GDPR;
(d) Assist Controller in responding to Data Subject rights requests to the extent reasonably required and proportionate to the nature of the processing and the Services;
(e) Assist Controller in complying with Articles 32 to 36 GDPR to the extent reasonably required and proportionate to the nature of the processing and the Services;
(f) Delete or return Personal Data upon termination of the Agreement, unless retention is required by law;
(g) Make available information reasonably necessary to demonstrate compliance with this DPA; and
(h) Be entitled to use anonymized and aggregated data derived from Personal Data for analytics, service improvement, and machine learning purposes, provided such data does not constitute Personal Data under the GDPR.
7. Sub-processors
7.1 Controller grants Processor a general authorization to engage sub-processors to process Personal Data in connection with the Services.
7.2 Processor shall maintain an up-to-date list of sub-processors at https://resources.work365apps.com/sub-processors-page and shall notify Controller of any intended changes concerning the addition or replacement of sub-processors, except where such changes are required on an urgent basis to maintain the security or availability of the Services.
7.3 Controller may object to such changes on reasonable and documented data protection grounds by providing written notice within [30] days of notification.
7.4 In the event of a valid objection, the Parties shall use commercially reasonable efforts to address the Controller’s concerns. If no reasonable solution is available, Processor may, at its sole discretion, either
(i) not implement the change, or
(ii) suspend or terminate the affected Services upon written notice.
8. International Data Transfers
Where Personal Data is transferred outside the EU/EEA, Processor shall ensure appropriate safeguards in accordance with Chapter V GDPR, including the EU Standard Contractual Clauses and supplementary technical and organizational measures where required.
9. Security of Processing
Processor shall implement appropriate technical and organizational measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure or access, as further described in Schedule 2.
10. Personal Data Breach Notification
Processor shall notify Controller without undue delay after becoming aware of a Personal Data Breach and in any event in accordance with Article 33 GDPR, and shall cooperate with investigation, mitigation, and regulatory notification obligations.
11. Audits and Compliance
Processor shall allow for and contribute to audits, including inspections conducted by the Controller or its mandated auditor, subject to the limitations set out below.
Controller may audit Processor’s compliance with this DPA no more than once per calendar year, upon reasonable prior written notice. Processor may satisfy audit requests by providing relevant third-party audit reports or certifications (e.g., SOC 2, ISO 27001).
Audits shall be conducted during Processor’s normal business hours and shall not unreasonably interfere with Processor’s operations.
12. Data Subject Rights Assistance
Processor shall assist Controller, taking into account the nature of the processing, in fulfilling Controller’s obligation to respond to Data Subject requests to the extent reasonably required and proportionate to the nature of the processing and the Services.
13. Deletion or Return of Data
Upon termination of the Agreement, Processor shall delete or return Personal Data at Controller’s choice within 180 days of termination, unless retention is required by applicable law. This shall not apply to Personal Data stored in backup systems, which shall be securely isolated and deleted in accordance with Processor’s backup retention schedules.
14. Liability
Each Party’s liability arising out of or in connection with this DPA shall be subject to the limitations of liability set forth in the Agreement, except where prohibited by applicable law.
15. Governing Law and Jurisdiction
This DPA shall be governed by the governing law specified in the Agreement. The courts specified in the Agreement shall have jurisdiction over disputes arising out of this DPA.
16. Order of Precedence
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters.
Schedule 1 – Details of Processing
Subject Matter: Provision of the Work 365 SaaS platform
Duration: Term of the Agreement
Nature of Processing: Hosting, access, storage, billing automation, support
Purpose of Processing: Subscription management, billing automation, service-related analytics and reporting performed solely for the purpose of providing, maintaining, securing, and improving the Services for the Controller.
Types of Personal Data: Names, business email addresses, identifiers, IP addresses, usage and audit logs
Categories of Data Subjects: Customer employees, contractors, authorized users
Schedule 2 – Technical and Organizational Measures
- Encryption of data in transit and at rest
- Logical tenant isolation
- Role-based access controls and least privilege
- Centralized logging and monitoring
- Incident response and business continuity procedures
- Regular vulnerability scanning and security reviews
Schedule 3 – Standard Contractual Clauses
Where applicable, the EU Standard Contractual Clauses (Controller to Processor, Module 2) are incorporated by reference and form an integral part of this DPA.