Last Updated: August 4, 2023
Data Processing Agreement (DPA)
This Data Processing Agreement (“DPA”) forms part of the Terms of Service and any applicable service agreement between Worksnaps and the Customer and applies where Worksnaps processes Personal Data on behalf of the Customer in connection with the Services.
Definitions
For purposes of this DPA:
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Controller" means the entity that determines the purposes and means of processing Personal Data.
- "Processor" means the entity that processes Personal Data on behalf of the Controller.
- "Data Subject" means the identified or identifiable individual.
- "Subprocessor" means any third party engaged by Processor to process Personal Data.
- "Applicable Data Protection Law" includes GDPR and other applicable privacy laws.
Terms not otherwise defined shall have the meaning given in the Terms of Service.
Subject Matter and Duration
This DPA applies to the processing of Personal Data necessary for Worksnaps to provide time tracking, productivity monitoring, reporting, screenshot capture, and related support services.
Processing shall continue for the duration of the Customer’s subscription and for any lawful retention period thereafter.
Nature and Purpose of Processing
Processing may include:
- account creation and administration
- time tracking and reporting
- screenshot capture and storage
- activity monitoring and productivity reporting
- customer support and troubleshooting
- fraud prevention and security monitoring
- service maintenance and operational support
Processor shall process Personal Data only on documented instructions from Customer unless otherwise required by law.
Categories of Personal Data
Depending on Customer configuration, Personal Data may include:
- employee names
- email addresses
- account login details
- work session timestamps
- screenshots
- application and website usage data
- window titles
- activity percentages
- IP addresses
- browser and device information
- billing contact information
- support communications
Processor does not intentionally collect sensitive personal data unless Customer configures or uploads such data.
Categories of Data Subjects
Data Subjects may include:
- employees
- contractors
- freelancers
- managers
- administrators
- customer account users
Customer Responsibilities
Customer is responsible for:
- complying with all applicable employment, workplace monitoring, and privacy laws
- providing required notices to employees and users
- obtaining any required consents
- determining the lawful basis for processing
- configuring privacy and monitoring settings appropriately
- responding to Data Subject requests where Customer acts as Controller
Processor does not provide legal advice regarding Customer’s compliance obligations.
Processor Obligations
Processor shall:
- process Personal Data only on documented instructions from Customer
- ensure persons authorized to process Personal Data are bound by confidentiality obligations
- implement appropriate technical and organizational security measures
- assist Customer with Data Subject requests where reasonably required
- assist Customer with security, breach, and compliance obligations where required by law
- notify Customer of a confirmed Personal Data Breach without undue delay
- delete or return Personal Data upon termination where applicable
- make available information reasonably necessary to demonstrate compliance with this DPA
Security Measures
Processor shall maintain reasonable and appropriate safeguards including, where applicable:
- access controls and role-based permissions
- authentication protections
- encryption in transit
- secure hosting infrastructure
- backup and recovery procedures
- logging and monitoring of critical systems
- vendor security management
- employee confidentiality obligations
A summary of current security measures may be provided upon reasonable request.
Subprocessors
Customer authorizes Processor to engage Subprocessors necessary for service delivery.
Processor shall:
- maintain a current list of major Subprocessors
- require Subprocessors to provide data protection obligations substantially similar to this DPA
- remain responsible for Subprocessor compliance where required by law
Current Subprocessors are listed here.
International Data Transfers
Customer acknowledges that Personal Data may be processed in the United States and other countries where Processor or its Subprocessors operate.
Where required by Applicable Data Protection Law, Processor shall implement appropriate safeguards for international transfers, including Standard Contractual Clauses (SCCs) where applicable.
Additional transfer documentation may be provided upon reasonable request.
Data Subject Requests
Where Processor receives a request directly from a Data Subject relating to Personal Data processed on behalf of Customer, Processor may:
- direct the request to Customer
- notify Customer of the request
- provide reasonable assistance where appropriate and legally required
Customer remains primarily responsible for responding to such requests.
Personal Data Breach
In the event of a confirmed Personal Data Breach affecting Customer Personal Data, Processor shall:
- notify Customer without undue delay
- provide available relevant information regarding the breach
- take reasonable steps to contain, investigate, and remediate the issue
Processor is not responsible for breaches caused by Customer systems, Customer misuse, or third-party systems outside Processor’s control.
Audits and Compliance Information
For small-business SaaS operations, formal on-site audits are generally not supported unless required by law.
Processor shall instead provide reasonable documentation, compliance information, and responses to standard privacy/security questionnaires where appropriate.
Additional audit requests may be subject to reasonable limitations and cost recovery.
Return and Deletion of Data
During the Agreement term, Customer may retrieve Customer Data at any time using the Service’s available controls.
Upon termination of Services and subject to lawful retention requirements, Processor shall:
- delete Customer Personal Data within thirty (30) days, or
- return Customer Personal Data where technically feasible and requested
This requirement shall not apply to the extent Worksnaps is required by applicable law to retain some or all of the Personal Data, or to Personal Data it has archived on back-up systems; Worksnaps shall securely isolate such archived Personal Data and protect it from any further processing, except to the extent required by applicable law.
Limitation of Liability
The liability of each party under this DPA shall be subject to the limitations and exclusions set forth in the Terms of Service unless otherwise required by Applicable Data Protection Law.
Governing Law
This DPA shall be governed by the laws specified in the Terms of Service unless otherwise required by applicable privacy law.
