Data Processing Agreement
Last modified: July 8, 2026
This Data Processing Agreement (“DPA”) forms part of the Terms of Service or other written or electronic agreement between WorkComposer Inc and Customer for the provision of the Services (the “Agreement”).
Parties
- WorkComposer Inc, a Delaware corporation, United States, with its registered office at 651 N Broad St, Suite 206, Middletown, DE 19709, United States, and a mailing address of 9450 SW Gemini Dr, PMB 94875, Beaverton, OR 97008-7105, United States (“WorkComposer”, “we”, “us”, the “Processor”); and
- Customer, the organization that has entered into the Agreement and accepted this DPA (“Customer”, “you”, the “Controller”).
Each a “Party” and together the “Parties”.
Effective date. This DPA takes effect on the date Customer accepts it (by clicking to accept, by executing the Agreement, or by continuing to use the Services after being presented with it), whichever is earliest (the “Effective Date”).
1. Definitions
- “Applicable Data Protection Law” means all laws and regulations applicable to the Processing of Personal Data under this DPA, including, where applicable, Regulation (EU) 2016/679 (“GDPR”), the GDPR as retained in United Kingdom law (“UK GDPR”) together with the UK Data Protection Act 2018, and applicable United States federal and state privacy laws.
- “Authorized Users” means individuals whom Customer permits to access and administer the Services on Customer's behalf (for example, account owners, administrators, and managers).
- “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Personal Data Breach”, and “Supervisory Authority” have the meanings given in the GDPR (and their functional equivalents under other Applicable Data Protection Law).
- “Customer Personal Data” means Personal Data that WorkComposer Processes on Customer's behalf under the Agreement, as described in Annex I. This corresponds to the “Monitoring Data” and account data described in WorkComposer's Terms of Service and Privacy Policy.
- “Monitored Users” means the individuals — typically Customer's employees, workers, or contractors — whose activity is monitored, measured, or recorded through the Services, and who are the Data Subjects of the Customer Personal Data.
- “Services” means WorkComposer's B2B employee time-tracking and workforce-monitoring platform, including time and activity tracking, screenshots, application and URL tracking, and any silent or covert monitoring postures that Customer chooses to enable.
- “Silent Monitoring” means any monitoring posture in which the WorkComposer desktop application collects data while suppressing the interactive on-screen controls that would otherwise be visible to the Monitored User, including the postures WorkComposer markets as “Silent” and “Silent-Extended”.
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision (EU) 2021/914 of 4 June 2021.
- “Subprocessor” means any third party engaged by WorkComposer to Process Customer Personal Data on WorkComposer's behalf in connection with the Services.
2. Roles and scope
2.1 Roles. As between the Parties, Customer is the Controller and WorkComposer is the Processor with respect to the Customer Personal Data. Where Customer itself acts as a processor on behalf of a third-party controller, Customer appoints WorkComposer as a sub-processor and warrants that it has the authority to do so.
2.2 Scope. This DPA applies to WorkComposer's Processing of Customer Personal Data carried out in the course of providing the Services. The subject-matter, duration, nature and purpose of the Processing, the types of Personal Data, and the categories of Data Subjects are set out in Annex I.
2.3 Order of precedence. In the event of a conflict between this DPA and the Agreement regarding the Processing of Customer Personal Data, this DPA prevails. In the event of a conflict between this DPA and the SCCs, the SCCs prevail with respect to the transfers they govern.
3. Customer's obligations and representations (lawful basis, notice, and monitoring)
This Section is central. WorkComposer provides monitoring tools; Customer decides who is monitored, how, and on what legal footing. The obligations below reflect that division of responsibility.
- (a) it is the Controller (or an authorized processor acting on a controller's documented instructions) with respect to the Customer Personal Data;
- (b) it has a valid legal basis under Applicable Data Protection Law (for example, and where applicable, Article 6 GDPR and, for special-category data, Article 9 GDPR) for the collection and Processing of the Customer Personal Data through the Services, including for any monitoring it enables;
- (c) it has provided, or will provide before monitoring begins, all notices, information, and disclosures required by Applicable Data Protection Law and applicable employment, labor, and electronic-communications law to the Monitored Users, including notice that their activity may be monitored, the categories of data collected, the purposes of the monitoring, and how Data Subjects may exercise their rights;
- (d) where required by law, it has obtained any necessary consents, completed any required consultation with or notification to works councils, employee representatives, or co-determination bodies, and completed any required data protection impact assessment; and
- (e) its instructions to WorkComposer, and its configuration and use of the Services, comply with Applicable Data Protection Law and do not cause WorkComposer to be in breach of that law.
3.2 Silent Monitoring. Customer acknowledges that Silent Monitoring reduces the on-device signals a Monitored User would otherwise see. Customer represents and warrants that, before enabling any Silent Monitoring posture, it has independently satisfied the notice and lawful-basis requirements in Section 3.1 with respect to that posture, taking into account that covert or reduced-visibility monitoring attracts heightened legal scrutiny in many jurisdictions (including, for example, under Articles 5, 6, and 88 GDPR, works-council and co-determination law in Germany and France, and electronic-communications and state notice statutes in the United States). WorkComposer's provision of Silent Monitoring functionality is not, and must not be relied on as, advice that any particular use of it is lawful. Guidance on these obligations is provided in WorkComposer's Employer Monitoring-Compliance Guide, which does not constitute legal advice.
3.3 Indemnity reference. Customer's responsibility for the lawfulness of the Processing, and any allocation of liability arising from a breach of the representations in this Section, is governed by the Agreement — in particular the monitoring indemnity (Terms of Service Section 3.5) and the limitation-of-liability provisions (Terms of Service Section 12).
4. WorkComposer's Processing obligations
4.1 Processing on documented instructions. WorkComposer Processes Customer Personal Data only on Customer's documented instructions, including with regard to transfers, unless required to do otherwise by applicable law; in that case, WorkComposer will inform Customer of the legal requirement before Processing, unless that law prohibits such notice on important grounds of public interest. The Agreement, this DPA, and Customer's use and configuration of the Services constitute Customer's complete and final documented instructions. Any additional or different instruction requires prior written agreement.
4.2 Unlawful instructions. WorkComposer will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law. WorkComposer is not obligated to, and does not, review the lawfulness of Customer's monitoring program or its underlying legal basis.
4.3 Purpose limitation. WorkComposer will not Process Customer Personal Data for any purpose other than providing and supporting the Services and as otherwise instructed by Customer, and will not sell Customer Personal Data or use it for its own independent purposes.
5. Confidentiality
5.1 WorkComposer ensures that all personnel authorized to Process Customer Personal Data are bound by an appropriate obligation of confidentiality (whether a contractual duty or a statutory duty of confidentiality) and have received appropriate instruction regarding their obligations.
5.2 WorkComposer limits access to Customer Personal Data to those personnel who need access to provide, support, or maintain the Services.
6. Security
6.1 Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects, WorkComposer implements appropriate technical and organizational measures designed to ensure a level of security appropriate to the risk, as further described in Annex II and consistent with Article 32 GDPR.
6.2 WorkComposer may update the measures in Annex II from time to time provided that the updated measures do not materially reduce the overall level of security of the Services.
7. Subprocessors
7.1 General authorization. Customer grants WorkComposer general authorization to engage Subprocessors to Process Customer Personal Data, subject to this Section. WorkComposer's current Subprocessors are listed on our Subprocessors page (the “Subprocessor List”).
7.2 Flow-down. WorkComposer imposes on each Subprocessor, by written contract, data-protection obligations that are, in substance, no less protective than those in this DPA, in particular sufficient guarantees to implement appropriate technical and organizational measures. WorkComposer remains fully liable to Customer for the performance of each Subprocessor's obligations.
7.3 Change notice. WorkComposer will notify Customer of any intended addition or replacement of a Subprocessor, giving Customer an opportunity to object, by updating the Subprocessor List and, for Customers who subscribe to change notifications, by the notification mechanism described on that page. WorkComposer will provide such notice at least thirty (30) days before the new Subprocessor begins Processing Customer Personal Data.
7.4 Objection. If Customer has a reasonable, data-protection-based objection to a new Subprocessor, Customer may notify WorkComposer in writing within thirty (30) days of the notice. The Parties will work in good faith to resolve the objection. If no resolution is reached, Customer may, as its sole and exclusive remedy, terminate the affected Services in accordance with the Agreement.
8. Assistance to Customer
8.1 Data Subject requests. Taking into account the nature of the Processing, WorkComposer will assist Customer by appropriate technical and organizational measures, insofar as this is possible, in fulfilling Customer's obligation to respond to requests to exercise Data Subject rights under Chapter III of the GDPR (Articles 12–22), including rights of access, rectification, erasure, restriction, portability, and objection. Where WorkComposer receives such a request directly from a Data Subject, it will, unless legally prohibited, promptly forward the request to Customer and will not respond to the request itself except on Customer's documented instructions or as required by law. Customer can access, correct, export, and delete Customer Personal Data through the functionality of the Services and, where self-service functionality is not available, by contacting privacy@workcomposer.com.
8.2 Security, breach, DPIA, and consultation. Taking into account the nature of Processing and the information available to WorkComposer, WorkComposer will provide reasonable assistance to Customer in ensuring compliance with Customer's obligations under Articles 32 to 36 GDPR, namely security of Processing (Art. 32), Personal Data Breach notification (Arts. 33–34), data protection impact assessments (Art. 35), and prior consultation with a Supervisory Authority (Art. 36).
9. Personal Data Breach notification
9.1 WorkComposer will notify Customer without undue delay, and in any event within seventy-two (72) hours, after confirming a Personal Data Breach affecting Customer Personal Data, so that Customer can meet its own notification obligations.
9.2 The notification will, to the extent then known and reasonably available to WorkComposer, describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. Where WorkComposer cannot provide all information at once, it may provide it in phases without undue further delay.
9.3 WorkComposer's notification is not an acknowledgment of fault or liability. Customer is responsible for determining whether the breach requires notification to any Supervisory Authority or Data Subject and for making any such notification.
10. Return and deletion
10.1 Upon termination or expiry of the Agreement, WorkComposer will, at Customer's choice, delete or return all Customer Personal Data, and delete existing copies, unless applicable law requires continued storage.
10.2 In the ordinary course, Customer Personal Data associated with tracking (screenshots, activity, application/URL, and time data) is automatically deleted one (1) year after collection, or on account deletion, whichever occurs first. Customer may delete its account and all associated data at any time through the self-service account-deletion functionality of the Services; upon an Owner-role user's confirmed deletion request, that data is purged promptly. Where an account's invoices remain unpaid for more than approximately two (2) months, WorkComposer may delete the account following at least fourteen (14) days' advance warning notice. All deletion is subject to routine backup cycles from which data is purged in the ordinary course, and subject to Section 10.1.
11. Audits
11.1 WorkComposer makes available to Customer information reasonably necessary to demonstrate compliance with this DPA and with Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by Customer or an auditor mandated by Customer.
11.2 To satisfy audit requests, WorkComposer may provide relevant documentation describing its technical and organizational measures and, where available, third-party assessments or reports, before offering an on-site inspection. Any on-site audit will be conducted on reasonable prior written notice (not less than thirty (30) days, except where a Supervisory Authority requires otherwise), during normal business hours, no more than once per twelve-month period (except following a Personal Data Breach or where required by a Supervisory Authority), subject to confidentiality obligations, and in a manner that does not disrupt WorkComposer's operations or compromise the security or data of other customers.
12. International transfers
12.1 Customer acknowledges that WorkComposer Processes and stores Customer Personal Data on infrastructure located in the United States (Amazon Web Services, region us-east-1).
12.2 To the extent WorkComposer's Processing of Customer Personal Data involves a transfer of that data from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision, the Parties agree that such transfers are governed by the Standard Contractual Clauses, which are incorporated into this DPA by reference and completed as set out in Annex III and in our International Data Transfers note. Module Two (controller to processor) applies where Customer is a Controller, and Module Three (processor to processor) applies where Customer acts as a processor. For transfers subject to the UK GDPR, the SCCs are supplemented by the UK International Data Transfer Addendum. For transfers subject to Swiss law, the SCCs apply with the adaptations required by the Swiss Federal Act on Data Protection.
12.3 Where WorkComposer obtains and maintains certification under the EU–US Data Privacy Framework (and its UK and Swiss extensions), that certification serves as the transfer mechanism for onward transfers within its scope, and the SCCs referenced above continue to apply as a supplementary safeguard and fallback. The completed SCCs and their annexes, together with WorkComposer's transfer-impact assessment, are set out in our International Data Transfers note.
13. General
13.1 Liability. Each Party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Agreement.
13.2 Governing law. This DPA is governed by the law of the State of Delaware, United States, and subject to the jurisdiction specified in the Agreement, except that, for transfers governed by the SCCs, the governing law and jurisdiction of the SCCs (the law and courts of Ireland) apply to the subject-matter of those clauses. The SCC governing-law and forum selections are set out in our International Data Transfers note, Section 4.
13.3 Changes. WorkComposer may update this DPA to reflect changes in Applicable Data Protection Law, the Services, or its Subprocessors, provided that no update materially reduces Customer's protections. Material changes will be notified in accordance with the Agreement.
13.4 Severability and survival. If any provision of this DPA is found unenforceable, the remaining provisions remain in effect. Provisions that by their nature should survive termination (including Sections 5, 9, 10, 11, and 13) survive.
Annex I — Description of Processing
A. Parties. As set out in the preamble: Customer (Controller / data exporter) and WorkComposer Inc (Processor / data importer).
B. Subject-matter of the Processing. WorkComposer's Processing of Customer Personal Data as necessary to provide the Services (B2B employee time-tracking and workforce monitoring).
C. Duration of the Processing. For the term of the Agreement, plus the retention and deletion periods described in Section 10.
D. Nature and purpose of the Processing. Collection, recording, storage, organization, structuring, transmission, display, and deletion of Monitored-User activity data for the purpose of providing time-tracking, productivity, and workforce-monitoring functionality to Customer, including capturing screenshots, measuring activity levels, and recording applications and URLs used, together with account administration, billing, security, and support.
- Identity and account data: name, email address, job title/role, organization, profile settings.
- Time and attendance data: work start/stop times, session durations, timesheets.
- Activity and productivity data: activity levels, keyboard/mouse activity indicators, idle time.
- Application and browsing data: names of applications used, window titles, and URLs/websites visited.
- Screen-content data: periodic screenshots of the Monitored User's screen (which may incidentally contain other Personal Data displayed on screen).
- Device and technical data: IP address, approximate location derived from IP, device/OS identifiers, and log data.
- Billing and payment data (for Authorized Users / account owners): processed via WorkComposer's payment Subprocessor.
F. Special categories of Personal Data. WorkComposer does not intentionally collect special-category Personal Data (Art. 9 GDPR). Screenshots and application/URL data may incidentally capture such data depending on what a Monitored User has on screen. Customer is responsible for configuring the Services (for example, screenshot frequency, blurring, or exclusions where available) and for its lawful basis for any such incidental Processing.
G. Categories of Data Subjects. Monitored Users (Customer's employees, workers, and contractors) and Authorized Users (Customer's administrators and account owners).
H. Frequency of transfer. Continuous, for the duration of the Agreement.
Annex II — Technical and Organizational Measures (Article 32)
WorkComposer implements and maintains the following technical and organizational measures. These measures are described accurately and generically; WorkComposer does not claim to hold any specific security certification unless expressly stated on its website.
- In transit. Personal Data is encrypted in transit using Transport Layer Security (TLS) version 1.3, terminated at the load balancer.
- At rest — database. The database (self-hosted MongoDB) is stored on encrypted Amazon Elastic Block Store (EBS) volumes, with EBS encryption enabled.
- At rest — object storage. Object storage for screenshots and uploaded files (Amazon S3) is protected by server-side encryption, which WorkComposer enforces on stored objects.
- Access to production systems and to Customer Personal Data is restricted to authorized personnel on a need-to-know basis, applying the principle of least privilege.
- Two-factor authentication is enabled on administrative access.
- Administrative access to internal tooling is restricted and, where applicable, network-restricted (for example, VPN-gated administrative interfaces).
- Authentication controls for the Services include password-based sign-in with rate-limiting/throttling, two-factor authentication, and support for third-party OAuth sign-in.
3. Network security. Production systems are deployed within an isolated network environment, and network access is restricted using security groups and firewall rules that permit only the traffic necessary to operate the Services.
4. Pseudonymization and data minimization. WorkComposer Processes Customer Personal Data only as necessary to provide the Services and applies retention limits (see measure 8). The Services provide configuration options through which Customer can limit the data collected (for example, screenshot frequency and, where available, screenshot blurring or exclusions).
5. Backups. Backups of production data are maintained using encrypted Amazon EBS snapshots.
6. Logging and monitoring. WorkComposer maintains logging and monitoring of its production systems, including audit logging of administrative actions, to support the detection and investigation of security events.
7. Organizational measures. Personnel and contractors with access to Customer Personal Data are bound by confidentiality obligations. Subprocessors are engaged under written contracts imposing data-protection and security obligations consistent with this DPA (see Section 7).
8. Retention and deletion. Tracking data (screenshots, activity, and time data) is automatically deleted after one (1) year by a scheduled, regularly running deletion process. Account and Personal Data can be deleted via self-service account deletion.
9. Regular review. WorkComposer reviews and, where appropriate, improves its technical and organizational measures on an ongoing basis.
Annex III — Standard Contractual Clauses (completion)
Where the SCCs apply under Section 12, they are completed in our International Data Transfers note (EU Standard Contractual Clauses, Commission Implementing Decision (EU) 2021/914, Module Two, with annexes filled and a transfer-impact assessment). That note is the operative completed instrument; the summary below tracks it.
- Module(s): Module Two (controller-to-processor) where Customer is a Controller; Module Three (processor-to-processor) where Customer is a processor.
- Clause 7 (docking clause): included.
- Clause 9 (Subprocessors): Option 2 (general written authorization); notice period as in Section 7.3 (30 days).
- Clause 11 (redress): optional independent dispute-resolution body omitted.
- Clause 17 (governing law): the law of Ireland.
- Clause 18 (forum and jurisdiction): the courts of Ireland, tracking Clause 17.
- Annex I.A (Parties): Customer (Controller / exporter) and WorkComposer Inc (Processor / importer) — as in this DPA's preamble.
- Annex I.B (Description of transfer): as in Annex I above and the International Data Transfers note.
- Annex I.C (Competent Supervisory Authority): determined per Clause 13 by the exporter's situation; the recommended lead authority for the importer is the Irish Data Protection Commission (DPC), consistent with the Irish governing-law selection.
- Annex II (Technical and organizational measures): as in Annex II above.
- Annex III (Subprocessors): as in the Subprocessor List, currently: Amazon Web Services (hosting/storage/email/queues, US); Stripe (payment processing, US); Google (reCAPTCHA Enterprise, OAuth, Analytics, US); and Usercentrics (cookie consent, EU/Germany).
WorkComposer Inc — Data Processing Agreement. This document is provided as part of WorkComposer's Services and does not constitute legal advice to Customer.