Workridge Data Processing Addendum
Addendum to the Workridge Terms of Service governing processing of personal data
Last updated: June 17, 2026Version v1.1
1. Introduction and Scope
This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the Workridge Terms of Service (the “Terms”) between the Customer and Next313, a registered d/b/a of Dignetix Ltd., a Michigan corporation (“Workridge,” “we,” “us”). It applies where, in providing the Service, we process Personal Data on the Customer’s behalf.
If there is a conflict between this DPA and the Terms with respect to the processing of Personal Data, this DPA controls. Capitalized terms not defined here have the meanings given in the Terms.
2. Definitions
This section also serves as the key to abbreviations used throughout this DPA.
- “Applicable Data Protection Laws” — all privacy and data-protection laws applicable to the processing, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA), each as amended.
- “Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Personal Data Breach” — have the meanings in the GDPR, with the corresponding CCPA terms (“business,” “service provider,” “consumer,” “personal information”) applying where the CCPA governs.
- “Customer Personal Data” — Personal Data within Customer Content that we process on the Customer’s behalf.
- “Sub-processor” — a third party engaged by us to process Customer Personal Data.
- “Standard Contractual Clauses (SCCs)” — the contractual clauses approved for transfers of Personal Data to countries without an adequacy decision.
3. Roles of the Parties
For Customer Personal Data, the Customer is the Controller (or a processor acting on behalf of another controller) and we act as Processor and, where the CCPA applies, as a Service Provider. Where the Customer is itself a processor, it warrants that it has authority to engage us as a Sub-processor on its controller’s behalf. The subject matter and details of processing are described in Annex 1.
4. Processing Instructions
We process Customer Personal Data only on the Customer’s documented instructions — including as set out in the Terms, this DPA, and through the Customer’s configuration and use of the Service — unless required by law, in which case we will inform the Customer unless legally prohibited. We will inform the Customer if, in our reasonable opinion, an instruction infringes Applicable Data Protection Laws.
5. Confidentiality
We ensure that personnel authorized to process Customer Personal Data are bound by appropriate obligations of confidentiality.
6. Security
We implement and maintain appropriate technical and organizational measures (TOMs) designed to protect Customer Personal Data, as described in Annex 2, including encryption in transit and at rest, tenant isolation, and access controls.
7. Sub-processors
The Customer provides general written authorization for us to engage Sub-processors to process Customer Personal Data. Our current Sub-processors are listed in Annex 3.
We impose data-protection obligations on each Sub-processor that are no less protective than those in this DPA, and we remain responsible for their performance. We will give the Customer notice of any intended addition or replacement of a Sub-processor (for example, through the Service or by email), and the Customer may object on reasonable data-protection grounds within ten (10) days of notice. If the parties cannot resolve the objection in good faith within a reasonable period, the Customer may terminate the affected portion of the Service and receive a pro rata refund of prepaid fees for the unused term.
8. Data Subject Requests
Taking into account the nature of the processing, we will assist the Customer by appropriate measures, insofar as reasonably possible, to respond to requests from Data Subjects exercising their rights (including Data Subject Access Requests, or “DSARs”). If we receive such a request directly, we will forward it to the Customer and will not respond except on the Customer’s instructions or as legally required.
9. Personal Data Breach
We will notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information reasonably available to help the Customer meet its own notification obligations. Our notification is not an acknowledgment of fault or liability.
10. Data Protection Impact Assessments
Taking into account the nature of processing and the information available to us, we will provide reasonable assistance to the Customer with data protection impact assessments (DPIAs) and any required prior consultations with a supervisory authority.
11. International Transfers
Where the provision of the Service involves transfer of Customer Personal Data from the European Economic Area (EEA), the United Kingdom, or Switzerland to a country without an adequacy decision, the parties agree that the applicable SCCs (together with the UK Addendum and Swiss amendments, as relevant) apply and are incorporated by reference.
The parties agree that Module Two (Controller to Processor) and, where applicable, Module Three (Processor to Sub-processor) of the Standard Contractual Clauses apply.
12. CCPA Terms
To the extent the CCPA applies, we act as a Service Provider. We will not sell or share Customer Personal Data; will not retain, use, or disclose it except as necessary to perform the Service or as otherwise permitted by the CCPA; and will not combine it with other personal information except as the CCPA permits. We certify that we understand and will comply with these restrictions.
13. Audit and Compliance
We will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA and, where available, relevant third-party audit reports (including those of our infrastructure providers).
Customer audit rights will be satisfied primarily through documentation, including this DPA, security summaries, and available third-party audit reports (such as SOC 2 or equivalent reports of our infrastructure providers).
On-site audits may be conducted only where legally required or where such documentation is insufficient, subject to reasonable advance notice, confidentiality obligations, limits on frequency (no more than once annually), and reimbursement of our reasonable costs.
14. Return and Deletion of Customer Personal Data
Upon termination of the Service and at the Customer’s choice, we will delete or return Customer Personal Data and delete existing copies, except where retention is required by law. Consistent with our Privacy Policy, the Customer may export its Customer Content during a 30-day window after termination; we delete workspace content within 90 days of account closure; and backups containing deleted data are purged within 30 days.
15. Liability
Each party’s liability under this DPA is subject to the exclusions and limitations of liability set out in the Terms.
16. Term, Precedence, and Governing Law
This DPA takes effect when the Customer accepts the Terms and remains in effect while we process Customer Personal Data. This DPA is governed by the laws of the State of Michigan, USA, except that the SCCs are governed by the law they specify. As between this DPA and the Terms, this DPA prevails on matters of Personal Data processing. This DPA assigns together with the Terms; any permitted assignment or transfer of the Terms includes this DPA.
17. Contact
Privacy and data-protection inquiries: privacy@next313.com. The Customer should provide a data-protection contact in Annex 1.
Annex 1 — Details of Processing
Subject matter: provision of the Workridge project-tracking and billing Service.
Duration: the subscription term, plus the export, deletion, and backup-purge periods described in Section 14.
Nature and purpose: hosting, storage, processing, transmission, display, backup, and support of Customer Content in order to provide the Service and as instructed by the Customer.
Categories of Data Subjects: the Customer’s personnel and Users; external collaborators (vendors, clients, guests, and viewers); and any individuals referenced within Customer Content.
Categories of Personal Data: account data such as names, email addresses, Microsoft Entra ID identifiers, organization and role/permission assignments, and preferences; and, within workspace content, project and task data, comments, billing, time, expense and mileage records, addresses entered for mileage features, and uploaded files that may contain Personal Data.
Special category data: none intended. The Customer should not submit special-category Personal Data except where expressly agreed in writing.
Customer data-protection contact: privacy@next313.com
Annex 2 — Technical and Organizational Measures
- Encryption of Customer Personal Data in transit (TLS) and at rest.
- Tenant isolation using PostgreSQL row-level security with restrictive isolation policies.
- Role- and tenant-based access controls and least-privilege principles; staff authentication via Microsoft Entra ID single sign-on (SSO).
- Access-controlled storage buckets for uploaded files.
- Logging, monitoring, and incident-response procedures.
- Backups with defined retention and purge schedules.
- Multi-factor authentication (MFA) for administrative access;
- Role-based access controls and least-privilege enforcement;
- Vendor risk management and reliance on audited infrastructure providers;
- Business continuity and disaster recovery procedures;
Annex 3 — Sub-processors
As of the effective date, we engage the following Sub-processors to process Customer Personal Data:
- Supabase — database, authentication, and file storage — United States.
- Microsoft Azure — application hosting — United States.
- Microsoft Entra ID — single sign-on for staff users — United States.
- Mapbox — address autocomplete and driving-distance calculation; receives IP address and entered addresses when mileage features are used — United States.
- Stripe — payment processing, when billing is enabled — United States.
Workridge is a product of Next313, a registered d/b/a of Dignetix Ltd. © 2026 Dignetix Ltd. All rights reserved.