Data Processing Agreement

How WorkSwarm processes your data as a Processor under GDPR, DPDP Act, and applicable data protection laws.

Effective 22 May 2026 · Last updated 22 May 2026 · v1.0

This Data Processing Agreement ("DPA") forms part of the agreement between Workswarm and the Customer for the provision of the WorkSwarm platform.

1. Definitions

  • "Controller" means the Customer, the entity that determines the purposes and means of processing personal data.
  • "Processor" means Vriksha AI Technologies Pvt Ltd ("Workswarm"), which processes personal data on behalf of the Controller.
  • "Data Protection Laws" means all applicable data protection and privacy legislation, including the Indian Digital Personal Data Protection Act 2023 ("DPDP Act"), the EU General Data Protection Regulation 2016/679 ("GDPR"), the UK GDPR, the California Consumer Privacy Act ("CCPA"), and any successor legislation.
  • "Personal Data" means any information relating to an identified or identifiable natural person that is processed by Workswarm as part of the Service.
  • "Sub-processor" means a third party engaged by Workswarm to process Personal Data on behalf of the Controller.
  • "Processing" means any operation performed on Personal Data, whether or not by automated means.

2. Scope and Roles

  • The Customer is the Controller of all Personal Data submitted to the Service.
  • Workswarm is the Processor, processing Personal Data solely to provide the Service under the Customer's instructions.
  • This DPA applies to all Personal Data processed by Workswarm on behalf of the Customer in connection with the Service.

3. Processing Instructions

  • Workswarm will process Personal Data only on the documented instructions of the Customer, unless required to do so by applicable law.
  • The Customer's instructions are documented in the Terms of Service, this DPA, and any Order Form or configuration the Customer applies through the Service.
  • If Workswarm becomes aware that an instruction from the Customer infringes Data Protection Laws, Workswarm will promptly inform the Customer.

4. Confidentiality

  • Workswarm ensures that all personnel authorised to process Personal Data are bound by appropriate confidentiality obligations.
  • Access to Personal Data is limited to personnel who require it for the performance of the Service, on a need-to-know basis.

5. Security Measures

Workswarm implements and maintains appropriate technical and organisational measures to protect Personal Data, including:

  • Encryption of data in transit (TLS 1.2+) and at rest (AES-256).
  • Logical tenant isolation enforced by row-level security policies at the database layer.
  • Automated PII redaction at every outbound boundary (LLM provider, connector, audit destination).
  • KMS-managed encryption keys for credential storage.
  • Regular security assessments and penetration testing.
  • Access controls with multi-factor authentication for all administrative access.
  • Comprehensive audit logging of all data access and modifications.

6. Sub-processors

  • Workswarm may engage Sub-processors to assist in providing the Service. A current list of Sub-processors is available at https://workswarm.ai/trust.
  • Workswarm will notify the Customer of any intended changes to Sub-processors at least 30 days before they take effect.
  • The Customer may object to a new Sub-processor on reasonable data protection grounds. If the objection cannot be resolved, the Customer may terminate the affected subscription with a prorated refund per the Terms of Service.
  • Workswarm imposes data protection obligations on each Sub-processor that are no less protective than those in this DPA.

7. Data Subject Rights

  • Workswarm will assist the Customer in fulfilling its obligations to respond to data subject requests (access, rectification, erasure, portability, objection, restriction) within the applicable statutory deadlines.
  • The Service provides self-service tools for the Customer to export, correct, and delete Personal Data without requiring Workswarm's manual intervention.
  • Where a data subject contacts Workswarm directly, Workswarm will redirect the request to the Customer without undue delay.

8. Data Breach Notification

  • Workswarm will notify the Customer of a Personal Data breach without undue delay and in any event within 72 hours of becoming aware of the breach.
  • The notification will include the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed to address the breach.

9. Data Transfers

  • Personal Data is stored in AWS ap-south-1 (Mumbai, India) by default.
  • Where Personal Data is transferred outside the Customer's jurisdiction, Workswarm ensures that appropriate safeguards are in place, such as Standard Contractual Clauses (EU), the UK International Data Transfer Agreement, or equivalent mechanisms recognised by Data Protection Laws.
  • The Customer may configure data residency preferences through the Service where supported by the subscription tier.

10. Data Retention and Deletion

  • Workswarm retains Personal Data for the duration of the subscription and deletes or anonymises it within 30 days of subscription termination, unless retention is required by applicable law.
  • The data retention schedule is published in the Privacy Policy.
  • Upon request, Workswarm will provide the Customer with a certificate of deletion.

11. Audits

  • The Customer may audit Workswarm's compliance with this DPA once per year, with 30 days' written notice.
  • Workswarm will make available all information necessary to demonstrate compliance and allow for and contribute to audits and inspections.
  • As an alternative to on-site audits, Workswarm will provide current SOC 2 Type II reports, ISO 27001 certificates, and penetration test summaries upon request under NDA.

12. Term and Termination

  • This DPA remains in effect for the duration of the Customer's subscription.
  • Obligations regarding Personal Data survive termination until all Personal Data is deleted or returned.

13. Governing Law

This DPA is governed by the same law that governs the Terms of Service. For EU/EEA data subjects, any dispute regarding GDPR compliance may be brought before the competent supervisory authority.


Contact: dpo@workswarm.ai