1. Purpose and structure
This Data Processing Agreement (the “DPA”) forms part of the Terms of Service between Workraft Ltd. (together with its affiliates, “Workraft”, “we”, “us”, or “our”) and the customer that has accepted those Terms (“Customer”). It describes the terms under which Workraft processes Personal Data on behalf of Customer when Customer uses the Workraft platform (the “Service”).
This DPA is designed to comply with Article 28 of the EU General Data Protection Regulation (GDPR), the equivalent provisions of the UK GDPR, and the corresponding provisions of the Israeli Privacy Protection Law as amended by Amendment 13 (2024).
In the event of any conflict between this DPA and the Terms of Service with respect to the processing of Personal Data, this DPA prevails.
2. Definitions
Terms used in this DPA have the meanings given in the GDPR. In particular:
- “Personal Data” means any information relating to an identified or identifiable natural person that Customer uploads to or generates within the Service
- “Data Subject” means the individual to whom Personal Data relates, including End Users (field workers, supervisors, and other individuals whose data Customer processes through the Service)
- “Controller” means Customer, who determines the purposes and means of processing Personal Data
- “Processor” means Workraft, who processes Personal Data on behalf of Customer
- “Sub-processor” means a third party engaged by Workraft to process Personal Data on Customer’s behalf, as listed in Annex B of this DPA
- “Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries, as approved by the European Commission in Decision (EU) 2021/914 of 4 June 2021
- “Personal Data Breach” has the meaning given in Art. 4(12) GDPR
3. Roles and responsibilities
Key distinction
Customer is the Controller of the Personal Data it uploads to the Service. Workraft is the Processor, acting solely on Customer’s documented instructions. Customer is responsible for determining the lawful basis for processing, providing required notices to Data Subjects, and obtaining any consents required by law.
Customer acknowledges that it is the Controller of the Personal Data it uploads to the Service, including all Personal Data of End Users. Customer is responsible for:
- Ensuring that the Personal Data uploaded to the Service has been collected lawfully and that Customer has all rights, permissions, and consents necessary to process it through the Service
- Providing all notices required by applicable law to Data Subjects, including notice of automated and AI-driven processing, GPS tracking, and any other feature Customer enables
- Responding to Data Subject requests received by Customer directly
- Complying with all applicable labor, employment, and data-protection laws in the jurisdictions where Customer operates
Workraft acts as a Processor and processes Personal Data only on the documented instructions of Customer, including the instructions incorporated in these Terms, the Service configuration made by Customer, and any further written instructions reasonably given by Customer from time to time. Workraft will not process Personal Data for its own purposes except as strictly necessary to provide the Service, comply with law, or detect fraud and abuse.
4. Subject matter, duration, nature, and purpose of processing
- Subject matter: provision of the Workraft workforce management platform, including scheduling, attendance, compliance, document management, and AI-driven features
- Duration: for as long as Customer uses the Service, plus the 90-day grace period described in Section 10
- Nature: storage, retrieval, processing, analysis, transmission, and display of Personal Data uploaded by Customer
- Purpose: enabling Customer to manage its field workforce operations
- Types of Personal Data: identification data (name, email, phone), employment data (role, site, certifications, shift history), location data (GPS events where enabled), document data (uploaded files and images), communication metadata
- Categories of Data Subjects: Customer’s administrators, supervisors, and field workers, as well as other individuals whose data Customer uploads to the Service
5. Workraft’s obligations
Workraft will:
5.1 Follow instructions
Process Personal Data only on Customer’s documented instructions, unless required otherwise by applicable law. Workraft will inform Customer before processing on any other legal basis, unless the law prohibits such notification on important grounds of public interest.
5.2 Ensure confidentiality
Ensure that persons authorized to process Personal Data are bound by written confidentiality obligations or are under an appropriate statutory duty of confidentiality.
5.3 Implement security measures
Implement the technical and organizational measures described in Annex A of this DPA, including encryption of data in transit and at rest, access controls, and regular security testing.
5.4 Assist Customer
Assist Customer, taking into account the nature of the processing and the information available to Workraft, in:
- Responding to requests from Data Subjects exercising their rights under applicable law
- Ensuring compliance with security obligations, breach notification, data protection impact assessments, and prior consultation with supervisory authorities
5.5 Notify Customer of breaches
Notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. The notification will describe the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
5.6 Cooperate with supervisory authorities
Make available to Customer all information necessary to demonstrate compliance with Art. 28 GDPR and cooperate with supervisory authorities in the performance of their tasks, on reasonable notice and during normal business hours.
5.7 Delete or return data
Upon termination of the Service, delete or return all Personal Data to Customer in accordance with Section 10.
6. Sub-processors
6.1 General authorization
Customer authorizes Workraft to engage Sub-processors to support the provision of the Service. The current list of Sub-processors is published and maintained in Annex B below.
6.2 Contractual obligations
Workraft will enter into a written agreement with each Sub-processor that imposes data-protection obligations substantially equivalent to those set out in this DPA, in particular obligations with respect to appropriate technical and organizational measures.
6.3 Liability
Workraft remains fully liable to Customer for the performance of each Sub-processor’s obligations to the same extent as Workraft would be liable under this DPA.
6.4 Right to object
Workraft will provide Customer with reasonable prior notice (no less than 30 days, where practicable) before adding or replacing a Sub-processor. Customer may object in writing within 15 days of notification if Customer has a reasonable data-protection concern. If Workraft cannot accommodate the objection, Customer may terminate the affected part of the Service by written notice to Workraft.
7. International transfers
7.1 Transfer mechanisms
Where the provision of the Service involves a transfer of Personal Data out of the European Economic Area, the United Kingdom, Switzerland, or Israel to a jurisdiction not recognized as providing an adequate level of data protection, the transfer is governed by the Standard Contractual Clauses (2021/914, Module 2 or Module 3 as applicable), which are hereby incorporated into this DPA by reference and executed by the parties.
7.2 Israeli transfers
For transfers involving Israel, the parties rely on the Transfer of Data to Databases Abroad Regulations, 5761-2001, as amended. Where Workraft transfers Personal Data on behalf of an Israeli Customer, the transfer is made subject to equivalent contractual protections.
7.3 Supplementary measures
In addition to the SCCs, Workraft applies the supplementary measures described in Annex A, including encryption, access controls, and a commitment to challenge any unlawful request for data access from public authorities.
8. Audit rights
Workraft will make available to Customer all information necessary to demonstrate compliance with the obligations set out in Art. 28 GDPR and will allow for and contribute to audits, including inspections, conducted by Customer or a mutually agreed third-party auditor, no more than once per year, on reasonable prior notice and during normal business hours, subject to reasonable confidentiality obligations.
Customer acknowledges that Workraft may satisfy its obligations under this Section 8 by providing, where available, third-party audit reports (such as ISO 27001 or SOC 2 reports) in response to audit requests, except where Customer can demonstrate that such reports are insufficient for its compliance needs.
9. Data Subject requests
Taking into account the nature of the processing, Workraft will assist Customer by appropriate technical and organizational measures, insofar as this is possible, to fulfill Customer’s obligation to respond to requests from Data Subjects exercising their rights under the GDPR, the UK GDPR, the Israeli Privacy Protection Law, or equivalent laws.
If Workraft receives a Data Subject request directly, Workraft will redirect the Data Subject to Customer and inform Customer of the request without undue delay, unless legally prohibited.
10. Return and deletion of Personal Data
Upon termination of the Service, Workraft will:
- Provide Customer with a 90-day grace period during which Customer may export its Personal Data using the Service’s export tools
- Upon expiry of the grace period, permanently delete all Personal Data from production systems within 30 days
- Delete Personal Data from backup systems in accordance with the standard backup retention cycle, typically within 35 days of production deletion
- Where retention is required by applicable law, retain only the minimum data necessary for the shortest required period, subject to ongoing confidentiality and security obligations
Workraft will, on Customer’s written request, certify in writing that it has complied with this Section 10.
11. Liability
The liability provisions of the Terms of Service apply to each party’s liability under this DPA.
12. Term and termination
This DPA takes effect on the date Customer accepts the Terms of Service and remains in effect for as long as Workraft processes Personal Data on Customer’s behalf. Termination of this DPA does not relieve a party of obligations that by their nature survive termination, including confidentiality and liability.
13. Governing law
This DPA is governed by the laws of the State of Israel, without regard to conflict-of-laws principles. Notwithstanding the foregoing, where mandatory provisions of Customer’s local data-protection law apply to the processing under this DPA, those provisions prevail to the extent necessary to ensure compliance.
Annex A — Technical and organizational measures
Workraft implements the following technical and organizational measures (TOMs) to protect Personal Data:
Confidentiality
- Access to production systems is restricted to authorized personnel who need access to perform their duties
- Multi-factor authentication is required for access to production systems
- Access rights are reviewed on a recurring basis and revoked promptly upon role change or departure
- All staff are bound by written confidentiality agreements and are trained on data protection at hire and annually
Integrity
- All data in transit between the Customer and the Service is encrypted using TLS 1.2 or higher
- All data at rest in Workraft’s primary production database is encrypted using industry-standard algorithms
- Code changes are reviewed by at least one other engineer before deployment to production
- Vulnerability scans and dependency checks run continuously against the codebase
Availability
- Production databases are backed up on a regular schedule, with backups encrypted and retained according to our retention policy
- Workraft maintains an incident response plan and regularly tests recovery procedures
- The Service is hosted on infrastructure that provides redundancy and regional failover
Monitoring and response
- Security events are logged and monitored
- Incident response procedures define roles, escalation paths, and external notification timelines
- Workraft will notify Customer within 72 hours of becoming aware of a Personal Data Breach affecting Customer’s data, as required by Art. 33 GDPR
Organizational
- Privacy and security responsibilities are documented and assigned
- A Data Protection Officer (DPO) has been appointed and can be reached at legal@workraft.ai
- Workraft maintains a record of processing activities as required by Art. 30 GDPR
- New features are subject to privacy-by-design review before release
Annex B — Sub-processors
Workraft engages the Sub-processors listed below to support the provision of the Service. Each Sub-processor has a written agreement with Workraft that includes data-protection obligations substantially equivalent to those we owe Customer under this DPA. Workraft will notify Customer of material changes to this list at least 30 days in advance where practicable, in accordance with Section 6.4.
Infrastructure and hosting
| Sub-processor | Purpose | Location | Data categories |
|---|---|---|---|
| Vercel Inc. | Website hosting and serverless compute for the marketing site | United States (with EU edge regions) | IP address, HTTP request data, aggregated usage data |
| Railway Corp. | Application hosting and customer database for the Workraft platform | United States / selected regions | Customer Data (full scope: worker profiles, shifts, attendance, documents, GPS events, AI-generated outputs) |
| Cloudflare Inc. | DNS, CDN, and edge protection (DDoS, WAF) for workraft.ai and related subdomains | Global (including EU points of presence) | IP address, HTTP request data |
Communications
| Sub-processor | Purpose | Location | Data categories |
|---|---|---|---|
| Resend.com | Transactional and contact-form email delivery | United States | Email address, name, message content from the contact form |
AI model providers
| Sub-processor | Purpose | Location | Data categories |
|---|---|---|---|
| Anthropic PBC | Primary large language model for AI Shift Manager, AI Shift Analyzer, and AI View Builder features | United States | Prompts and context sent from the Service — processed per-tenant, not used to train shared models, not retained beyond the request |
| Google LLC (Gemma 4) | Secondary open-weight model used for specific AI features where lower latency is required | United States and EU | Prompts and context sent from the Service — same per-tenant boundary as Anthropic |
Analytics
| Sub-processor | Purpose | Location | Data categories |
|---|---|---|---|
| Vercel Analytics | Aggregated, privacy-friendly page-view and performance metrics (loaded only with analytics consent) | United States | Anonymized page visits, referrer, viewport — no cross-site tracking, no IP storage |
Data hosting location
The primary hosting region for Customer Data is the Railway production environment (United States or selected regions, exact region configurable per Customer on enterprise plans).
For EU Customers whose data-protection requirements include data residency in the EEA, Workraft offers an EEA-hosted configuration on request, subject to a separate data-residency addendum.
International transfer mechanism
Transfers of Personal Data from the European Economic Area, the United Kingdom, Switzerland, or Israel to Sub-processors in countries without an EU adequacy decision are made under the Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module 2 or Module 3 as applicable), incorporated into each Sub-processor agreement.
Transfers of Personal Data from Israel are made under the Israeli Privacy Protection Regulations (Transfer of Data to Databases Abroad), 5761-2001, as amended by Amendment 13 (2024).
All Sub-processors are contractually required to implement appropriate technical and organizational measures and to process Personal Data only on Workraft’s documented instructions.
Contact
For any question relating to this DPA, contact:
Workraft Ltd.
Tel Aviv, Israel
Email: legal@workraft.ai