Effective 13 May 2026 — applies to all new data processing agreements concluded with Workheld GmbH from this date onwards.
This page makes the current Workheld GmbH Data Processing Agreement (DPA) template publicly available pursuant to Art. 28 GDPR. Existing individually concluded DPAs (for example as an annex to a Cloud Service Agreement or Enterprise Contract) remain in force unchanged; this template is the standard text we use for future or newly concluded agreements.
Note: The signed, binding language version of the agreement is German (Austrian law). This English version is provided for convenience; in case of conflict, the German wording on workheld.com/auftragsverarbeitung prevails.
Agreement
concerning the processing of personal data on behalf of the Controller pursuant to the Austrian Data Protection Act (DSG) and Art. 28 of the EU General Data Protection Regulation (GDPR)
concluded between
[Company name of the Controller]
[Address]
[Postal code, City, Country]
(hereinafter “Controller”)
and
Workheld GmbH
Rotensterngasse 5/3
1020 Vienna, Austria
FN 432744 p, Commercial Court Vienna
VAT ID ATU69753046
(hereinafter “Processor”)
jointly referred to as the “Parties”
1. Preamble / Subject Matter
1. Based on a separately concluded contract (hereinafter “Main Agreement”), the Processor provides services to the Controller which consist of, or involve, the processing of personal data within the meaning of Art. 4 (1) and (2) GDPR. This supplementary agreement constitutes the specific legal basis for the data processing pursuant to Art. 28 (3) GDPR, with the Controller acting as the (sole) “Controller” and the Processor as “Processor”.
2. The Main Agreement remains unaffected to the extent that its terms do not contradict this agreement; in case of conflict, the present agreement prevails in its entirety and shall be interpreted in a manner that preserves its validity under the GDPR and accompanying national laws (Austrian Data Protection Act — DSG).
3. Annex 1 forms an integral part of this agreement. Independently of the lists and definitions contained therein, this agreement covers all personal data that the Processor processes in any form for the Controller in fulfilment of the Main Agreement or to which the Processor has, or may obtain, access in this context.
2. Specific Data Processing / Restrictions
4. The outermost scope of the data applications under this agreement is determined by the contents of the Main Agreement. Annex 1 to this agreement supplements this by summarising the subject matter, duration, nature and purposes of the processing, the personal data transmitted or made accessible to the Processor for the performance of the contract, and the categories of data subjects concerned.
5. Unless the Processor is legally obliged to carry out particular processing, it shall use the personal data exclusively to fulfil its contractual obligations towards the Controller — i.e., as agreed here or as instructed by the Controller. It shall inform the Controller in advance of any further statutory processing obligations to the extent permitted.
6. The Processor shall under no circumstances use the data for its own or third-party purposes or pass them on to third parties without written instruction or authorisation from the Controller, unless Section 5 of this agreement permits such disclosure. Copies or duplicates of the data shall only be created without separate consent of the Controller to the extent necessary to ensure proper processing (backups) or for statutory retention obligations.
7. The data shall be processed within the European Economic Area (EEA). A transfer to third countries is only permitted if (i) an adequacy decision of the European Commission exists (in particular the EU-U.S. Data Privacy Framework pursuant to Decision (EU) 2023/1795 for DPF-certified recipients in the USA), (ii) appropriate safeguards pursuant to Art. 46 GDPR (in particular Standard Contractual Clauses under Art. 46 (2) (c) GDPR) supplemented by appropriate additional measures within the meaning of CJEU case law (in particular Case C-311/18, “Schrems II”) are in place, or (iii) a derogation under Art. 49 GDPR applies. The Controller shall be informed in writing of every transfer to a third country.
8. Data processing shall be carried out in a manner that supports the Controller at all times in fulfilling its data protection obligations towards data subjects and authorities.
9. Upon completion of the agreed service (at the latest upon termination of the contract) or upon prior request by the Controller, the Processor shall return to the Controller all information, documents, processing and usage results and data sets relating to the engagement (including test material and rejected output) in a structured, common and machine-readable file format (e.g. JSON or CSV) within thirty (30) days of the end of the contract, or, with the Controller’s prior consent, demonstrably destroy them. Statutory retention obligations (in particular § 132 BAO and § 212 UGB) remain unaffected; data stored on this basis shall be processed in a blocked manner until the expiry of the respective retention period.
3. Rights and Obligations of the Controller
10. The Controller expressly declares to be the controller pursuant to Art. 4 (7) GDPR with respect to the personal data provided, and therefore decides alone within this contractual relationship on the purposes and means of their processing. The Controller is responsible for the lawfulness of the commissioned data processing and the legitimacy of its purposes, and shall ensure compliance with all data protection regulations and the protection of data subjects’ rights vis-à-vis third parties.
11. The Controller therefore has a comprehensive right to issue instructions to the Processor regarding the nature and scope of data processing. If, in the Processor’s view, such an instruction may violate applicable data protection law, the Processor shall immediately notify the Controller (Art. 28 (3) last sentence GDPR) and may suspend execution until confirmation or modification; manifestly unlawful instructions shall not be followed.
12. The decision to restrict, delete or rectify data covered by this agreement lies exclusively with the Controller. The Processor shall never act on its own authority in this regard, but only on documented instruction from the Controller. If data subjects approach the Processor directly in this regard, the Processor shall forward such requests to the Controller without culpable delay.
13. To the extent covered by the Main Agreement, the Processor shall assist with deletion or “right to be forgotten”, rectification, data portability and data access requests (Art. 15–22 GDPR); the corresponding communication and execution with data subjects, however, remains the responsibility of the Controller.
4. Obligations of the Processor
14. The Processor is responsible for processing the data on behalf of the Controller in compliance with applicable data protection law. It confirms knowledge of all relevant regulations and, in particular, observes the principles of lawful data processing pursuant to Art. 5 GDPR.
15. Specific obligations or detailed behavioural requirements that do not directly result from the Main Agreement or objective law are recorded in Annex 1 as “Instructions for Data Processing”. The Controller reserves the right to make demand-driven adjustments and to issue further or different individual instructions at any time.
16. The Processor warrants that all persons used or authorised for the commissioned data processing are suitable and have been bound to confidentiality or are subject to an appropriate — in particular statutory — duty of confidentiality (Art. 28 (3) (b) GDPR). The confidentiality obligation shall continue after termination of this agreement. The Processor regularly instructs, trains and raises awareness among relevant staff regarding data protection, data security and confidentiality, and monitors compliance.
17. The Processor undertakes, within the meaning of Art. 32 GDPR, to take all measures necessary for the security of data processing (Art. 28 (3) (c) GDPR). In particular, it shall take all organisational and technical precautions to ensure the integrity of the processing and to prevent loss of personal data and unauthorised third-party access. The measures implemented by the Processor are set out in Annex 1 and correspond to an information security management system aligned with ISO/IEC 27001:2022. The Processor is certified to ISO/IEC 27001:2022 by the accredited Proks Certification GmbH (certificate number AT-IS-20260241, valid from 5 February 2026 to 4 February 2029). The certificate and the ISMS Policy (POL-6) are publicly available at workheld.com/information-security-at-workheld and will be made available to the Controller on request at any time.
The Processor shall regularly review and document the effectiveness of its processes and measures and shall make or initiate any modifications that become necessary or appropriate due to technical progress. Any resulting costs shall be invoiced to the Controller only on the basis of a separate agreement.
Where the Controller itself is an essential or important entity within the meaning of Directive (EU) 2022/2555 (NIS-2) or its national implementation, the provision of these measures, the ISO/IEC 27001 documentation and the incident notification pursuant to clause 20 of this Agreement serves to support the Controller’s supply-chain security obligations under Art. 21(2)(d) NIS-2; any further contractual or organisational measures shall be governed by the Main Agreement or a separate arrangement.
18. The Processor shall assist the Controller in fulfilling its information obligations and in responding to requests to exercise data subject rights (Art. 28 (3) (e) GDPR). In particular, it shall create the technical and organisational conditions enabling the Controller to comply with its obligations towards data subjects pursuant to Art. 15 ff. GDPR (access, rectification, erasure / “right to be forgotten”, data portability, objection) within the applicable deadlines. The Processor shall in any event provide the Controller with the information that can be obtained with reasonable technical and economic effort, where the Controller is technically unable to obtain it itself.
19. Taking into account the nature of the processing and the information available to it, the Processor shall also assist the Controller in fulfilling its obligations under Art. 32–36 GDPR (security of processing, notification and communication of personal data breaches, data protection impact assessment, prior consultation) (Art. 28 (3) (f) GDPR).
19a. Data Protection Officer of the Processor. The Processor designates as Data Protection Officer: Dipl.-Inf. Christine Geier, MBA, contactable via Workheld GmbH, Rotensterngasse 5/3, 1020 Vienna, or by e-mail to hallo@workheld.com with the subject line “Data Protection”. She is the point of contact for all data protection-related enquiries by the Controller in the context of this agreement.
19b. AI processing (Workheld AI / Azure OpenAI Service). Where the Controller uses the Workheld AI component within the Workheld platform, the following provisions apply in addition:
(i) For the AI functionality, Workheld engages Microsoft Azure OpenAI Service as a sub-processor in the EU West Europe tenant (see Annex 1, Section 3.A). Inputs submitted are not used to train the underlying language models; no transfer to OpenAI Inc. takes place.
(ii) The Controller acts as deployer within the meaning of Regulation (EU) 2024/1689 (AI Act) vis-à-vis its end users and complies with the transparency obligation under Art. 50(1) AI Act itself. Workheld supports the Controller by providing appropriate notice texts and UI elements within the platform.
(iii) Intellectual property rights in inputs and AI-generated outputs remain, as between the parties, with the Controller, to the extent legally permissible. Workheld derives no usage rights from the AI processing beyond what is necessary to perform the Main Agreement and this Agreement.
(iv) The Controller ensures that its inputs into the AI functionality do not contain special categories of personal data under Art. 9 GDPR unless expressly agreed in the Main Agreement, and that the use does not fall within a prohibited use case under Art. 5 or a high-risk use case under Annex III of the AI Act.
19c. IIoT telemetry (Workheld Sense / Luna). Where the Controller uses the Workheld Sense component, including the edge component “Luna”, within the Workheld platform, the following provisions apply in addition:
(i) The machine and plant data (“product data” within the meaning of Article 2(15) Regulation (EU) 2023/2854) collected by Luna and the Workheld Sense platform are generally non-personal. To the extent they have no personal reference, they fall outside the scope of this Agreement; the related data rights and obligations are governed by Part IV of the General Terms and Conditions.
(ii) To the extent the data referred to in (i) contains personal components (in particular operator identifiers, RFID authentications, shift assignments) or is linked to personal data, those components fall within the scope of this Agreement and are subject to the provisions of Annex 1.
(iii) Luna connects exclusively via an outbound, TLS-secured MQTT connection to the HiveMQ MQTT broker operated within the Processor’s Microsoft Azure infrastructure in the West Europe region (see Annex 1, Section 3.A). No inbound connection to the Controller’s OT network is established.
20. Notification of Personal Data Breaches. The Processor shall inform the Controller (or its designated Data Protection Officer or the contact point named in Annex 1) about relevant breaches of the protection or security of data covered by this agreement within its area of responsibility without undue delay, but at the latest within 24 hours of becoming aware of the relevant event, so that the Controller can comply with its notification obligations under Art. 33 GDPR within the 72-hour deadline. The initial notification may be made informally by e-mail; a complete notification with the contents required under Art. 33 (3) GDPR — in particular the scope of the affected records / categories and persons, the expected consequences of the breach, the measures already taken or planned, contact details of the responsible person at the Processor — shall follow without undue delay once the information is available.
5. Use of Further (Sub-)Processors
21. The Processor is entitled to engage (sub-)processors to fulfil this agreement in relation to data processing, where the main service(s) — with regard to data processing — are themselves to be contractually shifted or delegated. Auxiliary services provided by third parties (such as telecommunications, shipping/transport, IT maintenance (e.g. vendor support), user services, etc.) do not qualify as sub-processing relationships in this sense, although appropriate risk-based and legally compliant contractual arrangements and control measures shall be ensured in those cases too.
22. For the sub-processors listed in Annex 1, consent to sub-engagement is deemed to have been granted on the conditions that they are objectively suitable for the specific contractual activity — in particular by providing sufficient guarantees of the necessary technical and organisational measures — and have committed in demonstrably concluded agreements pursuant to Art. 28 (3) GDPR to at least the level of data protection set by this agreement. Where the sub-processor performs the agreed service outside the EU or EEA, the Processor shall ensure an adequate level of data protection on the basis of an adequacy decision (in particular the EU-U.S. Data Privacy Framework) or Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR — supplemented by appropriate additional measures.
23. The Controller shall be informed in good time of any intended change (addition or replacement) in the use of sub-processors, so that the Controller can raise any objections to particular further processors before implementation in the event of a material increase in risk for the Controller; notification by e-mail is sufficient. The Controller shall notify the Processor within 14 days of being informed whether it objects to the change or approves it. The Processor shall examine the Controller’s objection. At its own discretion, the Processor may either provide the service itself, engage another sub-processor, or nevertheless engage the originally intended sub-processor. In the latter case, the Controller has an extraordinary right to terminate the Main Agreement (and, automatically, this agreement).
24. The Processor shall provide the Controller with appropriate information to demonstrate compliance with its obligations and shall allow audits within the meaning of Art. 28 (3) (h) GDPR. The current ISO/IEC 27001 certificate together with the Statement of Applicability, as well as further security or audit reports, in particular qualify as appropriate evidence. Without specific cause, the Controller shall not exercise these powers more than once per contract year.
6. Liability
25. The statutory liability provisions under the GDPR apply. As between the Parties, the Processor’s liability towards the Controller is governed by the liability arrangements agreed in the Main Agreement.
7. Term / Termination
26. This agreement enters into force upon signature by both Parties or upon express agreement (e.g. by electronic correspondence) and is accessory to the Main Agreement — i.e., it applies for as long as the Processor provides the data processing-related services identified in the Main Agreement for the Controller. It ends, without need for any further declaration, on full termination of the underlying legal relationship (regardless of the reason). The obligations regarding return or destruction of data pursuant to Section 9 remain unaffected.
8. Final Provisions
27. Amendments and additions to this agreement, including any mutual departure from the requirement of written form, must be made in writing, with electronic messages sent to the most recently specified (e-mail) contact address being sufficient.
28. If individual parts of this agreement are or become invalid, this shall not affect the validity of the remaining provisions. Any provision that has fallen away shall be replaced by the admissible or valid provision that comes closest to the economic content or purpose pursued by the Parties. The same applies to gaps in the agreement.
29. This agreement is governed exclusively by Austrian substantive law and substantively relevant Union law, in particular the GDPR. Exclusive place of jurisdiction is Vienna, Inner City.
Annex 1
1) Data Processing Specifications
Data Protection Officer / Privacy Contact:
- On the Controller side: ……………………………………………………
- On the Processor side: Dipl.-Inf. Christine Geier, MBA, Workheld GmbH, Rotensterngasse 5/3, 1020 Vienna, Austria, hallo@workheld.com (Subject: “Data Protection”)
Reference to the Main Agreement (designation, date, term): …………………………………………………
Subject of the processing under this agreement:
☒ Master personal data: ☒ Name ☐ Academic title ☐ Date of birth ☐ Address
☒ Contact data: ☒ Telephone number ☒ E-mail address
☒ Contract data: ☒ Orders ☒ Correspondence ☒ Contract content ☐ Customer history
☒ Consent declarations
☒ Billing and payment data
☒ Communication and behaviour data: ☒ IP address ☒ Electronic connection data ☒ Movement and usage data
☐ Other information about the person or their behaviour: ………………………………
The data subjects concerned are, in relation to the Controller:
☒ Employees and authorised representatives of the Controller (e.g. dispatchers, technicians, workers, administrators)
☒ Service recipients / customers of the Controller, where their data is captured in the workflow
☐ Suppliers
☐ Other: ………………………………………………………….
The specific processing of this data consists of:
☒ Collection/recording ☒ Storage ☒ Organisation/structuring ☒ Adaptation/rectification/supplementation ☒ Retrieval ☒ Transmission/disclosure to authorised recipients (e.g. among the Controller’s staff, to sub-processors listed in Annex 1 Section 3) ☒ Alignment/combination ☒ Restriction ☒ Erasure/destruction
☐ Other use: …………………………………………….
Purpose of the processing: Provision of the SaaS, consulting or development services of the Workheld Platform (Workheld Flow, Workheld Sense, Workheld AI) as agreed in the Main Agreement, and related support and maintenance services.
Duration of the processing: For the term of the Main Agreement; on termination, the return/destruction obligations pursuant to Section 9 of this agreement apply.
Specific instructions for data processing: …………………………………………
2) Technical and Organisational Measures (Art. 32 GDPR)
The Processor shall ensure a level of data security appropriate to the processing risk and the state of the art with respect to the confidentiality, integrity and availability of the data, as well as the resilience of the systems. The following measures are implemented, documented and regularly audited as part of the Processor’s ISO/IEC 27001:2022-certified ISMS (certificate number AT-IS-20260241, Proks Certification GmbH).
Physical Access Control
- Video surveillance of entrances
- Restricted access to office and business premises
- Security locks, manual lock system with key control policy
- Securing of building shafts, back doors, side entrances
- Visitor access policy (registration, logging)
System Access Control
- Password-based login, password security policy
- Authorisation concept with unique user IDs (single sign-on via Microsoft Entra ID / Auth0)
- Multi-factor authentication for administrative access
- Authentication via username, password plus MFA
- Secure connection for remote maintenance
- Logging of access (sign-in and sign-off) to data processing systems
- Account lockout on failed login attempts
- Automatic screen lock on temporary absence
- Regular forced password changes and lockout of departing users
- Privilege management by system administrator; secure storage of administrative credentials in a password manager
- Intrusion detection / anti-virus software, Endpoint Detection and Response
- Firewall isolation, segmented networks
- Disk/storage encryption on mobile devices
- Mobile Device Management on smartphones and tablets
- Regular updates of protective software and operating systems
Data Access Control
- Access restriction for computer systems and network drives to authorised users
- Access restriction for backup media to system administrators
- Authorisation concept following the purpose-limitation principle with differentiated permissions (read, modify, profiles, roles, transactions, objects)
- Authorisation administration by system administrator
- Reporting and evaluation of completed/attempted security violations
- Proper destruction of data media; overwriting before reuse
- Encryption of data media
Transmission Control
- Monitoring of data traffic
- Encrypted programmatic transfer of data
- Data transfer over secured connections (e.g. HTTPS/TLS 1.2+, SFTP)
- Logging of retrieval and transmission events
- VPN procedures for administrative access
- Use of passwords and password security; separate transmission paths for password delivery
Input Control
- Traceability of access by individual usernames
- Traceability of access by user groups
- Logging of input, modification and deletion of data in the Workheld Platform (audit trail)
- Authenticity (data attributable to its origin at any time)
Order Control
- Selection of further (sub-)processors based on data security guarantees
- Commitment of all sub-processors pursuant to Art. 28 (3) GDPR
- Ensuring return or proper destruction of all data on termination of the contract
- Observance of the GDPR requirements for data processing in third countries (DPF / SCCs)
Availability Control
- Data backup concept with geo-redundant storage in Microsoft Azure (West Europe region)
- Emergency / recovery plan
- Use of specific protection measures (DDoS protection, WAF)
- Uninterruptible power supply and fire protection in the data centres (at cloud provider level)
- Temperature/humidity monitoring in the data centres (at cloud provider level)
- Regular restore testing
- Minimisation of entry points for malware
Separation Principle
- Tenant separation of the Workheld Platform (logical separation per tenant)
- Separation of development, test and production systems
- Database privileges (access barriers)
- Role separation of users
- Authorisation concept with separate administration by system administrator
Organisation
- Appointment of a Data Protection Officer (Dipl.-Inf. Christine Geier, MBA)
- Commitment of employees to data confidentiality
- Commitment of external staff (external development partners) to data confidentiality; NDA
- Regular data protection and security training for employees
- IT and security policies as part of the ISMS (ISO/IEC 27001:2022)
- Documented data protection and information security concept
- Annual external audits by the accredited certification body
It is noted that the measures listed apply and are implemented within the operating premises and the sphere of access of the Processor and its sub-processors. The Processor assumes no responsibility or liability for technical or organisational measures necessary and/or applicable within the Controller’s sphere of authority and influence.
3) List of Sub-Processors Engaged
The providers listed below process personal data on behalf of the Processor in connection with the Workheld Platform. Data processing agreements pursuant to Art. 28 GDPR or equivalent contractual safeguards are in place with all of these providers. Transfers to third countries are based on an adequacy decision (e.g. EU-U.S. Data Privacy Framework pursuant to Decision (EU) 2023/1795) or on Standard Contractual Clauses pursuant to Art. 46 (2) (c) GDPR, supplemented by appropriate additional measures.
A. Core Infrastructure and SaaS Platform
| Provider | Location | Purpose | Processing Location | Transfer Mechanism |
|---|---|---|---|---|
| Microsoft Ireland Operations Limited (Azure) | Dublin, Ireland | Cloud hosting of the Workheld Platform | EU (West Europe / Netherlands) | Art. 28 GDPR; SCCs Art. 46 (2) (c) GDPR for third-country access |
| Microsoft Ireland Operations Limited (Azure OpenAI Service) | Dublin, Ireland | AI chatbot within the platform; model calls without training use of the transmitted data | EU (same region as platform); no transfer to OpenAI Inc. | Art. 28 GDPR; SCCs Art. 46 (2) (c) GDPR for third-country access |
| Okta, Inc. (Auth0) | San Francisco, USA | Authentication and user management | EU hosting; US parent company | EU-U.S. Data Privacy Framework (DPF); SCCs Art. 46 (2) (c) GDPR |
| Functional Software, Inc. (Sentry) | San Francisco, USA | Crash and error reporting (sendDefaultPii: false) | EU hosting (ingest.de.sentry.io); US parent company | EU-U.S. Data Privacy Framework (DPF); SCCs Art. 46 (2) (c) GDPR |
| Twilio Ireland Limited (SendGrid) | Dublin, Ireland | Transactional e-mails (notifications) | EU; US parent company Twilio Inc. | EU-U.S. Data Privacy Framework (DPF); SCCs Art. 46 (2) (c) GDPR |
| Twilio Ireland Limited | Dublin, Ireland | Notification services (SMS, push, voice) | EU; US parent company | EU-U.S. Data Privacy Framework (DPF); SCCs Art. 46 (2) (c) GDPR |
| Mixpanel, Inc. | San Francisco, USA | Product analytics (pseudonymised usage data) | EU hosting; US parent company | EU-U.S. Data Privacy Framework (DPF); SCCs Art. 46 (2) (c) GDPR |
| 84codes AB (CloudAMQP) | Stockholm, Sweden | Message queue service between services | EU (Sweden) | Art. 28 GDPR |
| HiveMQ GmbH | Landshut, Germany | MQTT broker for IIoT telemetry (Workheld Sense / Luna); no personal data | EU (Microsoft Azure West Europe, self-hosted by the Processor) | Licensed software, self-hosted; HiveMQ GmbH has no access to the processed data |
| TigerData Inc. (TimescaleDB) | New York, USA | Storage of time-series data; no personal data | EU (Microsoft Azure West Europe, self-hosted by the Processor) | Licensed software, self-hosted; TigerData Inc. has no access to the processed data |
Note on classification: HiveMQ GmbH and TigerData Inc. are listed in the table above for transparency, although they do not legally constitute sub-processors within the meaning of Art. 28 GDPR. Both provide licensed software only, which the Processor operates exclusively within its own Microsoft Azure environment (West Europe); no data processing by these vendors takes place.
B. Development, Test and Operations
| Provider | Location | Purpose | Processing Location | Transfer Mechanism |
|---|---|---|---|---|
| GitHub, Inc. | San Francisco, USA | Source code management | USA | EU-U.S. Data Privacy Framework (DPF); SCCs Art. 46 (2) (c) GDPR |
| Docker, Inc. | Palo Alto, USA | Containerisation software | USA | EU-U.S. Data Privacy Framework (DPF); SCCs Art. 46 (2) (c) GDPR |
| SonarSource SA (SonarCloud) | Geneva, Switzerland | Code analysis | EU/Switzerland (adequacy decision) | Art. 28 GDPR; adequacy decision Switzerland |
| JetBrains s.r.o. | Prague, Czech Republic | Developer IDE (IntelliJ IDEA Ultimate) | EU | Art. 28 GDPR |
| BrowserStack Inc. | Plano, TX, USA | Virtual test devices for app testing | USA | EU-U.S. Data Privacy Framework (DPF); SCCs Art. 46 (2) (c) GDPR |
| Lokalise, Inc. | Dover, DE, USA | Translation/localisation | USA | EU-U.S. Data Privacy Framework (DPF); SCCs Art. 46 (2) (c) GDPR |
| Bryntum AB | Lund, Sweden | Scheduler software package (Team Planner, Shift Planner) | EU (Sweden) | Art. 28 GDPR |
C. External Development Partners
Workheld engages the external development partners listed below for the further development and maintenance of the platform. They work under strict instructions, non-disclosure agreements (NDA) and the Workheld ISMS requirements. Access to personal data is granted only to the extent necessary and subject to the same security standards as for our own employees.
| Partner | Location | Activity |
|---|---|---|
| Stift IT Solutions e.U. | Röschitz, Austria | Software development |
| CoreSoft s.r.o. | Bratislava, Slovakia | Software development |
| QATestLab Ltd. | Nicosia, Cyprus | Software testing |
D. Internal Administration of the Processor (no access to Controller’s platform data)
The following providers are used by the Processor exclusively for the internal administration of Workheld GmbH and have no access to the Controller’s personal data from the Workheld Platform. They are listed here for information only.
| Provider | Purpose |
|---|---|
| Microsoft Ireland Operations Limited / Microsoft Österreich GmbH | Office 365 (internal communication) |
| Deel, Inc. | Employer of Record / contract management for external developers |
This template is the unchanged basis for future DPA execution. On request, we provide the DPA as a signature-ready Word document — the download above contains the identical version. For questions, please contact our Data Protection Officer via hallo@workheld.com (subject “Data Protection”).