Data Processing Agreement
Last updated: February 2026 · Version 1.0
This Data Processing Agreement ("DPA") forms part of the Terms of Service between the subscribing organization ("Customer", "Controller") and Workforce AI, operated by Healo ("Processor"), for the provision of the Workforce AI employee burnout risk assessment platform. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR").
1. Definitions
- "Personal Data": Any information relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- "Special Category Data": Personal data revealing health information, as defined in GDPR Article 9(1). In the context of this DPA, this includes employee burnout risk assessment responses and derived health-related insights.
- "Controller": The Customer (employer organization) that determines the purposes and means of processing employee Personal Data through the Workforce AI platform.
- "Processor": Workforce AI (Healo), which processes employee Personal Data on behalf of and under the instructions of the Controller.
- "Data Subject": The employee whose Personal Data is processed through the Workforce AI platform.
- "Sub-Processor": Any third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor shall process Personal Data on behalf of the Controller for the purpose of providing the Workforce AI employee burnout risk assessment platform, including the collection, analysis, and aggregated reporting of employee wellbeing data.
2.2 Nature and Purpose of Processing
- Collection of employee burnout risk assessment questionnaire responses
- AI-driven analysis of assessment responses to generate risk scores
- Aggregation and anonymization of individual responses for team-level and department-level reporting
- Storage and secure management of assessment data
- Provision of anonymized insights and recommendations to the Controller
2.3 Categories of Data Subjects
- Employees of the Controller who participate in burnout risk assessments
- Manager and administrator users of the Controller
2.4 Types of Personal Data
- Employee email addresses
- Burnout risk assessment responses (special category health data)
- Consent records (timestamps, IP addresses, user agents)
- Manager/administrator account information (name, email, organization)
2.5 Duration of Processing
Processing shall continue for the duration of the subscription agreement between the Controller and the Processor, plus any retention periods specified in Section 8 of this DPA.
3. Controller Obligations
The Controller shall:
- Ensure that there is a lawful basis for the processing of employee Personal Data, including obtaining explicit consent from employees for the processing of special category health data pursuant to GDPR Article 9(2)(a), using the consent mechanism provided by the Processor.
- Provide clear and transparent information to Data Subjects about the processing of their Personal Data, including the Controller's and Processor's roles and responsibilities.
- Ensure that instructions given to the Processor regarding the processing of Personal Data comply with applicable data protection laws.
- Respond to Data Subject requests and, where applicable, instruct the Processor to assist in fulfilling such requests.
- Notify the Processor without undue delay if the Controller becomes aware of any data breach affecting Personal Data processed under this DPA.
4. Processor Obligations
The Processor shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law (GDPR Article 28(3)(a)).
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (GDPR Article 28(3)(b)).
- Take all measures required pursuant to GDPR Article 32, including implementing appropriate technical and organizational security measures as described in Section 6 of this DPA.
- Not engage another processor (sub-processor) without prior specific or general written authorization of the Controller, subject to Section 5 of this DPA (GDPR Article 28(3)(d)).
- Assist the Controller in fulfilling its obligation to respond to Data Subject requests for exercising their rights under Chapter III of the GDPR, including by providing appropriate technical mechanisms and API endpoints for data export, deletion, and rectification.
- Assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.
- At the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services, and delete existing copies unless EU or Member State law requires storage of the Personal Data (GDPR Article 28(3)(g)).
- Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR, and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (GDPR Article 28(3)(h)).
5. Sub-Processors
5.1 General Authorization
The Controller hereby grants the Processor general authorization to engage sub-processors for the processing of Personal Data, subject to the conditions set out in this Section. The Processor shall maintain an up-to-date list of sub-processors as specified in Section 5.3.
5.2 Notification of Changes
The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 30 days prior to such change, giving the Controller the opportunity to object. If the Controller objects and the objection is not resolved within 14 days, the Controller may terminate the subscription agreement.
5.3 Current Sub-Processors
| Sub-Processor | Processing Activity | Location | Transfer Mechanism |
|---|---|---|---|
| Anthropic (Claude AI) | AI analysis of anonymized assessment data | United States | SCCs + DPF |
| Stripe, Inc. | Payment and subscription processing | United States | SCCs + DPF |
| Cloud Hosting Provider | Database and application hosting | EU | N/A (EU-based) |
5.4 Sub-Processor Obligations
Where the Processor engages a sub-processor, the Processor shall impose on the sub-processor, by way of a contract, the same data protection obligations as set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR. The Processor shall remain fully liable to the Controller for the performance of the sub-processor's obligations.
6. Technical and Organizational Security Measures
The Processor shall implement and maintain the following security measures in accordance with GDPR Article 32, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity for the rights and freedoms of Data Subjects:
6.1 Encryption
- All data in transit encrypted using TLS 1.3
- All data at rest encrypted using AES-256
- Database connections secured with SSL/TLS
6.2 Access Control
- OAuth 2.0 authentication with enterprise identity providers (Google Workspace, Microsoft Entra ID) — no password storage
- Stateless JWT session management with httpOnly secure cookies
- Role-based access control (RBAC) with distinct roles for employees, managers, and administrators
- Individual employee assessment responses are never directly accessible to the employer — only aggregated, anonymized reports
- Database access restricted with separate read-only and read-write connections
6.3 Data Minimization and Pseudonymization
- Only data necessary for the stated purposes is collected (data minimization principle)
- Individual responses are pseudonymized before aggregation for reporting
- AI analysis operates on anonymized, aggregated data wherever possible
6.4 Availability and Resilience
- Regular automated database backups with encrypted storage
- Geographic redundancy for critical infrastructure
- Monitoring and alerting for system availability and performance
6.5 Audit Logging
- Comprehensive audit logging for all consent operations, data access, data exports, deletions, and rectifications
- Tamper-evident audit trail for GDPR compliance demonstration
- Audit logs retained in accordance with Section 8
7. Data Breach Notification
7.1 Notification to Controller
The Processor shall notify the Controller without undue delay, and in any event within 36 hours after becoming aware of a personal data breach, as defined in GDPR Article 4(12). This notification shall include:
- A description of the nature of the breach, including the categories and approximate number of Data Subjects and records affected
- The name and contact details of the Processor's contact point for further information
- A description of the likely consequences of the breach
- A description of the measures taken or proposed to address the breach, including measures to mitigate its possible adverse effects
7.2 Cooperation
The Processor shall cooperate with the Controller and take reasonable commercial steps as directed by the Controller to assist in the investigation, mitigation, and remediation of the data breach. The Processor shall assist the Controller in meeting the Controller's obligations to notify the supervisory authority and affected Data Subjects under Articles 33 and 34 of the GDPR.
8. Data Retention and Deletion
8.1 Retention Periods
- Employee assessment responses: Retained for 24 months from the date of collection, then automatically and permanently deleted.
- Consent records and GDPR audit logs: Retained for the duration of the subscription plus 5 years, as required for compliance demonstration.
- Aggregated, anonymized data: May be retained indefinitely as it cannot be linked to individual Data Subjects.
8.2 Deletion Upon Termination
Upon termination or expiration of the subscription agreement, the Processor shall, at the Controller's choice:
- Return all Personal Data to the Controller in a structured, commonly used, and machine-readable format (JSON export); or
- Permanently delete all Personal Data and certify such deletion in writing.
The Controller must exercise this choice within 30 days of termination. If no choice is communicated, the Processor shall delete all Personal Data within 60 days of termination, except where retention is required by applicable law.
9. Assistance with Data Subject Rights
The Processor shall assist the Controller in fulfilling its obligation to respond to Data Subject requests under Chapter III of the GDPR. The Processor provides the following technical mechanisms:
- Data Export API (Right to Access / Data Portability): Enables the export of all Personal Data held about a Data Subject in structured JSON format.
- Data Deletion API (Right to Erasure): Enables the permanent deletion of all Personal Data associated with a Data Subject.
- Data Rectification API (Right to Rectification): Enables correction of inaccurate Personal Data.
- Consent Management (Right to Withdraw Consent): Enables employees to withdraw consent, triggering data anonymization.
The Processor shall respond to Controller instructions regarding Data Subject requests within 10 business days.
10. Audits and Inspections
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with this DPA and Article 28 of the GDPR. The Controller or its authorized third-party auditor may conduct audits of the Processor's data processing activities, subject to the following conditions:
- Audits shall be requested with at least 30 days' advance written notice.
- Audits shall be conducted during normal business hours and shall not unreasonably interfere with the Processor's operations.
- The Controller shall bear its own costs for audits, unless the audit reveals material non-compliance by the Processor.
- Audit results and any information obtained during the audit shall be treated as confidential.
11. Liability
Each party's liability under this DPA shall be subject to the limitations and exclusions of liability set out in the Terms of Service, except that no limitation shall apply to liability arising from either party's willful breach of its data protection obligations or its obligations under GDPR Articles 82 and 83.
12. Term and Termination
This DPA shall commence on the date the Controller first subscribes to the Workforce AI platform and shall remain in effect for as long as the Processor processes Personal Data on behalf of the Controller. The obligations of the Processor regarding data retention and deletion (Section 8) and confidentiality shall survive termination of this DPA.
Either party may terminate this DPA by terminating the underlying subscription agreement in accordance with its terms. In the event of a material breach of this DPA by the Processor that is not remedied within 30 days of written notice, the Controller may terminate both this DPA and the subscription agreement with immediate effect.
13. Governing Law
This DPA shall be governed by and construed in accordance with the laws of the jurisdiction specified in the Terms of Service, without prejudice to the mandatory provisions of the GDPR and applicable national data protection laws.
Contact Information
For questions about this Data Processing Agreement or to request a signed copy, please contact:
Workforce AI (Healo)
Email: legal@workforceai.com
Data Protection Officer: dpo@workforceai.com