Data Processing Addendum (DPA)

Last Updated: 8th of May 2025

This Data Processing Addendum ("DPA") is entered into and between Virtualworkforce.ai., a company incorporated in the Netherlands with offices at Marconistraat 16 3029 AK Rotterdam ("Virtualworkforce.ai", "we", "us", "our") and the Customer identified in the relevant Order Form ("Customer") (each a "Party" and together the "Parties"). This DPA supplements, and forms an integral part of ,the existing contract and the Terms of Service or any other written agreement between Virtualworforce.ai and the customer (together referred to as the “Agreement”) This DPA becomes legally binding on the date Virtualworkforce.ai receives the confirmation that the customer starts using the service and complies with the signing up procedure where it's asked to confirm the legal documents.

1. Definitions

In this DPA, the following terms have specific meanings:

• "Affiliate" means any entity that directly or indirectly controls, is controlled by, or is under common control with a Party to this agreement
• "Applicable Data Protection Law" refers to all data protection and privacy laws relevant to the respective Party in its role in the Processing of Personal Data under the Agreement, including the GDPR, UK Data Protection Laws, Swiss Data Protection Laws, and any other relevant data protection laws.
• "Controller" means the entity which determines the purposes and means of the Processing of Personal Data.
• "Customer Data" means all electronic data, content, or information that the Customer submits to the Services.
• "Data Subject" refers to an identified or identifiable natural person whose Personal Data is processed.
• "Personal Data" means any information relating to an identified or identifiable natural person.
• "Processing" refers to any operation or set of operations performed upon Personal Data, whether or not by automatic means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, or otherwise making available, alignment, combination, restriction, erasure, or destruction.
• "Processor" refers to the entity that Processes Personal Data on behalf of the Controller.
• "Sub-processor" refers to any entity engaged by Virtualworkforce.ai AI or its Affiliates to Process Personal Data in connection with the Services.

Capitalized terms not defined in this DPA will have the meanings given to them in the Agreement or under applicable Data Protection Laws.

Virtualworkforce.ai identifies as processor in the relation of this DPA.

2. Processing of Personal Data

• Customer Obligations:.The Customer agrees to process Personal Data in compliance with all Applicable Data Protection Laws when using the Services and providing instructions to Virtualworkforce.ai. The Customer remains solely responsible for the accuracy, quality, and legality of the Personal Data, as well as for the method by which such data has been obtained.
• Virtualworkforce.ai’s Processing of Personal Data: Virtualworkforce.ai shall Process Personal Data only for the following purposes:
  • Processing in accordance with the Agreement and applicable Order Form(s);
  • Processing initiated by Authorized Users in their use of the Services;
  • Processing to comply with instructions provided by the Customer, where such instructions are consistent with the terms of the Agreement.
• Personnel:Virtualworkforce.ai will ensure that any employee or agent authorized to process Personal Data is bound by an appropriate duty of confidentiality
• Zero data retention at AI model providers:.When handling Customer Data through third-party AI model providers on behalf of paying clients, Virtualworkforce.ai will ensure that zero data retention settings are activated and enforced wherever supported. This means that Customer Data will not be stored or retained beyond what is required for immediate processing. A similar approach applies to non-paying users; however, in those cases, Virtualworkforce.ai applies these standards on a best-effort basis without formal guarantees.

3. Sub-processors

• Appointment of Sub-processors: Customer acknowledges and agrees that Virtualworkforce.ai may engage third-party Sub-processors to assist in processing Process Personal Data. Virtualworkforce.ai will enter into written agreements with Sub-processors that impose data protection obligations that provide the same level of protection for Personal Data as those in this DPA.
• List of Sub-processors: A current list of Sub-processors for the Services, including the identities of those Sub-processors and their country of location, is accessible via our Trust Center. Customer consents to these Sub-processors, their locations, and Processing activities as they pertain to Personal Data.
• Objection Right for New Sub-processors: If Virtualworkforce.ai intends to appoint a new Sub-processor, the Customer will be notified and may raise a reasonable written objection within ten (10) business days of receiving notice. If no mutually acceptable resolution is found, the Customer may terminate the portion of the Services affected by the new Sub-processor.
• European Data Residency Option: For Customers on paid plans, Virtualworkforce.ai offers the option to restrict data processing to subprocessors hosted exclusively within the European Union. Upon written request, Virtualworkforce.ai will disable any subprocessors that are hosted outside of the EU area for Customer's instance of the Services. Customer acknowledges that selecting this option may limit certain features and functionalities of the Services, particularly those dependent on non-EU based integration partners such as Pipedream.
• Liability: VirtualWorkforce remains responsible for the performance of its Sub-processors and shall be liable for their acts or omissions as if those acts or omissions were Virtualworkforce.ai’s own under this DPA.

4. Data Subject Rights

• Data Subject Requests:.Virtualworkforce.ai will, to the extent permitted by applicable law, notify the Customer if it receives a request from a Data Subject seeking to exercise their rights under Data Protection Laws (such as access, rectification, or erasure). Where required and feasible, Virtualworkforce.ai will assist the Customer in responding to such requests in accordance with applicable data protection obligations.
• Regulator Correspondence:.Virtualworkforce.ai shall promptly inform the Customer of any inquiries, investigations, or other correspondence from a Supervisory Authority or regulatory body that pertains to the processing of Personal Data, unless disclosure is legally restricted.

5. Security

• Security Measures: Virtualworkforce.ai will implement appropriate technical and organizational measures to protect the security, confidentiality, and integrity of Personal Data. These measures include encryption, access controls, and regular security assessments. Virtualworkforce.ai will not materially decrease the overall security of the Services during the subscription term.
• Security Incidents If a breach occurs that results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data (“Security Incident”), Virtualworkforce.ai will notify the Customer without undue delay. We will also take reasonable steps to contain and mitigate the impact of the incident and to prevent recurrence.

6. Data Transfers

• Restricted Transfers: Where the Customer transfers of Personal Data subject to EU, Swiss, or UK Data Protection Laws, the Parties agree to rely on to be bound by the applicable Standard Contractual Clauses, which shall be incorporated into this DPA.

7. Audits and Certifications

• Third-Party Certifications: At the Customer’s request, Virtualworkforce.ai will provide information regarding its compliance with the obligations set forth in this DPA in the form of third-party certifications (such as ISO 27001 or SOC-2) or audit reports. Summaries of these are always accessible through the Trust Center.
• Customer Audits: The Customer may, at its own cost, conduct an audit to verify Virtualworkforce.ai’s compliance with this DPA. Such audits must be conducted in a manner that does not unreasonably interfere with Virtualworkforce.ai’s day-to-day operations.

8. Return and Deletion of Personal Data

Upon termination of the Services, and at the Customer’s written request, Virtualworkforce.ai shall, at the, return all Personal Data or delete all Personal Data from its systems, unless applicable law requires the retention of such data.

9. Governing Law and Jurisdiction

This DPA shall be governed by and construed in accordance with the laws of the Netherlands. Any disputes arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts located in Rotterdam, Netherlands.