DPA for agencies serving EU clients.

A standing Data Processing Agreement covering Workhouse's role as a processor under the GDPR and similar regimes. For agencies whose clients are in the EU or who need formal DPA paperwork for procurement, this is the document.

For a counter-signed PDF with your agency's name on it, email security@workhouse.app. We'll send the executable version within 2 business days.

• → Controller. You (the agency / workspace owner). You decide what data is entered into Workhouse and on whose behalf.
• → Processor. Workhouse, operated by Conversion Factory. We process the data you instruct us to, to deliver the service.
• → Sub-processors. Listed below — Vercel, Neon, Resend, Anthropic (via Vercel AI Gateway). Each processes data on our behalf, under contracts that pass through equivalent obligations.

Workhouse processes personal data on your behalf for the duration of your active workspace, plus the deletion / backup retention period described in the privacy policy. The data processed is the workspace content you enter (tasks, comments, attachments) plus the personal data of users and client contacts.

• → Storing workspace content for retrieval and display.
• → Authenticating users and enforcing access control.
• → Delivering transactional email (notifications, password reset, verification, digest emails).
• → Generating AI-drafted status reports from your workspace activity (where you've enabled the feature).
• → Operational logging and monitoring for service reliability.

• → Your agency's team members (internal users).
• → Your client contacts (portal users).
• → Any third parties referenced in workspace content (e.g., a person named in a task description).

• → Identification data (name, email).
• → Authentication data (password hashes, session tokens).
• → Workspace content (task data, comments, file attachments, status reports).
• → Audit log entries (who did what, when).
• → Operational metadata (timestamps, IP addresses on auth events).

Workhouse does not require and does not encourage entry of special-category data (health, biometric, political affiliation, etc.). If your engagement involves such data, contact security@workhouse.app before storing it in Workhouse.

Workhouse uses the following sub-processors to deliver the service:

• → Vercel Inc. (United States) — hosting, edge network, Blob storage.
• → Neon, Inc. (United States) — managed Postgres database.
• → Resend, Inc. (United States) — transactional email delivery.
• → Anthropic, PBC (United States) — AI inference for status-report generation, accessed via the Vercel AI Gateway. The Gateway's policy is zero data retention; inputs and outputs are not retained for training.

We'll notify workspace owners at least 30 days before adding or replacing a sub-processor. You can object within that window by emailing security@workhouse.app; if we can't accommodate the objection, you can terminate the agreement.

Workhouse's primary infrastructure and all sub-processors listed above are located in the United States. For transfers of personal data from the EEA/UK/ Switzerland to the United States, we rely on the EU-US Data Privacy Framework (where the sub-processor is certified) and Standard Contractual Clauses (where the framework doesn't apply).

EU data residency is on the roadmap. Email security@workhouse.app if this is blocking your adoption.

See the security page for the working summary. Highlights: TLS-in-transit, AES-256 at-rest via the database and blob storage providers, bcrypt password hashing (cost 12), authentication rate limits, immutable audit log, role-based access control with scope enforcement at the SQL layer.

• → Access. You can access all workspace data through the product or by exporting.
• → Rectification. Edit any data your team or your clients have entered directly in the product.
• → Erasure. Delete individual records via the product, or delete the entire workspace from settings. Data is removed from primary storage within 30 days; backups age out within 90.
• → Portability. Export the workspace as CSV / JSON anytime.
• → Data subject requests. If your client's end user (a data subject) contacts you with a GDPR request that requires our action, forward to security@workhouse.app — we'll respond within 30 days.

If we become aware of a personal-data breach affecting your workspace, we'll notify you in writing within 72 hours of confirming the incident, with the information GDPR Article 33 requires. We'll cooperate with your own notification obligations to your clients and to supervisory authorities.

On reasonable notice and no more than once a year, you may request information demonstrating our compliance with this DPA. During beta, we don't have a SOC 2 report to share — that's on the roadmap. Until then, we'll respond to specific written questions about our processing activities.

On termination of your workspace, we'll return or delete your data at your choice. Deletion timeline is described in the privacy policy. Audit log entries are deleted with the workspace.

Email security@workhouse.app with your agency name and the entity name your client's procurement team requires. We'll send a counter-signed PDF within 2 business days, no fee during beta.