WORKetc & GDPR

On May 25^th, 2018 the European Union (EU) introduced new legislation to protect the personal information of EU citizens – these new regulations are known as The General Data Protection Regulation (GDPR).

From a top-level view, the new GDPR laws have a few simple goals:

• Make sure that all EU citizens (including our customers) have more privacy by giving individuals more control over when, where and how a Businesses (like WORKetc) uses their data.
• Force all businesses that operate in the EU to be transparent about how they use individual’s personal data.
• Give regulation authorities the power to peruse businesses that breach the new regulations.

You can find some useful GDPR Resources here:

• Full text of EU GDPR
• Useful resources for complying with EU GDPR

We understand that you may have a few questions regarding WORKetc & GDPR. Below we answered a few of the most common questions we have received about our Data Privacy Policy.

• What technical & security policies does WORKetc have in place protect personal data?
• How will WORKetc notify me of a data breach?
• Who from WORKetc has access to your data and what security measures are in place?
• What are the data retention & data backup policies for WORKetc?
• Does WORKetc encrypt Customer Personal Data?
• What is a Data Processing Addendum (DPA), and where can I find it?
• What Personal Data can I use WORKetc to process?
• Where can I find the Sub-Processors for WORKetc?
• Is WORKetc a Data Processor or Data Controller?
• Does data stored in WORKetc ever leave European Economic Area (EEA)?

WORKetc host all the data that we collect on Amazon Web Services (AWS).

AWS is a global leader in Infrastructure as a Service (IaaS) and they take physical and network security seriously. Their data centres are housed in nondescript facilities. Physical access is strictly controlled both at the perimeter and at building ingress points by professional security staff, video surveillance, intrusion detection systems, and other electronic means. Access to their data centre floors requires two-factor authentication a minimum of two times.

AWS Maintains several industry compliance certificates that guarantee the safe transfer, storage, and access to your data.

All AWS Infrastructure is GDPR compliant and adheres to the following international certification standards:

• ISO 27001 – Security management best practices and comprehensive security controls
• ISO 27017 – Information security aspects of cloud computing.
• ISO 27018 – Code of practice that focuses on protection of personal data in the cloud
• SOC 1, SOC 2 & SOC 3 –  Independent third-party examination reports that demonstrate how AWS achieves key compliance controls and objectives.
• PCI DSS Level 1 – PCI DSS applies to all entities that store, process, or transmit cardholder data (CHD) or sensitive authentication data (SAD)

All AWS Infrastructure also adheres to the following EU specific certification standards:

• Common Cloud Computing Controls Catalogue (C5) – Scheme introduced in Germany by the Federal Office for Information Security (BSI) to help organizations demonstrate operational security against common cyber-attacks
• CISPE Code of Conduct – Helps customers ensure that their cloud infrastructure provider is using appropriate data protection standards to protect their data consistently
• EU – US Privacy Shield Framework – Enables the compliant transfer of personal data from data controllers in the EU to data controllers (or processors) in the US.

You can find a full list of AWS Compliance Programs here. You can also press on any certificate above to receive more details on the specific certificate.

An annual Security Vulnerability Audit is conducted by Synopsys (A company worth $2 Billion USD & listed on Nasdaq 100 Leading Security Company). Any potential threats or vulnerabilities identified by the audit are fully addressed by WORKetc as a matter highest priority priority and resolved in the shortest time possible.

WORKetc is dedicated to ensuring your data stays secure. In the extremely unlikely event of a data breach. We guarantee that we will advise you within 72-hours of the time we became aware of the data breach.

Within the data breach notification, we will provide you with all the required incident details as indicated in Article 33 of the GDPR (found here).

• You will receive a data breach notification with-in 72 hours of WORKetc being aware of the breach
• You will receive all other information related to the data breach within the four (4) week time allowed by the GDPR Regulations

WORKetc will send the incident notification the account owner listed on the WORKetc account.

Members of our Product Support team often require access to the systems that are used to manage personal customer data.

We ensure that all WORKetc staff with any access to any customer personal data have signed a Non-Disclosure and Confidentiality Agreement prior to allowing said employees any access to your data.

WORKetc also maintains a comprehensive off-boarding process to ensure that if an employee’s employment is terminated, they lose all access to all WORKetc systems.

A member of the WORKetc Support team will never access personal customer data unless they are given specific instruction from the customer to-do so (this can either be done by phone, email or online webform).

When any member of the WORKetc support team accesses your Customer Personal Data, we have the following security systems in place:

1.) Establish an encrypted connection via TLS 1.2 (2048 bit) encryption layer to the database server through specified access in the AWS proprietary firewall.

2.) Establish a console session or connect using SQL Management Studio and query data as needed.

In addition to our security system, WORKetc logs all instances when a WORKetc employee accesses any Customer Personal Data and stores those logs securely on our encrypted database.

For additional security, the account owner can choose to remove all WORKetc support access to all Customer Personal Data. The Help Article with instructions on this feature can be found here.

WORKetc understands the importance of ensuring that your data is never lost. For this reason, our systems automatically backup our entire WORKetc database every 5 hours.   When a backup is created, it is automatically deleted after 14 days.

To back up our systems in a secure and efficient manner, we use a backup method known as a data snapshot. This method of data backup ensures that the data remains anonymous. After your WORKetc account is closed, all customer personal data we hold is fully removed from our database and the archived backups are fully removed 90 days after account closure.   We retain this data for the stated period for your peace of mind – making it available during this period should you require your own discrete copy.

If you wish to request the immediate removal of all your customer personal data, you can do so by submitting this form.

You also have the option of creating a backup of your WORKetc account by going to Settings -> Manage Account -> Backup Account, this will allow you to create a SQL Server 2016 database backup.

Please Note: that WORKetc cannot be held responsible for what you choose to do with your data after you export it out of WORKetc.

WORKetc has several systems to ensure the security of all data that we process:

• Secure Socket Layer technology (SSL) – standard security technology for establishing an encrypted link between a server and a client
• 256-bit encryption during storage on our severs – A hacker will require 2²⁵⁶ different combinations to break a 256-bit encrypted message.
• HTTP Strict Transport Security – web security policy mechanism that helps to protect websites against protocol downgrade attacks and cookie hijacking.
• Content Security Policy – an added layer of security that helps to detect and mitigate certain types of attacks

You can read more about each point above by pressing on any of the system names above.

WORKetc also utilizes Amazon Web Services (AWS) to host all our data, you can read more about the security and encryption capabilities of AWS.

A DPA is an agreement between WORKetc and our customers that regulates the processing of customer personal data that we perform on your behalf.

The DPA outlines the commitments that WORKetc (Data Processor) and you (Data Controller) have agreed to in order to ensure the lawful processing of your customer personal data.

WORKetc has updated our Terms of Service (found here) on May 25th, 2018 to incorporate the DPA, therefore, you will not require to sign a DPA agreement as you have already agreed to our Terms of Service when you signed up for WORKetc.

For your convenience, you can download a copy of the DPA here.

WORKetc does not provide any limitations to the personal data that you choose to store in WORKetc, with the exception of data that may include questionable legal or moral content (for example pornography, illegal drug use, hate crimes), or which has been obtained by fraudulent activities or indirect methods (for example, third-party data that you are not authorised to use, purchased email lists or contact records).

However, you have the sole responsibility for the legality, reliability, integrity, accuracy and quality of your Customer Data.

Please Note: Even though WORKetc allows users to store custom data on our platform, we do not allow you to store Sensitive Personal Data (as defined by the EU Data Commission Office).

WORKetc makes use of several third-party providers to ensure our quality of service.

You can find a full list of our Sub-Processors here. On this page you will also be able to:

• Object to a new-sub-processor
• Request to receive an email notification when a WORKetc introduces a new sub-processor

WORKetc operates our infrastructure using several servers provided by Amazon Web Services (AWS). Below is a breakdown of where your data is stored based on region:

• All European Customers have their data hosted on our AWS Server in Frankfurt, Germany.
• All North American Customers have their data hosted on our AWS Server in Oregon, Michigan USA.
• All our Asia Pacific Customers have their data hosted on our AWS Server in Sydney, Australia.

If you are in the EEA your data will be hosted in Frankfurt, Germany. However, AWS has all the appropriate certifications in place to allow your data to be transferred to any one of our other servers without breaching the applicable data protection regulations.

Should your data move outside of the EEA zone, for the purposes of providing geographic redundancy to ensure the maximum protection possible of your data, the servers your data will be stored on will still be compliant with the applicable data protection regulations.

The GDPR regulations that a business must meet are broken down into two different roles:

1. Data Controller: The organization that decides why someone’s personal data is collected and how the data will be collected.
2. Data Processor: The organization that actually processes the personal data of individuals on behalf of the controller.

When our customers accept the WORKetc Terms of Service, they permit WORKetc to maintain the data from our customers on their respective WORKetc accounts. In this case, our customers are the data controllers (as they determine how and why they collect data) and WORKetc is the data processor as we actually maintain the data the controller collects on our system, so we act as the data processor.

A data flow map shows how data and information move through WORKetc.

To gather this data, our team answered the Who, What, When, Where and Why of the data we collect and process.

If you would like to obtain a copy of this document, simply fill in the form below and we will send it to you via email:

A DPA is an agreement entered into by WORKetc and our customers that regulates the processing of customer personal data that we perform on your behalf.

The DPA outlines the commitments that WORKetc (Data Processor) and you (Data Controller) have agreed to in order to ensure the lawful processing of your customer personal data.

WORKetc has changed our Terms of Service on May 25th, 2018 to incorporate the DPA, therefore, you will not require to sign a DPA agreement as you have already agreed to our Terms of Service when you signed up for WORKetc.

For your convenience, you can download a copy of the DPA here.</

The WORKetc Terms of Service have been updated on May 25th, 2018 to account for changes in Data Privacy Regulations. You can review the updated language by pressing here.

Please contact support@worketc.com if you have any questions.

The WORKetc Privacy Policy has been updated on May 25th, 2018 to account for changes in Data Privacy Regulations. You can review the updated language by pressing here.

Please contact support@worketc.com if you have any questions.

A sub-processor is identified as a third-party company (Data Processor) engaged by WORKetc who has or potentially will have access to or process data (which may contain Customer Personal Data) of our customers.

As per our Terms of Service, WORKetc is happy to provide our customers with a list of Sub-Processors that we utilize to provide our services.

Below you will find the most recent list of WORKetc Sub-Processers:

This listing was last updated on May 25th, 2022.

Please Note: The Integrations, API, and payment services we provide are NOT classified as Sub-Processors. The customer personal data that is provided to these services is done directly by our customers.

Customers are responsible for arranging all required agreements directly with these services in order to meet the data protection laws that apply to them. WORKetc will not be held liable for the personal customer information that you provide to these services.

By default, no direct notification will be provided for any updates to this listing. Customers are responsible for checking this listing regularly.

If you wish to receive an email notification everytime we make a modification to our Sub-Processors, you can do so by submitting the form below (please note, you will have to login using your WORKetc account credentials to access this form):

WORKetc will update this list every time we introduce a new Sub-Processor. If you have any objections about a new Sub-Processor that we are using to provide our services, we ask that you fill out the following form within 30 days of the new Sub-Processor being added to this list:

To file a request to receive personal data that we hold about you or on your behalf, please fill out the form below.

Please Note:

• • If you are filing this form to request personal data that WORKetc (as a Data Controller) holds about you as a WORKetc customer, then you are considered to be the Data Subject.
  • If you are filing this form to request personal data that WORKetc (as a Data Processor) holds about your customers on your behalf, then you are a considered to be acting on behalf of the Data Subject.

Please be sure to fill out the form carefully to ensure the efficient processing of your request:

Correcting Information – If after you have received the information you have requested you believe that:

• • • • The information is inaccurate or out of date; or
      • We should no longer be holding that information; or
      • We are using your information for a purpose of which you were unaware;
      • We may have passed inaccurate information about you to someone else;

Then you should send an email to support@worketc.com.

As stated within the WORKetc DPA, WORKetc as the Data Processor is encouraged to address any required regulations relating to the processing of Personal Data.

This includes (if deemed necessary) to allow Data Controllers (our customers) to request an audit of how we store their personal data. If you believe a data audit is required, please fill in the form below.

Prior to filing the form below, please be aware of the following:

•  WORKetc uses Amazon Web Services to facilitate the storage of your data, we do not have access to the AWS Data Farms where your data is physically stored.
  • You will find more details on the data privacy measures we have in place to ensure the security of personal data here.
• WORKetc relies on AWS to provide certain security measures (as per our sub-processing agreement with them) & if your audit request puts those security measures into question, WORKetc may refuse the audit request.
• The Individual requesting the data audit will be expected to cover all costs associated with the said audit. This is outlined in our DPA.