This Data Processing Addendum (“DPA”) forms part of, and is incorporated by reference into, the Software as a Service Agreement or Agentic Automation Agreement (each, the “Agreement”) between ENSARC, LLC (DBA CoWorQ, LLC) (“CoWorQ”) and the customer that is party to it (“Customer”), and applies wherever CoWorQ Processes Personal Data on Customer’s behalf, including under the CoWorQ Hosted Service Terms. It reflects the Parties’ agreement on the Processing of Personal Data. Capitalized terms not defined here have the meanings given in the Agreement. In the event of a conflict on data-protection matters, this DPA controls over the Agreement.
1. Versioning
Each version of this DPA is identified by a version number and effective date. The version that governs Customer is the version in effect on the Effective Date of Customer’s Agreement or, for a renewal term, the version in effect at the start of that renewal term, and it continues to govern Customer for the duration of the then-current term. CoWorQ maintains prior versions at dated, version-specific URLs (for example, https://legal.co-worq.com/dpa/v1.0) and the then-current version at https://legal.co-worq.com/dpa. Updated versions apply to Customer only prospectively, on renewal or by written agreement, and do not retroactively change the terms of an existing committed term.
2. Definitions
“Applicable Data Protection Laws” means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including the EU General Data Protection Regulation 2016/679 (“GDPR”), the UK GDPR and Data Protection Act 2018 (“UK GDPR”), the Swiss Federal Act on Data Protection (“FADP”), and U.S. state privacy laws including the California Consumer Privacy Act as amended by the CPRA (“CCPA”).
“Controller,” “Processor,” “Data Subject,” “Personal Data,” “Processing,” and “Special Categories of Personal Data” have the meanings given in the GDPR; “Business,” “Service Provider,” “Sell,” “Share,” and “Consumer” have the meanings given in the CCPA. As used here, Customer is the Controller/Business and CoWorQ is the Processor/Service Provider.
“Customer Personal Data” means Personal Data contained in Customer Content or otherwise Processed by CoWorQ on Customer’s behalf under the Agreement.
“De-Identified Data” means data that cannot reasonably be used to infer information about, or otherwise be linked to, an identified or identifiable individual, and that is maintained and used in accordance with Applicable Data Protection Laws.
“Security Incident” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by CoWorQ.
“Sub-processor” means any third party engaged by CoWorQ to Process Customer Personal Data.
“Standard Contractual Clauses” or “SCCs” means the standard contractual clauses for the transfer of personal data to third countries adopted by the European Commission in Decision 2021/914, together with the UK International Data Transfer Addendum where applicable.
3. Roles and Scope of Processing
3.1 Roles. As between the Parties, Customer is the Controller (and Business) and CoWorQ is the Processor (and Service Provider) with respect to Customer Personal Data. Where Customer acts as a Processor on behalf of a third-party Controller, Customer is CoWorQ’s counterparty and represents that it is authorized to instruct CoWorQ as set out in this DPA.
3.2 Scope and instructions. CoWorQ will Process Customer Personal Data only on Customer’s documented instructions, including as set out in the Agreement, this DPA, and Annex I, and as necessary to provide and support the Services and Hosted Service. Customer’s use of the Services constitutes an instruction to Process Customer Personal Data for that purpose. CoWorQ will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Laws, unless legally prohibited from doing so.
3.3 Details of Processing. The subject matter, duration, nature and purpose of the Processing, the categories of Personal Data and Data Subjects, and any Special Categories of Personal Data are described in Annex I.
4. CoWorQ Obligations
CoWorQ will:
Process Customer Personal Data only on Customer’s documented instructions, including for international transfers, unless required by law, in which case CoWorQ will inform Customer of that legal requirement before Processing, unless the law prohibits such notice;
ensure that personnel authorized to Process Customer Personal Data are bound by appropriate confidentiality obligations;
implement and maintain the technical and organizational measures described in Annex II;
not sell or share Customer Personal Data, and not retain, use, or disclose it for any purpose other than providing the Services, or outside the direct business relationship, except as permitted by Applicable Data Protection Laws;
not combine Customer Personal Data with Personal Data from other sources, except as permitted by the CCPA to provide the Services; and
assist Customer as described in Sections 7 through 9.
4.1 De-Identified and aggregated data. Notwithstanding the foregoing, CoWorQ may create and use De-Identified Data and aggregated statistical data derived from the Processing to operate, secure, analyze, and improve its products and services, provided CoWorQ does not attempt to re-identify such data, maintains it as De-Identified, and does not disclose it in a manner that identifies Customer or any Data Subject. CoWorQ does not use Customer Personal Data in identifiable form to train or improve models.
5. Customer Obligations
Customer is responsible for the lawfulness of the Customer Personal Data and of Customer’s instructions, including having a valid legal basis, providing required notices, and obtaining any required consents for the Processing. Customer will not provide CoWorQ with Special Categories of Personal Data except as described in Annex I and subject to any additional measures the Parties agree in writing. Customer’s instructions will comply with Applicable Data Protection Laws.
6. Security and Security Incidents
6.1 Security measures. CoWorQ will implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. The current measures are described in Annex II. CoWorQ may update them provided the level of protection is not materially reduced.
6.2 Notification. CoWorQ will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of a Security Incident affecting Customer Personal Data, and will provide information reasonably available to it and take reasonable steps to mitigate and remediate. CoWorQ’s notification is not an acknowledgment of fault or liability.
7. Sub-processing
7.1 General authorization. Customer provides general written authorization for CoWorQ to engage Sub-processors to Process Customer Personal Data. A current list of Sub-processors is set out in Annex III and maintained at CoWorQ’s designated URL.
7.2 New Sub-processors. CoWorQ will inform Customer of any intended addition or replacement of a Sub-processor at least thirty (30) days in advance, giving Customer the opportunity to object on reasonable data-protection grounds. If Customer reasonably objects and the Parties cannot resolve the objection, Customer may, as its sole remedy, terminate the affected Service by written notice.
7.3 Flow-down and liability. CoWorQ will impose data-protection obligations on each Sub-processor that are substantially similar to those in this DPA and remains responsible for each Sub-processor’s performance of its obligations.
8. Data Subject Requests
Taking into account the nature of the Processing, CoWorQ will assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests by Data Subjects to exercise their rights under Applicable Data Protection Laws. If CoWorQ receives such a request directly, it will, unless legally prohibited, promptly forward it to Customer and will not respond except on Customer’s instructions or as legally required.
9. Assistance and Records
Taking into account the nature of Processing and the information available to it, CoWorQ will provide reasonable assistance to Customer with data protection impact assessments, prior consultations with supervisory authorities, and Customer’s obligations regarding security and Security Incidents under Articles 32 through 36 of the GDPR and equivalent provisions of Applicable Data Protection Laws. CoWorQ will maintain records of its Processing as required by law.
10. International Transfers
10.1 Transfer mechanism. To the extent CoWorQ Processes Customer Personal Data subject to the GDPR, UK GDPR, or FADP in a country that does not ensure an adequate level of protection, the SCCs are incorporated into this DPA by reference and apply to that transfer. The Parties agree to the following selections:
Module: Module Two (Controller to Processor). Where Customer acts as a Processor, Module Three (Processor to Processor) applies instead.
Clause 7 (Docking): included.
Clause 9 (Sub-processors): Option 2 (general written authorization), with the thirty (30) day notice period in Section 7.2.
Clause 11 (Redress): the optional independent dispute-resolution language is not used.
Clause 17 (Governing law): the law of Ireland.
Clause 18 (Forum): the courts of Ireland.
Annexes: Annexes I, II, and III of this DPA populate the corresponding annexes of the SCCs.
10.2 UK and Switzerland. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the SCCs applies, with the SCCs completed as above, UK information populated from the Annexes, and the UK as the governing jurisdiction. For transfers subject to the FADP, the SCCs apply with references to the GDPR read as references to the FADP, the Swiss Federal Data Protection and Information Commissioner as supervisory authority, and Switzerland as the applicable forum for Swiss transfers.
10.3 Order of precedence. If there is a conflict between the SCCs and this DPA or the Agreement, the SCCs prevail with respect to the transfers they govern. Where CoWorQ adopts an alternative lawful transfer mechanism, that mechanism applies in place of the SCCs to the extent it provides an adequate safeguard.
11. California (CCPA) Terms
With respect to Customer Personal Data subject to the CCPA, CoWorQ acts as a Service Provider. CoWorQ will not: (a) Sell or Share such data; (b) retain, use, or disclose it for any purpose other than the business purposes specified in the Agreement, including retaining, using, or disclosing it outside the direct business relationship; or (c) combine it with Personal Data from other sources, except as the CCPA permits a Service Provider to do to perform the Services. CoWorQ certifies that it understands and will comply with these restrictions. CoWorQ will assist Customer in responding to verifiable Consumer requests as described in Section 8. De-Identified Data is handled as described in Section 4.1.
12. Return and Deletion
On termination or expiration of the Agreement, and at Customer’s choice, CoWorQ will delete or return Customer Personal Data and delete existing copies, unless retention is required by law. For the Hosted Service, this is effected through the data-export window described in the Hosted Service Terms, after which CoWorQ may delete the data. Copies retained under routine backup or as required by law remain subject to this DPA for as long as they are retained.
13. Audits
CoWorQ will make available to Customer information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates. To minimize disruption, Customer will first rely on any applicable certifications, third-party audit reports, and security summaries CoWorQ makes available. Any on-site audit will occur no more than once per year (absent a Security Incident or regulator requirement), on at least thirty (30) days’ prior written notice, during business hours, subject to confidentiality, and without access to other customers’ data or CoWorQ’s trade secrets. Customer bears its own costs and CoWorQ’s reasonable costs for audit assistance.
14. Liability
Each Party’s liability arising out of or related to this DPA is subject to the limitations and exclusions of liability in the Agreement, and any reference in the Agreement to a Party’s liability means the aggregate liability of that Party under the Agreement and this DPA together. This Section does not limit either Party’s liability to Data Subjects under the third-party-beneficiary provisions of the SCCs where those provisions apply and cannot be limited by contract.
15. General
This DPA is part of and subject to the Agreement. Except as expressly modified here, the Agreement remains in full force. In the event of a conflict, this DPA controls on data-protection matters, and the SCCs control over this DPA for the transfers they govern. This DPA is governed by the governing law and dispute-resolution terms of the Agreement, except where Applicable Data Protection Laws or the SCCs require otherwise. If any provision is unenforceable, it will be reformed to the minimum extent necessary and the remainder remains in effect. This DPA may be executed together with, or separately from, the Agreement, including electronically.
Agreed and accepted:
| ENSARC, LLC (DBA CoWorQ, LLC) | CUSTOMER |
| By: | By: |
| Name: | Name: |
| Title: | Title: |
| Date: | Date: |
ANNEX I — DETAILS OF PROCESSING
| Data Exporter | Customer (the Controller/Business identified in the Agreement). |
| Data Importer | ENSARC, LLC (DBA CoWorQ, LLC) (the Processor/Service Provider). |
| Subject Matter | Provision of the Services and, where elected, the CoWorQ Hosted Service, including building, hosting, and operating the Automation. |
| Nature and Purpose | Hosting, storage, execution, transmission, and related Processing of Customer Personal Data as necessary to provide, support, secure, and operate the Services on Customer’s instructions. |
| Duration | The term of the Agreement, plus any post-termination retention period described in the Agreement, this DPA, or the Hosted Service Terms. |
| Categories of Data Subjects | As determined by Customer, which may include Customer’s employees, contractors, representatives, customers, and end users whose data is submitted to the Services. |
| Categories of Personal Data | As determined and controlled by Customer through its use of the Services, which may include identifiers, contact details, business records, and content Customer submits or that the Automation Processes. |
| Special Categories | None, unless expressly identified by Customer in writing and agreed by the Parties. Customer should not submit Special Categories of Personal Data except as so agreed. |
| Frequency | Continuous, for the duration of the Agreement, as determined by Customer’s use of the Services. |
| Competent Supervisory Authority | As determined under the SCCs based on the data exporter’s establishment or representative (e.g., the lead EU supervisory authority; the ICO for UK transfers; the FDPIC for Swiss transfers). |
ANNEX II — TECHNICAL AND ORGANIZATIONAL MEASURES
CoWorQ maintains a security program with measures appropriate to the risk, including the following. CoWorQ may update these measures provided the overall level of protection is not materially reduced.
Access control: Role-based access on a least-privilege, need-to-know basis; unique credentials; multi-factor authentication for administrative access; timely revocation of access on role change or departure.
Encryption: Encryption of Customer Personal Data in transit over public networks and at rest, using industry-standard algorithms and key management.
Network and infrastructure security: Firewalls, network segmentation, and hardened configurations; use of reputable cloud infrastructure providers with recognized security certifications.
Application security: Secure development practices, code review, dependency management, and testing prior to deployment of material changes.
Logging and monitoring: Logging of relevant events, monitoring for anomalous activity, and alerting to support detection and response.
Personnel: Confidentiality obligations for personnel; security-awareness training; background checks where permitted by law.
Resilience and backup: Backup of data and measures designed to restore availability and access in a timely manner after an incident.
Incident response: A documented incident-response process, including assessment, containment, remediation, and notification consistent with Section 6.
Vendor management: Diligence and contractual data-protection obligations for Sub-processors, consistent with Section 7.
Physical security: Reliance on cloud provider data-center physical and environmental controls, including access restrictions and monitoring.
ANNEX III — SUB-PROCESSORS
CoWorQ engages the categories of Sub-processors below to provide the Services. The current, itemized list (including entity names and locations) is maintained at CoWorQ’s designated URL and updated in accordance with Section 7.
| Category | Purpose | Location |
| Cloud infrastructure / hosting provider | Hosting and running the Services and the Automation | United States |
| LLM / AI model provider(s) | Model inference used by the Automation | United States |
| Supporting service providers | Monitoring, logging, communications, and billing | United States |
Current Sub-processor list: https://legal.co-worq.com/subprocessors
