Data Processing Agreement

Last updated: April 12, 2026 · Based on the Common Paper DPA v1.1 (CC BY 4.0)

This Data Processing Agreement (“DPA”) supplements the Terms of Service (“Agreement”) between Sidefort Inc. (“Plainwork”, “Provider”) and you (“Customer”). It governs the processing of personal data by Plainwork on your behalf in connection with the Plainwork cloud service (“Service”).

1. Processor and Subprocessor Relationships

1.1 Provider as Processor

In situations where Customer is a Controller of the Customer Personal Data, Plainwork will be deemed a Processor that is Processing Personal Data on behalf of Customer.

1.2 Provider as Subprocessor

In situations where Customer is a Processor of the Customer Personal Data, Plainwork will be deemed a Subprocessor of the Customer Personal Data.

2. Processing

2.1 Processing Details

The subject matter, nature, purpose, and duration of Processing, as well as the categories of Personal Data collected and categories of Data Subjects, are described in Annex I at the end of this DPA.

2.2 Processing Instructions

Customer instructs Plainwork to Process Customer Personal Data: (a) to provide and maintain the Service; (b) as may be further specified through Customer’s use of the Service; (c) as documented in the Agreement; and (d) as documented in any other written instructions given by Customer and acknowledged by Plainwork. Plainwork will abide by these instructions unless prohibited from doing so by Applicable Laws. Plainwork will immediately inform Customer if it is unable to follow the Processing instructions. Customer has given and will only give instructions that comply with Applicable Laws.

2.3 Processing by Provider

Plainwork will only Process Customer Personal Data in accordance with this DPA. If Plainwork updates the Service to include new products, features, or functionality, Plainwork may change the categories of Data Subjects, categories of Personal Data, or nature and purpose of Processing as needed to reflect the updates by notifying Customer.

2.4 Customer Processing

Where Customer is a Processor and Plainwork is a Subprocessor, Customer will comply with all Applicable Laws that apply to Customer’s Processing of Customer Personal Data. Customer’s agreement with its Controller will similarly require Customer to comply with all Applicable Laws that apply to Customer as a Processor.

2.5 Consent to Processing

Customer has complied with and will continue to comply with all Applicable Data Protection Laws concerning its provision of Customer Personal Data to Plainwork, including making all disclosures, obtaining all consents, providing adequate choice, and implementing relevant safeguards required under Applicable Data Protection Laws.

2.6 Subprocessors

Plainwork will not provide, transfer, or hand over any Customer Personal Data to a Subprocessor unless Customer has approved the Subprocessor. The current list of Approved Subprocessors is available upon request and includes the identities, countries of location, and anticipated Processing tasks of each Subprocessor.

Plainwork will inform Customer at least 10 business days in advance and in writing of any intended changes to the Approved Subprocessors, whether by addition or replacement. Customer has 30 days after notice of a change to object, otherwise Customer will be deemed to accept the changes. If Customer objects within 30 days, Customer and Plainwork will cooperate in good faith to resolve the objection.

When engaging a Subprocessor, Plainwork will have a written agreement with the Subprocessor ensuring the Subprocessor only accesses and uses Customer Personal Data (a) to the extent required to perform the obligations subcontracted to it, and (b) consistent with the terms of the Agreement.

If the GDPR applies, the data protection obligations described in this DPA (as referred to in Article 28(3) of the GDPR) are also imposed on the Subprocessor. Plainwork remains fully liable for all obligations subcontracted to its Subprocessors, including their acts and omissions in Processing Customer Personal Data.

3. Restricted Transfers

3.1 Authorization

Customer agrees that Plainwork may transfer Customer Personal Data outside the EEA, the United Kingdom, or other relevant geographic territory as necessary to provide the Service. If Plainwork transfers Customer Personal Data to a territory for which an adequacy decision has not been issued, Plainwork will implement appropriate safeguards consistent with Applicable Data Protection Laws.

3.2 Ex-EEA Transfers

If the GDPR protects the transfer of Customer Personal Data from within the EEA to Plainwork outside of the EEA, and the transfer is not governed by an adequacy decision, then by entering into this DPA, Customer and Plainwork are deemed to have signed the EEA Standard Contractual Clauses (EEA SCCs) and their Annexes, which are incorporated by reference:

  • Module Two (Controller to Processor) applies when Customer is a Controller and Plainwork is Processing as a Processor.
  • Module Three (Processor to Sub-Processor) applies when Customer is a Processor and Plainwork is Processing as a Subprocessor.
  • The optional docking clause in Clause 7 does not apply.
  • In Clause 9, Option 2 (general written authorization) applies, with a minimum 10 business-day notice period for Subprocessor changes.
  • In Clause 11, the optional language does not apply.
  • In Clause 17 (Option 1), the EEA SCCs will be governed by the laws of Ireland.
  • In Clause 18(b), disputes will be resolved in the courts of Ireland.

3.3 Ex-UK Transfers

If the UK GDPR protects the transfer of Customer Personal Data from within the United Kingdom to Plainwork outside of the United Kingdom, and the transfer is not governed by an adequacy decision, then by entering into this DPA, Customer and Plainwork are deemed to have signed the UK International Data Transfer Addendum (UK Addendum), which is incorporated by reference. Neither party may end the UK Addendum as set out in Section 19; to the extent the ICO issues a revised Approved Addendum under Section 18, the parties will work in good faith to revise this DPA accordingly.

3.4 Other International Transfers

For Personal Data transfers where Swiss law applies to the international nature of the transfer, references to the GDPR in Clause 4 of the EEA SCCs are, to the extent legally required, amended to refer to the Swiss Federal Data Protection Act, and the concept of supervisory authority will include the Swiss Federal Data Protection and Information Commissioner.

4. Security Incident Response

Upon becoming aware of any Security Incident, Plainwork will: (a) notify Customer without undue delay when feasible, but no later than 72 hours after becoming aware of the incident; (b) provide timely information about the incident as it becomes known or as is reasonably requested by Customer; and (c) promptly take reasonable steps to contain and investigate the incident. Plainwork’s notification of or response to a Security Incident will not be construed as an acknowledgment of any fault or liability for the incident.

5. Audit & Reports

5.1 Audit Rights

Plainwork will give Customer all information reasonably necessary to demonstrate its compliance with this DPA and will allow for and contribute to audits, including inspections by Customer, to assess Plainwork’s compliance. However, Plainwork may restrict access to data or information if Customer’s access would negatively impact Plainwork’s intellectual property rights, confidentiality obligations, or other obligations under Applicable Laws. Plainwork will maintain records of its compliance with this DPA for 3 years after the DPA ends.

5.2 Security Reports

Plainwork is regularly audited against its security standards by independent third-party auditors. Upon written request, Plainwork will give Customer, on a confidential basis, a summary copy of its then-current audit report so that Customer can verify compliance.

5.3 Security Due Diligence

Plainwork will respond to reasonable requests for information made by Customer to confirm compliance with this DPA, including responses to information security, due diligence, and audit questionnaires. All such requests must be in writing and may only be made once a year.

6. Coordination & Cooperation

6.1 Response to Inquiries

If Plainwork receives any inquiry or request from anyone else about the Processing of Customer Personal Data, Plainwork will notify Customer about the request and will not respond without Customer’s prior consent (unless required by Applicable Law). If a data subject makes a valid request under Applicable Data Protection Laws, Plainwork will assist Customer in fulfilling the request.

6.2 DPIAs and DTIAs

If required by Applicable Data Protection Laws, Plainwork will reasonably assist Customer in conducting any mandated data protection impact assessments or data transfer impact assessments and consultations with relevant data protection authorities.

7. Deletion of Customer Personal Data

7.1 Deletion by Customer

Plainwork will enable Customer to delete Customer Personal Data in a manner consistent with the functionality of the Service. Plainwork will comply with this instruction as soon as reasonably practicable except where further storage is required by Applicable Law.

7.2 Deletion at DPA Expiration

After the DPA expires, Plainwork will return or delete Customer Personal Data at Customer’s instruction unless further storage is required or authorized by Applicable Law. If return or destruction is impracticable or prohibited, Plainwork will make reasonable efforts to prevent additional Processing and will continue to protect the data. If the EEA SCCs or UK Addendum form part of this DPA, Plainwork will only provide certification of deletion if Customer requests it.

8. Limitation of Liability

8.1 Liability Caps and Damages Waiver

To the maximum extent permitted under Applicable Data Protection Laws, each party’s total cumulative liability to the other party arising out of or related to this DPA will be subject to the waivers, exclusions, and limitations of liability stated in the Agreement.

8.2 Related-Party Claims

Any claims made against Plainwork or its affiliates arising out of or related to this DPA may only be brought by the Customer entity that is a party to the Agreement.

8.3 Exceptions

This DPA does not limit any liability to an individual about the individual’s data protection rights under Applicable Data Protection Laws. In addition, this DPA does not limit any liability between the parties for violations of the EEA SCCs or UK Addendum.

9. Conflicts Between Documents

This DPA forms part of and supplements the Agreement. If there is any inconsistency between this DPA, the Agreement, or any of their parts, the part listed earlier will control over the part listed later for that inconsistency: (1) the EEA SCCs or the UK Addendum, (2) this DPA, and then (3) the Agreement.

10. Term

This DPA will start when you accept the Agreement and will continue until the Agreement expires or is terminated. However, both parties will remain subject to the obligations in this DPA and Applicable Data Protection Laws until Customer stops transferring Customer Personal Data to Plainwork and Plainwork stops Processing Customer Personal Data.

11. Definitions

  • “Applicable Laws” means the laws, rules, regulations, court orders, and other binding requirements of a relevant government authority that apply to or govern a party.
  • “Applicable Data Protection Laws” means the Applicable Laws that govern how the Service may process or use an individual’s personal information, personal data, or other similar term.
  • “Controller” has the meaning given in the Applicable Data Protection Laws for the company that determines the purpose and extent of Processing Personal Data.
  • “Customer Personal Data” means Personal Data that Customer uploads or provides to Plainwork as part of the Service and that is governed by this DPA.
  • “EEA SCCs” means the standard contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021.
  • “EEA” means the member states of the European Union, Norway, Iceland, and Liechtenstein.
  • “GDPR” means European Union Regulation 2016/679 as implemented by local law in the relevant EEA member nation.
  • “Personal Data” has the meaning given in the Applicable Data Protection Laws for personal information, personal data, or other similar term.
  • “Processing” or “Process” has the meaning given in the Applicable Data Protection Laws for any use of, or performance of a computer operation on, Personal Data.
  • “Processor” has the meaning given in the Applicable Data Protection Laws for the company that Processes Personal Data on behalf of the Controller.
  • “Restricted Transfer” means a transfer of personal data from the EEA or UK to a country not subject to an adequacy determination.
  • “Security Incident” means a Personal Data Breach as defined in Article 4 of the GDPR.
  • “Service” means the Plainwork cloud service as described in the Agreement.
  • “Subprocessor” has the meaning given in the Applicable Data Protection Laws for a company that, with the approval and acceptance of Controller, assists the Processor in Processing Personal Data on behalf of the Controller.
  • “UK GDPR” means European Union Regulation 2016/679 as implemented by section 3 of the United Kingdom’s European Union (Withdrawal) Act of 2018.
  • “UK Addendum” means the international data transfer addendum to the EEA SCCs issued by the Information Commissioner under S119A(1) Data Protection Act 2018.

Annex I — Processing Details

A. Parties

  • Data Exporter (Customer): The entity identified in the Agreement
  • Data Importer (Provider): Sidefort Inc., operating as Plainwork

B. Processing Details

  • Subject matter: Processing of Customer Personal Data in connection with the Plainwork cloud service
  • Nature and purpose: Storage, retrieval, synchronization, and display of notes, documents, and related content; user authentication; collaboration features; service analytics
  • Duration: For the duration of the Agreement plus any retention period required by law
  • Categories of Data Subjects: Customer’s end users and any individuals whose data is included in Customer Content
  • Categories of Personal Data: Email addresses, names, profile information, IP addresses, device identifiers, and any personal data contained in Customer Content
  • Special Category Data: None, unless Customer includes such data in Customer Content (not recommended; see Section 3.2 of the Terms of Service)

C. Technical and Organizational Measures (Annex II)

  • Encryption of data at rest and in transit (TLS 1.2+)
  • Access controls with role-based permissions
  • Multi-factor authentication for administrative access
  • Regular security assessments and vulnerability testing
  • Automated backup and disaster recovery procedures
  • Incident response and breach notification procedures
  • Employee security training and confidentiality agreements
  • Logging and monitoring of access to Customer Personal Data

Contact

Questions about this DPA? Email privacy@plainwork.app.