Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Terms") between WBSync Ltd (CRO no. 817394, registered office Irishtown, Ardee, Co. Louth, Ireland) ("WBSync", "Processor") and the Customer ("Controller"). It is incorporated into the Terms automatically when the Controller accepts the Terms; no separate signature is required, although WBSync may make a separately signable copy available on request. It governs WBSync's processing of personal data contained in Customer Data on the Controller's behalf when providing the Service. Where the Terms and this DPA conflict on data-protection matters, this DPA prevails.

"Data Protection Law" means, as applicable, the EU GDPR (Regulation 2016/679), the UK GDPR and Data Protection Act 2018, the Irish Data Protection Acts 1988–2018, and the Irish ePrivacy Regulations (S.I. 336/2011) — each as amended or replaced. Terms such as "controller", "processor", "personal data", "processing", "data subject", "personal data breach" and "supervisory authority" have the meanings given in Data Protection Law. Capitalised terms not defined here have the meanings given in the Terms.

1. Roles and scope

The Controller is the controller and WBSync is the processor for the Customer Data (the personal data described in Schedule 2). WBSync acts only on the Controller's documented instructions, which are set out in Schedule 1, the Terms, the configuration choices the Controller makes in the Service, and any further written instructions the Controller gives that WBSync agrees to (WBSync may charge for instructions that go beyond the standard functionality of the Service). WBSync is a separate controller for account, billing, marketing and operational-telemetry data, governed by the Privacy Policy and not by this DPA.

2. WBSync's obligations as processor

WBSync will:

1. Process only on instructions — process Customer Data only on the Controller's documented instructions, including as regards transfers, unless required to do otherwise by law (in which case, where the law permits, WBSync will inform the Controller first). WBSync will inform the Controller if, in its opinion, an instruction infringes Data Protection Law (without obligation to provide legal advice or to monitor the Controller's compliance).
2. Confidentiality — ensure that persons authorised to process Customer Data are bound by an appropriate duty of confidentiality.
3. Security — implement and maintain the technical and organisational measures in Schedule 3 (Article 32), and may update them provided the level of protection is not materially reduced.
4. Subprocessing — engage subprocessors only in accordance with §4.
5. Assist the Controller — taking into account the nature of the processing and the information available to WBSync, provide reasonable assistance to the Controller (at the Controller's cost, save where the assistance is required because of WBSync's breach) with: data-subject requests (§5); security, breach notification and communication (§6); and data protection impact assessments and prior consultation (Articles 35–36), primarily through the self-service tooling and documentation WBSync makes available.
6. Deletion or return — at the end of the Services, delete or return Customer Data in accordance with §7.
7. Audit — make available the information described in §8.
8. No other use — never sell Customer Data, and never use it for advertising or to train AI/ML models.

3. Controller's obligations

The Controller warrants and undertakes that: it has, and will maintain, a valid lawful basis and all notices and consents necessary to provide Customer Data to WBSync and to have it processed as contemplated by the Terms; its instructions comply with Data Protection Law; it will not load special-category (Article 9) data into free-text fields contrary to WBSync's guidance; and it will comply with its own obligations as controller, including informing workers and other data subjects about tracking/monitoring where required. The Controller is responsible for the accuracy, quality and legality of Customer Data and the means by which it acquired it. The Controller will indemnify WBSync against claims and losses arising from the Controller's breach of this §3, as provided in the Terms.

4. Subprocessors

The Controller gives WBSync general written authorisation to engage subprocessors to process Customer Data. WBSync's current subprocessors are listed and kept current at our subprocessor page, which forms Schedule 4.

WBSync will: (a) impose data-protection obligations on each subprocessor that are, in substance, no less protective than those in this DPA (Article 28(4)); (b) remain liable to the Controller for the performance of each subprocessor's obligations, to the same extent and subject to the same limitations as apply to WBSync's own performance under the Terms; and (c) give the Controller at least 30 days' advance notice of adding or replacing a subprocessor, by the notice mechanism on that page. The Controller may object on reasonable, documented data-protection grounds within the notice period. The parties will work in good faith to resolve the objection; if they cannot, the Controller's sole and exclusive remedy is to terminate the affected part of the Service and receive a pro-rata refund of any fees pre-paid for the terminated, unused portion of the then-current term.

5. Data-subject requests

Taking into account the nature of the processing, WBSync will assist the Controller by appropriate technical and organisational measures, so far as reasonably possible, to respond to data-subject requests. The Service provides self-service tooling (including data export and deletion) that the Controller can use directly, and which the parties agree generally constitutes sufficient assistance. If WBSync receives a request directly from a data subject relating to Customer Data, it will not respond to the substance of the request (other than to acknowledge it or direct the individual to the Controller) and will promptly inform the Controller.

6. Personal data breaches

WBSync will notify the Controller without undue delay (and, where feasible, within 72 hours) after WBSync becomes aware of and confirms a personal data breach affecting Customer Data. The notification will include the information reasonably available to WBSync that the Controller needs to meet its Articles 33–34 obligations (the nature of the breach, the categories and approximate numbers of data subjects and records affected, likely consequences, and the measures taken or proposed), provided in instalments as it becomes available. WBSync maintains a documented breach-response runbook and will cooperate in good faith. WBSync's notification is not an acknowledgement of fault or liability.

7. Return and deletion

On termination or expiry of the Service, and at the Controller's choice, WBSync will delete or return Customer Data and delete existing copies, unless retention is required by law. The Service allows the Controller to export Customer Data before access ends; the Controller is responsible for doing so. WBSync's standard practice: Customer Data becomes inaccessible at the end of the Subscription and is purged from active systems within a defined window (generally up to 30 days), with residual copies expiring from encrypted backups within the backup-retention period (currently up to 120 days). WBSync will provide written confirmation of deletion on the Controller's written request.

8. Audits

WBSync will make available to the Controller the information reasonably necessary to demonstrate compliance with Article 28 and this DPA. The Controller may audit WBSync's compliance, subject to the following: audits take place no more than once in any 12-month period (except where required by a supervisory authority or following a personal data breach affecting the Controller's Customer Data); on at least 30 days' prior written notice; during business hours; without unreasonably disrupting WBSync's operations; subject to confidentiality; and at the Controller's own cost. WBSync may satisfy an audit request, in whole or in part, by providing up-to-date third-party certifications and audit reports (for example SOC 2) and written responses to reasonable questions, where these reasonably address the request.

9. International transfers

Customer Data is hosted in the EU (Frankfurt, Germany). Where WBSync or a subprocessor transfers Customer Data outside the EEA, the transfer is protected by an appropriate Article 46 safeguard — the EU-US Data Privacy Framework (where the recipient is certified) and/or the European Commission's Standard Contractual Clauses (2021/914), with the UK International Data Transfer Addendum where UK GDPR applies — as detailed on the subprocessor page. The relevant Standard Contractual Clauses are incorporated into this DPA by reference, with the parties' details, modules and selections completed by reference to this DPA and Schedules 1–4; where required by the SCCs they prevail over conflicting terms. A copy of the relevant safeguards is available from dpo@wb-sync.com on request.

10. Liability

Each party's liability arising out of or in connection with this DPA is subject to, and counts towards, the exclusions and the aggregate liability cap set out in the Terms. Any claim relating to data protection (including under this DPA, the SCCs, or Data Protection Law) is included within that single aggregate cap and is not a separate or uncapped category of liability, except to the extent the cap cannot lawfully apply.

11. Duration and changes

This DPA applies for as long as WBSync processes Customer Data on the Controller's behalf. WBSync may update this DPA to reflect changes in Data Protection Law, guidance, or its practices, on reasonable notice, provided no update materially reduces the protection of Customer Data.

Schedule 1 — Subject-matter and details of processing (Art. 28(3))

• Subject-matter: provision of the WBSync construction labour- and productivity-tracking SaaS.
• Duration: the term of the Subscription plus the deletion period in §7.
• Nature and purpose: hosting, storage, organisation, retrieval, analysis (earned-value/KPI computation), display, transmission and deletion of Customer Data to provide the Service, including ingesting clock events from the Controller's third-party time system.
• Frequency: continuous, for the duration of the Subscription.

Schedule 2 — Categories of data subject and personal data

• Data subjects: the Controller's Authorised Users (administrators, PMs, foremen, QSs) and its workforce/operatives, and where applicable subcontractors and site visitors recorded in diaries.
• Personal data: names and worker references; work email and account credentials (Authorised Users); role and permissions; labour hours, cost-code allocations and approvals; clock events ingested from the Controller's time system; site-diary entries (which may include free-text narrative, safety observations and visitor names); claims and notes; audit-log activity; uploaded files/photos the Controller chooses to store.
• Special categories: not intended. The Controller must not enter Article 9 data into free-text fields; any incidental special-category data is processed only as an unavoidable incident of storing the Controller's free text.

Schedule 3 — Technical and organisational measures (Art. 32)

• Data residency: Customer Data hosted in the EU (Frankfurt).
• Encryption: AES-256 at rest; TLS 1.2+ in transit.
• Tenant isolation: strict per-tenant scoping of all business data, enforced per-request, with cross-tenant access tests.
• Access control: role-based permissions with least privilege; audit logging of security-relevant actions; production/infrastructure access limited to the founder(s); no shared accounts.
• Application security: authentication hardening, rate limiting and abuse protection on auth and write endpoints, idempotent write handling, security headers and content-security-policy, regular automated security scanning with timely remediation.
• Resilience: nightly encrypted backups with integrity verification and SHA-256 sidecars; defined RPO/RTO and restore drills.
• Monitoring: error monitoring with PII scrubbing and IP dropping; uptime/status monitoring.
• Breach management: documented breach-response runbook aligned to Articles 33–34.
• Sub-processing: written data-protection terms with each subprocessor (Article 28(4) flow-down).

Schedule 4 — Subprocessors

The current list is published at our subprocessor page and is incorporated into this DPA. It includes Railway (EU hosting), Stripe (billing) and Resend (email), together with the change-notification and objection mechanism described there.