Data Processing Addendum (DPA)

Last Updated: February 1, 2026

This Data Processing Addendum ("DPA") forms part of the Master Terms of Service between StaffrWorks, Inc. ("Processor") and the Customer ("Controller") regarding the processing of personal data.

1. Definitions

"Data Protection Laws" means all applicable laws and regulations regarding the processing of Personal Data, including GDPR (EU), CCPA/CPRA (California), and other relevant US state privacy laws.

2. Roles and Responsibilities

The parties acknowledge and agree that with regard to the Processing of Personal Data, Customer is the Controller and StaffrWorks is the Processor. StaffrWorks will process Personal Data only in accordance with Customer's documented instructions.

3. Data Security

StaffrWorks shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest.
• Ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems.
• Regular testing and evaluation of the effectiveness of security measures.

4. Sub-processors

Customer grants StaffrWorks general authorization to engage sub-processors (e.g., AWS, Supabase, Stripe) to provide the Service. StaffrWorks remains fully liable for the user of any sub-processors.

5. Data Subject Rights

StaffrWorks shall assist Customer coverage, insofar as this is possible, for the fulfillment of Customer's obligation to respond to requests for exercising the data subject's rights (e.g., right to access, rectification, deletion).

6. International Transfers

StaffrWorks processes data primarily in the United States. By using the Service, Customer consents to the transfer of data to the US.

7. Contact

For any privacy or data processing related inquiries, please contact privacy@staffrworks.com.