Effective date: June 9, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Verified Workflows Inc. ("Processor") and the customer ("Controller") and governs the processing of personal data in connection with the Service.
Terms not defined herein shall have the meaning given in the GDPR. "Personal Data", "Processing", "Data Subject", "Controller", and "Processor" shall have the meanings ascribed in Regulation (EU) 2016/679 (GDPR).
This DPA applies when Processor processes Personal Data on behalf of Controller in connection with the Verified Workflows review platform. The subject matter is the human-in-the-loop review of AI-generated content submitted by Controller.
| Category | Data Subjects | Data Types |
|---|---|---|
| Account data | Controller's employees and agents | Name, email, role |
| Task content | Individuals whose data appears in task payloads | Text, audio, structured data submitted for review |
| Review data | Reviewers | Reviewer decisions, corrections, certifications |
Processor shall process Personal Data only on Controller's documented instructions, unless required by EU or member state law.
Processor shall ensure that all persons authorized to process Personal Data are bound by confidentiality obligations.
Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
Controller grants Processor general authorization to engage the following sub-processors:
Processor shall inform Controller of any intended changes concerning the addition or replacement of sub-processors, giving Controller the opportunity to object.
Processor shall assist Controller by implementing appropriate measures to fulfill Controller's obligations to respond to Data Subject requests under Chapter III of the GDPR.
Processor shall notify Controller without undue delay (and in any event within 48 hours) after becoming aware of any personal data breach.
Processor shall assist Controller in conducting data protection impact assessments where required, providing necessary information about the processing.
Where Processor transfers Personal Data outside the EEA, it shall ensure appropriate safeguards are in place, including Standard Contractual Clauses (SCCs) approved by the European Commission.
Upon termination of the Service, Processor shall, at Controller's choice, delete or return all Personal Data and delete existing copies, unless EU or member state law requires storage of the Personal Data.
Processor shall make available to Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits, including inspections, conducted by Controller or another auditor mandated by Controller.
Each party's liability under this DPA shall be subject to the limitation of liability provisions in the Terms of Service.
This DPA is governed by the laws of the State of California, without regard to conflict of law principles, except to the extent the GDPR applies mandatorily.