Last updated: 2026-02-18
1. Introduction and Scope
This Data Processing Agreement ("DPA") forms part of the Platform Terms of Service between Jeremy Kidder ("Processor," "we," or "us") and the Subscriber ("Controller" or "you") who has subscribed to the MyWork platform ("Service").
This DPA applies to the processing of personal data that you, as a Subscriber, enter into or collect through the Platform about your customers, contacts, and business relationships ("Subscriber Data"). It is intended to ensure compliance with applicable data protection legislation, including the EU General Data Protection Regulation (GDPR), the UK GDPR, and the California Consumer Privacy Act (CCPA).
In plain terms: You (the Subscriber) decide what customer data to put into MyWork and why. We (MyWork) store and process it on your behalf, following your instructions, to provide the service you subscribed to. You are the data controller. We are the data processor.
2. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person.
- "Processing" means any operation performed on Personal Data, including collection, storage, retrieval, use, disclosure, and deletion.
- "Controller" means the Subscriber who determines the purposes and means of processing Personal Data.
- "Processor" means Jeremy Kidder (MyWork), which processes Personal Data on behalf of the Controller.
- "Sub-processor" means a third-party service provider engaged by the Processor to assist in processing Personal Data.
- "Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
3. Data Processing Details
3a. Categories of Data Subjects
- Subscriber's customers and contacts
- Subscriber's employees, contractors, and team members
- End-users of the customer portal
3b. Types of Personal Data Processed
| Category | Data Types |
|---|---|
| Identity data | Names, usernames, titles |
| Contact data | Email addresses, phone numbers, physical addresses |
| Business data | Company names, job titles, project details |
| Financial data | Invoice amounts, payment records, estimates (no credit card numbers) |
| Communication data | Messages sent through the Platform's messaging system |
| File data | Documents, images, and files uploaded to the Platform |
| Scheduling data | Appointment dates, times, and service details |
| Technical data | IP addresses and session data of portal users |
3c. Purpose of Processing
We process Subscriber Data solely for the following purposes:
- Providing and operating the Service as described in our Terms of Service
- Storing and displaying data as directed by the Controller through use of the Platform
- Enabling customer portal access, messaging, and file sharing
- Generating reports and analytics for the Controller
- Maintaining system security, including malware scanning of uploaded files
- Providing technical support when requested by the Controller
3d. Duration of Processing
We process Subscriber Data for the duration of the Subscriber's active subscription, plus a 90-day retention period after account cancellation or termination (to allow for data export and potential reactivation).
4. Processor Obligations
As the Processor, we commit to the following:
- Process only on instructions: We will process Subscriber Data only on the Controller's documented instructions (which includes the instructions given through normal use of the Platform), unless required by law.
- Confidentiality: We ensure that persons authorized to process Subscriber Data are bound by confidentiality obligations.
- Security measures: We implement and maintain appropriate technical and organizational measures to protect Subscriber Data (detailed in Section 5).
- Sub-processor management: We will not engage new sub-processors without providing the Controller notice and opportunity to object (detailed in Section 6).
- Cooperation: We will assist the Controller in responding to data subject rights requests, data protection impact assessments, and consultations with supervisory authorities, to the extent reasonably possible.
- Data return and deletion: Upon termination, we will make Subscriber Data available for export and, after the retention period, delete it in accordance with Section 8.
- Audit support: We will make available information necessary to demonstrate compliance with this DPA (detailed in Section 9).
5. Security Measures
We implement the following technical and organizational measures to protect Subscriber Data:
Technical Measures
- Encryption in transit: All data transmitted between users and the Platform is encrypted using HTTPS/TLS.
- Tenant isolation: Multi-tenant architecture with strict logical separation. Every database query is scoped to the authenticated tenant. Cross-tenant data access is architecturally prevented.
- Authentication security: Passwords hashed with bcrypt. Session fingerprinting (user agent + IP subnet hash) to detect hijacking. 30-minute idle session timeout.
- HTTP security headers: Content Security Policy, HSTS, X-Frame-Options, X-Content-Type-Options, Referrer-Policy, Permissions-Policy.
- Injection and request-forgery defenses: CSRF token protection with timing-safe comparison. Parameterized database queries to prevent SQL injection. Output encoding to prevent XSS.
- Upload security: MIME type validation, path traversal prevention, and ClamAV antivirus scanning on all file uploads.
- API protection: Sliding-window rate limiting to prevent abuse and denial-of-service.
- Backups: Regular automated backups of database and files to a separate storage volume.
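For readers assessing the session measures listed above (user-agent plus IP-subnet fingerprint, timing-safe comparison, 30-minute idle timeout), the following Python sketch is an added illustration of how such checks fit together. It is not the Platform's own code and nothing in it should be read as a description of MyWork's implementation: the keyed hash, the /24 and /64 prefix lengths, the key, the `Session` structure, and the sample requests are all assumptions made for the example.

```python
import hashlib
import hmac
import ipaddress
from dataclasses import dataclass

# Assumed server-side key for this illustration only; a real deployment would
# load it from protected configuration, never from source.
FINGERPRINT_KEY = b"illustrative-key-not-a-real-secret"
IDLE_TIMEOUT_SECONDS = 30 * 60  # the 30-minute idle timeout listed above


def client_subnet(ip: str) -> str:
    """Reduce an address to its network so a client whose address changes within
    the same network (DHCP, carrier NAT) keeps its session, while a move to a
    different network does not. The /24 and /64 prefix lengths are assumptions;
    the text above says only "IP subnet"."""
    addr = ipaddress.ip_address(ip)
    prefix = 24 if addr.version == 4 else 64
    return str(ipaddress.ip_network(f"{addr}/{prefix}", strict=False))


def session_fingerprint(user_agent: str, ip: str) -> str:
    """Keyed hash of user agent + subnet. Using an HMAC rather than a bare hash
    means someone who knows a victim's browser and network still cannot compute
    the value stored against the session."""
    msg = user_agent.encode("utf-8") + b"\x00" + client_subnet(ip).encode("ascii")
    return hmac.new(FINGERPRINT_KEY, msg, hashlib.sha256).hexdigest()


@dataclass
class Session:
    user_id: int
    tenant_id: int          # every query issued under this session is scoped to it
    fingerprint: str
    last_seen: float        # Unix time of the last accepted request


def create_session(user_id: int, tenant_id: int, user_agent: str, ip: str, now: float) -> Session:
    return Session(user_id, tenant_id, session_fingerprint(user_agent, ip), now)


def validate_session(session: Session, user_agent: str, ip: str, now: float) -> tuple[bool, str]:
    """Return (accepted, reason). The idle timeout is checked first; the
    fingerprint is then compared with hmac.compare_digest so that a mismatch
    takes the same time as a match and cannot be probed byte by byte."""
    if now - session.last_seen > IDLE_TIMEOUT_SECONDS:
        return False, "idle-timeout"
    expected = session_fingerprint(user_agent, ip)
    if not hmac.compare_digest(expected, session.fingerprint):
        return False, "fingerprint-mismatch"   # treat as a possible hijack: drop the session
    session.last_seen = now
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample requests (documentation addresses, not real clients).
    ua = "Mozilla/5.0 (X11; Linux x86_64) Firefox/115.0"
    s = create_session(user_id=1, tenant_id=42, user_agent=ua, ip="192.0.2.7", now=1_000.0)
    print(validate_session(s, ua, "192.0.2.200", 1_100.0))        # same /24 -> (True, 'ok')
    print(validate_session(s, ua, "198.51.100.7", 1_200.0))       # other network -> mismatch
    print(validate_session(s, "curl/8.0", "192.0.2.7", 1_200.0))  # other client -> mismatch
    print(validate_session(s, ua, "192.0.2.7", 2_901.0))          # 1801 s idle -> idle-timeout
```

The subnet (rather than full address) binding is the usual trade-off between catching a stolen cookie used from elsewhere and not logging out mobile users whose address shifts within one carrier network; a fingerprint mismatch should end the session rather than merely log it.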
Organizational Measures
- Access to production systems is restricted to authorized personnel.
- Role-based access control within the Platform (Owner, Admin, Editor, Viewer roles).
- Security measures are reviewed and updated as the Platform evolves.
6. Sub-processors
We use the following sub-processors to assist in providing the Service:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Stripe, Inc. | Payment processing for Subscriber billing | Subscriber billing information (name, email, payment method). Does not process end-customer data. | United States |
| Resend, Inc. | Transactional email delivery | Recipient email address and email content for account notifications, password resets, and verification emails. | United States |
| ip-api.com | IP geolocation for public website analytics | Visitor IP addresses (public website only). Does not process Subscriber Data. | Germany |
| Linode / Akamai | Infrastructure hosting | All Platform data is hosted on Linode servers. | United States |
Changes to Sub-processors
We will notify Subscribers at least 30 days before engaging a new sub-processor that will have access to Subscriber Data. Notification will be provided via email or in-platform notice. If you object to a new sub-processor, you may contact us to discuss alternatives. If no resolution is reached, you may terminate your subscription.
7. Data Breach Notification
In the event of a Data Breach affecting Subscriber Data:
- Notification timeline: We will notify the affected Controller without undue delay, and no later than 72 hours after becoming aware of the breach.
- Notification content: Our notification will include, to the extent available:
- A description of the nature of the breach, including categories and approximate number of data subjects affected.
- The name and contact details of our point of contact for further information.
- A description of the likely consequences of the breach.
- A description of the measures taken or proposed to address the breach, including measures to mitigate its effects.
- Cooperation: We will cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
- Documentation: We will document the breach, its effects, and the remedial actions taken.
8. Data Deletion and Return
During Subscription
You may delete individual records, contacts, files, and other Subscriber Data at any time through the Platform's interface.
After Termination
- Upon cancellation or termination of your subscription, you may request an export of all Subscriber Data. We will provide the data in a standard, machine-readable format (such as CSV and/or JSON) within 30 days of the request.
- Subscriber Data is retained for 90 days after account termination to allow for export requests and potential reactivation.
- After the 90-day retention period, all Subscriber Data (files and database records) will be permanently deleted from our active systems. Backup copies containing that data are not deleted on the same day; they cycle out of the backup rotation within a further 30 days.
Deletion Verification
Upon request, we will confirm in writing that Subscriber Data has been deleted in accordance with this section.
9. Audit Rights
To the extent required by applicable data protection law:
- We will make available to you all information reasonably necessary to demonstrate our compliance with this DPA.
- We will allow for and contribute to audits, including inspections, conducted by you or an auditor mandated by you, subject to reasonable advance notice (at least 30 days), scope limitations, and confidentiality agreements.
- Audits shall be conducted during normal business hours and shall not unreasonably disrupt our operations.
- If multiple Controllers request audits, we may arrange a joint audit or provide an audit report or certification that addresses common concerns.
10. International Data Transfers
The Platform and its infrastructure are hosted in the United States. If you are located outside the United States, Subscriber Data will be transferred to and processed in the United States.
For transfers of personal data from the EEA or UK to the United States, we rely on:
- The EU-U.S. Data Privacy Framework, where applicable to our sub-processors.
- Standard Contractual Clauses (SCCs) as approved by the European Commission, where required.
If you require executed Standard Contractual Clauses, please contact us.
11. Controller Obligations
As the Controller, you are responsible for:
- Ensuring that you have a lawful basis for collecting and processing the personal data you enter into the Platform.
- Providing appropriate privacy notices to your customers and data subjects regarding your use of the Platform.
- Responding to data subject rights requests from your customers (with our assistance as needed).
- Ensuring that your use of the Platform complies with applicable data protection laws.
- Not entering into the Platform any data categories that the Platform is not designed to handle (such as health records, financial account numbers, government ID numbers, or other sensitive data categories requiring specialized protections).
12. Liability
Each party's liability under this DPA is subject to the limitations of liability set out in the Platform Terms of Service. This DPA does not create liability beyond what is established in the Platform Terms of Service, except as required by applicable data protection law.
13. Term and Termination
This DPA takes effect when the Subscriber begins using the Service and remains in effect for as long as we process Subscriber Data on the Controller's behalf. The obligations in this DPA survive termination to the extent necessary to fulfill their purpose (e.g., data deletion, breach notification for incidents discovered after termination).
14. Modifications
We may update this DPA to reflect changes in our processing activities, sub-processors, or applicable law. Material changes will be communicated to Subscribers at least 30 days before taking effect, via email or in-platform notification. Continued use of the Service after the effective date constitutes acceptance of the updated DPA.
15. Contact
For questions about this DPA, data processing, or to exercise your rights, contact us: