Data Processing Addendum (DPA)

Last updated: April 10, 2026

1. Purpose and Scope

This Data Processing Addendum forms part of the WorkStudio.Online contract for business customers to the extent Objective Online Company S.R.L. processes personal data on behalf of the customer when providing the service.

This DPA is intended for business use. It does not apply where Objective Online Company S.R.L. acts as an independent controller, such as for its own account administration, security logs, compliance records, or payment and invoicing data processed by Paddle as merchant of record.

2. Parties and Roles

Customer is the controller or processor that determines the purposes and means of processing personal data submitted to WorkStudio.Online for its own use.

Objective Online Company S.R.L. is the processor to the extent it processes such personal data on behalf of the customer in providing WorkStudio.Online.

3. Subject Matter, Duration, Nature, and Purpose

• Subject matter: provision of the hosted WorkStudio.Online service and related support.
• Duration: for the period the customer uses the service and for any limited retention period needed for legal, security, or backup reasons.
• Nature of processing: hosting, storage, organization, retrieval, transmission, backup, deletion, support, and security monitoring.
• Purpose: to provide the functionality requested by the customer under the applicable plan.

4. Categories of Data and Data Subjects

Depending on how the customer uses the service, processed data may include account details, user profile data, documents, file metadata, collaboration data, prompts sent to optional AI features, and support-related communications. Data subjects may include the customer's users, employees, contractors, clients, or other persons whose data the customer chooses to upload or process.

5. Customer Instructions

Objective Online Company S.R.L. will process personal data only on documented instructions from the customer, as reflected in the customer's use of the service, the applicable contract documents, and lawful support requests.

The customer is responsible for ensuring that it has a valid legal basis for the processing it carries out through the service and for providing any notices required by law to its users or other data subjects.

6. Confidentiality

Objective Online Company S.R.L. will ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations.

7. Security Measures

Objective Online Company S.R.L. will implement and maintain reasonable technical and organizational measures appropriate to the nature of the service and the risks presented. These may include account authentication controls, password hashing, access controls, logging, request protections, encrypted transport where supported, and infrastructure security controls provided through our hosting providers.

8. Subprocessors

Objective Online Company S.R.L. may use subprocessors to provide the service. As of the date of this DPA, the main subprocessors are:

• Google Cloud Platform (GCP) for hosting and infrastructure.
• Brevo for transactional email delivery.
• OpenAI for optional AI-backed features that the customer or its users choose to use inside the service.

Paddle acts as merchant of record for checkout, billing, invoicing, and tax handling. Paddle is not used as a subprocessor for customer workspace content under this DPA.

Objective Online Company S.R.L. may add or replace subprocessors where reasonably necessary to operate the service. The current public processor information is reflected in the Privacy Policy.

9. International Transfers

Where personal data is transferred outside the EEA or another restricted jurisdiction, Objective Online Company S.R.L. will rely on an appropriate transfer mechanism and safeguards as required by applicable law.

10. Assistance to Customer

Taking into account the nature of the processing and the information available to us, Objective Online Company S.R.L. will provide reasonable assistance to the customer for:

• responding to data subject requests;
• security incident response and breach-related obligations where applicable;
• data protection impact assessments and consultations with supervisory authorities where reasonably required.

11. Deletion and Return

Upon termination of the applicable service, Objective Online Company S.R.L. will delete or make inaccessible customer personal data in accordance with the service's ordinary deletion and retention processes, unless applicable law requires longer retention or the data must be retained for security, dispute-resolution, backup, or compliance reasons for a limited period.

12. Audit and Information Rights

Objective Online Company S.R.L. will make available reasonable information necessary to demonstrate compliance with this DPA. Any audit right should, unless the law requires otherwise, be exercised through reasonable documentation requests first and, if still necessary, through a coordinated and proportionate review that does not unreasonably disrupt the service. The customer may be required to bear reasonable third-party or internal costs for unusually burdensome audit requests.

13. Liability and Order of Precedence

This DPA supplements the main WorkStudio.Online contract. If there is a direct conflict between this DPA and another contract term regarding processing on behalf of the customer, this DPA controls to that extent. Liability remains subject to the main contract, except where applicable data-protection law requires otherwise.

14. Contact

Questions about this DPA or business-customer privacy terms should be sent to mail@workstudio.online.