Data Processing Agreement
Effective 2026-05-21 · Last updated 2026-05-21
When you upload your clients' data to ClientNest365, you are the controller and we are the processor. This document sets out the GDPR-required terms of that relationship.
1. Parties
This DPA is between you (“Controller”) and Forge Workflow Holdings (“Processor”), registered at [to be set before deploy], [to be set before deploy], company number [to be set before deploy].
2. Subject matter and duration
The Processor processes personal data on behalf of the Controller for the duration of the Controller's use of ClientNest365 plus any retention period in our Privacy Policy.
3. Nature, purpose, and types of personal data
Nature: storage, organisation, retrieval, and consultation of personal data uploaded into the Controller's ClientNest365 workspace.
Purpose: enabling the Controller to share files, messages, invoices, and approvals with their own clients.
Categories of data subjects: the Controller's clients and their authorised users.
Categories of personal data: name, email, files containing personal data (uploaded by Controller or the Controller's clients), messages, invoice line items.
4. Obligations of the Processor
The Processor will:
- Process personal data only on documented instructions from the Controller (which include the Controller's use of the service).
- Ensure that personnel authorised to process the data are bound by confidentiality.
- Implement the security measures set out in section 7.
- Notify the Controller of a personal-data breach without undue delay (within 72 hours of becoming aware).
- Assist the Controller in responding to data-subject requests where the data is held in the Controller's workspace.
- Delete or return all personal data on termination, except where retention is required by law.
- Make available all information necessary to demonstrate compliance with this DPA.
5. Sub-processors
The Controller authorises the Processor to use the sub-processors listed in the Privacy Policy. The Processor will notify the Controller at least 30 days in advance of any new sub-processor. The Controller may object to a new sub-processor by writing to privacy@clientnest365.com; if the objection cannot be resolved, the Controller may terminate the relevant subscription and obtain a pro-rated refund.
6. International transfers
Where personal data is transferred outside the EU/EEA, the Processor relies on Standard Contractual Clauses (SCCs) approved by the European Commission and ensures sub-processors do the same.
7. Security measures
- Encryption of personal data in transit (TLS 1.2+) and at rest (R2 server-side encryption, Postgres at-rest encryption).
- Access controls: per-workspace row-level security on the database; short-lived signed URLs for file downloads.
- Audit logging on every action in the workspace.
- Personnel access on a least-privilege basis with separate environments for development, staging, and production.
- Regular backups (daily, retained 30 days) with restore testing.
- Incident response process with a 72-hour breach-notification target.
8. Data-subject requests
The Controller is responsible for handling data-subject requests from its own clients. The Processor will, on request and at the Controller's cost, assist with export and deletion of specific records.
9. Audits
The Controller may request annual evidence of compliance (security questionnaires, sub-processor list, SCC copies). Physical site audits are subject to reasonable scope and notice and are at the Controller's cost.
10. Liability
Liability under this DPA is capped per the limitation-of-liability clause in the main Terms of Service.
11. Termination
On termination of the underlying agreement, the Processor will delete the Controller's personal data within 30 days, except where retention is required by law (e.g. tax records retained for 7 years).
12. Contact
Data-protection contact: privacy@clientnest365.com.
Questions about this policy? Email privacy@clientnest365.com. This policy is published in plain English by Forge Workflow Holdings.