
GDPR Compliance

Last Updated: January 28, 2025

Our Commitment to Data Protection

At WorkiDoc, we are committed to protecting the privacy and security of personal data. We fully support the principles of the General Data Protection Regulation (GDPR) and have implemented comprehensive measures to ensure compliance with its requirements.

This page explains how we process personal data in accordance with GDPR and outlines your rights as a data subject.

Table of Contents

  • 1. Data Controller Information
  • 2. Legal Basis for Processing
  • 3. Your Rights as a Data Subject
  • 4. Data We Process
  • 5. International Data Transfers
  • 6. Data Protection Officer
  • 7. How to Exercise Your Rights
  • 8. Supervisory Authority and Complaints
  • 9. Data Processing Agreement
  • 10. Technical and Organizational Measures

1. Data Controller Information

For the purposes of the GDPR, the data controller responsible for your personal data is:

Workicient Technologies

Role: Data Controller

Email: privacy@workidoc.com

Website: www.workidoc.com

When you use WorkiDoc as part of an organization's subscription, your organization may also act as a data controller for certain personal data. In such cases, WorkiDoc acts as a data processor on behalf of your organization.

2. Legal Basis for Processing

Under the GDPR, we must have a valid legal basis for processing your personal data. The legal bases we rely on depend on the specific processing activity:

Processing Activity | Legal Basis | GDPR Article
Providing the Service (account management, document storage, email sync) | Performance of contract | Article 6(1)(b)
AI-powered email classification | Performance of contract / Legitimate interest | Article 6(1)(b) / 6(1)(f)
Security monitoring and fraud prevention | Legitimate interest | Article 6(1)(f)
Marketing communications | Consent | Article 6(1)(a)
Analytics and Service improvement | Legitimate interest | Article 6(1)(f)
Billing and payment processing | Performance of contract / Legal obligation | Article 6(1)(b) / 6(1)(c)
Responding to legal requests | Legal obligation | Article 6(1)(c)
Customer support | Performance of contract / Legitimate interest | Article 6(1)(b) / 6(1)(f)

Legitimate Interests

Where we rely on legitimate interests as the legal basis for processing, we have conducted a legitimate interests assessment to ensure our interests do not override your fundamental rights and freedoms. Our legitimate interests include:

  • Improving and optimizing our Service
  • Preventing fraud and ensuring security
  • Understanding how customers use our Service
  • Marketing our products and services to existing customers

3. Your Rights as a Data Subject

Under the GDPR, you have the following rights regarding your personal data:

Right of Access

You can request a copy of the personal data we hold about you and information about how it is processed.

Right to Rectification

You can request correction of inaccurate or incomplete personal data.

Right to Erasure

You can request deletion of your personal data under certain circumstances ("right to be forgotten").

Right to Restriction

You can request restriction of processing in certain situations, such as while we verify accuracy.

Right to Data Portability

You can receive your data in a structured, commonly used format and transfer it to another controller.

Right to Object

You can object to processing based on legitimate interests, including profiling and direct marketing.

Right to Withdraw Consent

Where processing is based on consent, you can withdraw consent at any time without affecting prior processing.

Rights Related to Automated Decisions

You have rights related to automated decision-making and profiling that produces legal effects.

4. Data We Process

We process the following categories of personal data:

4.1 Identity and Contact Data

  • Name, email address, phone number
  • Job title, department, company name
  • Account credentials (username, hashed password)

4.2 Service Usage Data

  • Email content and attachments (for classification and storage)
  • Documents and correspondence created in the Service
  • Workflow actions, approvals, and audit logs
  • User preferences and settings

4.3 Technical Data

  • IP address, browser type, device information
  • Access times and pages viewed
  • Cookies and similar identifiers

4.4 Billing Data

  • Payment card details (processed by our payment provider)
  • Billing address and invoice history

5. International Data Transfers

Your personal data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States, where our servers and some of our service providers are located.

When we transfer personal data outside the EEA, we ensure appropriate safeguards are in place:

5.1 Standard Contractual Clauses

We use Standard Contractual Clauses (SCCs) approved by the European Commission for transfers to third countries that do not have an adequacy decision. These clauses ensure that your personal data receives the same level of protection as within the EEA.

5.2 Additional Safeguards

In addition to SCCs, we implement supplementary measures where necessary, including:

  • Encryption of data in transit and at rest
  • Pseudonymization and data minimization
  • Contractual commitments from recipients
  • Transfer impact assessments

5.3 Sub-Processors

We use the following sub-processors that may process personal data outside the EEA:

  • Amazon Web Services (AWS) - Cloud infrastructure (United States, with EU region options)
  • OpenAI - AI classification processing (United States)
  • Google - OAuth authentication (United States)
  • Microsoft - OAuth authentication (United States)

6. Data Protection Officer

We have appointed a Data Protection Officer (DPO) to oversee our data protection strategy and ensure compliance with GDPR requirements.

Data Protection Officer

Workicient Technologies

Email: dpo@workidoc.com

You may contact our DPO directly for any questions or concerns about our data protection practices or to exercise your data subject rights.

7. How to Exercise Your Rights

You can exercise your data subject rights by contacting us through any of the following methods:

Submit a Data Subject Request

To exercise your rights, please send a request to:

  1. Email: privacy@workidoc.com
  2. DPO: dpo@workidoc.com

Please include the following information in your request:

  • Your full name and email address associated with your account
  • A description of the right you wish to exercise
  • Any additional information to help us locate your data
  • Proof of identity (we may request this to verify your identity)

7.1 Response Time

We will respond to your request within one month of receipt. This period may be extended by two further months where necessary, considering the complexity and number of requests. We will inform you of any extension within one month of receiving your request.

7.2 Verification

To protect your privacy, we may need to verify your identity before processing your request. This helps ensure that personal data is not disclosed to unauthorized persons.

7.3 Fees

We will not charge you a fee for exercising your data subject rights. However, we may charge a reasonable fee for manifestly unfounded or excessive requests, or refuse to comply with such requests.

8. Supervisory Authority and Complaints

If you believe that our processing of your personal data violates the GDPR, you have the right to lodge a complaint with a supervisory authority. You may do so in the EU member state of your habitual residence, place of work, or place of the alleged infringement.

We encourage you to contact us first so we can address your concerns. However, this does not affect your right to lodge a complaint with a supervisory authority.

8.1 Relevant Supervisory Authorities

A list of EU data protection authorities can be found on the European Data Protection Board website: https://edpb.europa.eu/about-edpb/about-edpb/members_en

9. Data Processing Agreement

For customers whose organizations use WorkiDoc to process personal data of their employees, clients, or other individuals, we offer a Data Processing Agreement (DPA) that outlines:

  • The subject matter and duration of processing
  • The nature and purpose of processing
  • The types of personal data processed
  • The categories of data subjects
  • Our obligations as a data processor
  • Your obligations as a data controller
  • Sub-processor arrangements
  • Data security measures
  • Audit rights

To request a Data Processing Agreement, please contact us at legal@workidoc.com.

10. Technical and Organizational Measures

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

10.1 Technical Measures

  • Encryption of personal data in transit (TLS 1.2+) and at rest (AES-256)
  • Pseudonymization and anonymization where applicable
  • Regular security testing and vulnerability assessments
  • Access controls and authentication mechanisms
  • Intrusion detection and prevention systems
  • Backup and disaster recovery procedures
  • Secure development practices

10.2 Organizational Measures

  • Data protection policies and procedures
  • Staff training on data protection
  • Confidentiality agreements with employees
  • Vendor due diligence and contractual protections
  • Incident response procedures
  • Regular compliance audits
  • Data protection impact assessments for high-risk processing

10.3 Breach Notification

In the event of a personal data breach, we will notify the relevant supervisory authority within 72 hours of becoming aware of the breach, unless the breach is unlikely to result in a risk to the rights and freedoms of individuals. Where a breach is likely to result in a high risk to your rights and freedoms, we will also notify you directly.

Contact Information

For any questions about this GDPR Compliance page or our data protection practices, please contact us:

Workicient Technologies

Privacy Inquiries: privacy@workidoc.com

Data Protection Officer: dpo@workidoc.com

Legal Team: legal@workidoc.com
