Legal
Data Processing Addendum
The controller/processor commitments Workclave makes when handling personal data on behalf of enterprise customers — security measures, subprocessors, data subject rights, breach notification, and deletion.
1. Roles of the parties
- For workspace data that customers upload or generate while using Workclave (employee records, sessions, approvals, payroll inputs), the customer is the data fiduciary/controller and Workclave acts as the data processor.
- For our own website, sign-up, billing, and marketing data, Workclave acts as the controller, as described in our Privacy Policy.
- This Addendum forms part of the agreement between the customer and Workclave (operated by Mecverse) and governs the processing of personal data on the customer's behalf.
2. Scope and subject matter
- Subject matter: provision of the Workclave session-based workforce management platform and related support.
- Duration: for the term of the customer's subscription, plus the retention and deletion windows described below.
- Nature and purpose: attendance and session tracking, approval workflows, leave and shift management, reporting, and payroll input processing.
- Categories of data subjects: the customer's employees, contractors, managers, and administrators.
- Categories of personal data: identity and contact data, work session and attendance records, leave and shift data, and — where the customer uses payroll — salary, tax declaration, and bank-transfer details.
3. Workclave's processing obligations
- Workclave processes personal data only on documented instructions from the customer, including for international transfers, unless required by law.
- Personnel authorised to process personal data are bound by confidentiality obligations.
- Workclave implements and maintains the technical and organisational security measures described in Annex A (below) and in our Security policy.
- Workclave assists the customer in meeting its own obligations: responding to data subject requests, security, breach notification, and data protection impact assessments.
4. Subprocessors
- The customer authorises Workclave to engage subprocessors (e.g. cloud hosting and transactional email providers) to deliver the service.
- Subprocessors are bound by written terms imposing data protection obligations no less protective than this Addendum, and receive only the minimum data required for their function.
- Workclave maintains a current list of subprocessors and will provide it, and reasonable notice of intended changes, on request at hello@mecverse.com.
- Workclave does not sell customer personal data and does not use it to train third-party models.
5. Data subject rights assistance
- The platform provides self-service tooling so that the customer (and, where enabled, individual users) can exercise access, export, correction, and erasure rights directly.
- Individuals can download a machine-readable export of their personal data and request erasure of their account from Settings → Privacy & Data, and via the mobile app.
- Where a request cannot be fulfilled in-product, Workclave assists the customer in responding within the timelines required by applicable law (GDPR, India's DPDP Act, CCPA).
6. Personal data breach notification
- Workclave maintains a documented incident response plan and monitors for security events.
- On becoming aware of a personal data breach affecting customer data, Workclave notifies the customer without undue delay and within 72 hours, with the nature and scope of the incident and remediation steps.
- Workclave cooperates with the customer's own regulatory notification obligations.
7. Return and deletion of data
- On termination, customer workspace data is retained for a 90-day grace period to allow final export, then permanently deleted from production systems and purged from backup rotation within 30 days.
- Individual account deletions requested in-product are soft-deleted immediately (direct identifiers scrubbed) and hard-purged after a 30-day grace window by an automated retention job.
- Audit log records are retained for 12 months to meet compliance and billing-audit requirements, then purged.
8. International transfers
- Workclave's primary processing region is India. Where personal data is transferred across borders, Workclave relies on appropriate safeguards as required by applicable law.
- The customer is informed of the processing location so it can meet its own transparency and transfer obligations.
Annex A — Technical and organisational measures
- Encryption of data in transit and at rest using strong, industry-standard methods, with an additional layer of application-level encryption for particularly sensitive financial details such as bank information.
- Role-based access control, with payroll and salary data restricted to authorised roles, and least-privilege production access protected by multi-factor authentication.
- Append-only audit logging of sensitive data access and administrative actions, retained for 12 months.
- Short-lived, rotating session tokens; strong one-way password hashing; and hardened session-cookie attributes.
- Server-side input validation, protection against common web vulnerabilities, rate limiting, and security headers.
- Consent capture at sign-up, automated retention enforcement, and configurable deletion workflows.
9. Requesting the executed DPA
- This page summarises the commitments in Workclave's Data Processing Addendum. Procurement and legal teams can request the countersignable DPA package through the contact form or at help@mecverse.com.
- Final legal terms in the executed DPA and the customer agreement govern in the event of any conflict with this summary.
Need the countersignable DPA for procurement? Request it at help@mecverse.com.