Compliance Agreements

Data Processing Agreement

Effective Date: May 19, 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between Brandstrek, the provider of WorkHex (“Processor”, “Service Provider”, “WorkHex”, “we”, “our”, or “us”), and the customer using WorkHex (“Customer”, “Controller”, “Client”, or “you”). This DPA governs the processing of personal and business data through the WorkHex platform.

1Parties

Data Controller (“Customer”)

The organization, company, institution, or entity using WorkHex and determining the purposes and means of processing personal data.

Data Processor (“WorkHex”)

Brandstrek, operating the WorkHex platform, processes personal data on behalf of the Customer solely for delivering subscribed services.

Company Name

Brandstrek

Product Suite

WorkHex

Website URL

workhex.com

Support Channel

support@workhex.com

2Purpose of this Agreement

This DPA defines and sets clear guidelines on:

✦How WorkHex processes customer databases

✦Direct customer & processor data responsibilities

✦Infrastructure and structural security obligations

✦Strict data retention and structural deletion timelines

✦International cross-border data transfer structures

✦Subcontractor & subprocessor engagement rules

3Scope of Processing

WorkHex processes Customer Personal Data solely to deliver SaaS platform modules, including:

CRM Management

HRM Operations

Employee Attendance

Payroll Processing

Recruitment & ATS

Accounting & Finance

Project Milestones

Workflow Automation

AI-powered Assistants

Processing activities are performed strictly as necessary to sustain and run the requested service instances.

4Categories of Data Processed

Depending on which platform components you activate, we may process:

A. Employee Data

Full name & contactsAttendance selfie/photosGPS location dataPayroll & Wage detailsUploaded documents

B. Customer & CRM Data

Lead informationContact detailsSales historyCall & Communication logsMeeting notes

C. Recruitment & ATS Data

Candidate CVs & resumesInterview notes & reportsATS evaluation scoresRecruitment pipeline status

D. Financial Data

Client InvoicesCorporate expensesGeneral ledger recordsPayments & TaxesAccounting summaries

E. Technical & Usage Data

Access timestamps & logsBrowser & Device infoIP addressesAudit logs & Actions performed

5Nature of Processing

Processor operations comprise basic technical activities including:

CollectionRecordingOrganizationStorageStructuringRetrievalAnalysisUpdatingTransmissionHostingBackupPurging

6Customer Responsibilities (Controller Obligations)

The Controller maintains exclusive responsibility and liability for:

1. Legal Basis

Establishing concrete legal basis and authority to capture and upload data to WorkHex.

2. Employee Consent

Securing proper consents and notifying workers of GPS tracking, selfie attendance, and monitoring actions.

3. Compliance

Abiding by local employment guidelines, labor policies, tax rules, and local privacy regulations.

7WorkHex Responsibilities (Processor Obligations)

The Processor agrees to strictly comply with the following mandates:

✓ Instructions Only

Process customer databases solely under explicit instruction and configuration.

✓ Strict Confidentiality

Preserve full, unconditional data confidentiality across operations.

✓ Access Safeguards

Restrict internal system operations to authorized, verified personnel only.

✓ Account Isolation

Maintain logical, rigid isolation between customer databases in the multi-tenant architecture.

8Employee Monitoring & Attendance Data

WorkHex provides tracking modules containing GPS-based time tracking, selfie attendance verification, and login logs.

The client remains strictly liable for employee disclosures, statutory notices, and compliance with local tracking regulations. WorkHex serves solely as the technical developer supplying database storage.

9Payroll & Sensitive HR Data

Compensation, employee bank accounts, and HR structures represent highly sensitive operations.

WorkHex enforces role-based access filtering (RBAC) to isolate wage details and payroll calculations, meaning only administrators or assigned staff roles within your organization can view these panels.

10AI Processing & Automation

WorkHex features smart assistants, resume parsing scoring, and automated pipelines.

✨ Strictly Private Data Processing

We maintain secure, custom processing paths. Customer databases and private CV uploads are never used to train public, generalized AI engines.

All automated metrics, score reports, and suggestion lists represent recommendations. The customer is solely responsible for auditing and validating hiring choices and financial decisions.

11Audit Logs & Activity Monitoring

To secure user databases, prevent unauthorized access, and match compliance guidelines, WorkHex records major modifications, including login tracking, database modification, payroll tuning, and administrative permission changes.

12Subprocessors & Third-Party Services

WorkHex partners with verified infrastructure vendors (“Subprocessors”) to deliver core services (such as cloud hosting, mail distribution, SMS gateways, and Meta integrations).

We bind all subprocessors to data protection requirements equivalent to those in this DPA.

13Data Storage & Hosting

Client databases are securely hosted and backed up inside cloud infrastructure primarily located in **India**.

We apply rigid technical precautions to prevent data loss or hardware failovers across all hosting locations.

14Security Measures

We execute reasonable technical protocols, including:

🛡️ Network Encryption

Full TLS/SSL wrapping for in-transit platform communication.

🚪 Granular Access Control

Strict logical division separating multi-tenant databases.

🔑 Credential Hashing

Industry standard salting and encryption of active passwords.

💾 System Backups

Automated backup schedules to prevent hardware failure losses.

15Security Incident & Data Breach Notification

If we identify a verified data breach impacting your account, WorkHex will promptly:

Initiate immediate containment procedures.
Notify Controller representatives with relevant details where required.
Supply updates on our mitigation plans.

16International Data Transfers

For hosting backups or syncing with external subprocessors (such as calendar integrations), data may be transmitted or saved outside your primary operational territory. We ensure all such transfers adhere to standard contractual clauses.

17Data Retention & Deletion

Upon cancellation, client databases are kept in secure backups for up to **90 days** to support emergency recovery or compliance checks, after which they are permanently wiped.

The Controller holds the sole responsibility to export all internal lists and bookkeeping ledgers before account termination.

18Customer Data Requests

If you need to execute access, export, correction, or structural deletion requests, please contact our support desk directly at support@workhex.com.

19Limitation of Liability

WorkHex operates exclusively as a data processor. The Controller holds complete liability for establishing consent, payroll accuracy, legal compliance, and defining access roles. WorkHex is not liable for structural fines, employment conflicts, or legal infractions caused by customer settings.

20Governing Law

This Data Processing Agreement is governed by the laws of **India**. Any disputes shall be subject exclusively to the courts of **Kozhikode, Kerala, India**.

21Contact Information

For any technical questions, data compliance queries, or DPA clarifications, please connect with the Brandstrek help desk:

Brandstrek Data & Compliance Desk

Email:support@workhex.com

Website:workhex.com

Corporate Address

Metromax Apartments N, On the road to H. Thondayad Bypass, Nellikkode, Kozhikode, Kerala – 673016, India.