# DPA checklist — Workload (legal drafting aid)

**Important**: this file is a **checklist of typical topics** to support discussions between your legal / security teams and Workload. **It is not a DPA**, creates no contractual obligation, and **is not legal advice**.

---

## 1. Parties and subject matter

- [ ] Identification of **controller** (customer) and **processor** (Workload).  
- [ ] Description of **processing** (purposes, data types, data subjects).  
- [ ] Term / termination and **fate of data**.

---

## 2. Documented instructions

- [ ] Processor processes personal data **only on documented instructions** from the controller (unless required by law).  
- [ ] Mechanism for **additional processing** or changes (support / DPO contact).

---

## 3. Security measures

- [ ] Reference to **technical and organisational measures** (encryption, access control, logging, etc.) — may point to the public security overview and product documentation.  
- [ ] **Sub-processors**: notification / prior authorization as required by your framework (GDPR Art. 28.2 / 28.4).

---

## 4. Transfers outside the EU/EEA

- [ ] If transfers occur: **legal mechanism** (SCCs, adequacy decision, etc.) and countries involved.  
- [ ] Link to the **Subprocessors** page for transparency.

---

## 5. Sub-processing

- [ ] List or criteria for **authorized sub-processors**; process to add / remove.  
- [ ] Same protection obligations for onward sub-processors.

---

## 6. Assistance to the controller

- [ ] Assistance for **data subject rights** (access, erasure, portability, restriction, objection).  
- [ ] Assistance for **DPIA** where applicable.  
- [ ] **Personal data breach** notification within agreed timelines.

---

## 7. Deletion and return of data

- [ ] At end of contract: **deletion** or **return** of personal data (and copies), except where law requires retention.  
- [ ] Timeline and format for return if export is requested.

---

## 8. Audits and evidence

- [ ] Controller’s right to **audit** or receive reasonable security certifications / questionnaires.  
- [ ] Confidentiality of audit results.

---

## 9. Liability and termination

- [ ] Allocation of **liability** for GDPR breaches.  
- [ ] **Termination** for serious breach of processor obligations (GDPR Art. 28.3(h)).

---

*To be completed and validated with your counsel.*
