Novaworks, Inc. | Total Workforce Management

Data Processing Agreement

  • Document: Data Processing Agreement (DPA)

  • Version: 2.0 v070226

  • Effective Date: June 9, 2025

  • Governing Law: Delaware (primary); EU SCCs in Annex C

  • Processor: Novaworks, Inc. — Delaware corporation, 218 Tourney Loop, Los Gatos, California 95030

  • Controller: Customer entity identified in the MSA or Order Form

  • Includes: Annex A: Description of Processing and Technical/Organizational Measures; Annex B: Authorized Sub-Processor List; Annex C: EU SCCs (Module Two), UK IDTA, CCPA, DPDPA

  • Contact: privacy@novaworks.ai | dpo@novaworks.ai | www.novaworks.ai/legal/dpa

How this DPA works

This DPA is incorporated by reference into the Master Subscription Agreement (MSA) or Order Form between Novaworks and Customer. It governs all processing of personal data Novaworks performs on Customer’s behalf. By executing an Order Form or MSA referencing this DPA, both parties agree to its terms.

Part 1 — Data Processing Agreement

1. Definitions

Capitalized terms not defined here have the meanings given in the MSA or Order Form.

  • Controller— Customer: the entity determining purposes and means of Personal Data processing.

  • Processor— Novaworks, Inc.: processes Personal Data on behalf of the Controller.

  • Personal Data— Any information relating to an identified or identifiable natural person processed by Novaworks on behalf of Customer.

  • Processing— Any operation on Personal Data: collection, storage, use, disclosure, erasure, or destruction.

  • Sub-Processor— Any third party engaged by Novaworks to process Personal Data in delivering the Services. Current Sub-Processors are listed in Annex B.

  • Services— The Novaworks Total Workforce Management platform, AI agent infrastructure, APIs, and related services per the MSA or Order Form.

  • Security Incident— Accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data processed by Novaworks.

  • GDPR— Regulation (EU) 2016/679 (General Data Protection Regulation).

  • UK GDPR— GDPR as retained in UK law by the European Union (Withdrawal) Act 2018.

  • SCCs— Standard Contractual Clauses per Commission Decision 2021/914.

  • CCPA— California Consumer Privacy Act of 2018, as amended by CPRA.

  • DPDPA— India Digital Personal Data Protection Act, 2023.

  • Restricted Transfer— Transfer of Personal Data to a country not providing equivalent data protection.

2. Scope and Roles

2.1 Controller and Processor

Customer is the Controller of Personal Data submitted to the platform. Novaworks is the Processor, acting solely on Customer’s documented instructions. Nothing in this DPA grants Novaworks independent rights over Customer Personal Data.

2.2 Subject Matter

Novaworks processes Personal Data to deliver the Services as described in Annex A. The nature, categories of Data Subjects, and types of Personal Data are detailed in Annex A.

2.3 Duration

This DPA commences on the effective date of the MSA or Order Form and terminates upon expiry or termination of all applicable Order Forms, subject to post-termination obligations in Section 10.

2.4 Independent Controller Carve-Out

Novaworks processes certain data as an independent Controller for its own legitimate business purposes (account management, billing, security operations, aggregated analytics). Such processing is governed by the Novaworks Privacy Policy and is outside the scope of this DPA.

3. Customer Instructions

3.1 Documented Instructions

Novaworks shall process Personal Data only on Customer’s documented instructions, unless required to do so by applicable law. The Agreement, this DPA, and written instructions from Customer’s authorized administrators constitute Customer’s complete instructions.

3.2 Unlawful Instructions

If Novaworks reasonably believes a Customer instruction violates applicable data protection law, Novaworks shall notify Customer promptly. Novaworks may suspend processing under that instruction until Customer confirms, modifies, or withdraws it.

4. Novaworks Obligations

4.1 Confidentiality of Processing

Novaworks shall ensure all personnel authorized to process Personal Data are bound by confidentiality obligations no less protective than those in this DPA. Personnel receive data protection training at least annually.

4.2 Security Measures

Novaworks shall implement and maintain the technical and organizational security measures (TOMs) described in Annex A, Section A.2. Novaworks reviews and updates TOMs at least annually and following any Security Incident or material architecture change.

4.3 Multi-Tenant Isolation

Customer Personal Data is isolated within Customer’s ServiceNow scoped application environment through ACLs and role-based access controls. No Customer tenant can access another Customer’s Personal Data.

4.4 AI Processing Obligations

Where Novaworks uses AI agents (including AWS Bedrock inference) to process Personal Data on Customer’s behalf:

  • AI agent transactions, prompts, and input metadata are stored within Customer’s ServiceNow tenant scope and accessible to Customer administrators via audit logs.

  • Novaworks does not use Customer Personal Data to train, fine-tune, or improve any AI foundation model, including those provided via AWS Bedrock.

  • AI outputs are advisory. Novaworks does not make fully automated decisions producing legal or similarly significant effects on Data Subjects without Customer’s instruction and human oversight.

  • Novaworks shall notify Customer if it becomes aware that an AI processing instruction would, in its reasonable opinion, violate applicable law including the EU AI Act.

4.5 Assistance to Customer

Novaworks shall provide reasonable assistance to Customer in fulfilling Controller obligations, including:

  • Responding to Data Subject rights requests (access, rectification, erasure, restriction, portability, objection, AI explanation, human review) within 10 business days of Customer’s written request.

  • Providing information necessary for Customer to conduct and document Data Protection Impact Assessments (DPIAs) under GDPR Article 35.

  • Cooperating with Customer’s reasonable audit requests as described in Section 9.

5. Sub-Processors

5.1 General Authorization

Customer grants Novaworks general authorization to engage Sub-Processors to deliver the Services. Current authorized Sub-Processors are listed in Annex B.

5.2 Sub-Processor Obligations

Novaworks shall impose data protection obligations on each Sub-Processor no less protective than this DPA by written contract. Novaworks remains fully liable to Customer for Sub-Processors’ acts and omissions.

5.3 30-Day Change Notice

Novaworks shall provide at least 30 days’ prior written notice before adding or replacing any Sub-Processor. Notice will be sent to Customer’s registered privacy/security contact and posted to www.novaworks.ai/legal/sub-processors.

5.4 Right to Object

Customer may object to a new Sub-Processor within 14 days of notice by emailing privacy@novaworks.ai with detailed grounds. The parties shall negotiate in good faith for 30 days. If unresolved, Customer may terminate the affected Services on 30 days’ written notice without penalty, as its sole remedy.

6. International Data Transfers

6.1 US-Based Processing

The Novaworks platform is hosted on AWS infrastructure primarily in the United States (us-east-1, with DR in us-west-2). Customer acknowledges that Personal Data will be transferred to and processed in the United States.

6.2 EU/EEA and UK Transfers

For EU/EEA or UK Personal Data, transfers are governed by the SCCs (Annex C, Part 1) and UK IDTA Addendum (Annex C, Part 2) respectively, both incorporated by reference. SCCs apply as Module Two (Controller to Processor). The parties agree Irish law governs the SCCs per Clause 17.

6.3 California (CCPA)

Novaworks acts as a Service Provider under CCPA. See Annex C, Part 3 for CCPA commitments.

6.4 India (DPDPA)

For Indian Data Principals, processing shall comply with DPDPA 2023 as its rules come into force. See Annex C, Part 4.

6.5 Other Jurisdictions

For Personal Data from other jurisdictions with transfer restrictions, the parties will cooperate in good faith to implement additional required safeguards.

7. Security Incident Notification

7.1 Notification Timeline

Upon confirming a Security Incident affecting Customer Personal Data, Novaworks shall notify Customer’s registered security contact without undue delay and, where feasible, within 72 hours of confirmation. Initial notification may precede full investigation.

7.2 Notification Content

Notification shall include, to the extent known: (a) nature of the incident and categories/approximate number of Data Subjects and records affected; (b) Novaworks DPO/security contact details; (c) likely consequences; (d) measures taken or proposed. Novaworks shall provide updates as the investigation progresses.

7.3 Customer Notification Obligations

Customer determines whether the Security Incident triggers regulatory notification obligations (e.g., GDPR Articles 33-34, CCPA) and is responsible for any required notifications to authorities and Data Subjects. Novaworks cooperates fully.

7.4 Incident Tracking

All Security Incidents are tracked through Novaworks’ incident management system to closure, per the Novaworks Incident Response Plan.

8. Data Subject Rights

If Novaworks receives a Data Subject request directly (access, erasure, portability, restriction, objection, AI explanation, or human review), Novaworks shall forward it to Customer’s registered privacy contact within 3 business days and shall not respond directly to the Data Subject unless authorized by Customer or required by law.

Novaworks provides Customer with technical means to fulfill Data Subject rights requests, including data export tools and deletion workflows within the ServiceNow environment.

9. Audit Rights

9.1 Documentation

Novaworks shall provide its most recent SOC 2 Type 2 report (under NDA), third-party penetration test summaries, and responses to Customer security questionnaires to demonstrate compliance with this DPA.

9.2 On-Site / Remote Audit

Customer may conduct or commission audits of Novaworks’ data processing activities up to once per calendar year, on 30 days’ written notice, during normal business hours, subject to reasonable confidentiality obligations. Customer bears the cost unless the audit reveals material non-compliance by Novaworks.

9.3 Regulatory Requests

Novaworks shall notify Customer within 72 hours of receiving any supervisory authority request for access to or information about Customer Personal Data, and shall follow Customer’s reasonable instructions unless prohibited by law.

10. Data Retention and Deletion

10.1 Retention During the Term

  • Active workforce data— Duration of subscription + 90 days post-termination for export

  • AI agent transaction logs— 90 days within ServiceNow tenant (configurable per Customer)

  • Security and audit logs— Minimum 12 months; high-sensitivity 24 months

10.2 Post-Termination

Within 30 days of termination, Customer may request return of Personal Data in machine-readable format. Novaworks will securely delete all copies of Customer Personal Data within 90 days of termination and provide written certification. Novaworks may retain data beyond these periods only where required by law, and will notify Customer of the legal basis and duration.

11. Liability

Each party’s liability under this DPA is subject to the limitations in the MSA. Where this DPA is entered independently, each party’s aggregate liability for DPA claims shall not exceed the greater of: (a) USD $500,000; or (b) total fees paid by Customer in the 12 months preceding the claim.

This limitation does not apply to: (i) death or personal injury by negligence; (ii) fraud; (iii) liability not limitable by law; or (iv) Customer’s obligation to pay fees. For Security Incident claims by Data Subjects or supervisory authorities, each party is liable for damage caused by its own non-compliance with this DPA.

12. General

12.1 Order of Precedence

On data protection matters, this DPA prevails over the MSA. The SCCs in Annex C prevail over this DPA for EU/EEA and UK Personal Data transfers.

12.2 Governing Law

This DPA is governed by the laws of the State of Delaware, without regard to conflict-of-law principles, except the SCCs are governed by Irish law (Clause 17) and the UK IDTA by English law.

12.3 Amendments

Novaworks may update this DPA with 30 days’ written notice. Updates required to comply with changes in data protection law take effect on the legally required date. Continued use of Services after the effective date constitutes acceptance.

12.4 Severability

If any provision is unenforceable, remaining provisions continue in full effect.

Annex A — Description of Processing and Technical/Organizational Measures

A.1 Description of Processing

  • Subject matter— Delivery of the Novaworks Total Workforce Management platform: an AI-native HCM system on ServiceNow with AI on AWS Bedrock.

  • Duration— Subscription term per Order Form.

  • Nature of processing— Collection, storage, retrieval, use, disclosure to authorized users, AI-assisted analysis, deletion, and archiving.

  • Purpose— Workforce management: onboarding/offboarding, scheduling, performance, contingent worker management, HR analytics, AI-assisted decision support.

  • Data Subjects— Customer employees; contingent workers; contractors; job candidates (where applicable); HR and management personnel.

Categories of Personal Data Processed

  • Identity— Full name, employee ID, job title, department, employment type

  • Contact— Work email, phone, office location

  • HR and employment— Compensation, performance records, leave, org hierarchy, workforce planning

  • Authentication— Usernames, encrypted passwords, MFA device IDs

  • AI interaction data— Prompts to AI agents, agent outputs, SuperAgent orchestration logs (stored per tenant in ServiceNow)

  • Sensitive data (if applicable)— National IDs (payroll); immigration status (contingent workforce), on Customer instruction with lawful basis only

  • Technical/log data— IP addresses, access timestamps, audit logs (sanitized; no sensitive data in system logs)

A.2 Technical and Organizational Measures (TOMs)

  • Encryption in transit— TLS 1.2+ for all data in motion between clients, ServiceNow, and AWS.

  • Encryption at rest— AES-256 for all data at rest in S3, RDS, MongoDB, Elasticsearch, and ServiceNow data stores.

  • Access control— RBAC via ServiceNow ACLs; principle of least privilege; quarterly access reviews.

  • Multi-tenant isolation— ServiceNow architecture ensures complete logical tenant separation. Cross-tenant access is architecturally prevented.

  • MFA— Required for all administrative accounts and production access.

  • Vulnerability management— Weekly automated web app scanning (Qualys WAS); annual third-party penetration testing; critical/urgent findings remediated within 1-2 business days.

  • Incident response— 24-hour breach notification; dedicated IR team; NIST-framework procedures; all incidents tracked to closure in JIRA.

  • Backup and recovery— Daily encrypted backups to S3 with cross-region replication; RTO 1 hr (API Monitoring), 1 day (Data Lake/Hunter); tested annually.

  • SOC 2 Type 2— Annual SOC 2 Type 2 audit by independent auditor; reports available to Customers under NDA.

  • Personnel security— Background checks prior to production access; annual security awareness training; contractual confidentiality for all personnel.

  • AI-specific controls— Agent transactions logged per tenant; no Customer data used for model training; human-in-the-loop for employment decisions.

  • SDLC security— Secure SDLC policy enforced; production data prohibited in non-production environments; peer-reviewed code changes; no sensitive data in logs.

Annex B — Authorized Sub-Processor List

Living document

This Annex reflects Sub-Processors as of the effective date. Novaworks notifies Customers at least 30 days before adding or replacing any Sub-Processor (Section 5.3). The current list is also available at www.novaworks.ai/legal/sub-processors.

B.1 Core Platform Infrastructure

ServiceNow, Inc.— Santa Clara, CA

  • Category: Platform system of record

  • Data location: US (primary), EU (optional)

  • Purpose: HCM platform: ACLs, roles, workflows, REST APIs, decision tables, business events. Stores HR records, AI agent transactions, prompts, and audit logs within Customer’s scoped tenant.

Amazon Web Services (AWS)— Seattle, WA

  • Category: Cloud infrastructure + AI

  • Data location: us-east-1 (primary), us-west-2 (DR)

  • Purpose: Infrastructure hosting. AWS Bedrock: LLM inference for AI agents. S3: encrypted backups. RDS: relational database. CloudWatch: monitoring. AWS does not use Customer data to train foundation models.

B.2 Security and Monitoring

Qualys, Inc.— Foster City, CA

  • Category: Security scanning

  • Data location: US

  • Purpose: Web application vulnerability scanning. Processes app metadata; does not receive Customer HR Personal Data.

Atlassian (Jira)— Sydney, Australia

  • Category: Incident tracking

  • Data location: US / AU

  • Purpose: Security incident and vulnerability tracking. Ticket metadata only; no Customer Personal Data in tickets per Novaworks policy.

B.3 Business Operations

Microsoft 365 / Azure AD— Redmond, WA

  • Category: Email + identity

  • Data location: US / EU

  • Purpose: Internal communications; support email (support@, privacy@novaworks.ai). May receive Customer contact data (name, email, company) for support interactions only.

HubSpot

  • Category: CRM

  • Data location: TBD

  • Purpose: Customer account management. Customer contact data only. No Employee/Worker Personal Data.

Billing provider (to be confirmed)

  • Category: Payments

  • Data location: TBD

  • Purpose: Subscription billing. Customer billing contact and payment data only. No Employee/Worker Personal Data.

TBD entries

Entries marked “to be confirmed” or “TBD” will be finalized and notified to Customer before activation. The 30-day notice and right to object in Section 5 apply.

B.4 Sub-Processor Change Log

  • June 9, 2025— Initial list: ServiceNow, AWS (Bedrock, S3, RDS, CloudWatch), Qualys, Atlassian, Microsoft 365 authorized.

  • Next update— Recorded upon each sub-processor change with 30-day Customer notice.

Annex C — International Transfer Mechanisms

Part 1: EU Standard Contractual Clauses (Module Two — Controller to Processor)

Applicability

Part 1 applies where Customer submits Personal Data of EU/EEA Data Subjects. It incorporates the EU SCCs (Commission Decision 2021/914, Module Two) by reference, supplemented by the specifics below.

  • Clause 7 — Docking— Third-party controllers/processors may accede with parties’ written agreement.

  • Clause 8.1 — Instructions— Documented in this DPA and MSA. Novaworks notifies Customer of any instruction it believes violates applicable law.

  • Clause 8.3 — Purpose limitation— Novaworks processes EU Personal Data only for Service delivery; processing for any other purpose requires Customer’s prior written consent.

  • Clause 8.6 — Security— TOMs per Annex A, Section A.2.

  • Clause 8.8 — Sub-processors— Listed in Annex B. General authorization per Section 5.1. 30-day notice and right to object per Sections 5.3-5.4.

  • Clause 13 — Supervision— Competent supervisory authority is that of Customer’s EU Member State of establishment.

  • Clause 17 — Governing law— Republic of Ireland.

  • Clause 18 — Jurisdiction— Courts of the Republic of Ireland.

Annex I to SCCs — Parties and Transfer Description

  • Data Exporter— Customer (Controller). EU/EEA establishment identified in MSA/Order Form.

  • Data Importer— Novaworks, Inc., 218 Tourney Loop, Los Gatos, California 95030. Processor.

  • Categories of Data Subjects— Per Annex A, Section A.1.

  • Categories of Personal Data— Per Annex A, Section A.1.

  • Sensitive data— Processed only on Customer instruction with lawful basis (Annex A, A.1).

  • Frequency of transfer— Continuous during subscription term.

  • Nature and purpose— Per Annex A, Section A.1.

  • Retention period— Per Section 10 of this DPA.

  • Supervisory authority— Authority of Customer’s EU Member State of establishment.

Annex II to SCCs: The TOMs in Annex A, Section A.2 are incorporated by reference as Annex II to the SCCs.

Part 2: UK International Data Transfer Agreement (IDTA) Addendum

For UK Personal Data transfers, the UK IDTA Addendum to the EU SCCs (as issued by the ICO and laid before Parliament on 2 February 2022) applies. Mandatory IDTA tables:

  • Table 1 — Parties— Data Exporter: Customer (UK establishment or UK Data Subjects). Data Importer: Novaworks, Inc., USA.

  • Table 2 — Selected SCCs— EU SCCs Module Two per Part 1 of this Annex C.

  • Table 3 — Appendix Information— Per Annex A of this DPA.

  • Table 4 — Ending the Addendum— Either party may terminate if the Approved Addendum changes per IDTA Section 19.

  • Governing law— England and Wales.

  • Jurisdiction— Courts of England and Wales.

Part 3: CCPA Service Provider Terms

Where Customer is a “Business” under CCPA and Novaworks processes California consumer “Personal Information” on Customer’s behalf, Novaworks is a “Service Provider” and certifies:

  • Novaworks will not sell or share Personal Information received from Customer.

  • Novaworks will not retain, use, or disclose Personal Information for any purpose other than delivering the Services to Customer, as permitted by the CCPA Business Purpose exception.

  • Novaworks will not combine Personal Information from Customer with information from other sources except as CCPA permits.

  • Novaworks understands and will comply with these CCPA Service Provider restrictions.

Part 4: India DPDPA Compliance

Where Novaworks processes Personal Data of Data Principals in India on Customer’s behalf, Novaworks shall comply with the Digital Personal Data Protection Act, 2023 (DPDPA) as a data processor (Service Provider). The parties shall update this Annex as required by DPDPA rules issued by the Data Protection Board of India. Customers with Indian Data Principals may request a DPDPA-specific addendum at privacy@novaworks.ai.

Execution

This DPA is effective upon execution of the MSA or Order Form incorporating it, or upon both parties signing below if entered as a standalone agreement.