1. Background and parties
This Data Processing Agreement (“DPA”) supplements the Called 2 Work Terms of Service or any executed master services agreement (the “Service Agreement”) between Called 2 Work DBA Zia Code LLC (“Called 2 Work,” the “Processor”) and the customer identified on the executed signature page (“Customer,” the “Controller”).
This DPA reflects the parties' agreement on the processing of personal data by Called 2 Work on behalf of the Customer in the course of providing the Called 2 Work service. Where this DPA conflicts with the Service Agreement on a data-protection matter, this DPA prevails.
Called 2 Work's registered office is 7428 Via Desierto NE, Albuquerque, NM 87113, USA. Notices under this DPA may be served by email to [email protected].
2. Definitions
Capitalized terms not defined in this DPA take their meaning from the EU General Data Protection Regulation 2016/679 (“GDPR”). “Applicable Data Protection Law” means the GDPR, the UK GDPR + Data Protection Act 2018 (when the UK geo-block is lifted), the California Consumer Privacy Act / California Privacy Rights Act (“CCPA/CPRA”), and any other privacy or data-protection law applicable to either party in connection with the processing.
For purposes of the CCPA/CPRA, Called 2 Work acts as a “service provider” to the Customer. Called 2 Work does not “sell” or “share” personal information for cross-context behavioral advertising as those terms are defined under the CCPA/CPRA.
3. Scope and roles
With respect to personal data the Customer submits to or generates within the service, the Customer is the controller and Called 2 Work is the processor (or, where applicable under CCPA/CPRA, the Customer is the “business” and Called 2 Work is the “service provider”).
The subject matter, duration, nature, purpose, categories of data subjects, and categories of personal data are described in Annex I below.
4. Documented instructions
Called 2 Work processes personal data only on documented instructions from the Customer, including the instructions embodied in this DPA, the Service Agreement, and the Customer's in-product configuration of the service. Called 2 Work immediately informs the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
5. Confidentiality
Called 2 Work ensures that personnel authorized to process personal data are bound by appropriate written confidentiality obligations and receive periodic security-awareness training commensurate with their role.
6. Security of processing
Called 2 Work implements the technical and organizational measures set out in Annex II below to ensure a level of security appropriate to the risk per GDPR Art. 32. These measures may evolve over time provided that the level of protection is not materially diminished.
7. Sub-processors
The Customer provides general written authorization for Called 2 Work to engage the sub-processors listed at /legal/sub-processors, which is incorporated here by reference and forms Annex III to this DPA.
Called 2 Work will give the Customer at least 30 days' advance notice before authorizing a new sub-processor or a material change to an existing one. The Customer may object to the change during that notice period on reasonable data-protection grounds, in which case the parties will work in good faith to resolve the objection; if no resolution is reached, the Customer may terminate the affected portion of the service without penalty.
Called 2 Work remains responsible to the Customer for the acts and omissions of its sub-processors to the same extent as for its own acts and omissions under this DPA, and ensures that each sub-processor is bound by data-protection obligations no less protective than those in this DPA.
8. International transfers
To the extent personal data of EU/EEA data subjects is transferred outside the EU/EEA in connection with the service, the parties agree that the transfer is governed by Module Two (controller-to-processor) of the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), which are incorporated by reference and completed by reference to Annex I and Annex II of this DPA. The optional clauses are handled as follows: Clause 7 (docking clause) applies; Clause 9(a) Option 2 (general written authorization) applies with the notice period in Section 7 above; Clause 11(a) (independent dispute resolution) is not selected; Clause 17 (governing law) is the law of an EU Member State that allows third-party beneficiary rights, defaulted to Ireland; Clause 18 (forum and jurisdiction) is the courts of Ireland.
For UK data transfers, the parties incorporate the UK International Data Transfer Addendum to the EU SCCs once Called 2 Work appoints a UK Article 27 representative and the UK geo-block is lifted (see /legal/privacy for the current jurisdictional posture).
9. Data subject requests
Taking into account the nature of the processing, Called 2 Work assists the Customer by appropriate technical and organizational measures, insofar as this is possible, in the fulfillment of the Customer's obligation to respond to data-subject requests under Applicable Data Protection Law. End-user-initiated requests for export, deletion, and consent management are handled directly through the user-facing endpoints documented in the privacy policy (/api/me/export, /api/me/delete, /api/me/consents); requests routed through the Customer are honored under this Section.
10. Personal data breaches
Called 2 Work notifies the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting the Customer's personal data. The notification will include, to the extent known at the time, the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
11. DPIA assistance
Taking into account the nature of the processing and the information available, Called 2 Work provides reasonable assistance to the Customer with data protection impact assessments and prior consultations with supervisory authorities under GDPR Arts. 35 and 36.
12. Audit rights
On reasonable prior written notice and not more than once per twelve-month period (without prejudice to audits triggered by a personal data breach or supervisory-authority order), Called 2 Work makes available to the Customer information reasonably necessary to demonstrate compliance with this DPA and allows for and contributes to audits, including inspections. Audits are conducted during regular business hours and on terms that preserve the confidentiality and operation of Called 2 Work and its other customers.
13. Return or deletion on termination
On termination of the Service Agreement, Called 2 Work, at the Customer's choice, returns or deletes the personal data processed on behalf of the Customer within 30 days, unless retention is required by Applicable Data Protection Law. Backups containing personal data are overwritten in the ordinary course consistent with the schedule published at /legal/retention.
14. Liability
Each party's liability under or in connection with this DPA is subject to the limitations and exclusions of liability set out in the Service Agreement. Nothing in this DPA limits a data subject's rights under Applicable Data Protection Law, including the right to receive compensation directly from either party where required by law.
15. Term and survival
This DPA takes effect on the date the Customer accepts it (whether by signature, click-through, or by continued use of the service after a notified update) and remains in force for as long as Called 2 Work processes personal data on the Customer's behalf. Sections that by their nature should survive termination (including Sections on confidentiality, return or deletion, and liability) survive.
16. Governing law
This DPA is governed by the laws of the State of New Mexico, USA, without regard to its conflict-of-laws principles, except that Section 8 (International transfers) is governed by the law specified in the SCCs as completed by this DPA.
17. How to execute this DPA
To request an executed copy of this DPA, email [email protected] with your organization name, registered address, and the name and email of your authorized signatory. Called 2 Work will counter-sign and return a PDF for your records. You may also print this page using your browser's print or save-as-PDF feature.
Annex I — Description of the processing
This Annex describes the processing carried out by Called 2 Work on behalf of the Customer.
| Item | Description |
|---|---|
| Subject matter of the processing | Operation of the Called 2 Work invitation-gated job-posting platform on behalf of the Customer, including authentication, listing publication, applicant communication, and donation processing. |
| Duration of the processing | For the term of the underlying Terms of Service or Master Services Agreement between the Customer and Called 2 Work, plus any post-termination return / deletion window described in this DPA. |
| Nature of the processing | Hosting, storage, transmission, retrieval, organization, structuring, modification, consultation, disclosure to authorized recipients, restriction, erasure, and destruction of personal data, in each case for the purposes set out below. |
| Purpose of the processing | Provisioning the Called 2 Work service to the Customer and the Customer's authorized end-users, including invitation-based onboarding, job-posting publication, applicant matching, in-app messaging, donation processing, and security monitoring. |
| Categories of data subjects | Customer's invited members, business-owner representatives, job applicants, donors, and any individual whose personal data the Customer submits to the service. |
| Categories of personal data | Identification and contact data (name, email, phone), authentication data (magic-link tokens, session identifiers), employment-context data (resumes, application narratives, voucher chains), location data (city / ZIP for geo-search), donation data (donor name, billing details handled by Stripe), and technical data (IP addresses, request metadata, error telemetry). |
| Special categories of personal data | Called 2 Work does not solicit special-category personal data within the meaning of GDPR Art. 9. To the extent a data subject voluntarily includes such data in a free-form field (e.g., a resume), the data is processed only as part of the general personal-data flow and is subject to the same security measures. |
| Frequency of the transfer | Continuous, for the duration of the service. |
| Retention period | As set out in the Called 2 Work Data Retention Schedule (published at /legal/retention) and incorporated here by reference. |
Annex II — Technical and organizational measures
The following measures are implemented by Called 2 Work to ensure a level of security appropriate to the risk per GDPR Art. 32. The list is non-exhaustive and may be updated provided that the level of protection is not materially diminished.
Encryption in transit
All connections to the service are served over HTTPS with TLS 1.2 or higher. HSTS is enabled at the edge.
Encryption at rest
Database storage and object storage volumes are encrypted at rest using provider-managed keys (Oracle Cloud Infrastructure block volumes; Cloudflare R2 server-side encryption).
Access control and least privilege
Production systems require named-account authentication with multi-factor authentication. Operator access is restricted to a limited set of named individuals and is reviewed periodically.
End-user authentication
End-user authentication uses single-use email magic-link tokens with a 15-minute time-to-live (see /legal/retention). Sessions are bound to the issuing browser via NextAuth-managed session and CSRF cookies.
Tenant isolation
Application code enforces row-level access checks on every request. Background workers run with their own credentials and never operate on behalf of an unauthenticated principal.
Secrets management
API keys, database credentials, and signing secrets are injected as environment variables at deployment time and never committed to source control. Secrets are rotated on suspected exposure.
Logging and monitoring
Application errors and exceptions are forwarded to Sentry / BugSink for alerting; structured request logs are retained per the audit-log row in /legal/retention. Operator-actionable anomalies trigger alerts to the on-call address.
Backups
Database backups are taken on a recurring schedule, encrypted, and retained for the period stated in the Customer's executed order form. Restoration is tested periodically.
Deletion and disposal
User-initiated deletion sets a deletedAt timestamp; a daily worker hard-deletes accounts past the 30-day grace window. Object-storage attachments are deleted from Cloudflare R2 by the same worker. See /legal/retention for the full schedule.
Incident response
Called 2 Work maintains a written incident-response procedure covering detection, containment, eradication, recovery, and post-incident review. Incidents involving personal data trigger the breach-notification flow described in this DPA.
Personnel and confidentiality
Personnel with access to personal data are bound by written confidentiality obligations and receive periodic security-awareness training.
Sub-processor management
Each sub-processor is engaged under a written agreement that imposes data-protection obligations no less protective than this DPA. The current sub-processor list is published at /legal/sub-processors and is updated when the roster changes.
Annex III — Sub-processors
The list of sub-processors authorized under Section 7 above is published at /legal/sub-processors and is incorporated here by reference. The published list is updated when the roster changes; the change-notice mechanism in Section 7 governs each update.