
GDPR Compliance

Data export, deletion requests, and privacy rights.


Workestra helps you comply with the General Data Protection Regulation (GDPR) for EU data subjects.

Your Role Under GDPR

Data Controller

You (the workspace Owner) are the Data Controller:

  • Determine purposes of processing
  • Decide how data is used
  • Responsible for compliance
  • Point of contact for data subjects

Data Processor

Workestra Inc. is the Data Processor:

  • Processes data per your instructions
  • Implements security measures
  • Assists with compliance
  • Subprocessor management

Data Subject Rights

Right to Access

Data subjects can request their data.

How to fulfill:

  1. Go to Settings > Data & Privacy
  2. Click Export Data
  3. Generate complete export
  4. Provide to data subject

Timeline: 30 days

Right to Rectification

Data subjects can request corrections.

How to fulfill:

  1. Navigate to their record
  2. Edit incorrect information
  3. Save changes
  4. Confirm correction

Timeline: Immediate

Right to Erasure ("Right to be Forgotten")

Data subjects can request deletion.

How to fulfill:

  1. Go to Settings > Data & Privacy
  2. Click Delete Data
  3. Select user/data to delete
  4. Confirm permanent deletion

Timeline: 30 days

Deletion is permanent and cannot be undone. Verify request authenticity before proceeding.

Right to Data Portability

Data subjects can receive their data in a structured format.

How to fulfill:

  1. Export data as JSON
  2. Provide machine-readable format
  3. Include all personal data

Timeline: 30 days

Right to Restrict Processing

Data subjects can limit how their data is used.

How to fulfill:

  1. Pause marketing communications
  2. Exclude from analytics
  3. Restrict access
  4. Maintain minimal data only

Right to Object

Data subjects can object to processing.

How to fulfill:

  1. Honor opt-out requests
  2. Stop processing for that purpose
  3. Document objection

Data Export

What's Included

Complete export contains:

Data Type    Format
Profile      JSON
Contacts     CSV
Activities   CSV
Documents    Original format
Emails       MBOX
Comments     JSON
Audit log    CSV

Generating Export

  1. Admin: Go to Settings > Data & Privacy
  2. Click Export Data
  3. Select user
  4. Choose format (GDPR Package recommended)
  5. Generate
  6. Download when ready
  7. Securely transfer to data subject

Data Retention

Default Retention Periods

Data Type         Retention
Active records    Until deleted
Deleted records   30 days (recoverable)
Audit logs        2 years
Email history     Until account deletion

Configuring Retention

Customize in Settings > Data & Privacy:

  1. Set retention periods
  2. Configure auto-deletion
  3. Define data categories
  4. Save policies

Data Processing Agreement (DPA)

Requesting a DPA

Enterprise customers can request a DPA:

  1. Email legal@workestra.app
  2. Include:
    • Company name
    • Workspace ID
    • Billing address
  3. DPA sent within 2 business days
  4. Sign and return

Standard Contractual Clauses

For EU-US data transfers:

  • SCCs included in DPA
  • Module 2 (Controller-Processor)
  • Additional safeguards documented

Lawful Basis for Processing

Purpose                Legal Basis
Service delivery       Contract performance
Marketing (existing)   Legitimate interest
Marketing (new)        Consent
Analytics              Legitimate interest
Legal compliance       Legal obligation

Track consent for:

  • Marketing emails
  • Cookie usage
  • Data processing
  • Third-party sharing

Data Breach Notification

If a Breach Occurs

Workestra will:

  1. Notify you within 24 hours
  2. Provide breach details
  3. Recommend actions
  4. Assist with notifications

Your Responsibilities

As Controller, you must:

  1. Assess data subject risk
  2. Notify supervisory authority (if high risk)
  3. Notify affected individuals (if high risk)
  4. Document the breach

Timeline: 72 hours to authority

International Transfers

Data Location

Default data storage:

  • EU workspaces: Frankfurt, Germany
  • US workspaces: US East (N. Virginia)

Transfer Mechanisms

EU data may be processed in the US with:

  • Standard Contractual Clauses
  • Adequate safeguards
  • Data Processing Agreement

Privacy by Design

Workestra Features

Built-in privacy features:

  • Data minimization
  • Purpose limitation
  • Storage limitation
  • Security by design

Your Configuration

Configure for privacy:

  • Minimal data collection
  • Clear retention policies
  • Regular access reviews
  • Staff training

Contact

Data Protection Questions

Supervisory Authority

If needed, contact:

  • EU: Your local data protection authority
  • UK: Information Commissioner's Office
  • Other: Relevant local authority
