WelloWork LogoWelloWorkBook a demo
Legal

Data processing (template).

A summary of how WelloWork acts as processor for customer organisations under the GDPR. Template — the executed DPA for a given customer takes precedence.

What is the data processing relationship? When you use the WelloWork platform as an employee of a customer organisation, your employer is the controller of your data and WelloWork AB is the processor acting on documented instructions. The terms of that processing are set out in a Data Processing Agreement (DPA) executed between WelloWork and your employer.
Template — review with counsel before launch. This page is a starting template based on standard practice for GDPR-resident SaaS in Sweden and the wider EU. WelloWork has not yet had it reviewed by legal counsel and it should not be relied upon as the final policy in production.

Subject matter and duration

We process personal data of the customer's end users (typically the customer's employees) for the purpose of delivering the WelloWork platform. Processing lasts for the duration of the customer agreement and the retention period specified in the DPA.

Nature and purpose

  • Cognitive training, assessment, and longitudinal performance reporting.
  • Workshop scheduling and attendance.
  • Biomarker sample reporting (where Proactive Care is in scope).
  • Aggregated, anonymised reporting to the customer's authorised admins.

Categories of data

  • Identification and contact data (name, work email, role).
  • Cognitive performance data (session results, assessment scores).
  • Biomarker reports (where Proactive Care is in scope).
  • Operational metadata (device, browser, time of access).

Categories of data subjects

End users of the WelloWork platform — typically employees of the customer.

Sub-processors

We engage a small number of sub-processors for hosting, email, and lab partners. A current list is provided to customers under their DPA and updated with notice as required. Sub-processors are all bound by GDPR-compliant terms and EU-resident where relevant.

International transfers

We do not transfer personal data outside the EU/EEA without an appropriate transfer mechanism. Where a transfer is required (e.g. operational support tooling), it is documented in the DPA.

Security

Encryption in transit and at rest, role-based access, audit logging, minimum-team- size enforcement on manager-visible aggregates, periodic security review. ISO 27001 certification is in progress.

Sub-processor or DPA questions

Email info@wellowork.net with "DPA request" in the subject and we will route you to the right person.