Data Processing Addendum
Last updated: May 14, 2026
This Data Processing Addendum ("DPA") supplements our Terms of Service and applies when RemoteWorkers.online processes personal data on behalf of a business customer (a "Controller") — for example, a company that uses our platform to source and verify remote workers. Individuals applying directly to roles should consult our Privacy Policy instead.
Plain-English summary: if your company uses our platform to hire remote workers, this document spells out our obligations under GDPR / UK-GDPR / CCPA: what we do with the data, who else touches it, how we keep it safe, and what happens if there's an incident.
1. Definitions
- Controller — the customer entity that determines the purposes and means of processing personal data.
- Processor — RemoteWorkers.online, processing personal data on the Controller's instructions.
- Data Subject — the individual (worker, applicant) whose personal data is processed.
- Personal Data — has the meaning given in GDPR Article 4 / CCPA §1798.140 / equivalent laws.
- Subprocessor — a third party we engage to process personal data on our behalf.
2. Scope & roles
When RemoteWorkers.online provides hiring-platform services to a Controller, the Controller is the data controller for application data submitted via its job posts; RemoteWorkers.online is the data processor. For our own internal operations (account management, security logs) we are an independent controller.
3. Details of processing
- Subject matter — operating an identity-verified remote-work platform.
- Duration — for as long as the underlying services agreement is in effect.
- Nature & purpose — collecting, storing, reviewing, and acting on applications submitted to Controller's job posts.
- Categories of data — name, address, date of birth, contact details, government tax identifier, ID documents (photos + numbers), selfie, work history, schedule preferences, status changes, hours/wages records.
- Categories of data subjects — applicants, hired workers.
4. Our obligations as Processor
We will:
- Process personal data only on the Controller's documented instructions (the use of our platform constitutes such instruction).
- Ensure that personnel with access to personal data are subject to confidentiality obligations.
- Implement and maintain technical and organisational measures appropriate to the risk (see Section 6).
- Engage subprocessors only under written terms providing at least the same level of protection (see Section 5).
- Assist the Controller in responding to data-subject requests where reasonably possible.
- Notify the Controller without undue delay (and in any event within 72 hours) on becoming aware of a personal-data breach.
- Delete or return personal data on termination of services, subject to legal retention requirements.
- Make available all information necessary to demonstrate compliance with this DPA.
5. Authorised subprocessors
The Controller authorises us to use the following subprocessors. We will give the Controller at least 30 days' notice of any new subprocessor before adding them, and the Controller may reasonably object.
| Subprocessor | Purpose | Location |
|---|---|---|
| Neon, Inc. | Application database (PostgreSQL) | United States (us-east-1) |
| Vercel, Inc. | Hosting, serverless functions, Vercel Blob (private file storage) | United States (iad1) |
| Resend, Inc. | Transactional email delivery (verification codes, status updates, password reset) | United States (us-east-1) |
| Hostinger International Ltd. | DNS only (does not process application data) | EU / global |
6. Security measures
We maintain the following safeguards:
- TLS encryption for data in transit.
- Passwords stored as bcrypt hashes (cost factor 12).
- Email verification codes stored as bcrypt hashes; plaintext never persisted.
- ID photos and selfies in private object storage; access only via authenticated admin-proxy endpoint.
- Role-based access control: production database access restricted to authorised administrators.
- Account lockout after 5 failed login attempts; OTP rate limits to prevent enumeration / spam.
- HTTPS-only with HSTS on production domain.
- Audit-style logging of administrative actions (status changes, reveal-tax-id events).
Known gap, disclosed: tax identifiers (SSN/SIN/TFN) are stored in the database without column-level encryption at this time. We are tracking implementation of envelope encryption with externally-managed keys.
7. International transfers
Personal data may be transferred to and processed in the United States by our subprocessors. For transfers from the EEA, UK, or Switzerland, we rely on Standard Contractual Clauses (SCCs) as approved by the European Commission and on our subprocessors' equivalent commitments.
8. Audit rights
On reasonable written request, no more than once per calendar year, the Controller (or its appointed auditor, bound by appropriate confidentiality) may audit our compliance with this DPA. We address routine requests by providing relevant documentation; on-site audits require 30 days' advance notice and reasonable cost-sharing.
9. Personal-data breaches
On becoming aware of a personal-data breach involving Controller data, we will notify the Controller without undue delay and in any event within 72 hours. The notice will describe the nature of the breach, the categories and approximate number of data subjects affected, the likely consequences, and the measures taken or proposed.
10. Liability
Each party's liability under this DPA is subject to the limitations set out in the underlying services agreement (or our Terms of Service if no separate agreement exists).
11. Contact
For DPA-related questions or to execute a signed copy on your company's paper, email support@remoteworkers.online.
Questions about this policy? Email support@remoteworkers.online and we'll respond within 5 business days.
