Data Processing Agreement
This DPA forms part of the Master Subscription Agreement between SI WORKS INC and the Customer. It governs SiWorks's processing of personal information on the Customer's behalf and lists the controls and subprocessors involved.
1. Roles
For Customer Data processed inside customer tenants, the Customer is the controllerand SI WORKS INC (“SiWorks”) is the processor. SiWorks will process Customer Data only on documented instructions from the Customer.
2. Scope of processing
- Subject matter: provision of the SiWorks platform.
- Duration: for the term of the subscription plus the 30-day post-termination export window.
- Nature and purpose: hosting, displaying, indexing, transmitting, and analyzing Customer Data to deliver the contracted Service.
- Categories of data: contact information, mobile numbers, visit and reservation records, survey responses, call logs and recordings, transcriptions, and where applicable CPNI.
- Categories of data subjects:the Customer's authorized users, the Customer's end-customers, and walk-in store visitors.
3. Security controls
- Identity: Firebase Auth with TOTP MFA, Custom Claims for role / orgId / storeId, 60-minute default session expiry.
- Access control: granular RBAC matrix (view/create/edit/delete per module) with field-level masking on phone and email.
- Audit: immutable audit log of every privileged action with user, action, resource, timestamp, and IP.
- Network: Cloud Armor WAF, HTTPS only, CSP and HSTS headers, region-pinned to us-west1.
- Secrets: Google Secret Manager — no secrets in env files or repositories. Workload Identity Federation between GitHub Actions and GCP.
- Backups: daily Firestore backups and BigQuery snapshots. 35-day retention.
- Records destruction:retention policies aligned to AT&T Records Destruction guidance.
4. Subprocessors
SiWorks engages the subprocessors below to deliver the Service. Use of AI subprocessors (AssemblyAI, OpenAI, Anthropic) is opt-in per tenant and disabled by default.
| Subprocessor | Purpose | Location |
|---|---|---|
| Google Cloud Platform | Hosting · BigQuery · Firestore · GCS · Secret Manager | United States · us-west1 |
| Firebase | Authentication · MFA · Push | United States |
| Twilio | Voice tracking · SMS / MMS · 10DLC | United States |
| AssemblyAI | Speech-to-text transcription (opt-in) | United States |
| OpenAI · Anthropic | AI inference (sentiment, summary) — opt-in per tenant | United States |
| Stripe | Billing (when enabled per Order Form) | United States |
SiWorks will notify Customer admins by email at least 30 days before engaging a new subprocessor. The Customer may object on reasonable grounds.
5. Data subject requests
SiWorks will assist the Customer in responding to access, correction, deletion, portability, and opt-out requests within the time limits applicable to the Customer under law. Direct requests from data subjects will be forwarded to the Customer.
6. International transfers
All production processing occurs in the United States (Google Cloud region us-west1). Where personal data of EEA, UK, or Swiss data subjects is processed, the parties agree to the applicable Standard Contractual Clauses on request.
7. Incident notification
SiWorks will notify the Customer of a confirmed Personal Data Breach affecting the Customer's tenant data without undue delay and in any event within 72 hours of confirmation, providing sufficient detail for the Customer to meet its own notification obligations.
8. Audits
On reasonable written notice and no more than once per twelve-month period, the Customer may request an audit of SiWorks's controls, satisfied through SOC 2 reports (when available) or a written questionnaire response.
9. Return and deletion
On termination, SiWorks will make Customer Data available for export for 30 days, after which it will be deleted from production and backups within 35 days.
10. Governance
This DPA is incorporated by reference into the Master Subscription Agreement. In case of conflict between this DPA and the MSA, this DPA controls with respect to data processing.
11. Contact
SI WORKS INC
Bellevue, WA
hello@siworks.us