Data Processing Addendum

Last updated: June 13, 2026

This Data Processing Addendum ("DPA") forms part of the Terms of Service between the customer ("Controller") and Workflow Prodigy ("Processor") for the KTRNET Service.

1. Roles

The customer is the Controller of personal data submitted to the Service. Workflow Prodigy is the Processor and processes such data only on documented instructions from the Controller.

2. Subject matter & duration

Processing covers the operation of the Service for the duration of the customer agreement plus any post-termination return or deletion period.

3. Categories of data

• Identifiers (name, email, role)
• Contract and program metadata, including Controlled Unclassified Information (CUI) where the customer chooses to ingest it
• Audit and access logs

4. Security measures

Per-tenant data isolation, encryption in transit (TLS 1.2+), encrypted backups, role-based access control, MFA for privileged operators, and append-only audit logging.

5. Subprocessors

The Processor maintains a list of authorized subprocessors and will provide the Controller with prior notice of additions or replacements, with an opportunity to object on reasonable grounds.

6. Data subject requests & assistance

The Processor will reasonably assist the Controller in responding to data subject requests and in fulfilling its obligations under applicable data protection laws.

7. Breach notification

The Processor will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data.

8. Return / deletion

On termination of the customer agreement, the Processor will return or delete personal data within the timeframe specified in the order form, subject to legal retention requirements.

9. Contact

Privacy: privacy@ktrnet.com · Security: security@ktrnet.com