Data Processing Agreement
Version: 30 May 2026
This Data Processing Agreement ("DPA") governs the processing of personal data by Less Work (the "Processor") on behalf of a business client (the "Controller") in the course of a paid engagement. It applies whenever Less Work processes personal data that the client controls, for example when we build automations that read your customer records, run pilots on your internal data, or operate on your behalf inside your systems.
This DPA is written in plain English. Where it interacts with the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), this DPA references the SCCs rather than copying them; the SCCs themselves are available from the European Commission and are incorporated by reference where they apply.
1. Parties and effective date
Processor: Endre Adam, trading as Less Work, Budapest, Hungary. Contact for DPA matters: privacy@less-work.com.
Controller: the business client identified in the engagement letter or statement of work that incorporates this DPA.
Effective date: the date the underlying engagement letter or statement of work takes effect. This DPA is incorporated into every Less Work engagement letter by reference unless the parties sign a different DPA.
To countersign this DPA in its standalone form, email privacy@less-work.com stating that your organisation accepts the version dated above and naming the engagement it covers. We will reply confirming, and the email exchange will form the signed copy.
2. Subject matter, nature, purpose, and duration
The subject matter, nature, and purpose of the processing are set out in the engagement letter. In summary, Less Work processes personal data only to the extent necessary to deliver the consulting, automation, or operator service the client has engaged us for. The duration matches the engagement, plus any short retention window for transition and deletion described in section 10 below.
3. Categories of data subjects and personal data
Categories of data subjects and personal data depend on the engagement. The engagement letter or a written annex lists the actual categories before processing begins. Typical categories include:
- Data subjects: the Controller's employees, customers, leads, and end users whose data appears in the systems we work with.
- Data categories: business contact details (name, email, role, company), commercial records (orders, support tickets, account history), and operational metadata (timestamps, system IDs). Special category data and children's data are out of scope unless explicitly named in the engagement letter and protected by additional measures.
4. Processor obligations
Less Work will:
- process personal data only on the Controller's documented instructions, including the engagement letter, this DPA, and any subsequent written instruction;
- notify the Controller if we reasonably believe an instruction violates GDPR or UK GDPR;
- ensure that persons authorised to process the personal data are bound by confidentiality;
- take all measures required under Article 32 of GDPR, as described in section 5 below;
- assist the Controller in fulfilling its obligations to respond to data subject requests, as described in section 7;
- assist the Controller with data protection impact assessments and prior consultations where reasonably required;
- notify the Controller of any personal data breach without undue delay, and in any event within 72 hours of becoming aware of it, with the information needed for the Controller to meet its own notification obligations;
- at the Controller's choice, delete or return the personal data at the end of the engagement, and delete existing copies unless retention is required by law (section 10).
5. Security measures
Less Work applies industry-standard technical and organisational measures appropriate to the risks of the processing, including:
- encryption in transit (TLS) for all client data we receive or transmit;
- encryption at rest where supported by the relevant sub-processor;
- access on the principle of least privilege; multi-factor authentication on all administrative accounts;
- credential rotation and secrets stored outside source control;
- logging and monitoring sufficient to detect unauthorised access;
- regular review of sub-processor security postures;
- secure deletion of client data on the operator's local machines at the end of the engagement.
Where the engagement requires additional or specific measures, those measures are added to the engagement letter and become part of this DPA for that engagement.
6. Sub-processors
The Controller gives general authorisation for Less Work to engage the sub-processors listed at less-work.com/subprocessors, on the basis that Less Work will:
- impose data protection obligations on each sub-processor that are no less protective than those in this DPA;
- remain fully liable to the Controller for the performance of each sub-processor's obligations;
- publish the up-to-date sub-processor list at the URL above;
- give active B2B clients at least 14 days' written notice before adding or replacing a sub-processor that will handle the client's personal data;
- give the Controller a right to object to the change on reasonable data-protection grounds. If the parties cannot reach a workable accommodation, the Controller may terminate the affected portion of the engagement.
7. Data subject requests
Less Work will, taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, in so far as possible, to fulfil the Controller's obligation to respond to requests from data subjects exercising their rights under GDPR Chapter III. If we receive such a request directly, we will forward it to the Controller without responding to it ourselves, unless authorised by the Controller.
8. International transfers
Where personal data is transferred outside the European Economic Area or the United Kingdom, Less Work relies on the EU Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), using Module Three (processor to sub-processor) between Less Work and any non-adequate sub-processor, and (where required by the Controller) Module Two (controller to processor) between the Controller and Less Work. For UK GDPR scenarios, the UK International Data Transfer Addendum applies in parallel.
9. Audit rights
Less Work will make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller, on reasonable notice (at least 30 days), no more than once per calendar year, at the Controller's cost, and subject to mutual confidentiality. Audits must not unreasonably interfere with Less Work's operations or compromise the confidentiality of other clients' data.
10. Return or deletion of data
On termination of the engagement, Less Work will, at the Controller's written choice, return all personal data to the Controller or delete it, and delete existing copies, unless EU or Member State law requires storage of the personal data. Less Work will confirm completion in writing. A short transitional window of up to 30 days may apply for secure deletion from backups.
11. Liability
Liability under this DPA is governed by the engagement letter. Where the engagement letter is silent, the parties' liability under this DPA is capped at the fees paid for the engagement in question, except for liabilities that cannot be capped under applicable law.
12. Governing law
This DPA is governed by the laws of Hungary. Any dispute arising from it is subject to the exclusive jurisdiction of the courts of Budapest, Hungary, subject to any mandatory rights either party has under applicable law. Where the SCCs apply, the governing law and forum provisions of the relevant SCC module take precedence to the extent required by those clauses.
13. Order of precedence
If there is a conflict, the order of precedence is: (1) the SCCs and the UK Addendum where they apply; (2) this DPA; (3) the engagement letter or statement of work; (4) any other document.
14. Changes
Less Work will publish updated versions of this DPA at this URL with a new version date. Updates apply to new engagements from the version date. For existing engagements, the version in force at the start of the engagement continues to apply unless the parties agree in writing to adopt the newer version.
Contact
For DPA questions, countersignature, or to request an annexed copy naming the specific data categories for your engagement, email privacy@less-work.com.