DPA Annex 2 — Standard Contractual Clauses (Module 2)
Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2) incorporated into the WORQABLE BV DPA for transfers of personal data to non-EEA sub-processors.
DPA Annex 2 — Standard Contractual Clauses
This Annex incorporates by reference the Standard Contractual Clauses for the transfer of personal data to third countries pursuant to Regulation (EU) 2016/679, set out in the Annex to Commission Implementing Decision (EU) 2021/914 of 4 June 2021, Module 2 (controller to processor). These SCCs apply between the Customer (Controller / data exporter) and any non-EEA Sub-processor (data importer) engaged by WORQABLE BV.
The SCCs are integrated into the Data Processing Agreement ("DPA") under §12 and apply automatically whenever WORQABLE BV's Sub-processor list (Annex 3 — /legal/subprocessors) shows a recipient outside the European Economic Area.
1. Incorporation
The complete text of the Standard Contractual Clauses (Implementing Decision (EU) 2021/914, Module 2) is hereby incorporated into the DPA by reference and is available in all official EU languages on the EUR-Lex website at:
eur-lex.europa.eu/eli/dec_impl/2021/914/oj
A printable copy is provided to enterprise Customers on request.
2. Specific elections within the SCCs
The Parties make the following elections in the SCCs as incorporated:
| Clause | Election |
|---|---|
| Clause 7 (Docking clause) | The optional docking clause applies: additional Parties may accede to the SCCs by signing Annex I. |
| Clause 9(a) (Sub-processor authorisation) | Option 2 — General written authorisation applies. The Customer authorises WORQABLE BV to engage Sub-processors as listed in Annex 3 (the Sub-processors page). New Sub-processors are notified at least 30 days in advance per §4.4 AV. |
| Clause 11 (Independent dispute resolution) | The optional independent dispute-resolution body does not apply by default. Enterprise Customers may negotiate inclusion via Order Form. |
| Clause 17 (Governing law) | Option 1 — the law of an EU Member State: Belgian law. |
| Clause 18 (Choice of forum and jurisdiction) | The courts of Belgium, specifically the Ondernemingsrechtbank Antwerpen, afdeling Antwerpen. |
3. Annexes to the SCCs
The Parties complete the SCC Annexes as follows:
SCC Annex I.A — List of Parties
Data exporter: the Customer (Controller). Identification details — name, address, signatory, contact for data-protection — are taken from the Order Form for enterprise Customers, or from the customer profile (Settings → Profile / Settings → Workspace) for self-service Customers.
Data importer: the relevant non-EEA Sub-processor as listed in Annex 3 — currently:
- Anthropic, PBC — 548 Market St., PMB 90375, San Francisco, CA 94104, United States. Data-protection contact: privacy@anthropic.com.
- OpenAI, L.L.C. — 3180 18th Street, San Francisco, CA 94110, United States. Data-protection contact: legal@openai.com.
WORQABLE BV signs the SCCs with each US Sub-processor on behalf of the Customers as data exporters under a delegated authority structure (recital 4 of Decision 2021/914 envisages this arrangement). Customers may request a copy of the executed SCCs with each Sub-processor.
SCC Annex I.B — Description of the transfer
| Categories of data subjects | Authorised Users; consumers scanning QR codes; supply-chain participants in Track & Trace; the Customer's customers/business contacts where uploaded |
| Categories of personal data | For Anthropic: chat-message text content (consumer chat + dashboard copilot inputs and outputs); label metadata. For OpenAI: text chunks for embedding (typically knowledge-base documents the Customer has uploaded); no chat content. |
| Sensitive data | None expected. The Customer must notify WORQABLE BV under §3.2 AV before uploading special-category data. |
| Frequency | Continuous (on each AI request triggered by the Customer or by a consumer scan) |
| Nature of processing | Inference (Anthropic); embedding generation (OpenAI). No persistent storage of customer inputs by the Sub-processor (per their commercial API DPAs). |
| Purpose | Providing the AI features of the Service as configured by the Customer |
| Retention | The Sub-processors do not retain customer inputs beyond 30 days for abuse and safety review (Anthropic); zero data retention is enabled where the API tier allows (OpenAI). |
| Onward transfers | The Sub-processors do not engage further sub-processors that process Customer Personal Data outside the contractual chain. |
SCC Annex I.C — Competent supervisory authority
The competent supervisory authority is the Belgian Gegevensbeschermingsautoriteit / Autorité de protection des données (GBA / APD) — Drukpersstraat 35, 1000 Brussels, Belgium, contact@apd-gba.be.
This designation reflects the Belgian establishment of WORQABLE BV. Under Clause 13 SCC, the supervisory authority of the Customer's Member State of establishment may also be competent in respect of the Customer; nothing in this Annex affects that competence.
SCC Annex II — Technical and organisational measures
The Sub-processors' TOMs are documented in their respective DPAs:
- Anthropic Commercial Terms / Workspace API DPA: SOC 2 Type 2 attested, ISO 27001 in progress as of 2026; encryption in transit (TLS 1.3) and at rest (AES-256); access controls; incident response; sub-processor list at trust.anthropic.com.
- OpenAI Platform DPA: SOC 2 Type 2 attested; encryption in transit and at rest; zero-data-retention option where enabled; access controls; sub-processor list at openai.com/policies.
WORQABLE BV's own TOMs apply to the data path before the export to the Sub-processor — see DPA Annex 1.
SCC Annex III — List of sub-processors
WORQABLE BV's onward Sub-processor list (i.e., the Sub-processors of Anthropic / OpenAI for any further processing) is documented in their respective Sub-processor pages and is incorporated by reference. WORQABLE BV updates the live Annex 3 — /legal/subprocessors — with material changes to the upstream chain.
4. EU-US Data Privacy Framework
Where the Sub-processor is certified under the EU-US Data Privacy Framework (Decision (EU) 2023/1795), the SCCs apply alongside the DPF: the DPF provides the primary adequacy basis; the SCCs are retained as a fallback transfer mechanism in the event of an invalidation of the DPF.
DPF certification status as of effective date:
- Anthropic, PBC — certified under the EU-US DPF. Verify at dataprivacyframework.gov.
- OpenAI, L.L.C. — certified under the EU-US DPF. Verify at dataprivacyframework.gov.
WORQABLE BV verifies DPF status on a quarterly cadence as part of the Vendor Review SOP and notifies Customers of any material change.
5. Transfer Impact Assessment
WORQABLE BV maintains a Transfer Impact Assessment (TIA) for each non-EEA transfer, addressing:
- the laws of the destination country relevant to access by public authorities (notably FISA s. 702 and EO 12333 for the US, and the relevant Schrems II safeguards documented in EO 14086 / DOJ regulations);
- the supplementary measures (technical: encryption in transit, no special-category data sent by default; contractual: training-prohibition; organisational: vendor review SOP);
- the assessment of whether the transfer is permissible.
A redacted TIA is provided to enterprise Customers under NDA on request to privacy@qrabl.eu. Annex 3 (Transfer Impact Assessment template) at /legal/dpa-annex-3-tia-template provides a Customer-facing template.
6. Override
In case of conflict between this Annex 2 and the SCCs (as incorporated), the SCCs prevail. In case of conflict between this Annex 2 and the DPA, this Annex 2 prevails for matters governed by the SCCs.
7. Updates
Material updates to this Annex (including DPF status changes, new non-EEA Sub-processors, changes to elected options) are notified per §6.7 AV.
For SCC-related inquiries: privacy@qrabl.eu.