Last updated: May 15, 2025
This Data Processing Addendum ("DPA") forms part of the Terms of Service ("Agreement") between DocumentsFlow LLC ("Processor", "we", "us", or "our") and the entity or person agreeing to these terms ("Controller", "you", or "your") to reflect the parties' agreement with regard to the Processing of Personal Data.
In this DPA, the following terms shall have the meanings set out below:
2.1 Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Personal Data, you are the Controller, we are the Processor, and we will engage Subprocessors pursuant to the requirements set forth in Section 5 "Subprocessors" below.
2.2 Your Processing of Personal Data. You shall, in your use of the Service, Process Personal Data in accordance with the requirements of Data Protection Laws. You shall have sole responsibility for the accuracy, quality, and legality of Personal Data and the means by which you acquired Personal Data.
2.3 Our Processing of Personal Data. We shall only Process Personal Data on behalf of and in accordance with your documented instructions for the following purposes: (a) Processing in accordance with the Agreement; (b) Processing initiated by users in their use of the Service; and (c) Processing to comply with other documented reasonable instructions provided by you where such instructions are consistent with the terms of the Agreement.
2.4 Details of the Processing. The subject matter, nature, purpose, and duration of the Processing, as well as the types of Personal Data collected and categories of Data Subjects, are set forth in Annex 1 to this DPA.
3.1 Data Subject Request. We shall, to the extent legally permitted, promptly notify you if we receive a request from a Data Subject to exercise their rights under Data Protection Laws ("Data Subject Request"). Taking into account the nature of the Processing, we shall assist you by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of your obligation to respond to a Data Subject Request under Data Protection Laws.
3.2 Response to Data Subject Requests. To the extent that you, in your use of the Service, do not have the ability to address a Data Subject Request, we shall, upon your request, provide commercially reasonable efforts to assist you in responding to such Data Subject Request, to the extent we are legally permitted to do so and the response to such Data Subject Request is required under Data Protection Laws.
4.1 Confidentiality. We shall ensure that our personnel engaged in the Processing of Personal Data are informed of the confidential nature of the Personal Data, have received appropriate training on their responsibilities, and have executed written confidentiality agreements.
4.2 Reliability. We shall take commercially reasonable steps to ensure the reliability of any of our personnel engaged in the Processing of Personal Data.
4.3 Limitation of Access. We shall ensure that our access to Personal Data is limited to those personnel performing services in accordance with the Agreement.
5.1 Appointment of Subprocessors. You acknowledge and agree that we may engage third-party Subprocessors in connection with the provision of the Service.
5.2 List of Current Subprocessors. We shall make available to you the current list of Subprocessors for the Service as set forth in Annex 2 to this DPA.
5.3 Notification of New Subprocessors. We shall provide notification of a new Subprocessor(s) before authorizing any new Subprocessor(s) to Process Personal Data in connection with the provision of the Service.
5.4 Objection Right for New Subprocessors. If you have a reasonable basis to object to our use of a new Subprocessor, you shall notify us promptly in writing within ten (10) business days after receipt of our notice. If you object to a new Subprocessor, and that objection is not unreasonable, we will use reasonable efforts to make available to you a change in the Service or recommend a commercially reasonable change to your configuration or use of the Service to avoid Processing of Personal Data by the objected-to new Subprocessor.
5.5 Liability. We shall be liable for the acts and omissions of our Subprocessors to the same extent we would be liable if performing the services of each Subprocessor directly under the terms of this DPA.
6.1 Security Measures. Taking into account the state of the art, the costs of implementation and the nature, scope, context and purposes of Processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons, we shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including but not limited to:
(a) Encryption of Personal Data; (b) The ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; (c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident; (d) A process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
6.2 Risk Assessment. In assessing the appropriate level of security, we shall take account in particular of the risks that are presented by Processing, in particular from a Personal Data Breach.
7.1 Notification of Personal Data Breach. We shall notify you without undue delay upon becoming aware of a Personal Data Breach affecting Personal Data, providing you with sufficient information to allow you to meet any obligations to report or inform Data Subjects of the Personal Data Breach under Data Protection Laws.
7.2 Information to be Provided. Such notification shall at a minimum: (a) Describe the nature of the Personal Data Breach, the categories and numbers of Data Subjects concerned, and the categories and numbers of Personal Data records concerned; (b) Communicate the name and contact details of our data protection officer or other relevant contact from whom more information may be obtained; (c) Describe the likely consequences of the Personal Data Breach; and (d) Describe the measures taken or proposed to be taken to address the Personal Data Breach.
8.1 Return of Data. Upon termination of the Service, we shall return all Personal Data Processed pursuant to this DPA to you and, to the extent allowed by applicable law, delete existing copies unless storage of Personal Data is required by applicable law.
9.1 Audits. We shall make available to you all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, by you or an auditor mandated by you in relation to the Processing of Personal Data by us.
10.1 Transfers of Data. We shall ensure that any transfer of Personal Data to a third country or an international organization is subject to appropriate safeguards as described in Article 46 of the GDPR, and that such transfers and safeguards are documented according to Article 30(2) of the GDPR.
11.1 Governing Law. This DPA shall be governed by the laws of the State of Delaware, USA, without regard to its conflict of laws principles.
11.2 Order of Precedence. In the event of any conflict or inconsistency between this DPA and the Agreement, the provisions of this DPA shall prevail.
Categories of Data Subjects:
Types of Personal Data:
Special Categories of Data: The Service is not intended to process special categories of data. However, such data may be contained in documents uploaded by users.
Processing Operations:
Duration of Processing: The Personal Data will be processed for the duration of the Agreement, or as otherwise required by law or agreed between the parties.
Subprocessor | Purpose | Location |
---|---|---|
Amazon Web Services (AWS) | Cloud infrastructure provider | United States |
Google Cloud Platform | Document processing and analysis | United States |
Stripe | Payment processing | United States |
SendGrid | Email notifications | United States |
Microsoft Azure | Analytics and monitoring | United States |
Zendesk | Customer support | United States |