Data Processing Agreement (DPA)

Documentero SaaS Service

Effective Date: 1 September 2023

This Data Processing Agreement ("DPA") is entered into between:

1. Documentero
("Data Processor," "we," "us," or "our"), with its registered office at

Documentero
Kilinskiego 121B, 90-049 Lodz
Poland
European Union

2. Customer
("Data Controller," "you," or "your").

This DPA is an addendum to, and forms part of, the service agreement governing the use of the Documentero SaaS document generation service. Its purpose is to ensure compliance with the General Data Protection Regulation (EU Regulation 2016/679, "GDPR") with respect to the processing of personal data by Documentero on behalf of the Customer.

1. Definitions

  • Personal Data: Any information related to an identified or identifiable natural person.
  • Processing: Any operation performed on personal data, such as collection, storage, use, or deletion.
  • Data Controller: The entity that determines the purposes and means of processing personal data.
  • Data Processor: The entity that processes personal data on behalf of the Data Controller.
  • Subprocessor: Any third party engaged by the Data Processor to process personal data on behalf of the Data Controller.

2. Subject Matter

The Data Processor will process personal data as described in this DPA on behalf of the Data Controller in relation to the provision of the Documentero SaaS document generation service.

3. Duration of Processing

The Data Processor will process personal data for the duration of the service agreement unless otherwise instructed by the Data Controller or required by law. Personal data is generally retained for the following periods:

  • Document Generation Data: Up to 24 hours or until the document is generated.
  • Generated Documents: Up to 24 hours post-generation.
  • Document Templates and Account Information: Stored as long as the account remains active.
  • Activity Logs: Retained for a maximum of 60 days for auditing and security purposes.

4. Types of Personal Data Processed

The types of personal data processed may include:

  • User Account Information: Name, email address, and password.
  • Document Generation Data: Personal data submitted via API or forms for generating documents.
  • Activity Logs: Data relating to the usage of the document generation service, such as timestamps and template usage.

5. Data Subject Rights

The Data Processor will assist the Data Controller in fulfilling its obligations regarding the rights of data subjects as set out under GDPR. These rights include, but are not limited to:

  • Right to access personal data.
  • Right to rectify or correct personal data.
  • Right to erasure (the “right to be forgotten”).
  • Right to restrict processing.
  • Right to data portability.

Requests from data subjects will be forwarded to the Data Controller unless the Data Processor is legally obligated to respond directly.

6. Subprocessors and Data Transfers

The Data Processor uses the following subprocessors to assist in providing the service:

  • Google Cloud Firebase: Cloud storage, encryption, and security. Data is processed and stored in Google Cloud’s EU and US data centers.
  • Brevo: Email communication services.
  • Google Analytics: Website user behavior analysis.
  • LogRocket: Application interaction analysis.

Personal data processed by Google Cloud is stored within the European Union and the United States. The transfer of personal data to the United States is governed by the EU-US Data Privacy Framework, which allows transfers to certified US companies as of July 10, 2023.

The Data Processor ensures that subprocessors comply with GDPR and sign agreements that provide sufficient guarantees for data protection. The Data Controller will be notified of any changes to the subprocessors, providing the option to object.

7. Data Security

The Data Processor is committed to implementing and maintaining appropriate technical and organizational measures to ensure the security of personal data. These measures include:

  • Encryption of personal data in transit and at rest using industry-standard mechanisms (TLS/HTTPS for data in transit).
  • Google Cloud Platform security mechanisms: Google Cloud provides encryption, Google Cloud authentication, and secure access controls.
  • Access control to stored data using Google Cloud's Identity and Access Management (IAM), with access recorded in Google Cloud Logging.
  • Regular security audits and vulnerability assessments to ensure system robustness.
  • Incident response procedures to handle data breaches effectively and promptly.

8. Data Breaches

In the event of a data breach, the Data Processor will notify the Data Controller without undue delay, providing:

  • A description of the nature of the breach.
  • Information on the likely consequences.
  • Steps taken or to be taken to mitigate the breach.
  • Any other relevant details required under GDPR Article 33.

9. Data Transfers and Third Countries

Personal data is stored and processed within the European Union (EU) and the United States (US). Data transferred to the US is subject to the EU-US Data Privacy Framework, which allows the transfer of personal data to certified US companies as of July 10, 2023. Subprocessors, such as Google Cloud, are certified under this framework and comply with EU data protection standards.

In the event that personal data is transferred to any other third country outside the European Union, appropriate safeguards, such as Standard Contractual Clauses (SCCs) or certification under the EU-US Data Privacy Framework, will be applied.

10. Data Deletion and Return

Upon termination of the service agreement or upon the Data Controller's request, the Data Processor will delete or return all personal data processed on behalf of the Data Controller, unless otherwise required by law. Documentation proving the deletion will be provided upon request.

11. Liability and Data Backup

The Data Processor will retain certain data that you transmit to the service for the purpose of operating and managing the performance of the service. Although we perform regular routine backups of data, you remain solely responsible for all data that you transmit or that relates to any activity you undertake using the service. You agree that the Data Processor shall have no liability to you for any loss or corruption of such data, and you hereby waive any right of action against the Data Processor arising from any such loss or corruption.

In the event of any breach of this DPA, both parties agree that liability will be apportioned according to their respective responsibilities under GDPR. The Data Processor shall only be liable for damages caused by its processing of personal data in violation of this DPA or GDPR, and the Data Controller will be responsible for any failure to comply with their obligations.

12. Audit and Inspection

The Data Controller may request audits or inspections to verify the Data Processor's compliance with this DPA. The Data Processor will allow for and contribute to audits, including inspections, conducted by the Data Controller or an independent third party. These audits will be subject to reasonable advance notice and will not interfere with the Data Processor's regular business operations.

13. Governing Law

This DPA is governed by the laws of the Republic of Poland, and any disputes arising from or related to this agreement shall be subject to the exclusive jurisdiction of the courts in Poland.

14. Contact Information

For any questions or concerns related to this DPA, please contact:

Data Protection Officer (support@documentero.com)