DocTracker

Legal

Data Processing Agreement (DPA)

This Data Processing Agreement forms part of the Terms of Service between:

Marmalade Skies s.r.o., IČO 24372901, Bělehradská 858/23, 120 00 Praha, Czech Republic ("Processor")
and
the Workspace Owner ("Controller").

This DPA is governed by General Data Protection Regulation.

1. Subject Matter and Duration

Processor processes personal data on behalf of Controller to provide the DocTrack SaaS application.

Processing duration: for the term of the main agreement and any applicable retention period.

2. Nature and Purpose of Processing

Processing includes storage, organisation, structuring, retrieval, consultation, transmission, restriction, and deletion of Customer Data.

Purpose: provision of document management workspace platform.

3. Types of Personal Data

May include:

  • identification data (name, email)
  • documents uploaded by Controller or its clients
  • financial or business records
  • metadata (deadlines, statuses, activity logs)

Processor does not intentionally collect special categories but may process them if uploaded by Controller.

4. Categories of Data Subjects

  • clients of Controller
  • employees
  • contractors
  • other persons whose data is uploaded

5. Processor Obligations

Processor shall:

  • Process data only on documented instructions of Controller.
  • Ensure confidentiality.
  • Implement appropriate technical and organisational measures (Annex I).
  • Notify Controller without undue delay and no later than 48 hours after becoming aware of a personal data breach.
  • Assist Controller with data subject requests.
  • Assist with DPIA where required.
  • Delete or return personal data upon termination.
  • Make available information necessary to demonstrate compliance.

6. Subprocessors

Controller grants general authorisation for subprocessors.

Current subprocessors include:

  • Vercel (EU region - Germany)
  • Neon (AWS US East - USA)
  • Resend
  • Stripe

Processor will inform Controller of changes.

Processor remains fully liable for subprocessors.

7. International Transfers

Customer Data may be transferred to the United States (Neon AWS US East).

Processor relies on appropriate safeguards, including Standard Contractual Clauses where applicable.

8. Retention and Deletion

  • Data retained while account is active.
  • Upon account deletion: soft deletion immediately.
  • Permanent deletion from primary database within 30 days.
  • Activity logs retained up to 180 days.
  • Log records retained up to 90 days.

9. Audit

Controller may conduct documentation-based audits once per year with 30 days prior notice.

Audit shall not disrupt Processor's operations or access other customers' data.

Annex I - Security Measures

  • TLS encryption in transit
  • Encryption at rest (database level)
  • Role-based access control (owner/client)
  • Logical workspace isolation
  • Activity logging
  • Daily automated cleanup of deleted data
  • No employee access to production data

Governing law: Czech law.