Data Processing Agreement (DPA)

1. Subject Matter and Duration

Processor processes personal data on behalf of Controller to provide the DocTracker SaaS application.

Processing duration: for the term of the main agreement and any applicable retention period.

2. Nature and Purpose of Processing

Processing includes storage, organisation, structuring, retrieval, consultation, transmission, restriction, and deletion of Customer Data.

Purpose: provision of document management workspace platform.

3. Types of Personal Data

May include:

• identification data (name, email)
• documents uploaded by Controller or its clients
• financial or business records
• metadata (deadlines, statuses, activity logs)

Processor does not intentionally collect special categories but may process them if uploaded by Controller.

4. Categories of Data Subjects

• clients of Controller
• employees
• contractors
• other persons whose data is uploaded

5. Processor Obligations

Processor shall:

• Process data only on documented instructions of Controller.
• Ensure confidentiality.
• Implement appropriate technical and organisational measures (Annex I).
• Notify Controller without undue delay and no later than 48 hours after becoming aware of a personal data breach.
• Assist Controller with data subject requests.
• Assist with DPIA where required.
• Delete or return personal data upon termination.
• Make available information necessary to demonstrate compliance.

6. Subprocessors

Controller grants general authorisation for subprocessors.

Current subprocessors include:

• Vercel (EU region - Germany)
• Neon (EU region - Germany)
• Cloudflare, Inc. (EU region)
• Google LLC (United States and/or European Union)
• Resend (USA)
• Stripe (United States and/or European Union)
• Upstash (EU region - Germany)

Processor will inform Controller of changes.

Processor remains fully liable for subprocessors.

7. International Transfers

Customer Data may be transferred outside the EEA by certain subprocessors (for example, Resend and/or Stripe where applicable).

Processor relies on appropriate safeguards, including Standard Contractual Clauses where applicable.

8. Retention and Deletion

• Data retained while account is active.
• Upon account deletion: soft deletion immediately.
• Permanent deletion from primary database within 30 days.
• All associated records such as documents, metadata, and activity logs are deleted upon deletion of the workspace
• Certain operational logs (such as email delivery logs) may be retained by subprocessors in accordance with their independent retention policies.

9. Audit

Controller may conduct documentation-based audits once per year with 30 days prior notice.

Audit shall not disrupt Processor's operations or access other customers' data.

Annex I - Security Measures

• TLS encryption in transit
• Encryption at rest (database level)
• Role-based access control (owner/client)
• Logical workspace isolation
• Activity logging
• Daily automated cleanup of deleted data
• No employee access to production data