Data Processing Agreement (DPA)
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", the controller) and DocuTract ("DocuTract", the processor). It governs DocuTract's processing of personal data contained in the documents, scans and templates you upload ("Customer Personal Data") and reflects the requirements of Article 28 of the EU General Data Protection Regulation (GDPR).
Roles of the parties
The Customer is the controller and determines the purposes and means of processing Customer Personal Data. DocuTract is the processor and processes Customer Personal Data only on the Customer's documented instructions, including those given through normal use of the service. Where DocuTract acts as controller for account and billing data, the Privacy Policy applies instead.
Subject matter and duration
The subject matter is the processing necessary to provide DocuTract — extracting fields from uploaded scans and generating filled documents. Processing lasts for the term of the Terms of Service and until Customer Personal Data is deleted in accordance with this DPA.
Nature and purpose of processing
DocuTract processes Customer Personal Data to receive uploaded files, perform automated extraction, populate templates, generate output documents, and store those documents and scans on the Customer's behalf.
Categories of data and data subjects
The Customer controls what it uploads. Customer Personal Data may include identity, contact, identification-document, financial and other details contained in the Customer's source files. Data subjects may include the Customer's clients, employees, counterparties and any individuals named in the Customer's documents.
DocuTract's obligations
DocuTract will:
- process Customer Personal Data only on the Customer's documented instructions;
- ensure persons authorised to process the data are bound by confidentiality;
- implement the technical and organisational measures described below;
- not use Customer Personal Data to train machine-learning models or for any purpose other than providing the service;
- assist the Customer, taking into account the nature of processing, with data-subject requests and with its security, breach-notification and impact-assessment obligations.
Security measures
DocuTract maintains appropriate technical and organisational measures, including encryption in transit (TLS) and at rest, access controls based on least privilege and authentication, private file storage exposed only via short-lived signed URLs scoped to a workspace, network isolation between workspaces, logging and monitoring, and regular review of these measures.
Sub-processors
The Customer authorises DocuTract to engage sub-processors to provide the service. DocuTract imposes data-protection obligations on each sub-processor no less protective than those in this DPA, and remains responsible for their performance. The current sub-processors are:
- Cloud hosting — application and database hosting in the Customer's chosen EU or US region.
- Document-extraction provider — automated OCR and field extraction from uploaded scans.
- Authentication and file storage — sign-in and private storage of scans and outputs.
- Payment processor — subscription billing and invoicing (account/billing data only).
- Document-rendering service — conversion of generated documents to PDF.
DocuTract will give advance notice of any intended addition or replacement of a sub-processor so the Customer may object on reasonable data-protection grounds.
International transfers
Where Customer Personal Data is transferred outside the EEA, DocuTract relies on appropriate safeguards such as the European Commission's Standard Contractual Clauses, together with the technical measures set out above.
Personal data breach
DocuTract will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, with the information the Customer reasonably needs to meet its own notification obligations.
Return and deletion
On termination of the service, or on the Customer's request, DocuTract will delete or return Customer Personal Data and delete existing copies within 30 days, except where storage is required by law.
Audits
DocuTract makes available the information necessary to demonstrate compliance with this DPA and will contribute to audits, including inspections, conducted by the Customer or an auditor it mandates, on reasonable notice and subject to confidentiality.
Liability and precedence
If any conflict arises between this DPA and the Terms of Service on the subject of personal-data processing, this DPA prevails. Questions about this DPA? Write to legal@docutract.online.