Data Processing Agreement

Effective date: April 21, 2026

This Data Processing Agreement ("DPA") supplements the DocsFlow Terms of Service ("Terms"). It applies when, in connection with your use of the Service, DocsFlow processes personal data on your behalf as processor, and is incorporated into the Terms by reference. This DPA is offered on a click-through basis: by accepting the Terms, you accept this DPA. If your organization requires a counter-signed copy, contact legal@docsflow.app.

1. Definitions

  • Applicable Data Protection Law — the EU General Data Protection Regulation 2016/679 (GDPR), the UK GDPR and Data Protection Act 2018 (UK GDPR), the California Consumer Privacy Act / California Privacy Rights Act (CCPA/CPRA), and any other data protection or privacy law applicable to Customer's use of the Service.
  • Controller, Processor, Data Subject, Personal Data, Processing, Supervisory Authority — have the meanings given in the GDPR, and equivalent terms under other Applicable Data Protection Law (including "business," "service provider," and "consumer" under CCPA).
  • Customer Personal Data — Personal Data contained in Customer Content processed by DocsFlow on behalf of Customer.
  • Sub-processor — any third party engaged by DocsFlow to process Customer Personal Data, listed at /subprocessors.

2. Roles

With respect to Customer Personal Data, Customer is the Controller (or Processor acting on behalf of its own Controller), and DocsFlow is the Processor. Under CCPA, DocsFlow acts as a Service Provider and does not sell or share Personal Data.

3. Scope, purpose, and duration

DocsFlow will process Customer Personal Data only as a Processor and only to provide, maintain, secure, and support the Service for Customer, in accordance with Customer's documented instructions (the Terms, this DPA, and Customer's configuration of the Service). Details of processing are described in Annex A. The processing lasts for the term of the Terms, plus any permitted retention period.

4. DocsFlow obligations

  • Instructions. Process Customer Personal Data only on documented instructions from Customer, except as required by applicable law (in which case DocsFlow will notify Customer unless prohibited).
  • Confidentiality. Ensure persons authorized to process Customer Personal Data are bound by confidentiality obligations.
  • Security. Implement and maintain the technical and organizational measures described in Annex B and in our Security Addendum.
  • Sub-processing. Engage Sub-processors only under Section 5 and the sub-processor list.
  • Data subject rights. Assist Customer, by appropriate technical and organizational measures, to respond to Data Subject requests (access, rectification, deletion, restriction, portability, objection).
  • Breach notification. Notify Customer without undue delay, and in any event within 72 hours of confirmation, of any Personal Data Breach affecting Customer Personal Data, including information reasonably required for Customer to meet its own notification obligations.
  • Cooperation. Assist Customer with data protection impact assessments and prior consultations with Supervisory Authorities under GDPR Articles 35 and 36, where relevant.
  • Return / deletion. At termination, at Customer's election, return or delete Customer Personal Data in accordance with Section 14 of the Terms.
  • No sale. Not sell or share Customer Personal Data (CCPA) and not use it for any purpose other than providing the Service, including not using it to train foundation or generative AI models.

5. Sub-processors

Customer authorizes DocsFlow to engage the Sub-processors listed at /subprocessors. DocsFlow will:

  • Enter into a written agreement with each Sub-processor imposing data-protection obligations no less protective than those in this DPA.
  • Remain liable to Customer for the acts and omissions of its Sub-processors in processing Customer Personal Data.
  • Give at least 30 days' prior notice of the addition or replacement of any Sub-processor by updating the sub-processor list and emailing Customer's notification address (once subscribed per that page).
  • Allow Customer to object on reasonable data-protection grounds; if DocsFlow cannot reasonably accommodate the objection, Customer's remedy is to terminate the affected portion of the Service.

6. International data transfers

Customer Personal Data may be transferred to and processed in the United States and other countries outside the European Economic Area and the United Kingdom. For transfers from the EEA, Switzerland, or the UK to a country that has not received an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914, Module Two – Controller to Processor, or Module Three – Processor to Processor, as applicable), together with the UK International Data Transfer Addendum where relevant, are incorporated into this DPA by reference, with:

  • Clause 7 (docking clause): not applicable.
  • Clause 9(a): Option 2 (general written authorization); notice period 30 days.
  • Clause 11(a): optional independent dispute resolution language not included.
  • Clause 17: governed by the law of Ireland.
  • Clause 18: courts of Ireland.
  • Annex I.A – Parties: Customer as data exporter; DocsFlow as data importer.
  • Annex I.B – Description of transfer: as in Annex A below.
  • Annex I.C – Competent Supervisory Authority: the Irish Data Protection Commission (DPC), unless the Customer is established in an EEA Member State, in which case the Supervisory Authority of that Member State.
  • Annex II – Security measures: as in Annex B below.
  • Annex III – Sub-processors: the list at /subprocessors.

For transfers originating from other jurisdictions with cross-border transfer rules, the parties rely on Customer's consent, the safeguards described in Annex B, and any additional mechanisms required by applicable law.

7. Audits

DocsFlow will make available to Customer the information reasonably necessary to demonstrate compliance with this DPA, including our Security Addendum and, on request, responses to the CAIQ and SIG-Lite security questionnaires, and summaries of any third-party security assessments we hold.

Where Applicable Data Protection Law requires more, Customer may, at its own expense and no more than once per 12 months (except following a confirmed Personal Data Breach or when required by a Supervisory Authority), conduct an audit through an independent auditor mutually agreed by the parties, on reasonable prior notice, during normal business hours, and subject to confidentiality obligations.

8. Liability

Each party's liability under this DPA is subject to the limitations in Section 17 of the Terms.

9. Term and order of precedence

This DPA is effective for the term of the Terms. If there is a conflict between the Terms and this DPA with respect to the processing of Customer Personal Data, this DPA prevails. If there is a conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses prevail.

Annex A — Description of processing

  • Categories of Data Subjects: Customer's users, personnel, clients, counterparties, and any other natural persons whose Personal Data appears in Customer Content.
  • Categories of Personal Data: identifiers (name, email, phone), professional information, content of documents uploaded by Customer, usage data, and any other Personal Data Customer chooses to include in Customer Content.
  • Special categories: Customer is responsible for not uploading special-category data, criminal-offense data, PHI, or payment card data except as permitted by the AUP and applicable law.
  • Nature and purpose of processing: hosting, indexing, retrieval, AI-assisted search and question-answering, account management, security monitoring, billing, support.
  • Duration: for the term of the Terms plus permitted retention.
  • Sub-processors: as listed at /subprocessors.

Annex B — Technical and organizational measures

DocsFlow implements the security measures described in our Security Addendum, including at minimum:

  • Workspace-level tenant isolation enforced at the database layer (Row-Level Security).
  • AES-256 encryption at rest and TLS 1.3 in transit, with an additional AES-256-GCM encryption layer using a workspace-scoped key for AI-searchable content.
  • Access control based on least privilege, with multi-factor authentication for administrative access.
  • Audit logging of uploads, queries, membership changes, and access events.
  • AI Providers engaged under zero-retention or equivalent terms that prohibit model training on Customer Content.
  • Documented incident response process with 72-hour breach notification.
  • Personnel trained on data protection and bound by written confidentiality obligations.
  • Secure software development practices, including code review and dependency monitoring.