Data Processing Agreement

This Data Processing Agreement (“DPA”) forms part of the Terms of Service and Privacy Policy between DocuGenerate (“we”, “us”, or “Data Processor”) and the customer (“Customer” or “Data Controller”) for the use of DocuGenerate’s document generation services (“Services”).

This DPA addresses the requirements of the EU General Data Protection Regulation (GDPR) and other applicable data protection laws where DocuGenerate processes personal data on behalf of the Customer.

1. Definitions

Data Controller
The Customer who determines the purposes and means of processing personal data.

Data Processor
DocuGenerate, who processes personal data on behalf of and according to the documented instructions of the Data Controller.

Data Subject
An identified or identifiable natural person whose personal data is processed.

Personal Data
Any information relating to an identified or identifiable natural person as defined under applicable data protection laws.

Processing
Any operation performed on personal data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, dissemination, restriction, erasure, or destruction.

Sub-processor
Any third party appointed by DocuGenerate to process personal data on behalf of the Customer.

2. Scope and Applicability

2.1 Scope of Processing

This DPA applies to the processing of personal data by DocuGenerate in the course of providing the Services, including:

• Document template creation and management
• Document generation from templates using customer-provided data
• Storage of generated documents (when applicable)
• Team collaboration features
• Customer account management

2.2 Data Controller Instructions

DocuGenerate will process personal data only on documented instructions from the Customer, including:

• The Customer’s use of the Services through the web application and API
• Configuration settings chosen by the Customer
• Data provided by the Customer for document generation
• This DPA and any additional written instructions agreed upon by both parties

3. Categories of Data and Data Subjects

3.1 Categories of Data Subjects

The personal data transferred concerns the following categories of data subjects:

• The Customer’s employees, contractors, and collaborators
• The Customer’s customers, clients, and business contacts
• Any individuals whose personal data is included in documents created using the Services

3.2 Categories of Personal Data

The personal data transferred concerns the following categories of data:

• Identity data (names, job titles, contact information)
• Business contact information (email addresses, phone numbers, addresses)
• Financial information (invoicing details, payment terms)
• Employment information (employment contracts, certificates)
• Any other personal data included in document templates or generation data

3.3 Special Categories of Personal Data

DocuGenerate does not intentionally process special categories of personal data. Should the Customer provide such data, it is the Customer’s responsibility to ensure appropriate legal basis and safeguards are in place.

4. Technical and Organizational Measures

4.1 Security Measures

DocuGenerate implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

• Encryption of personal data in transit and at rest
• Regular security assessments and updates
• Access controls and authentication mechanisms
• Logging and monitoring of data access
• Incident response procedures

4.2 Data Processing Principles

• Data Minimization: Only the personal data necessary for document generation is processed
• Transient Processing: Data used for document generation is not permanently stored and is processed only for the duration necessary to generate the requested documents
• Purpose Limitation: Personal data is processed only for the specific purposes outlined in this DPA
• Storage Limitation: Generated documents are stored only as long as requested by the Customer and can be deleted at any time

5. Data Location and Transfers

5.1 Processing Locations

Personal data may be processed in the following regions, as selected by the Customer:

• European Union (Frankfurt, Germany)
• United States (San Francisco, California)
• United Kingdom (London)
• Australia (Sydney)

5.2 International Transfers

When personal data is transferred to countries outside the European Economic Area, DocuGenerate ensures adequate protection through:

• Processing in regions with adequacy decisions from the European Commission where applicable
• Implementation of appropriate safeguards in accordance with applicable data protection laws
• Customer control over data processing region selection

6. Sub-processors

6.1 Authorized Sub-processors

DocuGenerate may engage the following categories of sub-processors:

• Cloud Infrastructure Providers: For hosting and infrastructure services
• Communication Services: For customer support and notifications
• Payment Processors: For processing subscription payments

6.2 Current Sub-processors

DocuGenerate currently uses the following sub-processors:

• Google Cloud Platform: Cloud infrastructure and hosting (various global regions)
• DigitalOcean: API hosting services
• Intercom: Customer communication and support services
• Stripe: Payment processing services

6.3 Sub-processor Obligations

DocuGenerate ensures that any sub-processor:

• Is bound by data protection obligations equivalent to those set out in this DPA
• Provides sufficient guarantees regarding technical and organizational security measures
• Allows DocuGenerate to fulfill its obligations under this DPA

7. Data Subject Rights

7.1 Assistance with Data Subject Requests

DocuGenerate will assist the Customer in responding to data subject requests, including:

• Right of access
• Right to rectification
• Right to erasure
• Right to restrict processing
• Right to data portability
• Right to object

7.2 Data Subject Request Process

When DocuGenerate receives a data subject request directly, we will:

• Promptly notify the Customer
• Redirect the data subject to contact the Customer directly
• Provide reasonable assistance to the Customer in responding to the request

8. Data Retention and Deletion

8.1 Data Retention

• Template Data: Personal data in templates is retained until the Customer deletes the template
• Generated Documents: Personal data in generated documents is retained until the Customer deletes the document
• Processing Data: Personal data used for document generation is not permanently stored and exists only during the processing period
• Account Data: Customer account information is retained in accordance with our Privacy Policy

8.2 Data Deletion

Upon Customer request or contract termination, DocuGenerate will:

• Delete or return all personal data in our possession
• Delete existing copies unless retention is required by applicable law
• Provide written confirmation of deletion upon request

9. Data Breach Notification

9.1 Incident Response

In the event of a personal data breach, DocuGenerate will:

• Notify the Customer without undue delay and within 72 hours of becoming aware of the breach
• Provide all available information about the breach
• Take immediate steps to contain and remedy the breach
• Cooperate with the Customer’s breach notification obligations

9.2 Breach Information

Breach notifications will include:

• Description of the nature of the breach
• Categories and approximate number of data subjects affected
• Categories and approximate number of personal data records affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach

10. Audits and Compliance

10.1 Audit Rights

The Customer may request information about DocuGenerate’s compliance with this DPA. DocuGenerate will:

• Provide reasonable information about our data protection practices through documentation and reports
• Make available third-party audit reports or certifications when available
• Allow for remote audits or questionnaires, no more than once per calendar year
• Cooperate with regulatory audits and investigations as required by law

10.2 Compliance Documentation

DocuGenerate maintains records of:

• Categories of processing activities
• Technical and organizational measures
• Sub-processor agreements
• Data protection impact assessments where applicable

11. Liability and Indemnification

11.1 Limitation of Liability

Each party’s liability under this DPA is subject to the limitation of liability provisions in the Terms of Service.

11.2 Customer Responsibilities

The Customer is responsible for:

• Ensuring a lawful basis for processing under applicable data protection laws
• Providing accurate and complete instructions for data processing
• Implementing appropriate technical and organizational measures on their end
• Complying with data subject notification and consent requirements where applicable

12. Term and Termination

12.1 Term

This DPA is effective from the date the Customer accepts the Terms of Service and remains in effect for as long as DocuGenerate processes personal data on behalf of the Customer.

12.2 Survival

The provisions of this DPA relating to data protection, confidentiality, and return or deletion of personal data will survive termination of the Services.

13. Changes to This DPA

DocuGenerate may update this DPA to reflect changes in applicable laws or our data processing practices. We will notify Customers of material changes with at least 30 days’ notice.

14. Governing Law and Jurisdiction

This DPA is governed by the same law and jurisdiction provisions as set forth in the Terms of Service, provided that any conflicts with applicable data protection laws shall be resolved in favor of such data protection laws.

15. Contact Information

For questions about data protection or if you need a signed DPA, please contact us at:

Data Protection Contact
Email: support@docugenerate.com

Company Address
MOLEA SOFTWARE
3 rue Gérard Maire, Bât. C
69100 Villeurbanne
France