Data Processing Agreement

Last updated: March 6, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service or other written or electronic agreement between Doculent Ltd. ("Processor" or "Doculent") and the entity agreeing to these terms ("Controller" or "Customer") for the use of Doculent's Services (the "Agreement").

This DPA applies to the extent that Doculent processes Personal Data on behalf of the Customer in the course of providing the Services. This DPA is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), SOC 2 Type II requirements, and the European Telecommunications Standards Institute (ETSI) standards for electronic signatures and trust services.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined under applicable Data Protection Laws.
  • "Data Protection Laws" means all applicable laws relating to data protection, privacy, and the processing of Personal Data, including but not limited to the GDPR (Regulation (EU) 2016/679), the UK GDPR, the CCPA (Cal. Civ. Code § 1798.100 et seq.), and the Swiss Federal Act on Data Protection (FADP).
  • "Processing" means any operation performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, retrieval, consultation, use, disclosure, combination, restriction, erasure, or destruction.
  • "Sub-processor" means any third party engaged by Doculent to process Personal Data on behalf of the Customer.
  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.
  • "Standard Contractual Clauses" (SCCs) means the contractual clauses approved by the European Commission for the transfer of Personal Data to processors established in third countries.

2. Scope and Purpose of Processing

2.1 Subject Matter

Doculent shall process Personal Data solely for the purpose of providing the Services as described in the Agreement, including but not limited to document automation, AI-assisted document processing, human-in-the-loop review workflows, and related data management functions.

2.2 Categories of Data Subjects

The Personal Data processed may relate to the following categories of Data Subjects:

  • Customer's employees, contractors, and agents.
  • Customer's end users and clients.
  • Individuals whose Personal Data is contained in documents processed through the Services.

2.3 Types of Personal Data

The Personal Data processed may include:

  • Identification data (name, address, date of birth, identification numbers).
  • Contact information (email, phone number, mailing address).
  • Financial data (account numbers, payment information, insurance details).
  • Health data (medical records, health insurance information) where applicable.
  • Professional data (employer, job title, professional qualifications).
  • Any other Personal Data contained in documents uploaded by the Customer.

2.4 Duration

Doculent shall process Personal Data for the duration of the Agreement, unless otherwise required by applicable law. Upon termination, Doculent shall delete or return all Personal Data in accordance with Section 10.

3. Obligations of the Processor

Doculent shall:

  1. Process Personal Data only on documented instructions from the Customer, unless required by applicable law, in which case Doculent shall inform the Customer of that legal requirement before processing (unless prohibited by law).
  2. Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 of the GDPR, SOC 2 Type II standards, and ETSI security requirements.
  4. Not engage another processor (Sub-processor) without prior specific or general written authorization of the Customer, subject to Section 6.
  5. Assist the Customer, taking into account the nature of the processing, in fulfilling the Customer's obligations to respond to Data Subject requests.
  6. Assist the Customer in ensuring compliance with obligations related to security of processing, notification of Security Incidents, data protection impact assessments, and prior consultation with supervisory authorities.
  7. At the choice of the Customer, delete or return all Personal Data after the end of the provision of Services, and delete existing copies unless applicable law requires storage.
  8. Make available to the Customer all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits and inspections.

4. Obligations of the Controller

The Customer shall:

  1. Ensure that its collection and transfer of Personal Data to Doculent complies with all applicable Data Protection Laws.
  2. Provide documented processing instructions to Doculent and ensure that such instructions comply with applicable Data Protection Laws.
  3. Be solely responsible for determining the lawful basis for processing Personal Data and for obtaining any necessary consents or authorizations from Data Subjects.
  4. Inform Doculent of any special categories of Personal Data (as defined under Article 9 of the GDPR) included in the data being processed.
  5. Ensure that it has the right to transfer Personal Data to Doculent for processing in accordance with this DPA.

5. Security Measures

Doculent shall implement and maintain the following technical and organizational security measures, consistent with SOC 2 Type II certification requirements and ETSI standards:

  • Encryption: All Personal Data is encrypted in transit using TLS 1.2 or higher and at rest using AES-256 encryption.
  • Access Control: Role-based access controls (RBAC) with the principle of least privilege. Multi-factor authentication (MFA) required for all personnel with access to Personal Data.
  • Network Security: Firewalls, intrusion detection/prevention systems, and network segmentation to isolate customer data.
  • Monitoring and Logging: Comprehensive audit logging of all access to and actions on Personal Data, with real-time monitoring and alerting.
  • Vulnerability Management: Regular vulnerability assessments, penetration testing, and timely patching of identified vulnerabilities.
  • Business Continuity: Redundant infrastructure, regular backups, and disaster recovery procedures with defined Recovery Time Objectives (RTO) and Recovery Point Objectives (RPO).
  • Physical Security: Data centers with 24/7 physical security, biometric access controls, and environmental protections.
  • Employee Security: Background checks, security awareness training, and confidentiality agreements for all personnel.
  • ETSI Compliance: Adherence to ETSI EN 319 401 and related standards for trust service providers, including audit trail integrity and electronic signature security where applicable.

6. Sub-processors

6.1 Authorization

The Customer grants Doculent general written authorization to engage Sub-processors for the processing of Personal Data. Doculent maintains a current list of Sub-processors, which is available upon request.

6.2 Notification of Changes

Doculent shall notify the Customer of any intended changes concerning the addition or replacement of Sub-processors at least 30 days before such changes, giving the Customer the opportunity to object to such changes.

6.3 Objection Right

If the Customer reasonably objects to a new Sub-processor on legitimate data protection grounds, Doculent shall use commercially reasonable efforts to make available an alternative arrangement. If no alternative is reasonably available, either party may terminate the affected portion of the Services.

6.4 Sub-processor Obligations

Doculent shall impose data protection obligations no less protective than those set out in this DPA on any Sub-processor. Doculent remains fully liable to the Customer for the performance of each Sub-processor's obligations.

7. Data Subject Rights

Doculent shall, to the extent legally permitted, promptly notify the Customer if it receives a request from a Data Subject to exercise their rights under applicable Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).

Doculent shall assist the Customer by appropriate technical and organizational measures, insofar as possible, in fulfilling the Customer's obligations to respond to Data Subject requests. The Customer is responsible for responding to such requests.

8. Security Incident Notification

Doculent shall notify the Customer without undue delay (and in any event within 48 hours) after becoming aware of a Security Incident affecting the Customer's Personal Data. Such notification shall include:

  • A description of the nature of the Security Incident, including the categories and approximate number of Data Subjects and records concerned.
  • The name and contact details of the point of contact from whom more information can be obtained.
  • A description of the likely consequences of the Security Incident.
  • A description of the measures taken or proposed to address the Security Incident, including measures to mitigate its possible adverse effects.

Doculent shall cooperate with the Customer and take commercially reasonable steps to assist in the investigation, mitigation, and remediation of any Security Incident.

9. International Data Transfers

To the extent that Doculent processes or transfers Personal Data outside the EEA, UK, or Switzerland, Doculent shall ensure that such transfers are made in compliance with applicable Data Protection Laws using one or more of the following safeguards:

  • Standard Contractual Clauses (SCCs) as approved by the European Commission (Commission Implementing Decision (EU) 2021/914).
  • An adequacy decision by the European Commission or UK Secretary of State.
  • Binding Corporate Rules approved by a competent supervisory authority.
  • Other lawful transfer mechanisms as may be available under applicable Data Protection Laws.

The parties agree that, where applicable, the Standard Contractual Clauses are incorporated by reference into this DPA and form an integral part hereof.

10. Data Retention and Deletion

Upon termination or expiration of the Agreement, Doculent shall, at the Customer's election:

  1. Return all Personal Data to the Customer in a structured, commonly used, and machine-readable format; or
  2. Securely delete all Personal Data, including all existing copies, within 30 days of receiving such instruction.

If no instruction is received within 90 days of termination, Doculent shall securely delete all Personal Data. Doculent may retain Personal Data to the extent required by applicable law, provided that Doculent shall ensure the confidentiality of such data and shall process it only for the purpose required by law.

11. Audits and Compliance

11.1 Audit Rights

Doculent shall make available to the Customer, upon reasonable request and no more than once per twelve-month period, information necessary to demonstrate compliance with this DPA. The Customer (or its appointed third-party auditor, subject to confidentiality obligations) may conduct an audit of Doculent's processing activities, provided that:

  • The Customer provides at least 30 days' prior written notice.
  • The audit is conducted during normal business hours and does not unreasonably disrupt Doculent's operations.
  • The Customer bears the costs of the audit, unless the audit reveals material non-compliance by Doculent.

11.2 SOC 2 Reports

Doculent maintains SOC 2 Type II certification. Upon request and subject to confidentiality obligations, Doculent shall provide the Customer with a copy of its most recent SOC 2 Type II report. Such report shall be deemed to satisfy the Customer's audit rights under this Section 11 unless the Customer has reasonable grounds to believe that additional auditing is necessary.

11.3 ETSI Compliance

Where the Services involve electronic signatures, seals, or trust services, Doculent shall comply with the applicable ETSI standards, including ETSI EN 319 401 (General Policy Requirements for Trust Service Providers) and related technical specifications. Doculent shall provide evidence of such compliance upon request.

12. CCPA-Specific Provisions

To the extent the CCPA applies to the processing of Personal Data under this DPA:

  • Doculent is a "Service Provider" as defined under the CCPA and shall not sell, share, or use Personal Data for any purpose other than the specific business purposes set forth in the Agreement.
  • Doculent shall not retain, use, or disclose Personal Data for any commercial purpose other than providing the Services specified in the Agreement.
  • Doculent shall not combine Personal Data received from the Customer with Personal Data received from other sources, except as permitted by the CCPA.
  • Doculent certifies that it understands the restrictions set forth in this Section and will comply with them.
  • Doculent shall notify the Customer if it determines that it can no longer meet its obligations under the CCPA.
  • The Customer shall have the right to take reasonable and appropriate steps to ensure that Doculent uses Personal Data in a manner consistent with the Customer's obligations under the CCPA.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability set forth in the Agreement. Nothing in this DPA shall limit either party's liability for: (a) death or personal injury caused by negligence; (b) fraud or fraudulent misrepresentation; or (c) any other liability that cannot be excluded or limited by applicable law.

In no event shall Doculent's aggregate liability under this DPA exceed the amounts paid or payable by the Customer to Doculent under the Agreement during the twelve (12) months preceding the event giving rise to the liability.

Doculent shall not be liable for any processing of Personal Data by the Customer or any third party acting on the Customer's instructions that does not comply with applicable Data Protection Laws.

14. Term and Termination

This DPA shall remain in effect for the duration of the Agreement. Any provision of this DPA that by its nature should survive termination (including Sections 8, 10, 11, and 13) shall survive termination of this DPA and the Agreement.

15. Governing Law

This DPA shall be governed by and construed in accordance with the governing law provisions of the Agreement, except where applicable Data Protection Laws require otherwise. For Data Subjects in the EEA, the laws of the EU Member State in which the Data Subject resides shall apply to disputes arising from this DPA regarding their Personal Data.

16. Conflict

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data. In the event of any conflict between this DPA and the Standard Contractual Clauses, the Standard Contractual Clauses shall prevail.

17. Contact

For questions or requests regarding this DPA, please contact: