Data Processing Agreement
This Data Processing Agreement (“DPA”) forms part of, and is incorporated into, the agreement between you and DocFast for the use of the DocFast service (the “Agreement”, comprising the Terms of Service and any order form). It applies whenever DocFast processes Personal Data on your behalf in the course of providing the service.
This DPA is offered to all customers without the need to sign a separate document. By accepting the Terms of Service, you accept this DPA. If your organisation requires a signed copy, contact privacy@docfast.ai.
1. Parties
- Controller (“Customer”, “you”) — the natural or legal person who has entered into the Agreement and whose Personal Data is processed by DocFast.
- Processor — DocFast, a private limited company (besloten vennootschap) incorporated under the laws of the Netherlands and registered with the Netherlands Chamber of Commerce under number 62029339, with its registered address at Wijnberg 22, 2716 PE Zoetermeer, the Netherlands.
2. Definitions
Capitalised terms used in this DPA but not defined here have the meaning given to them in Regulation (EU) 2016/679 (the “GDPR”).
- Personal Data — any information relating to an identified or identifiable natural person that is included in Customer Content and processed by DocFast under the Agreement.
- Customer Content — the text, brand assets, prompts, and documents you upload, paste, or generate using DocFast.
- Sub-processor — any third party engaged by DocFast to process Personal Data on its behalf.
- Applicable Data Protection Law — the GDPR, the Dutch Implementation Act (UAVG), and any other data-protection law that applies to the processing.
3. Subject matter, nature and purpose
- Subject matter: processing of Personal Data contained in Customer Content for the purpose of providing the DocFast service.
- Nature of processing: storage, hosting, transformation (formatting and text clean-up using third-party AI models), retrieval, and deletion.
- Purpose: enabling Customer to format text and generate Word and PDF documents that reflect the Customer’s brand profile.
- Duration: the term of the Agreement, plus the post-termination retention periods set out in the Privacy Policy.
4. Categories of data subjects and Personal Data
Customer determines what Personal Data it submits to DocFast. The categories typically include:
- Data subjects: Customer’s employees, clients, prospects, suppliers, and any other natural persons mentioned in Customer Content.
- Categories of Personal Data: name, contact details, job title, organisation, free-text content, and any other Personal Data that Customer chooses to include in its documents.
Customer must not upload special categories of data (Art. 9 GDPR) or criminal-offence data (Art. 10 GDPR) unless it has confirmed with DocFast in writing that the service is suitable for that purpose.
5. Obligations of DocFast (Processor)
DocFast will:
- process Personal Data only on Customer’s documented instructions, including the Agreement and any reasonable instructions given through the service; if DocFast is required by EU or Member State law to process Personal Data otherwise, DocFast will inform Customer first, unless prohibited by law;
- ensure that persons authorised to process Personal Data are bound by confidentiality obligations;
- implement and maintain appropriate technical and organisational measures as described in Annex II;
- assist Customer, taking into account the nature of the processing, in fulfilling its obligations to respond to data-subject requests and to comply with Articles 32–36 GDPR (security, breach notification, DPIA, prior consultation);
- delete or return all Personal Data at the end of the Agreement, in line with section 11; and
- make available all information necessary to demonstrate compliance with Article 28 GDPR.
6. Obligations of Customer (Controller)
Customer warrants that:
- it has a valid lawful basis for the processing it instructs DocFast to perform;
- it has provided any required notices and obtained any required consents from data subjects;
- its instructions to DocFast comply with Applicable Data Protection Law; and
- it will not upload Personal Data to DocFast that it is not permitted to share with a processor.
7. Sub-processors
Customer gives DocFast a general authorisation to engage Sub-processors. The current list of Sub-processors is published in the Privacy Policy (section 3, “Sub-processors and other recipients”) and is incorporated into this DPA by reference.
DocFast will:
- impose on each Sub-processor data-protection obligations no less protective than those in this DPA, by means of a written contract;
- remain liable to Customer for the performance of each Sub-processor’s obligations under that contract;
- give Customer at least 7 days’ prior notice of any intended addition or replacement of a Sub-processor, by e-mail to the address on file. Customer may object on reasonable data-protection grounds within that period. If the parties cannot agree on a workaround, Customer may terminate the Agreement with respect to the affected service and receive a pro-rata refund of any prepaid, unused fees.
8. International transfers
Where DocFast or a Sub-processor transfers Personal Data outside the European Economic Area, the transfer is covered by:
- the EU Commission’s Standard Contractual Clauses (2021/914), with Module Two (controller to processor) or Module Three (processor to processor) as applicable;
- the EU-US Data Privacy Framework, where the recipient is certified; or
- another transfer mechanism recognised under GDPR Chapter V.
By accepting this DPA, the parties accept the SCCs and the optional clauses selected by DocFast as set out in Annex III.
9. Security and personal data breaches
DocFast applies the technical and organisational measures described in Annex II. DocFast will notify Customer without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting Customer’s Personal Data. The notification will include the information required by Article 33(3) GDPR, to the extent known at the time.
10. Data-subject requests and DPIAs
If DocFast receives a request from a data subject relating to Customer’s Personal Data, DocFast will forward the request to Customer without undue delay and will not respond to the data subject itself except on Customer’s instruction or as required by law. DocFast will, at Customer’s reasonable request, assist Customer in fulfilling its obligations under Articles 12–22 (data-subject rights) and Articles 35–36 GDPR (DPIA and prior consultation).
11. Return and deletion
On termination or expiry of the Agreement, DocFast will, at Customer’s choice, delete or return all Personal Data to Customer, and delete remaining copies, unless retention is required by EU or Member State law. The default behaviour, if Customer makes no choice within 30 days of termination, is deletion in line with the retention periods stated in the Privacy Policy.
12. Audits
DocFast will make available to Customer, on reasonable written request and no more than once per year, the information necessary to demonstrate compliance with this DPA, including summaries of independent third-party assessments where available.
Where Customer reasonably believes that this information is insufficient, Customer may request an on-site audit, conducted on at least 30 days’ written notice, during normal business hours, and subject to confidentiality. Audits must not disrupt the service or compromise the security or privacy of other customers. Customer bears its own costs and reimburses DocFast for any reasonable time and expense it incurs in supporting the audit.
13. Liability
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Law.
14. Conflicts and term
In the event of a conflict between this DPA and any other part of the Agreement, this DPA prevails with respect to the processing of Personal Data. This DPA terminates automatically when the Agreement terminates and DocFast has completed its obligations under section 11.
15. Governing law
This DPA is governed by the law of the Netherlands. Any dispute will be submitted to the exclusive jurisdiction of the competent court in The Hague, in accordance with section 15 of the Terms of Service.
Annex I — Details of processing
- Subject matter, nature, purpose, duration: as set out in section 3.
- Categories of data subjects and Personal Data: as set out in section 4.
- Frequency of processing: continuous, for the term of the Agreement.
- Controller: Customer, as identified in the Agreement.
- Processor: DocFast.
- Sub-processors: as listed in the Privacy Policy, section 3.
Annex II — Technical and organisational measures
DocFast applies the following measures, reviewed and updated as needed:
- Encryption: TLS 1.2+ for data in transit; AES-256 for data at rest in storage and database layers.
- Access control: role-based access, least-privilege IAM, MFA on administrative accounts, audit logging on infrastructure operations.
- Network security: private networking for internal services, public endpoints behind WAF / rate-limiting, current TLS configuration.
- Pseudonymisation and segregation: logical separation between Customer tenants; customer identifiers used in logs in place of free-text content where feasible.
- Resilience: regular automated backups, restore tests, container-level health checks, failover for the database layer through PlanetScale.
- Vulnerability management: dependency scanning, timely patching, periodic security review of code changes.
- Personnel: confidentiality undertakings, training on data-protection and security responsibilities, access provisioned only on a need-to-know basis.
- Sub-processor oversight: written data-processing agreements with all Sub-processors, periodic review of their security posture.
- Incident response: documented breach-response procedure, on-call rotation, post-incident review.
Annex III — Transfer mechanisms
Where the SCCs apply, the parties have selected:
- Module: Module Two (controller to processor) or Module Three (processor to processor), as the case may be.
- Clause 7 (Docking clause): applicable.
- Clause 9 (Sub-processors): Option 2 (general authorisation), with the 7-day notice period in section 7 of this DPA.
- Clause 11 (Redress): the optional independent dispute-resolution body is not selected.
- Clause 17 (Governing law): the law of the Netherlands.
- Clause 18 (Forum): the courts of The Hague, the Netherlands.
- Annex I.A (Parties): Customer as data exporter and Controller; DocFast as data importer and Processor.
- Annex I.B (Description of transfer): as set out in Annex I above.
- Annex II (Security measures): as set out in Annex II above.
- Annex III (Sub-processors): as referenced in section 7.