Data Processing Addendum

Overview

DocGovernance acts as a data processor when processing personal data on behalf of customers (controllers) in the course of providing the DocGovernance service. This Data Processing Addendum (DPA) governs that processing relationship in compliance with Article 28 of the GDPR.

What the DPA covers

• Subject matter, nature, and purpose of processing
• Categories of personal data processed (document content, user account data, event metadata)
• Categories of data subjects (your employees, contractors, and document authors)
• Duration of processing (per your subscription and retention policy)
• Technical and organizational security measures
• Subprocessor obligations and notification requirements
• Data subject rights assistance obligations
• Deletion and return of data on termination
• Audit rights
• Standard Contractual Clauses (SCCs) for transfers outside the EEA where applicable

Subprocessors

DocGovernance uses a limited number of subprocessors for cloud infrastructure, transactional email, and error monitoring. A current list is provided as part of the DPA and updated with 30 days' notice of changes. Customers have the right to object to new subprocessors.

Security measures

The DPA incorporates our technical and organizational security measures including: TLS encryption in transit, encryption at rest, tenant isolation, access controls, Ed25519 signing, SHA-256 integrity verification, vulnerability management, incident response, and backup/recovery procedures.

Audit rights

Business and Enterprise customers may request evidence of compliance (documentation, certifications) once per year. On-site audits are available to Enterprise customers under a confidentiality agreement.