Docmods

Data Processing Agreement

Last updated: February 5, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between Docmods, Inc. ("Processor", "we", "us") and the entity agreeing to these terms ("Controller", "you") for the processing of personal data in connection with the Docmods Service.

This DPA applies where and to the extent that the EU General Data Protection Regulation (GDPR), UK GDPR, or similar data protection laws apply to the processing of personal data.

1. Definitions

  • "Personal Data": Any information relating to an identified or identifiable natural person contained in documents uploaded to or processed by the Service.
  • "Processing": Any operation performed on Personal Data, including collection, storage, modification, retrieval, transmission, and deletion.
  • "Sub-processor": A third party engaged by Docmods to process Personal Data on behalf of the Controller.
  • "Data Subject": The individual to whom Personal Data relates.
  • "GDPR": Regulation (EU) 2016/679 of the European Parliament and of the Council.

2. Scope and Roles

  • You (Controller): Determine the purposes and means of processing Personal Data by uploading documents and directing the Service.
  • We (Processor): Process Personal Data on your behalf solely to provide the Service in accordance with your instructions.

3. Processing Details

| Detail | Description |
|---|---|
| Subject matter | AI-powered document editing, review, and management |
| Duration | For the term of your Docmods subscription |
| Nature and purpose | Processing documents to provide AI editing, track changes, comments, and related features |
| Types of Personal Data | Names, contact details, and any other personal data contained in documents you upload |
| Categories of Data Subjects | Individuals referenced in your documents (employees, clients, counterparties, etc.) |

4. Our Obligations

As Processor, we shall:

4.1 Instructions

  • Process Personal Data only on your documented instructions, including with regard to transfers outside the EEA.
  • Inform you if we believe an instruction violates applicable data protection law.

4.2 Confidentiality

  • Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations.

4.3 Security (Article 32 GDPR)

Implement appropriate technical and organizational measures, including:

  • Encryption: TLS 1.2+ in transit; encryption at rest for stored documents.
  • Isolation: Document processing in ephemeral, containerized sandboxes.
  • Access controls: Role-based access with audit logging.
  • Resilience: Infrastructure redundancy and automated failover.
  • Testing: Regular security assessments and penetration testing.
  • Incident response: Documented procedures for security incidents.

4.4 Sub-processing

  • Maintain an up-to-date list of Sub-processors (see Section 8).
  • Notify you of changes to Sub-processors at least 30 days in advance.
  • Ensure Sub-processors are bound by data protection obligations no less protective than this DPA.
  • Remain liable for Sub-processor compliance.

You may object to a new Sub-processor within 30 days of notification. If we cannot accommodate your objection, you may terminate the affected Service.

4.5 Data Subject Rights

  • Assist you in responding to Data Subject requests (access, rectification, erasure, portability, restriction, objection).
  • Notify you promptly of any Data Subject request received directly.
  • Not respond to Data Subject requests without your authorization, except as required by law.

4.6 Data Protection Impact Assessments

Provide reasonable assistance for data protection impact assessments and prior consultations with supervisory authorities, to the extent required under GDPR Articles 35 and 36.

4.7 Breach Notification

  • Notify you of any Personal Data breach without undue delay and no later than 72 hours after becoming aware.
  • Provide sufficient information for you to fulfill your breach notification obligations.
  • Cooperate with your investigation and remediation efforts.

5. Your Obligations

As Controller, you shall:

  • Ensure you have a lawful basis for processing Personal Data through the Service.
  • Provide any required notices to and obtain any required consents from Data Subjects.
  • Ensure that your instructions to us comply with applicable data protection laws.

6. International Transfers

Where Personal Data is transferred outside the EEA:

  • We rely on the European Commission's Standard Contractual Clauses (SCCs), Module 2 (Controller to Processor).
  • The SCCs are incorporated by reference into this DPA.
  • We implement supplementary measures (encryption, access controls, contractual protections) as needed based on transfer impact assessments.

7. Data Retention and Deletion

  • We process Personal Data only for the duration of the Service agreement.
  • Upon termination or your request, we will delete or return all Personal Data within 30 days.
  • We may retain data where required by law, in which case we will isolate and protect it.

8. Sub-processors

Current Sub-processors:

| Sub-processor | Purpose | Location |
|---|---|---|
| Cloudflare, Inc. | Infrastructure, CDN, sandboxed compute | United States / Global |
| Moonshot AI (Kimi) | AI model inference for document processing | China |
| Clerk, Inc. | User authentication | United States |
| Stripe, Inc. | Payment processing | United States |
| PostHog, Inc. | Product analytics | United States / EU |

We will maintain an updated list and notify you of changes via email at least 30 days in advance.

9. Audits

  • You may audit our compliance with this DPA up to once per year with 30 days' written notice.
  • Audits shall be conducted during business hours and shall not unreasonably interfere with our operations.
  • We will provide reasonable cooperation, including access to relevant documentation and personnel.
  • Where a third-party audit report (e.g., SOC 2) addresses the matters in question, we may provide that report in lieu of a direct audit.

10. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

11. Term

This DPA takes effect when you begin using the Service and remains in effect until all Personal Data is deleted or returned. Provisions that by their nature should survive (confidentiality, liability, audit rights) shall survive termination.

12. Conflict

In the event of a conflict between this DPA and the Terms of Service, this DPA shall prevail with respect to the processing of Personal Data.

13. Contact

For DPA-related inquiries:

To execute this DPA or request a signed copy, email [email protected].