Data Processing Addendum

Last Updated: March 19, 2026

This Data Processing Addendum forms part of the governing agreement between DocuProof and the customer and applies where DocuProof processes personal data on behalf of the customer in connection with the Services.

This Data Processing Addendum (“DPA”) forms part of, and is incorporated into, the Terms of Service, Master Services Agreement, Order Form, or other written or electronic agreement between [Company Legal Name] d/b/a DocuProof (“DocuProof,” “Processor,” “Service Provider,” or “Contractor,” as applicable) and the customer entity agreeing to this DPA (“Customer,” “Controller,” or “Business,” as applicable) (the “Agreement”).

This DPA applies where DocuProof Processes Personal Data on behalf of Customer in connection with the Services.

In the event of a conflict between this DPA and the Agreement, this DPA controls with respect to the Processing of Personal Data.

1. Definitions

For purposes of this DPA:

“Applicable Privacy Law” means all laws, regulations, and binding regulatory requirements applicable to the Processing of Personal Data under the Agreement, including, where applicable, the GDPR, UK GDPR, Swiss data protection law, PIPEDA, and applicable U.S. state privacy laws.

“Business,” “Controller,” “Processor,” “Service Provider,” “Contractor,” “Consumer,” “Sale,” “Share,” and “Sensitive Personal Information” have the meanings given under Applicable Privacy Law, to the extent such law applies.

“Customer Personal Data” means Personal Data Processed by DocuProof on behalf of Customer in connection with the Services, excluding data for which DocuProof acts as an independent controller/business as described in Section 4.

“Data Subject” means the identified or identifiable individual to whom Personal Data relates.

“Personal Data” or “Personal Information” means information defined as personal data, personal information, or equivalent under Applicable Privacy Law.

“Process” or “Processing” means any operation performed on Personal Data, including access, collection, recording, organization, storage, hashing, structuring, alteration, retrieval, use, disclosure, transmission, analysis, restriction, deletion, or destruction.

“Security Incident” means a confirmed breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data Processed by DocuProof. Security Incidents do not include unsuccessful attempts or activities that do not compromise Customer Personal Data, such as pings, scans, denied login attempts, or other network attacks.

“Subprocessor” means any third party engaged by DocuProof to Process Customer Personal Data on behalf of Customer.

2. Scope and Order of Precedence

This DPA applies only to the extent DocuProof Processes Customer Personal Data on behalf of Customer in providing the Services.

The parties acknowledge that, depending on the circumstances, Customer may act as a Controller or Business, and DocuProof may act as a Processor, Service Provider, or Contractor.

This DPA does not apply to Processing where DocuProof acts as an independent controller/business, such as for its own account administration, billing, security, fraud prevention, service improvement using non-Customer data, legal compliance, or other purposes expressly permitted by the Agreement and Applicable Privacy Law.

3. Roles of the Parties

Customer is responsible for determining the purposes and means of the Processing of Customer Personal Data to the extent required by Applicable Privacy Law.

Customer represents and warrants that it has provided all notices and obtained all rights, consents, permissions, and other lawful bases required for DocuProof to Process Customer Personal Data in accordance with the Agreement and this DPA.

DocuProof will Process Customer Personal Data only as a Processor, Service Provider, or Contractor on behalf of Customer, except where DocuProof acts as an independent controller/business as described in Section 4.

4. DocuProof Independent Processing

The parties acknowledge that DocuProof may Process certain Personal Data as an independent controller/business for limited purposes such as:

account creation and administration;

billing, payment, and collections;

fraud prevention, abuse prevention, and platform security;

legal compliance and responding to lawful requests;

internal business operations related to the provision of the Services;

maintaining system logs and records necessary to secure and operate the platform; and

other purposes expressly identified in the Privacy Policy or Agreement, to the extent permitted by law.

For clarity, this DPA governs only Customer Personal Data that DocuProof Processes on behalf of Customer.

5. Processing Details

The subject matter, nature, purpose, duration, categories of data, and categories of Data Subjects are described in Exhibit A.

6. Customer Instructions

DocuProof will Process Customer Personal Data only on documented instructions from Customer, including as set out in the Agreement, this DPA, Customer’s configuration and use of the Services, and other written instructions agreed by the parties, unless otherwise required by applicable law. GDPR requires processor contracts to provide that the processor acts only on documented instructions from the controller.

If DocuProof believes an instruction violates Applicable Privacy Law, DocuProof may notify Customer and suspend the affected Processing until the issue is resolved.

Customer is solely responsible for the accuracy, quality, legality, and means by which it acquired Customer Personal Data.

7. Confidentiality

DocuProof will ensure that persons authorized to Process Customer Personal Data are subject to appropriate confidentiality obligations, whether contractual or statutory, and receive appropriate privacy and security training relevant to their responsibilities. GDPR Article 28 requires processors to ensure persons authorized to process personal data are committed to confidentiality.

8. Security Measures

DocuProof will implement and maintain appropriate technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access, taking into account the nature of the data, the risks involved, and the state of the art.

Such measures may include, as appropriate:

access controls and role-based permissions;

authentication controls;

encryption in transit and, where appropriate, at rest;

logging and monitoring;

environment segregation;

vulnerability management;

backup and recovery controls;

incident response procedures; and

vendor and infrastructure security controls.

A description of current security measures may be set out in Exhibit B or made available separately by DocuProof. GDPR requires processors to implement appropriate security measures, and Canadian guidance similarly expects organizations outsourcing processing to provide a comparable level of protection through contractual or other means.

DocuProof may update security measures from time to time, provided such updates do not materially reduce the overall security of the Services.

9. Security Incident Notification

DocuProof will notify Customer without undue delay after becoming aware of a confirmed Security Incident involving Customer Personal Data.

To the extent available at the time of notification, DocuProof’s notice will include:

the nature of the Security Incident;

the categories of affected Customer Personal Data, where known;

the likely consequences, where reasonably assessable; and

the measures taken or proposed to address the Security Incident.

DocuProof will take reasonable steps to contain, investigate, and mitigate the Security Incident and will provide reasonably requested information necessary for Customer to meet its legal obligations.

DocuProof’s notification of or response to a Security Incident is not an admission of fault or liability.

10. Subprocessors

Customer grants DocuProof a general authorization to engage Subprocessors to Process Customer Personal Data, provided that DocuProof:

imposes data protection obligations on the Subprocessor that are substantially equivalent to those set out in this DPA, as required by Applicable Privacy Law; and

remains responsible for the Subprocessor’s performance of its data protection obligations to the extent required by law.

GDPR requires processors engaging subprocessors to obtain authorization and flow down the same data protection obligations by written contract.

DocuProof may maintain a current list of Subprocessors on its website or make it available upon request.

If Customer reasonably objects to a new Subprocessor on legitimate data protection grounds, the parties will work in good faith to address the objection. If the objection cannot be resolved, DocuProof may, at its option, provide a commercially reasonable alternative or permit Customer to terminate the affected Services.

11. Assistance with Data Subject Requests

Taking into account the nature of the Processing, DocuProof will provide reasonable assistance to Customer, through appropriate technical and organizational measures where possible, to help Customer respond to requests from Data Subjects exercising rights under Applicable Privacy Law.

If DocuProof receives a Data Subject request relating to Customer Personal Data directly, DocuProof may, to the extent legally permitted, either:

refer the request to Customer;

notify Customer of the request; or

respond only on Customer’s documented instructions.

California guidance notes that service providers are treated differently than the businesses they serve, and direct consumer requests may need to be handled by the business rather than the service provider.

12. Assistance with Compliance Obligations

Taking into account the nature of the Processing and information available to DocuProof, DocuProof will provide reasonable assistance to Customer in relation to:

security of Processing;

personal data breach notifications;

data protection impact assessments; and

consultations with supervisory authorities or regulators,

where required by Applicable Privacy Law and where Customer cannot reasonably fulfill such obligations without DocuProof’s assistance.

13. Audits and Information Rights

DocuProof will make available to Customer information reasonably necessary to demonstrate compliance with this DPA.

Where required by Applicable Privacy Law, Customer may conduct an audit, or have an independent third-party auditor bound by confidentiality conduct an audit, subject to the following conditions:

Customer must provide reasonable prior written notice;

audits must occur no more than once annually, unless required by law or following a Security Incident;

audits must occur during normal business hours and in a manner that minimizes disruption;

Customer may not access information relating to other customers or DocuProof confidential information not relevant to the audit;

Customer must bear its own audit costs and reimburse DocuProof’s reasonable costs where permitted by law.

DocuProof may satisfy audit obligations by providing recent third-party audit reports, certifications, summaries, penetration test summaries, or other comparable documentation where appropriate.

14. Deletion and Return of Data

Upon termination or expiration of the Services, and upon Customer’s written request, DocuProof will, subject to the Agreement and Applicable Privacy Law, delete or return Customer Personal Data in its possession or control, unless storage is required by law.

If return or deletion is not technically feasible for certain data in backup systems or archives, DocuProof may retain that data until deletion is feasible, provided such retained data remains protected in accordance with this DPA and is not further Processed except as required by law.

Customer acknowledges that some metadata, logs, billing records, security records, and legal compliance records may be retained by DocuProof as an independent controller/business where permitted or required by law.

15. International Transfers

Customer authorizes DocuProof and its Subprocessors to Process Customer Personal Data in the jurisdictions in which DocuProof and its Subprocessors operate, subject to appropriate safeguards required by Applicable Privacy Law.

Where GDPR, UK GDPR, or Swiss law applies and Customer Personal Data is transferred to a country not recognized as providing an adequate level of protection, the parties agree that the applicable Standard Contractual Clauses or other valid transfer mechanism will apply and are incorporated by reference as follows:

for EEA transfers, the European Commission’s Standard Contractual Clauses;

for UK transfers, the UK International Data Transfer Addendum or other valid UK transfer mechanism;

for Swiss transfers, the SCCs as adapted for Swiss law where required.

The parties will complete relevant annexes or schedules as reasonably necessary.

The European Commission has stated that the SCCs may be used to satisfy both transfer requirements and, where applicable, Article 28 processor-contract requirements.

16. U.S. State Privacy Terms

To the extent applicable U.S. state privacy law applies to Customer Personal Data Processed by DocuProof on behalf of Customer:

DocuProof is acting solely as a Service Provider or Contractor, and not as a Third Party, with respect to such Customer Personal Data;

DocuProof will not Sell or Share Customer Personal Data;

DocuProof will not retain, use, or disclose Customer Personal Data for any purpose other than for the specific business purposes set out in the Agreement and this DPA, or as otherwise permitted by Applicable Privacy Law;

DocuProof will not retain, use, or disclose Customer Personal Data outside the direct business relationship between the parties, except as permitted by law;

DocuProof will comply with applicable restrictions on combining Customer Personal Data with personal information received from other sources, except as allowed by law;

DocuProof will provide the level of privacy protection required by Applicable Privacy Law;

Customer has the right to take reasonable and appropriate steps to help ensure that DocuProof uses Customer Personal Data in a manner consistent with Customer’s obligations under Applicable Privacy Law;

DocuProof will notify Customer if it determines that it can no longer meet its obligations under this Section; and

upon notice, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Customer Personal Data.

California regulations require service provider and contractor contracts to include use restrictions and compliance commitments of this kind.

17. Canadian Privacy Terms

To the extent PIPEDA or similar Canadian law applies, the parties acknowledge that Customer remains responsible for personal information under its control, including where it is transferred to DocuProof for processing, and that contractual or other means should be used to provide a comparable level of protection while the information is being processed by DocuProof.

DocuProof will Process Customer Personal Data only for the purposes of providing the Services and in accordance with Customer’s instructions, subject to applicable law.

18. Cooperation with Regulators

Where legally required and appropriate to the Processing performed under this DPA, DocuProof will provide reasonable cooperation to Customer in responding to inquiries from supervisory authorities or regulators relating to Customer Personal Data Processed under this DPA.

19. Liability

The liability of each party arising under or in connection with this DPA is subject to the exclusions and limitations of liability set out in the Agreement, unless Applicable Privacy Law requires otherwise.

20. Term and Termination

This DPA remains in effect for as long as DocuProof Processes Customer Personal Data on behalf of Customer under the Agreement.

21. Governing Law

This DPA is governed by the governing law and dispute resolution provisions set out in the Agreement, except to the extent a specific transfer mechanism or mandatory law requires otherwise.

22. Miscellaneous

If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in effect.

This DPA may be updated by DocuProof where reasonably necessary to reflect changes in Applicable Privacy Law, provided any such update does not materially reduce the protections afforded to Customer Personal Data except where required by law.

Exhibit A

Details of Processing

1. Subject Matter

Provision of DocuProof’s digital evidence capture, verification, storage-agnostic processing, chain-of-custody, reporting, portal, integration, and support services.

2. Nature of Processing

Collection, access, storage, organization, hashing, timestamping, indexing, structuring, retrieval, transmission, review, export, deletion, hosting, support, security monitoring, and other Processing necessary to provide the Services.

3. Purpose of Processing

To provide the Services to Customer, including evidence capture, file verification, chain-of-custody records, certificate generation, workflow management, integration with third-party systems, support, security, and related service functionality.

4. Duration

For the duration of the Agreement, plus any post-termination period during which DocuProof retains Customer Personal Data in accordance with the Agreement, this DPA, and Applicable Privacy Law.

5. Categories of Data Subjects

May include:

Customer personnel, administrators, and users;

claimants, insureds, witnesses, policyholders, customers, counterparties, and other individuals whose records are submitted by Customer;

email correspondents, message participants, and document authors;

vendors, contractors, and service providers;

website visitors and support contacts.

6. Categories of Personal Data

May include:

identifiers and contact details;

account and organization information;

communications content and metadata;

uploaded files, documents, images, and attachments;

timestamps, audit events, and verification metadata;

device, log, and usage data;

billing and transaction metadata;

any other Personal Data submitted by or on behalf of Customer through the Services.

7. Special Categories / Sensitive Data

Only to the extent submitted by or on behalf of Customer and permitted by the Agreement and Applicable Privacy Law.

Exhibit B

Security Measures

DocuProof maintains administrative, technical, and organizational safeguards that may include, as appropriate:

role-based access controls and least-privilege access;

unique user authentication and credential management;

encryption in transit using current industry-standard protocols;

encryption at rest where appropriate to the service architecture;

logging, monitoring, and alerting for security-relevant events;

secure software development and change management processes;

vulnerability and patch management procedures;

backup, resilience, and disaster recovery controls;

incident response and escalation procedures;

vendor management and subprocessor review processes;

workforce confidentiality obligations and security awareness measures;

data segregation mechanisms in multi-tenant environments where applicable.

Optional Signature Block

Customer

Legal Name: __________________________

By: _________________________________

Name: _______________________________

Title: ________________________________

Date: ________________________________

DocuProof / [Company Legal Name]

By: _________________________________

Name: _______________________________

Title: ________________________________

Date: ________________________________