Data Processing Agreement

BETWEEN
Documotor ApS
Wilders Plads 15A
1403 Copenhagen K
Denmark
("Documotor")

AND
Each individual Documotor Customer or Partner that Documotor processes data for, holding a valid software as a service contract directly with Documotor, and that has not otherwise entered into a valid data processor agreement with Documotor.
(the “Customer”)

  1. INTRODUCTION

    1. This Data Processing Agreement (“DPA”) specifies the Parties’ data protection obligations which arise from Documotor's processing of Personal Data on behalf of Customer under the order form, service agreement or other agreement between the Parties (“the Agreement”). All capitalised terms not defined in this DPA shall have the meaning set forth in the Agreement.

    2. The DPA is adopted as an appendix to the Agreement. In the event that any provision of this DPA is inconsistent with any term of the Agreement, the DPA will prevail. If and to the extent the Standard Contractual Clauses conflict with any provision of the Agreement or the DPA, the Standard Contractual Clauses shall prevail to the extent of such conflict.

    3. If Applicable Data Protection Law is amended, replaced or repealed, the parties shall, where necessary, negotiate in good faith a solution to enable the processing of Personal Data to be conducted in compliance with Applicable Data Protection Law.

  2. PURPOSE, SCOPE AND RESPONSIBILITIES

    1. Documotor shall only process personal data in accordance with the terms of this DPA.

    2. The parties agree Customer is the Data Controller of Customer Personal Data. Documotor is the Data Processor of Customer Personal Data, except where Documotor acts as a Data Controller processing Customer Personal Data in accordance with Section 2.9.

    3. Documotor shall process Customer Personal Data for the limited purpose of performing the obligations set out under the Agreement and only in accordance with Customer's lawful instructions or otherwise necessary to comply with Applicable Data Protection Law. Data may, for that purpose, be processed by any of Documotor’s entities in accordance with Section 7.

    4. Customer shall ensure that its instructions to Documotor comply with all laws and regulations applicable to Customer Personal Data, and that the processing of Customer Personal Data following Customer's instructions will not cause Documotor to be in breach of Applicable Data Protection Law. Customer is solely responsible for the accuracy, quality and legality of Customer Personal Data provided to Documotor in accordance with this DPA.

    5. Personal Data processed by Documotor shall include such actions as may be specified in the Agreement. Further data processing outside the scope set out in this Section 2 shall require mutual written agreement of the parties.

    6. If Documotor becomes aware that any instruction given by Customer breaches Applicable Data Protection Law, Documotor shall immediately inform Customer of this, giving details of the breach or potential breach.

    7. The term of this DPA shall continue until the later of the following: the termination of the Agreement or the date at which Documotor ceases to process Personal Data for Customer.

    8. Unless explicitly required by the Customer, data processed by Documotor will not include financial data or Sensitive Data.

    9. The parties acknowledge and agree that Documotor may process Customer Personal Data for its own legitimate business operations as independent Data Controller, provided the data processing is limited to one of the following purposes: i) billing and account management; ii) internal reporting; iii) fraud and cyber-attacks prevention pertaining to the provision of the Services; iv) optimisation and maintenance of the Services; and v) compliance with legal and tax requirements.

    10. The types and categories of Customer Personal Data processed by Documotor, and the purpose of such processing, are set out in Exhibit 1.

  3. OBLIGATIONS OF DOCUMOTOR AS DATA PROCESSOR

    1. Documotor warrants that it will:

      i) comply with Applicable Data Protection Law relevant to Documotor's obligations under the Agreement;

      ii) implement appropriate technical and organizational measures in such a manner that processing will meet the requirements of Applicable Data Protection Law and ensure the protection of the rights of the data subjects; and

      iii) make available to Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA; and reasonably cooperate with any audits performed by Customer or its independent auditor, at Customer’s own expense and no more than once a year, of facilities under the control of Documotor, in accordance with Section 10.2 of the Agreement.

  4. TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES

    1. Documotor will implement and maintain throughout the term of the DPA and will procure its Sub-processors to implement and maintain through the term of the DPA, the appropriate technical and organizational security measures to protect Personal Data against accidental or unlawful destruction, loss, damage or alteration and against unauthorized disclosure, abuse or other processing in violation of the requirements of Data Protection Law.

    2. Documotor will ensure that it and its Sub-processors will at all times comply with the minimum data security requirements set out in Exhibit 2, which may, from time to time, be updated, provided that such updates and modifications do not degrade or diminish the overall security of the Services.

    3. Customer has evaluated the security measures implemented by Documotor and agrees that they provide an appropriate level of protection for Customer Personal Data.

  5. PERSONNEL

    1. Documotor shall ensure that any personnel required to access Customer Personal Data have committed themselves to the obligation of confidentiality set out in the Agreement or are under a statutory obligation of confidentiality.

    2. Documotor shall ensure that its personnel required to access Customer Personal Data are informed of the confidential nature of Customer Personal Data and the security procedures applicable to the processing of or access to Customer Personal Data.

    3. Documotor’s personnel’s confidentiality obligations will survive the termination of the personnel engagement and the term of this DPA.

  6. ASSISTANCE TO THE CUSTOMER AS DATA CONTROLLER

    1. Documotor shall provide reasonable and timely assistance, by appropriate technical and organizational measures, to Customer to enable them to respond to: (i) any request from a data subject to exercise any of its rights under Applicable Data Protection Law (including its rights of access, correction, objection, erasure and data portability, as applicable); and (ii) any other correspondence, enquiry or complaint received from a data subject, Regulator or other third party in connection with the processing of the Personal Data. In the event that any such request, correspondence, enquiry or complaint is made directly to Documotor, Documotor shall promptly inform Customer providing full details of the same, unless prohibited by the applicable law.

    2. Documotor shall reasonably assist Customer with its obligation to conduct any data protection impact assessment required by Applicable Data Protection Law.

  7. SUB-PROCESSORS

    1. The Sub-processors, approved by Customer, are listed in Exhibit 4. Customer hereby gives a general authorization for the engagement of additional Sub-processors for the purpose of performing its obligations under the Agreement, provided Documotor shall:

    2. If Customer objects to such new Sub-processor on reasonable grounds within 30 days of receiving notice, the parties shall negotiate in good faith to find an alternative solution. If such alternative solution cannot be found and Documotor decides to proceed with such Sub-processor, Customer may terminate the Agreement with 30 days prior written notice. Neither of the Parties shall be considered in breach of contract in the event of such termination. Customer acknowledges that Documotor provides a standardized service to all customers which does not allow using different Sub-processors for different customers and, therefore, that the inability to use a particular new or replacement Sub-processor for the Services to the Customer may result in delay in performing the Services, inability to perform the Services or increased fees. Documotor will notify Customer in writing of any change to Services or fees that would result from Documotor’s inability to use a new or replacement Sub-processor to which Customer has reasonably objected. If Customer does not object to a new Sub-processor's engagement within 30 days, that new Sub-processor shall be deemed accepted.

    3. Documotor shall be liable for the acts or omissions of its Sub-processors to the same extent that Documotor would be liable if performing the Services of each Sub-processor directly under the terms of this DPA.

  8. TRANSFER OF DATA TO THIRD COUNTRIES OR INTERNATIONAL ORGANIZATIONS

    1. Customer acknowledges and agrees that Documotor may transfer and process Customer Personal Data to its authorized Sub-processors in third countries for the provision of the Services. Any transfer of Personal Data to third countries or international organizations by Documotor shall always take place in compliance with EU Data Protection Law, UK Data Protection Law and this DPA.

    2. Any transfer of Customer Personal Data made from EEA, Switzerland or United Kingdom to a Restricted Country will be subject to the Standard Contractual Clauses (together with the UK Addendum, where UK Data Protection Law applies) and any other supplementary measures required to enable the lawful transfer of Customer Personal Data. The Parties agree to promptly undertake to amend this DPA if necessary to incorporate an updated data transfer mechanism to maintain compliance with EU Data Protection Law and UK GDPR.

    3. If any Customer Personal Data originates from any country (other than an EEA country) with one or more laws imposing data transfer restrictions or prohibitions and Customer has informed Documotor of such data transfer restrictions or prohibitions, Customer and Documotor shall ensure an appropriate transfer mechanism (satisfying the country’s data transfer requirements) is in place, as reasonably requested by Customer and mutually agreed upon by both Parties, before transferring or accessing Customer’s Data outside of such country. For the avoidance of doubt, this transfer restriction does not apply to Customer’s or its Affiliates’ Authorized Users who have access to the Services and Customer Data, and Documotor shall not be held responsible for actions of Customer or its Affiliates’ Authorized Users. Neither Customer nor its Authorized Users shall be entitled to use the Services in any country with data localization laws that would require Customer’s environment to be hosted in said country.

  9. OBLIGATIONS OF THE CUSTOMER

    1. Customer and Documotor will be separately responsible for conforming with Applicable Data Protection Law, as applicable to each.

    2. Customer will inform Documotor in writing without undue delay following Customer’s discovery of a failure to comply with Applicable Data Protection Law with respect to the processing of Personal Data in accordance with this DPA.

    3. Customer shall be responsible for providing accurate and relevant contact details at the time of entering into the Agreement and thereafter to assist with Documotor’s notification obligations.

    4. Customer represents and warrants it has provided and will continue to provide all notices and has obtained and will continue to obtain all consents and rights required under Applicable Data Protection Law for Templafy to process Customer Personal Data for the purposes of this Agreement.

  10. NOTIFICATION OF DATA BREACH

    1. Documotor shall without undue delay, and no later than 48 hours, notify Customer in writing of any identified Data Breach.

    2. The notification referred to in section 10.1. will, to the extent possible:

      a) describe the nature of the Data Breach including the categories and approximate number of data subjects concerned and the categories and approximate amount of Personal Data impacted,

      b) provide the Documotor contact details where more information can be obtained,

      c) describe the likely consequences of the Data Breach, and

      d) describe the measures taken or proposed to be taken by Documotor to address the Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

  11. ADDITIONAL ASSIGNMENTS

    1. In respect of tasks assigned to Documotor, that are not an obligation under this DPA and go beyond Documotor’s statutory obligations, Documotor shall be entitled to charge Customer for the additional resources, time, and material necessary to fulfill the required task(s), unless such services are already included in the Services provided under the Agreement.

    2. Documotor will notify Customer in advance of such additional charges and, to the extent possible, provide Customer with a quote of the expected costs.

    3. If Customer does not agree to the costs, Documotor is not required to perform the additional assignment.

  12. DELETION AND RETURN OF PERSONAL DATA

    1. Following the expiration or earlier termination of the Agreement, Documotor will retain Customer Data in a limited function account, securely isolated and protected from any further processing, for 90 days. Once the 90-day retention period ends, Documotor shall disable Documotor’s account and delete all Customer Personal Data associated with it, or irreversibly anonymise them in such a manner that the data subject is not identifiable, unless Documotor is permitted or required by applicable law, or authorized under this DPA, to retain such data. At all times during the term of the Agreement, Customer will have the ability to access, extract and delete Customer Personal Data stored in its tenant.

    2. Upon Customer’s request, Documotor shall certify in writing the destruction or complete anonymisation of Customer Personal Data.

  13. LAW ENFORCEMENT REQUESTS

    1. If a court, law enforcement authority or intelligence agency contacts Documotor with a demand for Customer Personal Data, Documotor will first assess if it is a legitimate order. If compelled to disclose or provide access to any Customer Personal Data to law enforcement, Documotor will promptly notify Customer and provide a copy of the request, unless legally prohibited from doing so.

    2. Documotor shall only cooperate with the issued request or order if legally obliged to do so and, where possible, Documotor shall judicially object to the request or order or the prohibition to inform Customer about this or to follow the instructions of Customer. Documotor shall not provide more Customer Personal Data than is strictly necessary for complying with the request or order.

  14. JURISDICTION SPECIFIC TERMS

    1. To the extent Documotor processes Personal Data originating from and protected by Applicable Data Protection Law in one of the jurisdictions listed in Exhibit 3 (Jurisdiction Specific Terms) of this DPA, the terms specified in Exhibit 3 with respect to the applicable jurisdiction(s) apply in addition to the terms of this DPA.

  15. LIABILITY

    1. Each party's liability for one or more breaches of this DPA shall be subject to the limitations and exclusions of liability set out in the Agreement.

  16. LEGAL VENUE AND APPLICABLE LAW

    1. This DPA shall be governed by Danish Law.

    2. Any claim or dispute arising from or in connection with this DPA must be settled by the Copenhagen City Court as first instance.

  17. DEFINITIONS

    1. The terms “Data Controller”, “Data Processor”, “data subject”, “processing” and “process” shall have the meaning given in Applicable Data Protection Law.

      “Applicable Data Protection Law” means any applicable law that applies to each party in any territory in which they process Personal Data and which relates to the protection of individuals with regard to the processing of Personal Data and privacy rights, and may include EU Data Protection Laws, UK Data Protection Laws, Canada's Personal Information Protection and Electronic Documents Act (“PIPEDA”), the California Consumer Privacy Act, as amended by the California Privacy Rights Act of 2020 and its implementing regulation (“CCPA”); the Privacy Act 1988 (Cth) of Australia, as amended (“Australian Privacy Law”), Virginia’s Consumer Data Protection Act (“VCDPA”); the Colorado Privacy Act (“CPA”); Connecticut’s Act Concerning Data Privacy and Online Monitoring (“CTDPA”), and the Utah Consumer Privacy Act (“UCPA”).

      “Customer Personal Data” means the Personal Data that is generated by or provided to Documotor by, or on behalf of, Customer through use of the Services.

      “Data Breach” means a breach of security which results in the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data processed by Documotor.

      “EU Data Protection Laws” means all data protection laws and regulations applicable to the European Economic Area (“EEA”) and Switzerland, including the General Data Protection Regulation 2016/679 (“GDPR”) and supplementing data protection law of the European Union Member States, the ePrivacy Directive 2002/58/EC (the “Directive”), together with any European Union Member national law implementing the Directive and the Swiss Federal Data Protection Act (“Swiss DPA”).

      “Personal Data” means any information defined under Applicable Data Protection Law as “personal data”, “personal information”, “personally identifiable information” or any other similar term relating to an identifier of an identifiable natural person.

      “Regulator” means any local, national, or multinational agency, department, official, public or statutory person, or any regulatory or supervisory authority for administering, providing guidance on, supervising, and enforcing Applicable Data Protection Law.

      “Restricted Country” means a country, territory, or jurisdiction which (i) when GDPR applies, is not covered by an adequacy determination by the European Commission, as described under the GDPR, (ii) when Swiss DPA applies, is not included on the list of adequate jurisdictions published by the Swiss Regulator or (iii) when UK Data Protection Law applies, is not recognized as providing an adequate level of protection for Personal Data pursuant to Section 17A of the UK GDPR.

      “Sensitive data” means any (i) special categories of Personal Data defined under EU Data Protection Law and UK Data Protection Law, (ii) data relating to criminal convictions and offenses defined under EU Data Protection Law and UK Data Protection Law or (iii) within the definition of “sensitive personal information” under the CCPA.

      “Standard Contractual Clauses” means: (i) where the GDPR applies, the contractual clauses annexed to the European Commission’s Implementing Decision 2021/914 of 4 June 2021 on standard contractual clauses for the transfer of Personal Data to third countries (“EU SCCs”) and (ii) where the Swiss DPA applies, the standard data protection clauses issued, approved or otherwise recognized by the Swiss Regulator (“Swiss SCCs”), each as amended, supplemented or replaced from time to time.

      “Sub-processor” means any Documotor Affiliate and any sub-contractor engaged by Templafy in the processing of Customer Personal Data under the terms of the Agreement and this DPA.

      “UK Addendum” means the UK Addendum issued by the United Kingdom Regulator under section 119A(1) of the Data Protection Act 2018, being an addendum to the Standard Contractual Clauses.

      “UK Data Protection Law” means all data protection laws and regulations applicable to the United Kingdom, including the United Kingdom's Data Protection Act 2018 and the GDPR as incorporated into United Kingdom law by virtue of Section 3 of the United Kingdom's European Union (Withdrawal) Act 2018 (“UK GDPR”), each as amended, supplemented or replaced from time to time.

  18. Obtaining a signed copy

EXHIBIT 1: INFORMATION ABOUT THE PROCESSING

  1. The purpose of the data processor’s processing of Personal Data on behalf of the data controller is:

    Documotor is a software development company, assigned by Customer to make available to Customer software as a service for supporting the creation of business documents. The content of this DPA reflects the limited amount of Personal Data Documotor handles for the Customer.

  2. The data processor’s processing of Personal Data on behalf of the data controller shall mainly pertain to (the nature of the processing):

    The provision of the Services by Documotor to Customer.

  3. The processing includes the following types of Personal Data about data subjects:

    Name, business e-mail address; as well as documents, images, and other content or data in electronic form stored or transmitted by End Users via the Services.

  4. The processing includes the following type of Sensitive data about data subjects:

    None.

  5. Processing includes the following categories of data subject:

    Customer’s employees.
    Or as determined by Customer through their use of the Documotor Service.

  6. The data processor’s processing of personal data on behalf of the data controller may be performed when the Clauses commence. Processing has the following duration:

    Personal data is stored with Documotor until the Customer requests that the data be erased or returned, pursuant to Section 12.1 of this DPA.

EXHIBIT 2: DESCRIPTION OF MINIMUM DATA SECURITY

  1. Physical Access Controls

    Documotor shall take reasonable measures to prevent physical access, such as secured buildings, to prevent unauthorized persons from gaining access to Personal Data.

  2. System Access Controls

    Documotor shall take reasonable measures to prevent Personal Data from being used without authorization. These controls shall vary based on the nature of the processing undertaken and may include, among other controls, authentication via passwords and/or two-factor authentication, documented authorization processes, documented change management processes, and/or logging of access on several levels.

  3. Data Access Controls

    Documotor shall take reasonable measures to ensure that Personal Data is accessible and manageable only by properly authorized staff, direct database query access is restricted and application access rights are established and enforced to ensure that persons entitled to use a data processing system only have access to the Personal Data to which they have privilege of access; and that Personal Data cannot be read, copied, modified or removed without authorization in the course of processing. Documotor shall take reasonable measures to implement an access policy under which access to its system environment, to Personal Data, and other data is by authorized personnel only.

  4. Transmission Controls

    Documotor shall take reasonable measures to ensure that it is possible to check and establish to which entities the transfer of Personal Data by means of data transmission facilities is envisaged so Personal Data cannot be read, copied, modified or removed without authorization during electronic transmission or transport.

  5. Input Controls

    Documotor shall take reasonable measures to ensure that it is possible to check and establish whether and by whom Personal Data has been entered into data processing systems, modified, or removed. Documotor shall take reasonable measures to ensure that (i) the personal data source is under the control of the data exporter; and (ii) Personal Data integrated into Documotor’s systems is managed by secured file transfer from Documotor and data subject.

EXHIBIT 3: JURISDICTION SPECIFIC TERMS

  1. California (CCPA):

    1. The definition of “data subject” includes “Consumer” as defined under CCPA. Any data subject rights, as set forth in Section 6 of this DPA, apply to Consumer rights.

    2. The definition of “Data Controller” includes “Business” as defined under CCPA. The definition of “Data Processor” includes “Service Provider” as defined under CCPA.

    3. Documotor will process, retain, use, and disclose Personal Data only as necessary to provide the Services under the Agreement. Documotor agrees not to (a) sell or share (as defined by the CCPA) Customer’s Personal Data; (b) retain, use, or disclose Customer’s Personal Data for any commercial purpose (as defined by the CCPA) other than providing the Services; (c) retain, use, or disclose Customer’s Personal Data outside of the scope of the Agreement.

    4. Documotor may deidentify (as defined by the CCPA) Customer Personal Data as part of performing the Services in the Agreement, in accordance with the limitation on Service Providers under the CCPA. Documotor shall not re-identify any Customer deidentified Data.

    5. Documotor certifies that its Sub-processors, as set forth in Section 7 of this DPA, are Service Providers under CCPA, with whom Documotor has entered into a written contract that includes terms substantially similar to this DPA.

    6. If Documotor becomes aware that it can no longer meet any of its obligations under the CCPA, Documotor shall immediately notify Customer.

EXHIBIT 4: LIST OF DOCUMOTOR SUB-PROCESSORS