1. Definitions
For the purposes of this DPA, the following terms shall have the meanings set forth below. Capitalized terms not defined herein shall have the meanings assigned to them in the Master Service Agreement.
- "Controller" means the Customer who determines the purposes and means of the processing of Personal Data.
- "Processor" means PrivateDocs AI, Inc., which processes Personal Data on behalf of the Controller.
- "Sub-Processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
- "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.
- "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including GDPR, CCPA, and successor legislation.
- "GDPR" means the General Data Protection Regulation (EU) 2016/679.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
2. Scope & Purpose of Processing
PrivateDocs AI does not process Customer documents, proprietary data, or chat queries on its own infrastructure. All such content is processed locally on the Customer's devices using the desktop application.
This DPA therefore applies only to the limited categories of Personal Data processed for account management, licensing, and billing (for example, user account details and payment metadata).
2.1 Subject Matter
Provision of customer account, license, and billing management related to the PrivateDocs AI desktop application.
2.2 Nature and Purpose
Processing is necessary to enable the Customer to create accounts, purchase and activate licenses, and receive basic product and support communications.
2.3 Types of Personal Data
The Processor may process the following categories of Personal Data:
- Account information (name, email address, login identifiers)
- Billing information (billing address, tax identifiers where applicable)
- Payment metadata (non-sensitive card details such as the last four digits, card brand, and expiration date), handled primarily by Stripe; full card numbers are not among the data categories listed here
- Support correspondence (emails or messages sent to our support channels)
2.4 Categories of Data Subjects
Personal Data may relate to the following categories of Data Subjects:
- End users of the PrivateDocs AI desktop application
- Customer billing and administrative contacts
2.5 Local Desktop Processing
All document and AI inference processing performed by the PrivateDocs AI desktop application occurs locally on the Customer's devices. For that processing, the Customer is the sole Controller and PrivateDocs AI does not act as Processor; this DPA does not apply to data processed solely on-device. The obligations, Sub-Processor list, and security measures described in this DPA apply only to Personal Data processed in connection with account, licensing, and billing functions.
3. Processor Obligations
The Processor shall:
- Process Personal Data only in accordance with documented instructions from the Controller
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality
- Implement appropriate technical and organizational measures to ensure security of Personal Data
- Engage Sub-Processors only with prior written authorization from the Controller
- Assist the Controller in responding to Data Subject requests
- Assist the Controller in ensuring compliance with Data Protection Laws
- Delete or return all Personal Data at the end of the service provision
- Make available to the Controller all information necessary to demonstrate compliance
3.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. If the Processor believes that any instruction violates Data Protection Laws, it shall immediately inform the Controller.
3.2 Confidentiality
The Processor shall ensure that all personnel authorized to process Personal Data are subject to written confidentiality obligations and receive appropriate training on Data Protection Laws.
4. Security Measures (TOMs)
The Processor has implemented and shall maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including those listed below. Measures that refer to Processor-hosted compute (Sections 4.2, 4.4, and 4.5) describe the Processor's own infrastructure; under the local desktop deployment described in Section 2.5, Customer document content is never processed on that infrastructure, and the measures relevant to that deployment are those in Sections 4.1 and 4.3.
4.1 Data Isolation & Encryption
- Customer-Side Data Residency: All Customer document content, vector embeddings, and chat history reside exclusively on the Customer's own hardware. No Personal Data from AI workloads is stored on or transmitted to Processor infrastructure.
- Native OS-Level Encryption at Rest: Data stored locally by the desktop application is protected by the Customer's operating system Full Disk Encryption (macOS FileVault or Windows BitLocker) where the Customer has enabled it. The Processor does not implement a separate application-layer encryption scheme for local data, so the Customer is responsible for enabling and managing Full Disk Encryption on devices that run the application.
- Encryption in Transit: All data transmissions between the desktop application and Processor APIs (e.g., license activation) use TLS 1.2 or higher.
4.2 Infrastructure Isolation
- Logical Isolation: Customer workloads run in strictly isolated containers with no cross-tenant data access
- Network Segmentation: Each customer environment is logically separated at the network level
- Dedicated Resources: GPU compute resources are not shared between customers during active processing
4.3 Access Controls
- Multi-Factor Authentication (MFA): Required for all Processor personnel accessing production systems
- Role-Based Access Control (RBAC): Least-privilege access principles enforced across all systems
- Audit Logging: Comprehensive logging of all access to Personal Data, retained in tamper-evident storage
- Zero-Knowledge Architecture: Processor personnel cannot access Customer document content, which is never transmitted to Processor systems (see Section 4.1)
4.4 Data Sanitization
- Auto-Wipe: All Personal Data is purged from GPU memory within seconds after each processing session
- Secure Deletion: Data deletion uses methods compliant with NIST SP 800-88 (Guidelines for Media Sanitization)
- No Persistent Storage: Document content is not retained after session termination
4.5 Physical & Environmental Security
- Data centers with 24/7 physical security monitoring
- Biometric access controls for data center entry
- Tier 3/4 certified facilities with redundant power and cooling
- Environmental controls including fire suppression and flood detection
5. Sub-Processors
The Controller hereby provides general written authorization for the Processor to engage the Sub-Processors listed below. The Processor shall:
- Enter into written agreements with Sub-Processors imposing data protection obligations equivalent to those in this DPA
- Remain fully liable to the Controller for the performance of each Sub-Processor's obligations
- Provide at least 30 days' notice before engaging new Sub-Processors, allowing the Controller to object
5.1 Authorized Sub-Processors List
| Sub-Processor | Service Provided | Location | Security Certifications |
|---|---|---|---|
| Stripe, Inc. (Payment Processor) | Payment Processing & Billing | USA / Global | PCI DSS Level 1, SOC 2 Type II |
Sub-Processor Data Protection
In the local-only deployment model, infrastructure for AI inference runs directly on Customer-controlled hardware, so infrastructure Sub-Processors are not used for core model execution. Any remaining Sub-Processors (such as billing or email providers) are limited to account and operational metadata, not document or chat content.
5.2 Notice of New Sub-Processors
The Processor shall provide the Controller with at least 30 days' written notice before engaging any new Sub-Processor. The notice shall include:
- The name and location of the proposed Sub-Processor
- The processing activities to be performed
- Security certifications and compliance status
5.3 Right to Object
The Controller may object to the engagement of a new Sub-Processor on reasonable grounds relating to data protection within 14 days of receiving notice. If the Controller objects and the Processor cannot accommodate the objection, the Controller may terminate the affected Service.
6. International Data Transfers
The Processor may transfer Personal Data outside of the European Economic Area (EEA) or the United Kingdom only in accordance with applicable Data Protection Laws.
6.1 Transfer Mechanisms
For transfers of Personal Data from the EEA or UK to third countries, the Processor shall implement appropriate safeguards, including:
- Standard Contractual Clauses (SCCs): EU Commission-approved SCCs are incorporated into this DPA by reference
- UK International Data Transfer Agreement: For UK transfers, the UK IDTA is incorporated where applicable
- Adequacy Decisions: Where available, the Processor relies on adequacy decisions issued by the EU Commission or UK authorities
6.2 Data Localization Options
Enterprise customers may request data residency in specific regions:
- EU Data Residency: All processing can be scoped to EU data centers where available
- US Data Residency: All processing is scoped to US data centers
- On-Premise Deployment: For maximum control, customers may deploy PrivateDocs AI on their own infrastructure
7. Data Subject Rights
The Processor shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject to exercise any of the following rights under Data Protection Laws:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object to processing
- Rights related to automated decision-making and profiling
7.1 Assistance with Data Subject Requests
The Processor shall provide reasonable assistance to the Controller in responding to Data Subject requests, including:
- Providing available information about the Data Subject's Personal Data
- Implementing technical measures to facilitate data access, correction, or deletion
- Responding to Controller requests within 5 business days
Note: The Processor does not hold Customer document content, embeddings, or chat history, since these never leave the Customer's devices (see Section 2.5). The only Personal Data the Processor retains is the account, licensing, billing, and support data listed in Section 2.3; Data Subject requests concerning on-device content will need to be fulfilled by the Controller using their own records.
8. Incident Management
8.1 Personal Data Breach Notification
The Processor shall notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Personal Data Breach affecting the Controller's Personal Data, so that the Controller can meet its own notification deadline under Data Protection Laws (72 hours to the supervisory authority under GDPR Article 33).
8.2 Breach Notification Contents
The notification shall include, to the extent available:
- Description of the nature of the Personal Data Breach
- Categories and approximate number of Data Subjects affected
- Categories and approximate number of Personal Data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate harm
- Contact details for further information
8.3 Remediation & Cooperation
The Processor shall:
- Take immediate steps to contain and remediate the breach
- Preserve forensic evidence for investigation
- Cooperate with the Controller's investigation and remediation efforts
- Provide regular updates on remediation progress
- Document all breach-related activities for regulatory reporting
9. Audits & Compliance
9.1 Audit Rights
The Controller may, upon reasonable notice and during business hours, conduct audits (including inspections) to verify the Processor's compliance with this DPA. Such audits shall not occur more than once per year unless required by Data Protection Laws or in response to a suspected breach.
9.2 Compliance Documentation
The Processor shall make available to the Controller:
- SOC 2 Type II audit reports (upon request, subject to NDA)
- Security certifications and compliance attestations
- Policies and procedures related to data protection
- Sub-Processor audit reports and certifications
9.3 Third-Party Audits
The Processor undergoes annual SOC 2 Type II audits conducted by independent third-party auditors. Audit reports are available to Enterprise customers upon request and execution of a mutual non-disclosure agreement.
10. Duration & Termination
10.1 Term
This DPA shall remain in effect for the duration of the Master Service Agreement and as long as the Processor processes Personal Data on behalf of the Controller.
10.2 Data Return or Deletion
Upon termination of the Service or upon Controller request, the Processor shall, at the Controller's election:
- Return: Return all Personal Data to the Controller in a commonly used, machine-readable format
- Delete: Permanently delete all copies of Personal Data in accordance with the Processor's secure deletion procedures
10.3 Certification of Deletion
Upon Controller request, the Processor shall provide written certification that all Personal Data has been returned or deleted, unless retention is required by applicable law.
Note: Document content, embeddings, and chat history are processed only on the Customer's devices and are never held by the Processor (see Section 2.5). Only account, licensing, and billing metadata persists beyond active sessions, and it is this data that is subject to the return and deletion procedures above.
11. Liability
Each party's liability arising out of or related to this DPA shall be subject to the limitation of liability provisions in the Master Service Agreement.
11.1 Processor Liability
The Processor shall be liable for damages caused by processing only where:
- It has not complied with obligations specifically directed to processors under Data Protection Laws, or
- It has acted outside or contrary to lawful instructions of the Controller
11.2 Sub-Processor Liability
The Processor shall remain fully liable to the Controller for the performance of any Sub-Processor's obligations under this DPA.
12. Contact Information
For questions regarding this DPA or data protection matters, please contact:
Data Protection Officer
Email: dpo@privatedocsai.ai
Legal Team: legal@privatedocsai.ai
Security Issues: security@privatedocsai.ai
Execution
This DPA is incorporated into and forms part of the Master Service Agreement between the parties. By accepting the Master Service Agreement, both parties agree to be bound by the terms of this DPA.