Template-sourced v1 DPA. The structure follows GDPR Art. 28 +
POPIA §21 + CCPA/CPRA §1798.140(ag) required clauses, but this
text has not yet been counsel-reviewed. Before signing with a live
customer, the final version will be drafted by qualified SA + EU
privacy counsel. Contact legal@docreadi.com to request
the signable version.
Parties + scope
This Data Processing Addendum ("DPA") forms part of the agreement between DocReadi ("Processor") and the tenant ("Controller") using the DocReadi service ("Service"). It governs Processor's processing of Personal Data on behalf of Controller.
Annex 1 — Processing details
- Subject matter: extraction of structured data from uploaded financial documents.
- Duration: the term of the Service agreement; retention per the Controller's configured policy (default 7 years).
- Nature + purpose: automated document parsing, OCR, LLM-based field extraction, validation, counterparty resolution, reviewer workflow, and export.
- Categories of data subjects: Controller's authorised users; counterparties named on uploaded documents; signatories on delivery notes.
- Categories of personal data: business contact details (names, emails, phone numbers, addresses), VAT and tax registration numbers, bank account details, invoice content, signatures (stored only — never matched or biometrically processed).
Annex 2 — Processor obligations (GDPR Art. 28(3))
- Process Personal Data only on documented instructions from Controller.
- Ensure that persons authorised to process Personal Data have committed to confidentiality.
- Implement the technical and organisational measures set out in Annex 3.
- Engage sub-processors only under the conditions of Art. 28(2) and (4) — with general authorisation, prior notice, and flow-down of equivalent obligations.
- Assist Controller in responding to data-subject rights requests within applicable regulatory deadlines.
- Assist Controller with security, breach notification, DPIA, and regulator consultation obligations under Art. 32–36.
- At the end of the agreement, delete or return all Personal Data at Controller's election and certify completion.
- Make available all information necessary to demonstrate compliance with Art. 28, and allow for audits reasonably requested by Controller.
Annex 3 — Technical and organisational measures (GDPR Art. 32 / POPIA §19)
- Row-level security policies per tenant in Postgres (app.current_company_id) enforced at the database level.
- HMAC-signed session cookies with rotatable secret; bcrypt password hashing (cost ≥ 12).
- CSRF protection on state-changing requests.
- HTTPS (TLS 1.2+) for all traffic.
- Fernet encryption at rest for designated sensitive columns (WhatsApp tokens; bank-account numbers in Wave 2).
- Client-side age-encryption of backups before upload to S3; 30-day hot / 90-day Glacier / 365-day delete lifecycle.
- Audit log of settings changes, approvals, rejections, registry mutations (Wave 2).
- Rate limiting on authentication endpoints.
- Structured logging with tenant + document correlation IDs.
- Stale-tenant session-cookie guard that invalidates cookies referencing deleted tenants.
Annex 4 — Sub-processors
Current authorised sub-processors are listed at /legal/subprocessors. Changes are announced 30 days in advance of activation; Controller may object to any new sub-processor, in which case the parties will discuss a carve-out or termination for the affected workload.
Annex 5 — International transfers
Where sub-processors operate outside the EEA:
- For providers certified under the EU–US Data Privacy Framework, transfers are covered by the DPF adequacy decision.
- For providers not DPF-certified, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2) published in Commission Implementing Decision (EU) 2021/914, together with the UK Addendum where UK-origin data is transferred and the Swiss Addendum where Swiss-origin data is transferred.
- South African transfers rely on POPIA §72(1)(a) contractual safeguards; Processor warrants that sub-processors are bound to POPIA-substantially-similar commitments.
Annex 6 — CCPA / CPRA service-provider terms (§1798.140(ag))
For California-personal-information processing, Processor:
- Processes Personal Information solely for Controller's business purposes specified in the agreement.
- Shall not sell or share Personal Information.
- Shall not retain, use, or disclose Personal Information outside the direct business relationship with Controller, or as permitted by the CCPA.
- Shall not combine Personal Information received from Controller with data from any other source, except as permitted by CCPA regulations.
- Certifies it understands these restrictions and will comply.
- Notifies Controller if Processor can no longer meet CCPA obligations.
Breach notification
Processor will notify Controller without undue delay and in any event within 48 hours of becoming aware of a Personal Data breach affecting Controller's data.
Deletion + return
On termination, Processor will, at Controller's election, delete or return all Personal Data within 30 days. Backup copies are deleted on the lifecycle schedule documented in Annex 3.
Audit
Controller may audit Processor's compliance with this DPA on
reasonable prior notice, at Controller's cost, and in a manner that
does not disrupt Processor's operations. Audit requests should be
addressed to legal@docreadi.com.