Data Processing Agreement
Last updated: 2026-04-08. Questions: hello@docsiv.com. These documents are provided as drafts for integration; have qualified counsel review before reliance.
Introduction
This Data Processing Agreement (“DPA”) forms part of the agreement between [Legal entity name] (“Docsiv,” “Processor,” “we,” “us,” or “our”) and the customer entity that orders or uses the Docsiv Service (“Customer,” “Controller”).
This DPA applies when Docsiv processes personal data on behalf of Customer in the course of providing the Service under our Terms of Service. It reflects the parties’ intent to comply with applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and laws that incorporate similar concepts.
If you need an executed copy for procurement, contact hello@docsiv.com.
Definitions
“Applicable laws” means data protection laws binding on Controller or Processor with respect to the processing.
“Data subject,” “personal data,” “processing,” and “supervisory authority” have the meanings in GDPR where applicable.
“Services” means the Docsiv platform and related services described in the Terms.
“Subprocessor” means a Processor engaged by Docsiv to process personal data subject to this DPA.
Capitalized terms not defined here have the meanings in the Terms unless otherwise stated.
Roles and scope
Customer (Controller) determines the purposes and means of processing personal data relating to its workspace users and, where applicable, individuals with whom Customer shares documents through the Service.
Docsiv (Processor) processes personal data only on documented instructions from Customer unless Applicable laws require otherwise (in which case Docsiv will inform Customer unless prohibited).
Processing under this DPA is limited to what is necessary to provide the Services and as further instructed through Customer’s use (including account configuration, invitations, and document sharing Customer enables).
Details of processing
| Topic | Description |
|---|---|
| Subject matter | Provision of the Docsiv Service to Customer. |
| Duration | For the term of the agreement plus the period needed to delete or return data in accordance with this DPA and the Terms. |
| Nature and purpose | Hosting, authentication, storage, collaboration, messaging/notification activities Customer enables, security monitoring, support, and AI-assisted features initiated by users, as configured by Customer. |
| Categories of data subjects | Customer’s employees and contractors; workspace guests; end users Customer invites to view or collaborate on content (for example client stakeholders), as determined by Customer’s use. |
| Categories of personal data | Identifiers (name, email); account and profile data; usage metadata; content Customer and users submit to the Service (which may include optional contact details inside documents), as determined by Customer’s configuration and uploads. Special categories of data should not be submitted unless Customer has a lawful basis and appropriate safeguards; Customer is responsible for compliance with restrictions. |
Processor may update the table for clarity without changing the substance of processing, with notice as described under Changes.
Customer instructions
Customer instructs Processor to process personal data to provide the Services and to perform steps Customer initiates in the product (including sharing, exports, and integrations Customer enables).
Additional instructions must be documented and agreed in writing (including email from Customer’s administrator) if they materially extend beyond the Service’s intended functionality.
Processor obligations
Processor will:
- Process personal data only on documented instructions unless required by Applicable laws (and will inform Customer unless prohibited).
- Ensure persons authorized to process data are bound by confidentiality.
- Implement appropriate technical and organizational measures as described in Security and Schedule A.
- Assist Customer, taking into account the nature of processing, with data subject requests, impact assessments, and consultations with authorities where GDPR-style obligations apply—as reasonable and subject to reimbursement for extensive costs unless otherwise agreed.
- Notify Customer without undue delay after becoming aware of a personal data breach, with information reasonably available to Processor.
- At Customer’s choice, delete or return personal data after the end of Services, except where retention is required by law.
- Make available information necessary to demonstrate compliance and allow audits as described in Audits.
Customer obligations
Customer will:
- Have a lawful basis for processing and, where required, obtain authorizations and notices for data subjects.
- Not submit unlawful personal data or instructions.
- Use the Service in line with documentation and security recommendations.
- Notify Processor promptly of data subject requests or regulatory inquiries that involve Processor’s systems.
Subprocessors
Customer authorizes Docsiv to engage Subprocessors listed at Subprocessors. Docsiv will impose data protection terms on Subprocessors that meet GDPR Article 28 requirements (or equivalent).
Docsiv may replace or add Subprocessors by updating the Subprocessors page and notifying Customer (for example by email to administrators or in-product notice). Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection within a reasonable period, Customer may terminate the affected Services as its exclusive remedy.
International transfers
Processor may transfer personal data globally where needed to operate the Service. Where GDPR or UK GDPR applies and transfers are to countries without an adequacy decision, Processor will use appropriate safeguards such as Standard Contractual Clauses (SCCs) or successor mechanisms, consistent with regulatory guidance. Customer authorizes such transfers as part of using the Service. Upon request, Processor will provide information about the mechanism used.
Security (summary)
Processor maintains a program appropriate to the risk, including access controls, encryption in transit, vulnerability management, and vendor reviews. Further detail is outlined in Schedule A.
Audits
Customer may audit Processor’s compliance with this DPA once per year (or following a material security incident affecting Customer data), on 30 days’ notice, during business hours, and without unreasonably disrupting operations. Customer may use a mutually agreed independent auditor under confidentiality. Alternatively, Customer may accept a Processor-provided audit report (for example SOC 2 Type II) if and when available, in place of an on-site audit.
Liability
Liability caps and exclusions are governed by the Terms, except that nothing in this DPA limits either party’s liability that cannot be limited under Applicable laws.
Term and termination
This DPA continues until Processing ends. Sections that should survive (including assistance, deletion, and liability where applicable) survive termination.
Changes
Docsiv may update this DPA to reflect legal or product changes. Material changes will be notified as described in the Terms or by email. Continued use after the effective date may constitute acceptance where permitted.
Contact
Processor: [Legal entity name], [Registered business address]
Privacy: hello@docsiv.com
Schedule A — Security measures (summary)
Processor implements measures appropriate to the nature of the Service, which may include:
- Access control: role-based access, least privilege for personnel, and authentication requirements for production systems.
- Transmission security: encryption of data in transit using industry-standard protocols.
- Segmentation: logical separation of customer workspaces and data stores consistent with a multi-tenant architecture.
- Availability and recovery: backups and resilience practices appropriate to our service tier.
- Logging and monitoring: security-relevant logging and alerting for operational and incident response purposes.
- Vendor management: contractual security and confidentiality requirements for Subprocessors listed at Subprocessors.
Customer responsibilities include maintaining strong credentials, promptly offboarding users, configuring sharing appropriately, and classifying data they choose to upload.
Schedule B — List of subprocessors
The authoritative list is maintained at Subprocessors and may be updated as described in Subprocessors.
Effective: 2026-04-08 · Last updated: 2026-04-08