DATA PROCESSING AGREEMENT

INTRODUCTION

This Data Processing Agreement ("DPA") is entered into by and between the customer identified in the applicable Terms of Service or Order Document ("Customer," "Controller," or "Business") and DocUnlock, Inc. ("DocUnlock," "Processor," or "Service Provider"), and is incorporated into and forms part of the DocUnlock Terms of Service available at https://www.docunlock.com/legal/terms-of-service (the "Agreement").

This DPA sets forth the parties' obligations with respect to the Processing of Personal Data in connection with Customer's use of the Service, and applies to the extent DocUnlock Processes Personal Data on behalf of Customer.

In the event of any conflict between this DPA and the Agreement, this DPA shall control with respect to the Processing of Personal Data.

1. DEFINITIONS

Capitalized terms not defined herein have the meanings set forth in the Agreement. In addition:

"Applicable Data Protection Law" means all applicable laws and regulations relating to the Processing of Personal Data, including: (a) the EU General Data Protection Regulation 2016/679 ("GDPR"); (b) the UK General Data Protection Regulation and Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); and (e) any other applicable data protection or privacy laws.

"Controller" means the entity that determines the purposes and means of Processing Personal Data. Where the CCPA/CPRA applies, Controller means "Business" as defined therein.

"Data Subject" means an identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person, as defined under Applicable Data Protection Law. Where the CCPA/CPRA applies, Personal Data includes "Personal Information" as defined therein.

"Processing" means any operation or set of operations performed on Personal Data, including collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.

"Processor" means the entity that Processes Personal Data on behalf of the Controller. Where the CCPA/CPRA applies, Processor means "Service Provider" as defined therein.

"Security Incident" means any accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data transmitted, stored, or otherwise Processed by DocUnlock in connection with the Service.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission in Implementing Decision (EU) 2021/914.

"Subprocessor" means any third party engaged by DocUnlock to Process Personal Data on behalf of Customer.

2. SCOPE AND ROLES

2.1 Roles of the Parties. Customer acts as the Controller (or Business) and DocUnlock acts as the Processor (or Service Provider) with respect to Personal Data Processed in connection with the Service.

2.2 Scope of Processing. DocUnlock will Process Personal Data solely to provide the Service to Customer in accordance with the Agreement, this DPA, and Customer's documented instructions as described in Section 3.

2.3 Details of Processing. The subject matter, duration, nature, purpose, types of Personal Data, and categories of Data Subjects are described in Annex I to this DPA.

3. CUSTOMER INSTRUCTIONS

3.1 Documented Instructions. DocUnlock will Process Personal Data only on Customer's documented instructions, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such case, DocUnlock will inform Customer of that legal requirement before Processing, unless the law prohibits such notice on important grounds of public interest.

3.2 Scope of Instructions. Customer's instructions for Processing are set forth in the Agreement, this DPA, and any applicable Order Document. Customer may issue additional written instructions consistent with the terms of the Agreement.

3.3 Compliance Notification. If DocUnlock reasonably believes that a Customer instruction infringes Applicable Data Protection Law, DocUnlock will promptly notify Customer and may suspend performance of the relevant instruction until Customer modifies or confirms the instruction.

4. CONFIDENTIALITY

4.1 Personnel Obligations. DocUnlock ensures that all personnel authorized to Process Personal Data are bound by written confidentiality obligations, whether contractual or statutory.

4.2 Access Limitations. DocUnlock limits access to Personal Data to those personnel who require access to perform obligations under the Agreement, and ensures that such personnel Process Personal Data only in accordance with Customer's instructions.

5. SECURITY

5.1 Security Measures. DocUnlock will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures are described in Annex II and include, at a minimum:

(a) Encryption of Personal Data in transit (TLS 1.2+) and at rest (AES-256); (b) Role-based access controls and multi-factor authentication; (c) Regular access reviews and audit logging; (d) Network security including firewalls, intrusion detection, and network segmentation; (e) Incident response planning with 24/7 security monitoring; (f) Regular vulnerability assessments and penetration testing; (g) Business continuity and disaster recovery capabilities; and (h) Annual security awareness training for all personnel with access to Personal Data.

5.2 SOC 2 Compliance. DocUnlock maintains a SOC 2 Type II attestation report (or equivalent independent audit report) covering the trust services criteria for security, availability, and confidentiality. DocUnlock will provide a summary of its most recent SOC 2 report upon Customer's written request, subject to DocUnlock's standard confidentiality requirements.

5.3 Continuous Improvement. DocUnlock will regularly test, assess, and evaluate the effectiveness of its security measures, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects.

6. SUBPROCESSORS

6.1 Authorization. Customer provides general written authorization for DocUnlock to engage Subprocessors to Process Personal Data. The current list of Subprocessors is set forth in Annex III and in Appendix A to the Agreement.

6.2 Subprocessor Obligations. DocUnlock will enter into a written agreement with each Subprocessor imposing data protection obligations no less protective than those set forth in this DPA, including obligations regarding confidentiality, security, and restrictions on Processing.

6.3 Notification of Changes. DocUnlock will notify Customer at least thirty (30) days before engaging a new Subprocessor or replacing an existing Subprocessor. Customers may subscribe to notifications by emailing privacy@docunlock.com or through account settings.

6.4 Right to Object. Customer may object to a new Subprocessor by providing written notice to privacy@docunlock.com within thirty (30) days of receiving notification. The objection must include specific, reasonable grounds related to data protection. DocUnlock will work in good faith to address the objection, which may include providing additional information, implementing additional safeguards, or offering an alternative Service configuration. If DocUnlock cannot reasonably accommodate the objection, either party may terminate the affected portion of the Service upon written notice, and Customer will receive a pro-rata refund of prepaid fees.

6.5 Liability. DocUnlock remains fully liable for the acts and omissions of its Subprocessors to the same extent DocUnlock would be liable if performing the Processing directly.

6.6 AI and LLM Subprocessors. Where DocUnlock engages AI or large language model providers as Subprocessors:

(a) Customer Data is processed solely for the purpose of providing the Service; (b) Customer Data is not used for model training or improvement unless Customer has explicitly opted in; (c) Customer Data is not retained beyond the duration necessary to generate the requested output, except as required by law; and (d) DocUnlock maintains contractual commitments from each AI/LLM Subprocessor reflecting the obligations in (a) through (c).

7. DATA SUBJECT RIGHTS

7.1 Assistance. DocUnlock will assist Customer in responding to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including rights of access, rectification, erasure, restriction, portability, and objection.

7.2 Notification. If DocUnlock receives a request directly from a Data Subject, DocUnlock will promptly redirect the request to Customer unless prohibited by law, and will not respond to the request without Customer's prior authorization except to confirm that the request relates to Customer.

7.3 Reasonable Measures. DocUnlock will provide such technical and organizational assistance as is reasonably necessary to enable Customer to fulfill Data Subject requests, taking into account the nature of the Processing.

8. SECURITY INCIDENT NOTIFICATION

8.1 Notification. DocUnlock will notify Customer without undue delay, and in any event within seventy-two (72) hours, after becoming aware of any Security Incident affecting Customer's Personal Data.

8.2 Contents. The notification will include, to the extent known:

(a) The nature of the Security Incident, including categories and approximate number of Data Subjects and Personal Data records affected; (b) The name and contact details of DocUnlock's Data Protection Officer; (c) The likely consequences of the Security Incident; and (d) Measures taken or proposed to address the Security Incident and mitigate its effects.

8.3 Ongoing Updates. Where full information is not available at the time of initial notification, DocUnlock will provide information in phases without further undue delay.

8.4 Cooperation. DocUnlock will cooperate with Customer and take reasonable steps to assist in the investigation, mitigation, and remediation of the Security Incident, and will assist Customer in fulfilling its breach notification obligations to supervisory authorities and Data Subjects.

8.5 Documentation. DocUnlock will document all Security Incidents, including the facts, effects, and remedial actions taken, and will make such documentation available to Customer and supervisory authorities upon request.

9. DATA PROTECTION IMPACT ASSESSMENTS AND CONSULTATIONS

9.1 Assistance. DocUnlock will provide reasonable assistance to Customer in conducting Data Protection Impact Assessments and prior consultations with supervisory authorities where required under GDPR Articles 35 and 36, taking into account the nature of Processing and the information available to DocUnlock.

10. INTERNATIONAL DATA TRANSFERS

10.1 Transfer Mechanisms. Where Personal Data is transferred from the EEA, UK, or Switzerland to DocUnlock in the United States, DocUnlock relies on the following mechanisms:

(a) Standard Contractual Clauses. The SCCs (Commission Implementing Decision (EU) 2021/914) are incorporated into this DPA by reference and apply as follows:

  • Module 2 (Controller to Processor) for transfers from Customer to DocUnlock; and
  • Module 3 (Processor to Processor) for onward transfers from DocUnlock to Subprocessors.

The parties' details and the information required to complete the SCCs are set forth in Annex I and Annex IV.

(b) UK International Data Transfer Addendum. For transfers from the UK, the UK Addendum issued by the UK ICO is applied in conjunction with the applicable SCC modules.

(c) Swiss Transfers. For transfers from Switzerland, the SCCs are applied as adapted in accordance with guidance from the Swiss Federal Data Protection and Information Commissioner.

10.2 Supplementary Measures. In addition to the SCCs, DocUnlock implements supplementary technical and organizational measures as described in Annex II, including encryption in transit and at rest, access controls, and security monitoring.

10.3 Subprocessor Transfers. DocUnlock ensures that any Subprocessor receiving Personal Data from the EEA, UK, or Switzerland is bound by appropriate transfer mechanisms, including SCCs where required.

10.4 Transfer Impact Assessment. DocUnlock has conducted a transfer impact assessment evaluating the laws and practices of the United States as they relate to the protections provided by the SCCs. A summary is available upon request by contacting dpo@docunlock.com.

11. AUDIT AND COMPLIANCE

11.1 Audit Information. DocUnlock will make available to Customer all information reasonably necessary to demonstrate compliance with this DPA and Applicable Data Protection Law.

11.2 Audit Rights. Customer (or a qualified, independent third-party auditor appointed by Customer) may conduct audits of DocUnlock's Processing activities, subject to the following:

(a) Customer must provide at least thirty (30) days' prior written notice; (b) Audits may be conducted no more than once per twelve (12) month period, unless required by a supervisory authority or following a Security Incident; (c) Audits will be conducted during normal business hours, with reasonable scope and duration, and in a manner that minimizes disruption to DocUnlock's operations; (d) The auditor must execute a confidentiality agreement acceptable to DocUnlock before commencing any audit; and (e) Customer bears the costs of the audit, unless the audit reveals material non-compliance by DocUnlock.

11.3 SOC 2 Reports. DocUnlock may satisfy audit requests by providing its most recent SOC 2 Type II report (or equivalent third-party audit or certification), provided it addresses the matters relevant to the audit request. If the SOC 2 report does not adequately address Customer's concerns, Customer retains its audit rights under Section 11.2.

11.4 Regulatory Audits. DocUnlock will cooperate with and provide reasonable assistance to any supervisory authority that requires access to DocUnlock's facilities or documentation in connection with an investigation relating to the Processing of Personal Data under this DPA.

12. DATA RETENTION AND DELETION

12.1 Duration. DocUnlock will Process Personal Data for the duration of the Agreement, unless otherwise instructed by Customer.

12.2 Return or Deletion. Upon termination or expiration of the Agreement, DocUnlock will, at Customer's election:

(a) Return all Personal Data to Customer in a structured, commonly used, machine-readable format; or (b) Delete all Personal Data from its systems, including directing Subprocessors to do the same.

Customer must make its election within ninety (90) days of termination. If no election is made, DocUnlock will delete all Personal Data after the ninety (90) day period.

12.3 Backup Retention. Personal Data may persist in encrypted backup systems for up to ninety (90) days following deletion from production systems. During this period, backup data is encrypted, access-restricted, and treated as functionally inaccessible. DocUnlock will re-apply pending deletion requests if backup data is restored for disaster recovery purposes.

12.4 Legal Exceptions. DocUnlock may retain Personal Data to the extent required by applicable law, provided that DocUnlock limits such retention to the data and duration required and notifies Customer unless prohibited by law.

12.5 Certification. Upon Customer's written request, DocUnlock will provide written confirmation that Personal Data has been deleted in accordance with this Section.

13. CCPA/CPRA SPECIFIC PROVISIONS

To the extent the CCPA/CPRA applies to DocUnlock's Processing of Personal Data on behalf of Customer:

13.1 Service Provider Status. DocUnlock is a "Service Provider" as defined under the CCPA/CPRA and Processes Personal Information solely on behalf of Customer and for the business purposes specified in the Agreement.

13.2 Prohibited Activities. DocUnlock will not:

(a) Sell or share Personal Information; (b) Retain, use, or disclose Personal Information for any purpose other than the business purposes specified in the Agreement, including for any commercial purpose other than providing the Service; (c) Retain, use, or disclose Personal Information outside the direct business relationship between DocUnlock and Customer; or (d) Combine Personal Information received from Customer with Personal Information received from other sources, except as expressly permitted by the CCPA/CPRA.

13.3 Compliance Certification. DocUnlock certifies that it understands and will comply with the restrictions in Sections 13.1 and 13.2.

13.4 Consumer Rights Assistance. DocUnlock will assist Customer in responding to verifiable consumer requests under the CCPA/CPRA, including requests to know, delete, correct, and opt out of sale or sharing.

13.5 Notification of Inability to Comply. DocUnlock will notify Customer if it determines that it can no longer meet its obligations under the CCPA/CPRA. Upon such notification, Customer may take reasonable and appropriate steps to stop and remediate unauthorized use of Personal Information.

13.6 Right to Monitor. Customer has the right to take reasonable and appropriate steps to ensure DocUnlock uses Personal Information in a manner consistent with Customer's obligations under the CCPA/CPRA. DocUnlock will comply with Customer's reasonable requests to verify compliance.

14. GENERAL

14.1 Governing Law. This DPA is governed by the laws stated in the Agreement, except that the SCCs are governed by the law of the EU Member State in which the Controller is established (or, where the Controller is not established in an EU Member State, the laws of Ireland).

14.2 Order of Precedence. In the event of any conflict: (a) the SCCs prevail over this DPA; (b) this DPA prevails over the Agreement; and (c) the Agreement prevails in all other respects.

14.3 Severability. If any provision of this DPA is found invalid or unenforceable, the remaining provisions remain in full force and effect.

14.4 Term. This DPA is effective upon Customer's acceptance of the Agreement and remains in effect until all Personal Data is deleted or returned in accordance with Section 12.

14.5 Amendments. This DPA may be amended only in writing signed by both parties, except that DocUnlock may update the Annexes to reflect changes in Subprocessors (subject to the notification requirements in Section 6.3) or security measures.

14.6 Contact. All notices under this DPA should be sent to:

DocUnlock, Inc.
Attn: Legal / Data Protection Officer
PO Box 15683
San Francisco, CA 94115

Email: legal@docunlock.com / dpo@docunlock.com

ANNEX I: DETAILS OF PROCESSING

A. List of Parties

Data Exporter (Controller/Business):

  • Name: As identified in the Agreement or Order Document
  • Address: As identified in the Agreement or Order Document
  • Contact: As identified in the Agreement or Order Document
  • Role: Controller / Business

Data Importer (Processor/Service Provider):

  • Name: DocUnlock, Inc.
  • Address: PO Box 15683, San Francisco, CA 94115
  • Contact: dpo@docunlock.com
  • Role: Processor / Service Provider

B. Subject Matter and Duration

  • Subject Matter: Processing of Personal Data in connection with Customer's use of the DocUnlock document processing and AI-powered analysis Service.
  • Duration: For the term of the Agreement, plus any post-termination retention period specified in this DPA.

C. Nature and Purpose of Processing

DocUnlock Processes Personal Data for the following purposes:

  • Providing and operating the Service, including document ingestion, analysis, and AI-powered processing;
  • Generating outputs and derivatives based on Customer Data;
  • Providing customer support and account management;
  • Maintaining the security and integrity of the Service;
  • Complying with applicable legal obligations.

D. Types of Personal Data

Personal Data Processed may include, depending on Customer's use of the Service:

  • Identity data: names, titles, identifiers
  • Contact data: email addresses, phone numbers, physical addresses
  • Professional data: job titles, employer information
  • Financial data: billing information, payment details (for account management)
  • Document contents: any Personal Data contained within documents uploaded by Customer
  • Usage data: IP addresses, device identifiers, access logs
  • Any other categories of Personal Data that Customer submits to the Service

E. Categories of Data Subjects

  • Customer's employees, contractors, and authorized Users
  • Individuals whose Personal Data is contained within Customer Data (as determined by Customer)
  • Customer's clients, customers, or business contacts (as determined by Customer)

F. Sensitive Data

DocUnlock does not intentionally collect or require the submission of sensitive or special categories of Personal Data. However, Customer may upload documents containing such data. Where Customer submits sensitive data, Customer is responsible for ensuring a lawful basis and appropriate safeguards exist under Applicable Data Protection Law.

ANNEX II: TECHNICAL AND ORGANIZATIONAL MEASURES

DocUnlock implements and maintains the following security measures, which correspond to the measures described in Appendix B of the Agreement:

Access Control

  • Role-based access controls with least-privilege principle
  • Multi-factor authentication required for all employees
  • Regular access reviews (quarterly at minimum)
  • Automated de-provisioning upon personnel departure
  • Audit logging of all access to Personal Data

Encryption

  • TLS 1.2+ for all data in transit
  • AES-256 for all data at rest
  • Encryption key management with regular key rotation

Network Security

  • Firewalls and intrusion detection/prevention systems
  • DDoS mitigation
  • Network segmentation separating production environments
  • Regular vulnerability scanning and annual penetration testing

Physical Security

  • SOC 2 Type II certified data centers
  • 24/7 physical monitoring and access controls
  • Environmental controls (fire suppression, climate control, power redundancy)

Personnel Security

  • Background checks for all employees with access to Personal Data
  • Annual security awareness training
  • Written confidentiality agreements
  • Disciplinary procedures for security policy violations

Incident Response

  • Documented incident response plan
  • 24/7 security monitoring and alerting
  • Regular tabletop exercises (at least annually)
  • Post-incident review and remediation tracking

Business Continuity

  • Regular encrypted backups with geographic redundancy
  • Documented disaster recovery plan
  • Annual recovery testing with documented results
  • Recovery time and recovery point objectives defined and tested

Application Security

  • Secure software development lifecycle (SDLC)
  • Code review requirements for changes affecting Personal Data
  • Dependency scanning and patch management
  • Separate development, staging, and production environments

Monitoring and Logging

  • Centralized log management with tamper-evident storage
  • Real-time alerting on anomalous activity
  • Log retention for twenty-four (24) months for security purposes
  • Regular review of security logs and alerts

ANNEX III: LIST OF SUBPROCESSORS

Each Subprocessor is listed below with its purpose, processing activities, categories of Personal Data, location, and transfer mechanism.

Google Cloud Platform (Google LLC)

  • Purpose: Infrastructure Hosting
  • Processing Activities: Storage, compute, and hosting of Customer Data
  • Categories of Personal Data: All Customer Data, including any Personal Data contained therein
  • Location: USA
  • Transfer Mechanism: SCCs (Module 3)

Anthropic

  • Purpose: AI/LLM Processing
  • Processing Activities: Document analysis and AI-powered feature processing
  • Categories of Personal Data: Customer Data submitted for processing, which may include Personal Data
  • Location: USA
  • Transfer Mechanism: SCCs (Module 3)

OpenAI

  • Purpose: AI/LLM Processing
  • Processing Activities: Document analysis and AI-powered feature processing
  • Categories of Personal Data: Customer Data submitted for processing, which may include Personal Data
  • Location: USA
  • Transfer Mechanism: SCCs (Module 3)

PostHog

  • Purpose: Product Analytics
  • Processing Activities: Collection and analysis of usage and performance data
  • Categories of Personal Data: Usage data, device identifiers, IP addresses
  • Location: USA
  • Transfer Mechanism: SCCs (Module 3)

HubSpot

  • Purpose: Customer Relationship Management
  • Processing Activities: Customer communications and account management
  • Categories of Personal Data: Name, email address, company name, communication history
  • Location: USA
  • Transfer Mechanism: SCCs (Module 3)

DocUnlock maintains contractual commitments from AI/LLM Subprocessors that Customer Data is not used for model training or improvement unless Customer has explicitly opted in.

To subscribe to Subprocessor change notifications, contact privacy@docunlock.com.

ANNEX IV: STANDARD CONTRACTUAL CLAUSES — SUPPLEMENTARY INFORMATION

This Annex provides the information required to complete the SCCs.

Clause 7 — Docking Clause: The optional docking clause is included.

Clause 9 — Subprocessors: Option 2 (general written authorization) applies, with a notification period of thirty (30) days.

Clause 11 — Redress: The optional language permitting independent dispute resolution is not included.

Clause 13 — Supervision: The competent supervisory authority is determined in accordance with GDPR Article 55 or 56, based on the Controller's establishment. Where the Controller is not established in the EEA, the supervisory authority of the EU Member State where the EU Representative is appointed shall act as the competent supervisory authority.

Clause 17 — Governing Law: The SCCs are governed by the laws of Ireland.

Clause 18 — Forum: Disputes arising under the SCCs shall be resolved before the courts of Ireland.

UK International Data Transfer Addendum: For UK transfers, the UK Addendum (issued by the ICO under Section 119A of the UK Data Protection Act 2018) is incorporated and applied in conjunction with the applicable SCC modules. The mandatory information required by Table 1 through Table 4 of the UK Addendum is completed using the corresponding information in Annexes I through III of this DPA.

Swiss Transfers: For transfers from Switzerland, the SCCs are applied with the adaptations specified by the Swiss Federal Data Protection and Information Commissioner, including that references to the GDPR are understood as references to the FADP and references to the competent supervisory authority are understood as references to the Swiss FDPIC.

Contact Information

DocUnlock, Inc.
PO Box 15683
San Francisco, CA 94115

General: support@docunlock.com
Legal: legal@docunlock.com
Privacy: privacy@docunlock.com
Security: security@docunlock.com
Data Protection Officer: dpo@docunlock.com

Effective Date: December 12, 2023

Last Updated: January 1, 2026