Effective Date: January 27, 2025
Last Updated: January 27, 2025
This Data Processing Agreement (DPA) is required by data protection laws (GDPR/CCPA) when a company (you) uses our service to process personal data of your team members.
In simple terms: This document explains how we handle your team's personal information and our legal responsibilities.
- **"Controller" (You):** The organization that subscribes to Docfai Team Plan and determines what personal data is processed and how.
- **"Processor" (Docfai):** IGBranding (operating as Docfai), Memelweg 10, 70825 Korntal-Münchingen, Germany, which processes personal data on your behalf.
- **Personal Data:** Information about identified or identifiable individuals (names, emails, usage data)
- **Processing:** Any operation performed on personal data (collection, storage, use, deletion)
- **Sub-processor:** Third-party service providers we use to help deliver our service
- **Data Subject:** Individual whose personal data is being processed (your team members)
| Data Category | Examples |
|---|---|
| Identity Data | Name, email address, user ID |
| Account Data | Company name, team roles (admin/member) |
| Usage Data | Login times, feature usage, preferences |
| Billing Data | Subscription details, payment history (via Stripe) |
| Technical Data | IP address, browser type, device info |
- Provide team management and collaboration features
- Manage user accounts and access permissions
- Process subscription payments
- Provide customer support
- Maintain service security and performance
- Comply with legal obligations

- Team administrators
- Team members with assigned seats
- Authorized users of your organization

- Having a legal basis for processing personal data
- Ensuring you have rights to share team member data with us
- Informing your team members about data processing
- Handling data subject requests (access, deletion, etc.)
- Complying with data protection laws in your jurisdiction

- Process personal data only according to your documented instructions
- Ensure confidentiality of personnel with access to data
- Implement appropriate security measures
- Assist with data subject requests when reasonably possible
- Notify you of data breaches within 72 hours
- Delete or return data upon termination (unless legal retention required)
- Maintain records of processing activities

- TLS/HTTPS for data in transit
- Encrypted data storage
- Hashed passwords (bcrypt)
- Role-based permissions
- Multi-factor authentication
- Regular access reviews
- Regular backups
- Disaster recovery plans
- Data redundancy
- Security event logging
- Intrusion detection
- Regular audits
- Employee confidentiality agreements
- Security awareness training
- Incident response procedures
- Vendor security assessments
- Regular security updates and patches
We use the following trusted sub-processors to help deliver our service:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database, authentication, hosting | USA (with EU region option) |
| Stripe Inc. | Payment processing | USA (Global operations) |
If we add or change sub-processors, we will:
- Notify you at least 30 days in advance
- Update this list on our website
- Give you the opportunity to object

**If you object:** You may terminate your subscription without penalty.
1. **Immediate Action:** We contain the breach and assess the impact
2. **Notification (within 72 hours):** We notify you via email with:
   - Nature of the breach
   - Categories and approximate number of affected data subjects
   - Likely consequences
   - Measures taken or proposed
3. **Cooperation:** We assist you in meeting your notification obligations to authorities and data subjects
4. **Documentation:** We maintain records of all breaches
- European Union (EU/EEA)
- United States
- Other countries where our sub-processors operate

- **Standard Contractual Clauses (SCCs):** We use EU-approved Standard Contractual Clauses for transfers outside the EU/EEA
- **Adequacy Decisions:** Where possible, we use countries with EU adequacy decisions
- **Additional Safeguards:** Encryption, access controls, and security measures protect data in transit
When your team members exercise their rights (access, deletion, portability, etc.), we will:
- Provide data in a machine-readable format within 30 days
- Update inaccurate data within 7 days
- Permanently delete data within 30 days (unless legal retention required)
- Export data in JSON or CSV format

**Note:** As the Controller, you are primarily responsible for responding to data subject requests. We provide tools and assistance to help you fulfill these obligations.
You may request information to verify our compliance with this DPA:
- Security measures documentation
- Sub-processor agreements
- Compliance certifications
- Audit reports (subject to confidentiality)

**On-site audits:** With 30 days' notice, you may conduct audits at reasonable intervals (max once per year), at your expense, subject to confidentiality agreements.
- **30-Day Grace Period:** Your data remains accessible for 30 days after cancellation
- **Data Export:** You can download your data during this period
- **Deletion:** After 30 days, we permanently delete all personal data
- **Exceptions:** Some data may be retained if required by law:
  - Billing records (7 years for tax purposes)
  - Legal dispute records
  - Fraud prevention data

- **Effective Date:** This DPA takes effect when you subscribe to Docfai Team Plan.
- **Duration:** Remains in effect for the duration of your subscription and data retention period.
- **Survival:** Sections related to data deletion, confidentiality, and audit rights survive termination.

- **Docfai's Liability:** We are liable for damages caused by our failure to comply with GDPR obligations as a processor
- **Your Liability:** You are liable for damages caused by your instructions that violate data protection laws
- **Limitation:** Subject to limitations in the main Terms of Use
For DPA-related inquiries:
- **Email:** support@docfai.app
- **Data Protection:** support@docfai.app
- **Security Issues:** support@docfai.app

**Legal Entity:**
IGBranding (operating as Docfai)
Memelweg 10
70825 Korntal-Münchingen
Germany
This Data Processing Agreement is part of your Docfai Team Plan subscription.
By subscribing to the Team Plan, you accept the terms of this DPA along with our Terms of Use and Privacy Policy.
Last Updated: January 27, 2025 • Version 1.0