
Data Processing Agreement

Last updated: May 10, 2025  ·  Docufast Technologies Ltd  ·  Pursuant to Art. 28 GDPR

This Data Processing Agreement ("DPA") forms part of the agreement between Docufast Technologies Ltd ("Processor") and the customer entity agreeing to these terms ("Controller"), collectively the "Parties".

This DPA supplements and is incorporated into the Docufast Terms of Use. In the event of any conflict between this DPA and the Terms of Use, the terms of this DPA shall prevail with respect to data protection matters.

How to execute this DPA: Customers who accept the Docufast Terms of Use automatically accept this standard DPA. Customers who wish to submit their own DPA or negotiate specific terms may contact privacy@docufast.ai.

1. Definitions

For the purposes of this DPA:

  • "Controller" means the customer entity that determines the purposes and means of processing Personal Data using the Services.

  • "Processor" means Docufast Technologies Ltd, which processes Personal Data on behalf of the Controller.

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined under the GDPR.

  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.

  • "Data Subject" means the natural person to whom Personal Data relates.

  • "GDPR" means the EU General Data Protection Regulation (2016/679).

  • "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

  • "Services" means the Docufast platform, Chrome extension, and related services as described in the Terms of Use.

  • "Security Incident" means any accidental or unlawful destruction, loss, alteration, or unauthorised disclosure of, or access to, Personal Data (a "personal data breach" within the meaning of Art. 4(12) GDPR).

2. Scope and roles

This DPA applies where the Controller uses the Services to process Personal Data of its own end users, employees, or other individuals ("Data Subjects") and Docufast processes that Personal Data on the Controller's behalf.

The Controller acts as the data controller and the Processor acts as the data processor within the meaning of Art. 4 GDPR. Each Party shall comply with its respective obligations under applicable data protection law.

The subject matter, duration, nature, and purpose of the processing, as well as the categories of Personal Data and Data Subjects, are set out in Annex I to this DPA.

3. Processor obligations

The Processor shall:

  1. Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to third countries, unless required to do so by EU or Member State law. In such cases, the Processor shall notify the Controller prior to processing, unless prohibited by law.

  2. Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations.

  3. Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as further described in Annex III of this DPA.

  4. Notify the Controller without undue delay, and in any event within 48 hours, after becoming aware of a Security Incident affecting Personal Data processed under this DPA.

  5. Assist the Controller, taking into account the nature of the processing and the information available to the Processor, in fulfilling its obligations to respond to Data Subject requests under Chapter III of the GDPR.

  6. Assist the Controller in ensuring compliance with its obligations under Articles 32–36 of the GDPR (security, breach notification, data protection impact assessments, prior consultation).

  7. At the Controller's choice, delete or return all Personal Data to the Controller upon termination of the Services, and delete existing copies unless EU or Member State law requires otherwise.

  8. Make available to the Controller all information necessary to demonstrate compliance with this DPA and allow for and contribute to audits conducted by the Controller or a mandated auditor, subject to reasonable prior notice and confidentiality obligations.

4. Controller obligations

The Controller warrants and represents that:

  1. It has a valid legal basis for processing Personal Data and instructing the Processor to process Personal Data on its behalf.

  2. It has provided Data Subjects with all required notices and disclosures regarding the processing of their Personal Data, including the involvement of the Processor.

  3. Its instructions to the Processor comply with applicable law. The Controller shall indemnify the Processor against any claims, fines, or liabilities arising from the Controller's failure to comply with this clause.

  4. It will not instruct the Processor to process special categories of Personal Data (as defined in Art. 9 GDPR) without first notifying the Processor and agreeing to any additional safeguards required.

5. Sub-processors

The Controller grants the Processor general written authorisation to engage Sub-processors for the delivery of the Services. The current list of approved Sub-processors is set out in Annex II of this DPA.

The Processor shall:

  • Inform the Controller of any intended changes to Sub-processors (additions or replacements) by updating Annex II and providing at least 14 days' prior notice via email or notice on the Docufast website.

  • Ensure that each Sub-processor is bound by data protection obligations equivalent to those set out in this DPA.

  • Remain fully liable to the Controller for the performance of any Sub-processor's obligations under this DPA.

If the Controller reasonably objects to a new Sub-processor, it must notify the Processor in writing within 14 days of receiving notice. The Parties shall work in good faith to resolve the objection. If no resolution is reached, the Controller may terminate the relevant Services upon 30 days' written notice.

6. International data transfers

The Processor shall not transfer Personal Data outside the European Economic Area (EEA) without ensuring that an adequate level of protection is in place, including by relying on one of the following mechanisms:

  • An adequacy decision by the European Commission

  • Standard Contractual Clauses (SCCs) as approved by the European Commission

  • Binding Corporate Rules

  • Any other lawful transfer mechanism under applicable data protection law

Where Sub-processors are located outside the EEA (as indicated in Annex II), the Processor has entered into or will enter into SCCs or equivalent agreements with each such Sub-processor prior to any transfer of Personal Data.

7. Data Subject rights

If the Processor receives a request from a Data Subject exercising their rights under GDPR (access, rectification, erasure, portability, restriction, or objection), the Processor shall promptly forward the request to the Controller and shall not respond directly to the Data Subject unless instructed to do so by the Controller or required by law.

The Processor shall provide reasonable assistance to the Controller to fulfil such requests within the timeframes required by law.

8. Security incidents

In the event of a Security Incident, the Processor shall:

  1. Notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the incident, at the contact email provided by the Controller.

  2. Provide the Controller with sufficient information to allow it to meet its obligations to notify supervisory authorities and affected Data Subjects under Articles 33 and 34 of the GDPR, including: the nature of the incident, categories and approximate number of Data Subjects affected, categories and approximate volume of records affected, likely consequences, and measures taken or proposed to address the incident.

  3. Cooperate with the Controller and take reasonable steps to contain, investigate, and remediate the incident.

Notification of a Security Incident by the Processor does not constitute an acknowledgement of fault or liability.

9. Audit rights

Upon the Controller's written request with at least 30 days' prior notice, the Processor shall provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA. The Controller may conduct an audit no more than once per calendar year, at its own expense, and must ensure any appointed auditor is subject to appropriate confidentiality obligations.

As an alternative to a direct audit, the Processor may provide the Controller with relevant third-party audit reports, certifications (e.g. ISO 27001, SOC 2), or completed security questionnaires, which the Controller shall accept as sufficient evidence of compliance in the absence of documented specific concerns.

10. Liability

Each Party's liability under this DPA is subject to the limitations set out in the Docufast Terms of Use. Where both Parties are responsible for damage caused by processing in breach of the GDPR, each Party shall be held liable for the damage attributable to it.

11. Term and termination

This DPA enters into force upon the Controller's acceptance of the Terms of Use and remains in effect for the duration of the Services. It terminates automatically upon termination of the Terms of Use.

Upon termination, the Processor shall, at the Controller's election, delete or return all Personal Data within 30 days, unless retention is required by applicable law.

12. Governing law

This DPA is governed by the laws of the Republic of Cyprus. Any disputes arising under this DPA shall be subject to the exclusive jurisdiction of the courts of Cyprus, without prejudice to the rights of Data Subjects to bring claims before supervisory authorities or courts in their jurisdiction of residence.

13. Contact

For all DPA-related enquiries, including requests to negotiate a custom DPA:

Docufast Technologies Ltd
11-13 Georgiou Karaiskaki Street, Carisa Salonica Court, Office/Flat 102
7560 Pervolia, Larnaca, Cyprus
privacy@docufast.ai

Execution

By accepting the Docufast Terms of Use, the Controller agrees to this DPA. For customers who require a signed copy, please contact privacy@docufast.ai.

Controller


Signature


Name


Title


Company


Date

Processor — Docufast Technologies Ltd


Signature


Name


Title


Date

Annex I — Description of Processing Activities

Required under Art. 28(3) GDPR

A. List of Parties

Controller: The customer entity as identified in the Docufast account registration or order form.

Processor: Docufast Technologies Ltd, 11-13 Georgiou Karaiskaki Street, Carisa Salonica Court, Office/Flat 102, 7560 Pervolia, Larnaca, Cyprus. Contact: privacy@docufast.ai

B. Description of the Processing

Subject matter: Processing of Personal Data in connection with the use of the Docufast Services.

Duration: For the term of the DPA as set out in Section 11.

Nature and purpose of the processing:

  • Hosting and storing screen recordings, screenshots, and workflow data captured by the Controller's users

  • Processing captured content using AI to generate step-by-step guides, narrated videos, and interactive walkthroughs

  • Providing the Controller and its authorised users access to created content via the web application

  • Enabling sharing and collaboration features within Workspaces

Categories of Personal Data:

  • Account data: name, email address, company name

  • Content data: screenshots, screen recordings, web page text, and other content captured during recording sessions — which may incidentally contain personal data of third parties

  • Usage data: IP address, browser type, device information, feature usage logs

Categories of Data Subjects:

  • The Controller's employees, contractors, or authorised users who use the Services

  • Third parties whose personal data may be incidentally captured in recordings (e.g. names, email addresses visible on-screen)

Special categories of data: Not intended. The Controller must not use the Services to process special categories of Personal Data under Art. 9 GDPR without prior written agreement with the Processor.

Competent supervisory authority: The Cyprus Commissioner for Personal Data Protection (dataprotection.gov.cy).

Annex II — List of Sub-processors

Current as of May 10, 2025. Updates communicated with 14 days' prior notice.

Sub-processor | Purpose | Location | Transfer mechanism
OpenAI, Inc. | AI-generated step descriptions and audio narration (GPT-4o mini, TTS) | USA | Standard Contractual Clauses
Google LLC (Gemini) | AI-generated step descriptions (Gemini 2.0 Flash) | USA | Standard Contractual Clauses
Stripe, Inc. | Payment processing and billing management | USA | Standard Contractual Clauses
Google LLC (Analytics) | Website traffic and usage analytics | USA | Standard Contractual Clauses
Mixpanel, Inc. | Product analytics and user behaviour tracking | USA | Standard Contractual Clauses
Cloudflare, Inc. | Content delivery, DNS, DDoS protection, and security | USA / Global | Standard Contractual Clauses

The Processor will update this list and notify the Controller of any changes at least 14 days in advance. The current version is always available at docufast.ai/subprocessors.

Annex III — Technical and Organisational Measures (TOMs)

Pursuant to Art. 32 GDPR

Encryption

  • All data in transit is encrypted using TLS 1.2 or higher

  • All data at rest is encrypted using AES-256

  • User passwords are hashed using bcrypt with a minimum work factor of 10
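The bcrypt work-factor commitment above is one of the few TOMs a Controller can verify mechanically during an audit, because the cost is embedded in every stored hash. The following is an added example for doing so; it is not Docufast's code, and the function names and the sample hashes (constructed placeholders, not real digests) are assumptions made here. It parses the modular-crypt format `$2b$<cost>$<22-char salt><31-char digest>`, flags any hash below the policy minimum, and rejects malformed strings rather than silently treating them as compliant.

```python
import re

# bcrypt hash layout: $2a|$2b|$2x|$2y, two-digit cost, then 53 chars of bcrypt base64
# (22 salt + 31 digest) drawn from the ./A-Za-z0-9 alphabet.
_BCRYPT_RE = re.compile(r"^\$2[abxy]\$(\d{2})\$[./A-Za-z0-9]{53}$")

POLICY_MIN_COST = 10  # the minimum work factor stated in Annex III


def bcrypt_cost(hash_str: str) -> int:
    """Return the cost (log2 rounds) embedded in a bcrypt hash.

    Raises ValueError for strings that are not well-formed bcrypt hashes or
    carry a cost outside bcrypt's valid 4..31 range, so a corrupt or
    non-bcrypt value can never be mistaken for a compliant one.
    """
    m = _BCRYPT_RE.match(hash_str)
    if not m:
        raise ValueError("not a well-formed bcrypt hash")
    cost = int(m.group(1))
    if not 4 <= cost <= 31:
        raise ValueError(f"bcrypt cost {cost} outside valid range 4..31")
    return cost


def needs_rehash(hash_str: str, min_cost: int = POLICY_MIN_COST) -> bool:
    """True if the hash is weaker than policy and should be re-hashed on next login."""
    return bcrypt_cost(hash_str) < min_cost


def audit_hashes(records: dict, min_cost: int = POLICY_MIN_COST) -> dict:
    """Audit a {user_id: hash} mapping.

    Returns {"below_policy": [...], "malformed": [...]} so the two failure
    modes (weak-but-valid versus unparseable) are reported separately.
    """
    below, malformed = [], []
    for user_id, h in records.items():
        try:
            if needs_rehash(h, min_cost):
                below.append(user_id)
        except ValueError:
            malformed.append(user_id)
    return {"below_policy": sorted(below), "malformed": sorted(malformed)}


# Constructed sample records (placeholder salt/digest characters, not real hashes).
SAMPLE_RECORDS = {
    "alice": "$2b$12$" + "A" * 22 + "B" * 31,   # cost 12: compliant
    "bob":   "$2b$10$" + "C" * 22 + "D" * 31,   # cost 10: exactly at policy
    "carol": "$2a$08$" + "E" * 22 + "F" * 31,   # cost 8: below policy
    "dave":  "5f4dcc3b5aa765d61d8327deb882cf99",  # unsalted MD5 left over from a migration
}

if __name__ == "__main__":
    print(audit_hashes(SAMPLE_RECORDS))
```

Run against a dump of the credential table, the `below_policy` list is the set of accounts whose next successful login should trigger a re-hash at the current cost, and a non-empty `malformed` list is itself an audit finding, since it means something other than bcrypt is present in the store.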

Access controls

  • Access to production systems is restricted to authorised personnel on a need-to-know basis

  • Multi-factor authentication (MFA) is enforced for all internal system access

  • Role-based access controls are implemented across all internal systems

  • Access rights are reviewed quarterly and revoked promptly upon role change or termination

Physical security

  • Infrastructure is hosted on cloud providers holding SOC 2 Type II and ISO 27001 certifications, with Cloudflare providing content delivery and edge security as listed in Annex II

  • No Personal Data is processed on physical on-premises servers owned by Docufast

Availability and resilience

  • Regular automated backups are performed with off-site storage

  • Systems are monitored 24/7 with automated alerting for anomalies

  • Disaster recovery and business continuity procedures are documented and tested periodically

Data minimisation

  • Only Personal Data necessary for the provision of the Services is collected and processed

  • Analytics data is pseudonymised where technically feasible

  • IP anonymisation is enabled for analytics tools where supported

Incident management

  • A documented Security Incident response procedure is in place

  • All suspected Security Incidents are logged, assessed, and escalated in accordance with the procedure

  • The Controller is notified without undue delay, and in any event within 48 hours of the Processor becoming aware of a Security Incident, as set out in Section 8 of this DPA

Vendor management

  • All Sub-processors are assessed for data protection compliance prior to engagement

  • Data processing agreements are in place with all Sub-processors as listed in Annex II

Staff training

  • All personnel with access to Personal Data receive data protection training upon onboarding

  • Confidentiality obligations are included in all employment and contractor agreements

© 2025 Docufast Technologies Ltd. All rights reserved.  ·  Version 1.0  ·  Effective May 10, 2025