1. Introduction
This DPA reflects the parties' agreement on the processing of Personal Data in connection with the Services and is incorporated into the Terms of Service. In the event of a conflict between this DPA and the Terms, this DPA controls with respect to data protection matters.
2. Definitions
Capitalized terms have the meanings given in the GDPR or CCPA, as applicable. "Personal Data," "Data Subject," "Controller," "Processor," "Sub-Processor," and "Processing" have the meanings in Article 4 GDPR. "Sell," "Share," "Service Provider," and "Business Purpose" have the meanings in the CCPA/CPRA.
3. Roles & scope
The parties acknowledge that, in respect of Customer Personal Data submitted to the Services, Customer is the Controller (or Processor acting on behalf of its own Controllers) and TempoDocs is the Processor. This DPA applies to the Personal Data described in Annex I.
4. Processing instructions
TempoDocs will process Customer Personal Data only on documented instructions from Customer, including with regard to transfers, unless required to do so by applicable law. Customer's instructions consist of (a) the Terms, this DPA, and any order form, and (b) Customer's use and configuration of the Services. TempoDocs will notify Customer if, in its opinion, an instruction infringes the GDPR or other data-protection law.
5. Personnel & confidentiality
TempoDocs ensures that personnel authorized to process Customer Personal Data are bound by written confidentiality obligations and receive annual data-protection and security training.
6. Security measures (Annex II)
TempoDocs implements and maintains the following technical and organizational measures, audited annually against the SOC 2 Type II Trust Services Criteria:
- Access control: SSO, MFA on all production systems, role-based access, quarterly access reviews, immediate revocation on termination.
- Encryption: AES-256 at rest; TLS 1.3 in transit; per-tenant key isolation; key rotation at least annually.
- Network security: WAF, DDoS protection, segmented VPCs, default-deny security groups, no public database ingress.
- Application security: SSDLC with peer code review, static analysis, dependency scanning, secrets scanning, annual third-party penetration testing.
- Logging & monitoring: Centralized immutable logs, anomaly detection, 24×7 on-call.
- Backups & resilience: Encrypted point-in-time backups retained 35 days; tested restore procedure; documented RTO ≤ 4h, RPO ≤ 1h for production data.
- Physical security: Inherited from SOC 2 / ISO 27001-certified cloud providers; no TempoDocs-operated data centers.
- Vendor management: Security review of all Sub-Processors prior to engagement and at least annually thereafter.
- Incident response: Documented IR plan, tabletop exercises, breach notification within 72 hours as required.
- Business continuity: Multi-AZ deployment, documented BCP/DR plan tested annually.
7. Subprocessors (Annex III)
Customer authorizes TempoDocs to engage the Sub-Processors listed below. TempoDocs imposes data-protection obligations on each Sub-Processor that are no less protective than those in this DPA and remains liable for their performance. TempoDocs will give at least 30 days' notice of new Sub-Processors via email to administrators and updates to this page; Customer may object on reasonable data-protection grounds within that period.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Amazon Web Services, Inc. | Cloud hosting, compute, storage | US (us-east-1, us-west-2); EU (eu-west-1) for EU residency |
| Supabase, Inc. | Managed Postgres, authentication, storage | US / EU |
| Cloudflare, Inc. | CDN, WAF, DDoS mitigation | Global edge |
| Google LLC (Vertex AI) | AI document extraction (no training on Customer Content) | US / EU |
| OpenAI, LLC | AI document extraction (zero-retention API; no training) | US |
| Stripe, Inc. | Payment processing | US |
| Resend, Inc. | Transactional email delivery | US / EU |
| Sentry (Functional Software, Inc.) | Error monitoring (PII-scrubbed) | US / EU |
| Datadog, Inc. | Infrastructure monitoring and logging | US / EU |
| Zendesk, Inc. | Customer support ticketing | US |
8. International transfers
For transfers of Personal Data from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties incorporate the EU Standard Contractual Clauses (Commission Decision 2021/914), Module Two (Controller-to-Processor) or Module Three (Processor-to-Processor) as applicable, with Clause 7 (docking), Option 2 in Clause 9(a) with a 30-day notice period, Clause 17 Option 1 governed by Irish law, and Clause 18 jurisdiction in the courts of Ireland. The UK IDTA or the UK Addendum to the SCCs applies for UK transfers.
9. Data subject rights
TempoDocs provides self-service tools (export, deletion, access logs) so Customer can fulfil Data Subject requests. Where TempoDocs receives a Data Subject request directly, it will redirect the Data Subject to Customer and, taking into account the nature of the processing, assist Customer in responding within the statutory deadline.
10. Personal data breach
TempoDocs will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach affecting Customer Personal Data, and provide the information required by Article 33(3) GDPR as it becomes available.
11. Audits & evidence
TempoDocs makes available to Customer its current SOC 2 Type II report, ISO 27001 certificate (where issued), penetration-test executive summary, and security whitepaper under NDA. On reasonable prior notice and not more than once per year, Customer may conduct or commission an audit limited to information necessary to confirm TempoDocs's compliance with this DPA, subject to confidentiality and during business hours so as not to disrupt the Services.
12. CCPA service-provider terms
With respect to Personal Information of California residents, TempoDocs acts as a Service Provider. TempoDocs shall not (a) Sell or Share Personal Information; (b) retain, use, or disclose Personal Information outside the direct business relationship with Customer or for any purpose other than the Business Purpose specified in the Terms; or (c) combine Personal Information received from Customer with Personal Information received from any other source, except as permitted by 11 CCR § 7050(b). TempoDocs certifies that it understands and will comply with these restrictions.
13. Return & deletion
On termination or expiration of the Services, TempoDocs will retain Customer Personal Data for 7 days to allow Customer to export it, then delete it from production systems. Encrypted backups containing Customer Personal Data are overwritten within 35 days through the normal backup-rotation lifecycle. TempoDocs will provide written confirmation of deletion on request.
Annex I — Processing details
Categories of Data Subjects: Customer's employees, contractors, customers, partners, and other individuals whose Personal Data is included in Customer Content.
Categories of Personal Data: name, business contact information, account identifiers, role, content of documents uploaded by Customer, comments, timestamps, and other Personal Data submitted at Customer's discretion.
Sensitive Data: Customer should not upload special-category data (Art. 9 GDPR) unless covered by a separate written agreement.
Frequency: continuous, for the duration of the subscription.
Nature & purpose: hosting, processing, and analyzing Customer Content to provide the Services described in the Terms.
Duration: for the term of the subscription plus the 7-day post-termination grace period defined in Section 13.
Questions about this document?
Reach our privacy and compliance team at privacy@tempodocs.com.
Contact us