Data Processing Agreement

Docuplete, Inc.  ·  Version 1.0  ·  Effective May 26, 2026

1. Definitions

"Controller" means the organisation subscribing to Docuplete that determines the purposes and means of processing Personal Data through the platform (e.g., the registered investment adviser, law firm, insurance agency, or other professional services firm).

"Processor" means Docuplete, Inc., which processes Personal Data on behalf of the Controller pursuant to this DPA.

"Personal Data" means any information relating to an identified or identifiable natural person that is submitted by or on behalf of the Controller's clients through the Docuplete platform, including but not limited to: names, Social Security numbers, dates of birth, financial account numbers, email addresses, IP addresses, and document field values.

"Processing" means any operation performed on Personal Data, including collection, recording, storage, use, disclosure, transmission, and deletion.

"Sub-processor" means any third party engaged by the Processor to assist in processing Personal Data.

"Data Subject" means the natural person to whom the Personal Data relates — typically the Controller's client who completes a Docuplete interview session.

2. Subject Matter and Duration

This DPA governs the processing of Personal Data by Docuplete on behalf of the Controller in connection with the provision of the Docuplete document automation platform. Processing commences on the effective date of the Controller's subscription and continues until the subscription is terminated and all Personal Data has been deleted or returned in accordance with Section 10.

3. Nature, Purpose, and Scope of Processing

Item	Description
Nature	Collection, storage, use, transmission, and deletion of Personal Data to enable document automation, interview facilitation, PDF generation, e-signature collection, and delivery to integrations configured by the Controller
Purpose	To provide the Docuplete document automation service as configured and directed by the Controller, including generating completed PDF documents, collecting electronic signatures, and routing completed documents to the Controller's configured integrations (Google Drive, HubSpot, Dropbox, OneDrive, webhooks, email)
Duration	For the term of the Controller's subscription plus any retention period specified herein or agreed separately

4. Categories of Personal Data

Personal Data processed under this DPA may include:

• Identification data: full legal name, date of birth, Social Security number or Tax ID
• Contact data: email address, phone number, mailing address
• Financial data: account numbers, custodian details, transfer amounts, investment objectives
• Document field values as configured by the Controller in their document packages
• Technical data: IP addresses, device type, browser, operating system, session timestamps
• Signature data: electronic signature image, OTP verification record, signing certificate

5. Categories of Data Subjects

Data Subjects are the natural persons whose Personal Data is submitted through Controller-initiated Docuplete document sessions — typically the Controller's clients, prospective clients, or counterparties who complete a guided interview or signing session.

6. Controller Obligations

The Controller represents and warrants that:

1. It has a lawful basis for processing the Personal Data of each Data Subject under applicable privacy law (including, as applicable, informed consent, contractual necessity, or legitimate interest);
2. It has provided Data Subjects with an appropriate privacy notice disclosing the use of Docuplete as a document processing service;
3. Its instructions to Docuplete for processing Personal Data comply with applicable law;
4. It is solely responsible for the accuracy and completeness of the document templates, interview questions, and field mappings it configures within the platform; and
5. It will not instruct Docuplete to process Special Categories of Personal Data (as defined under applicable law) unless expressly agreed in writing.

7. Processor Obligations

Docuplete agrees to:

1. Process Personal Data only on documented instructions from the Controller and only for the purposes described in Section 3;
2. Ensure that persons authorised to process Personal Data are bound by appropriate confidentiality obligations;
3. Implement and maintain the technical and organisational security measures described in Section 8;
4. Assist the Controller in responding to Data Subject rights requests (access, correction, deletion, portability) to the extent Docuplete has access to the relevant data and such assistance is technically feasible;
5. Notify the Controller without undue delay — and in no event later than 72 hours after becoming aware — of any confirmed or reasonably suspected breach of Personal Data security affecting Controller data;
6. Provide reasonable assistance to the Controller for data protection impact assessments where required by applicable law; and
7. Not sell, rent, or commercially exploit Personal Data for Docuplete's own purposes.

8. Technical and Organisational Security Measures

Measure	Implementation
Encryption at rest	AES-256-GCM authenticated encryption for client interview answer data
Encryption in transit	TLS 1.2 or higher for all data transmission
Access control	Multi-tenant isolation enforced at database level; all queries scoped to organisation ID; role-based access within organisations
Authentication	Clerk-managed authentication with MFA support for organisation users; OTP verification for document signatories
Audit logging	Immutable audit trail for all document session events; access logs retained for 90 days
Vulnerability management	Dependency auditing; security patch deployment within 30 days of critical CVE publication
Incident response	Written incident response plan; breach notification procedure as described in Section 7(e)
Sub-processor security	Contractual security requirements imposed on all Sub-processors (see Section 9)

9. Sub-processors

The Controller authorises Docuplete to engage the following Sub-processors for the purposes described:

Sub-processor	Purpose	Location
Railway (Railway Corp.)	API server hosting and execution environment	United States
Vercel, Inc.	Frontend hosting and static asset delivery	United States
Cloudflare, Inc. (R2)	Document and asset object storage	United States
Resend, Inc.	Transactional email delivery (OTP codes, submission notifications)	United States
Stripe, Inc.	Payment processing (billing data only — not document or client personal data)	United States
Neon / PostgreSQL host	Database hosting for session, submission, and audit trail data	United States

Docuplete will notify the Controller of any intended addition or replacement of Sub-processors no less than 30 days in advance. The Controller may object to a new Sub-processor in writing within 14 days. If no resolution is reached, either party may terminate the subscription without penalty.

10. Data Deletion and Return

Upon termination of the Controller's subscription:

• The Controller may export all submission records, audit trails, and completed documents via the dashboard or API prior to account closure;
• Docuplete will delete all Personal Data from active systems within 90 days of account closure;
• Backups containing Personal Data will be purged within 180 days of account closure;
• Docuplete may retain anonymised, aggregated data that cannot be linked to any individual for its own product analytics purposes; and
• Docuplete may retain records required to be kept for compliance with applicable law (e.g., financial record-keeping requirements).

11. International Data Transfers

Personal Data processed under this DPA is stored and processed in the United States. If the Controller is subject to data transfer restrictions under non-U.S. law (including GDPR for EU/EEA data subjects), the parties agree to execute the applicable Standard Contractual Clauses (SCCs) or other approved transfer mechanism upon request.

12. Audit Rights

The Controller may, no more than once per calendar year and on at least 30 days written notice, request an audit of Docuplete's data processing practices relevant to this DPA. Docuplete may satisfy this obligation by providing its then-current SOC 2 report (when available) or by responding to a written security questionnaire. Physical audits of Docuplete facilities or systems require mutual agreement and are subject to confidentiality restrictions.

13. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the applicable Docuplete Terms of Service. Nothing in this DPA is intended to confer greater liability on either party than that agreed in the Terms of Service.

14. Governing Law

This DPA is governed by the laws of the State of Delaware, United States, without regard to conflict of law principles. For Controllers subject to GDPR, the parties agree that EU data protection law governs the parties' obligations with respect to EU/EEA personal data.

15. Order of Precedence

In the event of a conflict between this DPA and the Docuplete Terms of Service, this DPA governs with respect to the processing of Personal Data. In the event of a conflict between this DPA and any applicable Standard Contractual Clauses, the SCCs govern.

16. Execution

This DPA is effective upon the Controller's acceptance of the Docuplete Terms of Service. A countersigned copy of this DPA may be requested by emailing legal@docuplete.com. Docuplete will return a signed copy within 5 business days.

Docuplete, Inc. · Questions: legal@docuplete.com · This is a template document. Consult legal counsel before execution.