Data Processing Agreement (DPA)

Last Updated: November 8, 2024

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Controller" or "Customer") and NovaVantix operating ProcessMyDocs ("Processor" or "ProcessMyDocs"). This DPA applies to the processing of personal data submitted through the ProcessMyDocs platform.

This DPA is designed to comply with the EU General Data Protection Regulation (GDPR), the California Consumer Privacy Act (CCPA), and other applicable data protection laws. It sets forth the rights and obligations of both parties with respect to the processing of personal data.

2. Definitions

For the purposes of this DPA:

  • "Personal Data" means any information relating to an identified or identifiable natural person contained in documents you upload to ProcessMyDocs
  • "Processing" means any operation performed on Personal Data, including collection, storage, analysis, extraction, and deletion
  • "Controller" means you, the customer who determines the purposes and means of processing Personal Data
  • "Processor" means ProcessMyDocs, which processes Personal Data on behalf of the Controller
  • "Sub-processor" means any third party engaged by ProcessMyDocs to process Personal Data
  • "Data Subject" means the individual to whom Personal Data relates
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR and CCPA

3. Roles and Responsibilities

3.1 Controller Responsibilities

As the Controller, you:

  • Determine the purposes and means of processing Personal Data
  • Ensure you have a lawful basis for processing Personal Data under applicable Data Protection Laws
  • Obtain necessary consents from Data Subjects where required
  • Ensure you have the right to upload and process the Personal Data you submit
  • Provide any required privacy notices to Data Subjects
  • Respond to Data Subject requests regarding their data

3.2 Processor Responsibilities

As the Processor, ProcessMyDocs:

  • Processes Personal Data only in accordance with your documented instructions
  • Implements appropriate technical and organizational measures to protect Personal Data
  • Ensures personnel authorized to process Personal Data are bound by confidentiality obligations
  • Assists you in responding to Data Subject requests
  • Assists you in ensuring compliance with security obligations
  • Deletes or returns Personal Data upon termination of services, as instructed

4. Nature and Purpose of Processing

4.1 Subject Matter

ProcessMyDocs processes Personal Data contained in documents you upload for the purpose of providing AI-powered document processing services, including:

  • Storing documents securely in cloud storage
  • Extracting structured data and entities from documents
  • Performing OCR on scanned documents
  • Validating and analyzing extracted data
  • Providing AI chat capabilities for document querying
  • Generating analytics and insights

4.2 Duration of Processing

Processing continues for the duration of your subscription and for the 30-day retention period that follows expiration or termination (see Section 10.1), unless you request earlier deletion. Encrypted backups may persist for up to 90 days beyond that, as described in Section 10.1.

4.3 Types of Personal Data

The types of Personal Data processed depend on the documents you upload and may include:

  • Names and contact information (email, phone, address)
  • Identification numbers (customer IDs, invoice numbers, employee IDs)
  • Financial information (payment amounts, account numbers, transaction details)
  • Employment information (job titles, departments, compensation)
  • Business information (company names, vendor details, contract terms)
  • Any other Personal Data contained in your documents

4.4 Categories of Data Subjects

Data Subjects may include:

  • Your customers and clients
  • Your employees and contractors
  • Vendors and business partners
  • Any other individuals whose Personal Data appears in your documents

5. Sub-processors

ProcessMyDocs engages the following Sub-processors to provide the Service:

Supabase Inc.

Purpose: Database and file storage infrastructure

Location: United States (with global data centers)

Website: supabase.com

OpenRouter

Purpose: AI/ML model access for entity extraction, validation, and chat

Location: United States

Website: openrouter.ai

Payoneer Inc.

Purpose: Payment processing (processes only billing information, not document content)

Location: United States / International

Website: payoneer.com

5.1 Sub-processor Authorization

By accepting this DPA, you provide general authorization for ProcessMyDocs to engage the Sub-processors listed above. We ensure that Sub-processors are bound by data protection obligations equivalent to those in this DPA.

5.2 Changes to Sub-processors

We will notify you of any intended changes to Sub-processors (addition or replacement) by:

  • Updating this DPA page with the new Sub-processor information
  • Sending an email notification to your registered email address
  • Providing at least 30 days' notice before the change takes effect

If you object to a new Sub-processor, you may terminate your subscription without penalty during the notice period.

6. Security Measures

ProcessMyDocs implements the following technical and organizational security measures:

6.1 Technical Measures

  • Encryption at Rest: All documents and extracted data are encrypted at rest in the Supabase infrastructure that stores them
  • Encryption in Transit: All data transfers use TLS 1.2 or later
  • Access Controls: Database row-level security (RLS) policies restrict each account to the rows it owns, so a query issued from one account cannot return another account's documents or extracted data
  • Password Security: User passwords are stored as bcrypt hashes (bcrypt generates a per-password salt and applies a configurable work factor)
  • Session Security: Session cookies are set with the HttpOnly and Secure flags, and state-changing requests are protected against CSRF
  • Signed URLs: Documents are served through time-limited, cryptographically signed URLs that expire after a fixed validity window and cannot be altered without invalidating the signature
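The following is an added illustration of the time-limited signed URL mechanism described above, not ProcessMyDocs' own code: it issues a URL whose path, owner and expiry are bound by an HMAC-SHA256 signature, and rejects links that have expired, been altered, or are presented by a different user. The signing key, the query parameter names (user, expires, sig) and the document paths are assumptions chosen for the example.

```python
"""Time-limited, HMAC-signed document URLs: issue, verify, and reject
expired or tampered links.

Illustrative added example, not ProcessMyDocs' implementation. The key,
parameter names and paths below are assumptions for demonstration only.
"""
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumed: a server-side secret that never leaves the backend (sample value).
SIGNING_KEY = b"example-signing-key-rotate-me"


def _canonical(path: str, user_id: str, expires: int) -> bytes:
    # Everything the signature must bind: object path, owner and expiry.
    # Binding the owner means a link for one user's document cannot be
    # re-pointed at another user's row without breaking the signature.
    return f"{path}\n{user_id}\n{expires}".encode()


def sign_url(path: str, user_id: str, ttl_seconds: int, *,
             key: bytes = SIGNING_KEY, now: Optional[float] = None) -> str:
    """Return '<path>?user=...&expires=...&sig=...' valid for ttl_seconds."""
    if ttl_seconds <= 0:
        raise ValueError("ttl_seconds must be positive")
    expires = int((time.time() if now is None else now) + ttl_seconds)
    sig = hmac.new(key, _canonical(path, user_id, expires), hashlib.sha256).hexdigest()
    query = urlencode({"user": user_id, "expires": expires, "sig": sig})
    return f"{path}?{query}"


def verify_url(url: str, requesting_user: str, *,
               key: bytes = SIGNING_KEY, now: Optional[float] = None) -> Tuple[bool, str]:
    """Validate signature, then expiry, then that the link belongs to the caller.

    Returns (ok, reason) so the caller can log why a link was rejected.
    """
    parts = urlsplit(url)
    q = parse_qs(parts.query)
    try:
        user_id = q["user"][0]
        expires = int(q["expires"][0])
        sig = q["sig"][0]
    except (KeyError, ValueError):
        return False, "malformed"
    expected = hmac.new(key, _canonical(parts.path, user_id, expires), hashlib.sha256).hexdigest()
    # Constant-time comparison so the signature cannot be recovered byte-by-byte
    # through response-timing differences.
    if not hmac.compare_digest(expected, sig):
        return False, "bad-signature"
    current = time.time() if now is None else now
    if current > expires:
        return False, "expired"
    if user_id != requesting_user:
        return False, "wrong-user"
    return True, "ok"


if __name__ == "__main__":
    link = sign_url("/docs/invoice-42.pdf", "user-7", ttl_seconds=300)
    print(link)
    print(verify_url(link, "user-7"))   # (True, 'ok') within 5 minutes
    print(verify_url(link, "user-8"))   # (False, 'wrong-user')
```

The signature is checked before the expiry so that an attacker who forges the expires field gains nothing; the expiry comparison and the owner check only run on links that were genuinely issued by the server. In production the signing key would be loaded from a secrets store and rotated, and the short TTL limits the damage if a link leaks through browser history or a referrer header.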

6.2 Organizational Measures

  • Access Authorization: Only authorized personnel can access production systems
  • Confidentiality: All personnel are bound by confidentiality agreements
  • Incident Response: Documented procedures for security incidents and data breaches
  • Regular Updates: Security patches and updates applied regularly
  • Logging: Security-relevant events are logged for auditing

6.3 Security Testing

We conduct regular security assessments of the platform and additionally rely on the independent attestations held by our Sub-processors (Supabase holds a SOC 2 Type II attestation). Sub-processor reports cover the infrastructure layer they operate; they do not attest to the ProcessMyDocs application itself.

7. Data Subject Rights

ProcessMyDocs will assist you in fulfilling Data Subject rights requests under GDPR and CCPA:

7.1 Right of Access

We provide you with tools to access and export all your documents and extracted data. Data Subjects can request access from you (the Controller), and you can use our export features to fulfill these requests.

7.2 Right to Rectification

You can edit extracted entities and correct inaccuracies directly within the platform at any time.

7.3 Right to Erasure ("Right to be Forgotten")

You can delete individual documents or request complete account deletion. Upon deletion:

  • Documents are immediately removed from active storage
  • Extracted data associated with deleted documents is removed
  • Backups are retained for up to 90 days for disaster recovery, then permanently deleted

7.4 Right to Data Portability

You can export your data in machine-readable formats (Excel, CSV, JSON) at any time using our export features.

7.5 Right to Object and Restrict Processing

As the Controller, you can instruct us to stop processing specific documents by deleting them or by terminating your account.

7.6 Assistance with Requests

If you receive a Data Subject rights request that you need our assistance to fulfill, please contact us. We will provide reasonable assistance within 10 business days.

8. Data Breach Notification

8.1 Notification Obligation

In the event of a Personal Data breach that affects your data, ProcessMyDocs will:

  • Notify you without undue delay and, where feasible, within 72 hours of becoming aware of the breach
  • Provide a description of the nature of the breach, including the categories and approximate number of Data Subjects affected
  • Describe the likely consequences of the breach
  • Describe the measures taken or proposed to address the breach and mitigate its effects

8.2 Breach Response

Upon discovering a breach, we will:

  • Immediately investigate the incident and contain the breach
  • Document all facts and effects of the breach
  • Take reasonable measures to remediate the cause
  • Cooperate with you and regulatory authorities as required

8.3 Your Obligations

As the Controller, you are responsible for assessing whether the breach requires notification to Data Subjects or data protection authorities under applicable Data Protection Laws. Note that under GDPR Article 33 a Controller must, where feasible, notify the competent supervisory authority within 72 hours of becoming aware of a notifiable breach; our notification to you is intended to give you the information needed to make that assessment.

9. International Data Transfers

ProcessMyDocs and our Sub-processors may process Personal Data in countries outside the European Economic Area (EEA) or your jurisdiction. For EEA data subjects, we ensure adequate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses (2021) for transfers to countries without an adequacy decision
  • Sub-processor Compliance: Our Sub-processors (Supabase, OpenRouter) implement appropriate safeguards for international transfers
  • Encryption: All data is encrypted in transit and at rest, which protects it against interception during transfer. Sub-processors that must read the data to perform their function (for example, the AI models accessed through OpenRouter) necessarily receive it in decrypted form, so encryption complements the SCCs rather than replacing them

Upon request, we can provide details of the specific safeguards applied to your data transfers.

10. Data Deletion and Return

10.1 Upon Termination

Upon termination or expiration of your subscription:

  • 30-Day Retention: Your data remains accessible for 30 days in case you wish to renew
  • Deletion After 30 Days: After 30 days, all Personal Data is permanently deleted from active systems
  • Backup Retention: Encrypted backups may be retained for up to 90 days for disaster recovery, then permanently deleted

10.2 Early Deletion Request

You may request immediate deletion of all your data at any time by contacting our support team with a deletion request. We will confirm your identity and process the deletion within 5 business days, and you will receive confirmation once deletion is complete.

10.3 Data Return

Before deletion, you may export your data using our export features (Excel, CSV, JSON). We do not provide separate data return services beyond the built-in export functionality available while your account is active.

11. Audits and Compliance

11.1 Audit Rights

You have the right to audit our compliance with this DPA. Audits must be:

  • Conducted at your expense
  • Scheduled with reasonable advance notice (at least 30 days)
  • Limited in scope to ProcessMyDocs' compliance with data protection obligations
  • Conducted in a manner that does not disrupt our operations or compromise other customers' data
  • Subject to confidentiality obligations

11.2 Information and Documentation

We will make available to you information necessary to demonstrate compliance with this DPA, including:

  • This DPA and our Privacy Policy
  • Information about our security measures
  • Details of Sub-processors and their locations
  • Certifications from Sub-processors (e.g., Supabase SOC 2 reports)

11.3 Limitations

Audit rights are limited to once per year unless a suspected breach or regulatory requirement necessitates additional audits. We reserve the right to charge reasonable fees for extensive audit requests.

12. Liability and Indemnification

12.1 Liability Limitations

The total liability of each party under this DPA is subject to the limitation of liability provisions in our Terms of Service. Neither party limits its liability for:

  • Gross negligence or willful misconduct
  • Fraud or fraudulent misrepresentation
  • Breaches of confidentiality obligations
  • Liabilities that cannot be limited under applicable law

12.2 Data Protection Compliance

Each party is responsible for compliance with its respective obligations under Data Protection Laws. You are responsible for ensuring you have a lawful basis for processing and that you comply with Controller obligations. We are responsible for complying with Processor obligations under this DPA.

13. Term and Termination

This DPA remains in effect for as long as we process Personal Data on your behalf. It will automatically terminate upon:

  • Termination or expiration of your ProcessMyDocs subscription
  • Completion of all deletion obligations, including the backup retention period described in Section 10.1 (up to 90 days)

Sections relating to confidentiality, liability, and audit rights survive termination as necessary to fulfill their purposes.

14. Governing Law and Disputes

This DPA is governed by the same law as our Terms of Service. Any disputes arising from this DPA will be resolved in accordance with the dispute resolution provisions in our Terms of Service.

For disputes specifically related to data protection compliance, you may also have the right to lodge a complaint with your local data protection authority.

15. Updates to This DPA

We may update this DPA to reflect changes in Data Protection Laws, our practices, or Sub-processors. Material changes will be communicated through:

  • Updating this page with a new "Last Updated" date
  • Email notification to your registered email address
  • At least 30 days' notice for material changes

Your continued use of ProcessMyDocs after changes take effect constitutes acceptance of the updated DPA.

16. Contact Information

For questions about this Data Processing Agreement, data protection inquiries, or to exercise your rights, please contact us:

NovaVantix - ProcessMyDocs

Website: novavantix.com

Platform: processmydocs.com

For data protection inquiries, please include "DPA Inquiry" or "Data Protection Request" in your subject line.

By using ProcessMyDocs, you acknowledge that you have read, understood, and agree to the terms of this Data Processing Agreement.