Data Processing Agreement
Last updated: 2026-06-14
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Document Bundler ("Processor") and the customer ("Controller") and governs the processing of personal data in the documents you upload to the service.
1. Roles
For Customer Content uploaded to the service, the Controller is the data controller and Document Bundler is the data processor. Each party complies with its obligations under the UK GDPR and the Data Protection Act 2018.
2. Subject matter, duration, nature, purpose
- Subject matter: documents (PDF, Office, image, email) uploaded by the Controller for assembly into a single indexed bundle.
- Duration: for as long as the Controller's account is active, plus the wind-down period in section 9.
- Nature: storage, OCR, text extraction, page-count, metadata extraction, AI flag review (where enabled), merging into a PDF, and serving the result back to the Controller.
- Purpose: producing case-file bundles for the Controller's legal, investigative, or compliance work.
3. Categories of data and data subjects
The Controller decides what to upload. Documents may contain personal data of individuals connected to the Controller's matter, including names, addresses, contact details, identifiers, employment information, financial information and, depending on the matter, special-category data (e.g. health, criminal-offence data, biometric data). Data subjects include the Controller's clients, witnesses, opposing parties, third-party data subjects mentioned in the documents, and the Controller's own staff.
4. Processor's obligations
- Process Customer Content only on the Controller's documented instructions (these are set out in the Terms and the in-product configuration).
- Ensure personnel who access Customer Content are bound by confidentiality.
- Implement appropriate technical and organisational measures (see section 7).
- Assist the Controller, taking into account the nature of the processing, with data-subject-rights requests and with prior-consultation / DPIA obligations.
- Notify the Controller without undue delay (and in any event within 72 hours) of becoming aware of a personal-data breach affecting Customer Content.
- Make available the information necessary to demonstrate compliance with this DPA, and allow audits (see section 8).
5. Sub-processors
The Controller gives general authorisation for the following sub-processors:
- Hostinger International Ltd: hosting, and account and transactional email over SMTP
- Amazon Web Services EMEA SARL: object storage (EU region)
- Stripe Payments UK Ltd: payments (billing data only; not Customer Content)
- Google Ireland Ltd / Google LLC: OCR via Document AI (when that tier is enabled), and sign-in authentication if the Controller uses Google sign-in
- Dropbox International Unlimited Company: document import (only when the Controller chooses to import from Dropbox)
- Hangzhou DeepSeek Artificial Intelligence Co., Ltd. (China): AI review and chat (default provider, only when AI features are enabled)
- OpenAI Ireland Ltd: AI review and chat (only when the Controller enables it with its own API key)
- Anthropic PBC: AI review and chat (only when the Controller enables it with its own API key)
Links to each sub-processor's own privacy and data processing terms are listed in the Privacy Policy.
We will give at least 30 days' advance notice of any addition or replacement of a sub-processor that processes Customer Content; the Controller may object within that period.
6. International transfers
Where Customer Content is transferred outside the UK/EEA, the transfer is protected by the UK International Data Transfer Addendum to the EU SCCs or by an adequacy decision. The Controller agrees to those mechanisms. The one exception is the default AI provider, DeepSeek, which processes content in China (a country with no UK adequacy decision); content is sent there only on the basis of the Controller's explicit in-product consent (UK GDPR Article 49(1)(a)), and the Controller can avoid this transfer entirely by leaving AI features off or using its own OpenAI or Anthropic key.
7. Security measures
We maintain at least the following:
- Encryption in transit (TLS 1.2+) and at rest (AES-256 on object storage).
- Least-privilege access for personnel, with named-account audit trails.
- Hardened web origins (HSTS, strict CSP, signed sessions, CSRF protection).
- Daily backups of metadata, with documented recovery procedures.
- Vulnerability monitoring on dependencies and runtime; timely security updates.
- Webhook integrations validated by signed payloads.
8. Audit
On reasonable written request (no more than once in any 12-month period, subject to confidentiality), the Processor will respond to a written security questionnaire and provide summary information sufficient to demonstrate compliance. On-site audits will be considered where reasonably required by a regulator.
9. Return or deletion on termination
On termination of the Terms, the Controller may export its data via the in-product export. After 30 days, Customer Content is deleted from active storage; residual backups are overwritten on the normal backup-rotation schedule (currently 90 days). Financial records are retained as required by HMRC (see Privacy Policy).
10. Governing law
This DPA is governed by the laws of England and Wales; the courts of England and Wales have exclusive jurisdiction.