Between: Customer ("Controller")
And: DocuJSON, Inc., a Delaware corporation ("Processor" or "DocuJSON")
Effective Date: The Effective Date of the underlying Terms of Service or master agreement between the parties (the "Agreement").
1. Definitions
Terms not defined here have the meanings in the Agreement or in applicable Data Protection Laws.
- "Applicable Data Protection Laws" means (a) the EU General Data Protection Regulation (2016/679) ("GDPR"); (b) the UK GDPR and UK Data Protection Act 2018; (c) the Swiss Federal Act on Data Protection ("FADP"); (d) the California Consumer Privacy Act, as amended by the California Privacy Rights Act ("CCPA/CPRA"); (e) other US state privacy laws; and (f) any other data protection or privacy law applicable to the processing.
- "Customer Personal Data" means personal data that Controller submits to the Services, or that is generated by the Services on Controller's behalf.
- "Data Subject" means the identified or identifiable natural person to whom Customer Personal Data relates.
- "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.
- "Sub-processor" means a third party engaged by DocuJSON to process Customer Personal Data.
2. Scope and Roles
2.1 Subject matter. DocuJSON processes Customer Personal Data to provide the Services under the Agreement.
2.2 Roles. For Customer Personal Data submitted by Controller through the Services:
- Controller is the "controller" (or analogous concept under applicable law).
- DocuJSON is the "processor" (or "service provider" under CCPA/CPRA).
2.3 Duration. The term of this DPA is coterminous with the Agreement, plus any post-termination processing for deletion, export, or legal retention.
2.4 Nature and purpose of processing. See Annex I.
2.5 Categories of Data Subjects. See Annex I.
2.6 Types of Customer Personal Data. See Annex I.
3. Processing Instructions
3.1 DocuJSON processes Customer Personal Data only: (a) to provide, maintain, secure, and improve the Services per the Agreement; (b) on Controller's documented instructions, including this DPA; (c) as required by applicable law, in which case DocuJSON will notify Controller unless prohibited by law.
3.2 DocuJSON will not: (a) "sell" or "share" Customer Personal Data as defined by the CCPA/CPRA; (b) process Customer Personal Data outside the direct business relationship between the parties; (c) combine Customer Personal Data with personal data received from other sources, except as permitted by law (e.g., service provider exceptions).
3.3 If DocuJSON cannot comply with Controller's instructions, DocuJSON will notify Controller and may suspend the relevant processing.
4. Confidentiality
DocuJSON personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate training.
5. Security
DocuJSON will implement and maintain appropriate technical and organizational measures to protect Customer Personal Data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. The current security measures are described in Annex II.
6. Personal Data Breach Notification
6.1 DocuJSON will notify Controller without undue delay — and, where feasible, within 72 hours — after becoming aware of a Personal Data Breach affecting Customer Personal Data.
6.2 The notification will include: (a) a description of the nature of the breach, categories of data, and approximate number of Data Subjects affected; (b) the likely consequences; (c) measures taken or proposed to address and mitigate the breach; (d) a point of contact for further information.
6.3 DocuJSON will cooperate with Controller's reasonable investigation and notification efforts.
7. Sub-processors
7.1 General authorization. Controller authorizes DocuJSON to engage sub-processors to process Customer Personal Data. The current sub-processor list is published at https://docujson.com/sub-processors.
7.2 Notice of changes. DocuJSON will notify Controller by email (or via the sub-processor page) at least 30 days before adding or replacing a sub-processor. Controller may object in writing within the 30-day window if the new sub-processor poses a material data protection risk. DocuJSON will work in good faith to address the objection; if it cannot, Controller may terminate the affected Services without penalty.
7.3 Sub-processor obligations. DocuJSON will impose data protection terms on each sub-processor no less protective than those in this DPA, and DocuJSON remains fully liable to Controller for sub-processors' performance.
8. Data Subject Rights
8.1 DocuJSON will — taking into account the nature of the processing — provide reasonable assistance to enable Controller to respond to Data Subject requests for access, correction, deletion, portability, restriction, objection, and similar rights under Applicable Data Protection Laws.
8.2 If DocuJSON receives a Data Subject request directly, it will promptly forward the request to Controller without responding (unless legally required).
9. Data Protection Impact Assessments and Prior Consultations
DocuJSON will provide reasonable assistance to Controller in performing Data Protection Impact Assessments (Art. 35 GDPR) or prior consultations with supervisory authorities (Art. 36 GDPR), taking into account the nature of processing and information available.
10. International Data Transfers
10.1 DocuJSON is based in the United States and primarily processes Customer Personal Data in the US. Sub-processors may process in other jurisdictions as disclosed on the sub-processor list.
10.2 For transfers of Customer Personal Data from the EEA, UK, or Switzerland to countries without an adequacy decision, the parties incorporate by reference the EU Standard Contractual Clauses (Module 2: Controller-to-Processor, and Module 3: Processor-to-Sub-processor, as applicable) under Commission Implementing Decision (EU) 2021/914. The UK Addendum issued by the UK Information Commissioner's Office applies to UK transfers. The Swiss FDPIC guidance applies to Swiss transfers.
10.3 The SCCs are subject to the following selections:
- Clause 7 (Docking Clause): Not used (no additional party).
- Clause 9(a) (Sub-processor authorization): Option 2, general written authorization (see Section 7).
- Clause 11 (Redress): Option not used (no independent dispute resolution body).
- Clause 17 (Governing law): Ireland (for EU); England and Wales (for UK).
- Clause 18 (Choice of forum): Ireland (for EU); England and Wales (for UK).
- Annex I.A, I.B, I.C, II, III: See Annexes to this DPA, which are deemed the Annexes to the SCCs.
10.4 In the event of a conflict between the SCCs and this DPA, the SCCs prevail.
11. Audits
11.1 DocuJSON provides Controller with documentation reasonably needed to demonstrate compliance with this DPA, including: (a) published security documentation (e.g., Security page, trust center); (b) when available, SOC 2 and similar attestation reports (under NDA); (c) answers to reasonable security questionnaires.
11.2 Controller may request an on-site audit by giving at least 60 days' written notice, no more than once per 12 months (unless required by law or following a Personal Data Breach), at Controller's expense, subject to confidentiality and reasonable scheduling. For Sub-processor audits, DocuJSON will use reasonable efforts to assist.
12. Deletion and Return
12.1 Upon termination of the Agreement, DocuJSON will, at Controller's option: (a) delete Customer Personal Data from active systems within 30 days; or (b) return Customer Personal Data via export before deletion.
12.2 Backups containing Customer Personal Data are purged within 30 days of the primary deletion. Legally required retention (e.g., tax and audit records) may be retained longer, subject to ongoing protection obligations.
13. CCPA/CPRA Specific Provisions
13.1 DocuJSON is a "service provider" under the CCPA/CPRA and processes personal information only for the business purposes specified in the Agreement.
13.2 DocuJSON will not: (a) sell or share personal information as defined by the CCPA/CPRA; (b) retain, use, or disclose personal information outside the direct business relationship or for any purpose other than the business purposes specified in the Agreement; (c) combine personal information received from Controller with personal information from other sources, except as permitted under CCPA/CPRA service provider exceptions.
13.3 DocuJSON will notify Controller if it can no longer meet its obligations as a service provider. Controller has the right, upon such notice, to take reasonable and appropriate steps to stop and remediate unauthorized use of personal information.
14. General
14.1 Hierarchy. If any provision of this DPA conflicts with the Agreement, this DPA controls for matters of data protection.
14.2 Limitation of liability. Each party's liability under this DPA is subject to the limitation of liability provisions in the Agreement.
14.3 Amendment. DocuJSON may update this DPA to reflect changes in law or sub-processor practices. Material changes will be notified 30 days in advance.
14.4 Severability. If any provision is held unenforceable, the remaining provisions remain in effect.
Signature
Acceptance of the Agreement and continued use of the Services constitutes acceptance of this DPA. For customers requiring a signed DPA, email legal@docujson.com to request a counter-signed copy on company letterhead.
Annex I — Description of Processing
A. List of Parties
Controller (Data Exporter):
- Name: [Customer legal name]
- Address: [Customer address]
- Contact: [Customer privacy contact]
- Activities: Business use of the Services as described in the Agreement.
- Role: Controller.
Processor (Data Importer):
- Name: DocuJSON, Inc.
- Address: Current notice address available upon request at legal@docujson.com
- Contact: privacy@docujson.com
- Activities: Providing SaaS PDF generation services.
- Role: Processor.
B. Description of Transfer
- Categories of Data Subjects: Customer's end-users, employees, contractors, and any individuals whose personal data Customer submits through the Services.
- Categories of Personal Data:
  - Identifiers: names, email addresses, identifiers included in JSON payloads.
  - Commercial/transactional: order details, invoice line items, pricing, billing data.
  - Other personal data: any additional fields Customer chooses to include.
  - Sensitive data: None expected. Customer must not submit PHI, payment card data, government IDs, biometric data, or Social Security numbers.
- Frequency of transfer: Continuous (on each API request).
- Nature of processing: Collection, storage (transient), rendering, transmission to Customer.
- Purpose: Providing the Services.
- Retention: See Privacy Policy, Section 6.
C. Competent Supervisory Authority
For EEA transfers: The supervisory authority of the Controller's main establishment, or the Irish Data Protection Commission by default. For UK transfers: The UK Information Commissioner's Office (ICO). For Swiss transfers: The Federal Data Protection and Information Commissioner (FDPIC).
Annex II — Technical and Organizational Security Measures
DocuJSON implements the following measures (subject to continuous improvement):
1. Access Control
- Unique credentials per user.
- Multi-factor authentication for DocuJSON employees with production access.
- Role-based access control (RBAC).
- Principle of least privilege.
- Quarterly access reviews.
2. Network Security
- TLS 1.2+ for all data in transit.
- HTTPS-only (HSTS enforced).
- Network segmentation between tiers.
- Web application firewall at the edge.
- DDoS protection via infrastructure provider.
3. Data Protection
- AES-256 at rest (provider-managed).
- Encrypted backups.
- Database-level encryption (Supabase-managed).
- PDF blob storage encrypted at rest.
- No storage of raw payment card data (Stripe-handled).
4. Application Security
- Input validation and output encoding.
- HTML sanitization (DOMPurify) for rendered content.
- Content Security Policy enforcement.
- Automated dependency vulnerability scanning.
- Code review before production deployment.
- API keys stored as SHA-256 hashes; raw keys shown once to user.
5. Operational Security
- Production-only deploy gates (no direct-to-prod commits).
- Centralized logging (being rolled out as part of SOC 2 readiness).
- Incident response plan documented.
- Regular backup and disaster recovery testing.
- Physical security managed by infrastructure providers (AWS, Vercel, Supabase).
6. Personnel
- Background checks before production access is granted.
- Written confidentiality obligations.
- Security training on hire and annually.
- Offboarding process includes credential revocation within 24 hours.
7. Vendor Management
- Sub-processor agreements enforce data protection.
- Annual sub-processor review.
- Sub-processor list publicly maintained and versioned.
8. Continuity
- Daily backups, multi-region replication.
- Documented disaster recovery procedures.
- Recovery time objective (RTO): 24 hours for core services.
- Recovery point objective (RPO): 24 hours maximum data loss tolerance.
9. Compliance
- SOC 2 Type I readiness in progress.
- SOC 2 Type II planned.
- HIPAA compliance on roadmap (not currently available).
- Annual security review of all measures above.
Annex III — List of Sub-processors
See https://docujson.com/sub-processors for the current list, which is incorporated into this DPA by reference.