Data Processing Agreement
Last updated: 25 January 2024
About us:
Docue Technologies UK Ltd
78 York Street, London, W1H 1DP
Company number: 13949138
ICO number: ZB345032
This Data Processing Agreement ("DPA") governs the processing of personal data by Docue Technologies UK Ltd (“Docue”, “our”, “us” or “we”) as a processor on behalf of Customers.
1. Definitions
Unless otherwise stated, the definitions in the Terms of Use shall apply in this DPA. In addition, the following definitions apply in this DPA:
“controller”, “processor”, “data subject”, “personal data”, “personal data breach”, “process”, “processing”, “appropriate technical and organisational measures” and “supervisory authority” shall have the meanings given to them in the Data Protection Laws.
Customer Personal Data: the personal data processed by Docue on the Customer’s behalf as set out in the section titled “Processing Details” below.
Data Protection Laws: means all applicable data protection and privacy legislation in force in the United Kingdom, including but not limited to:
(i) the UK GDPR as defined in section 3(10) of the Data Protection Act 2018, and supplemented by section 205(4) (“UK GDPR”); and
(ii) the Data Protection Act 2018,
in each case as amended, updated or replaced from time to time.
2. Processing Details
Scope, nature and purpose of the processing
We will process personal data on behalf of the Customer when a User customises the Document Templates to include personal data, uses the e-signature feature of the Service, or uses the document storage feature of the Service to store any document(s) which contains personal data.
Categories of data subject
Staff and representatives of the Customer, and staff and representatives of third parties that the Customer enters into agreements with (or prepares draft agreements in relation to), or whose details are included in any other final or draft documentation of the Customer.
Categories of personal data
Personal data provided by or on behalf of the Customer: (i) for insertion into the Document Templates; (ii) when using the e-signature feature of the Service; or (iii) when using the document storage feature of the Service. This could include individuals’ names, email addresses, phone numbers, work positions, employment contract details (such as hours worked, working location), location and the signature of the individual.
Duration of processing
For the duration that we provide the Service to the Customer and throughout any period that we provide any further storage of Customer documents or data.
3. Data Protection Roles and Relationship
3.1 The Customer is the controller in respect of the Customer Personal Data and where we process Customer Personal Data on the Customer’s behalf, we are a processor in respect of that Customer Personal Data.
3.2 The Customer shall have sole responsibility for the legality, integrity and accuracy of Customer Personal Data. The Customer shall ensure that it has all necessary consents and notices in place to enable the lawful transfer of Customer Personal Data to Docue for the duration, and purposes of, the Service so that Docue may lawfully collect and process Customer Personal Data in accordance with this DPA.
3.3 We are the controller in respect of personal data provided by you, where this personal data is not covered by the definition of Customer Personal Data (e.g. User Information). See our privacy notice for instances where we are a controller.
4. Data Controller Obligations
4.1 The Customer shall, as controller of the Customer Personal Data:
4.1.1.maintain records which indicate how it processes personal data under its responsibility. These records will contain at least the minimum information required by Data Protection Laws;
4.1.2 ensure that it has provided all necessary notices to data subjects in accordance with Data Protection Laws; and
4.1.3 ensure that it has established a legal basis under Data Protection Laws for transferring the personal data to Docue and, where necessary, has obtained and recorded all necessary consents.
5. Data Processor Obligations
5.1 To the extent that we process Customer Personal Data on behalf of the Customer, we shall:
5.1.1 process that Customer Personal Data only on the Customer’s documented instructions, which shall be to process the Customer Personal Data to the extent necessary to maintain, deliver and develop our Service (and to fulfil any of our obligations under these Terms or enforce any of our rights under these Terms), unless we are otherwise required to process the Customer Personal Data by applicable laws. We will notify the Customer if its instructions infringe Data Protection Laws or other applicable laws;
5.1.2 implement appropriate technical and organisational measures to protect against unauthorised or unlawful processing of Customer Personal Data and against accidental loss or destruction of, or damage to, Customer Personal Data, having regard to the state of technological development and the cost of implementing any measures;
5.1.3 ensure that any personnel engaged and authorised by us to process Customer Personal Data are obliged to keep it confidential;
5.1.4 not transfer any Customer Personal Data to any destination which is outside of both the European Economic Area (EEA) and the United Kingdom unless the Customer or Docue has provided appropriate safeguards in relation to the transfer, so as to ensure the transfer is carried out in accordance with Data Protection Laws;
5.1.5 assist the Customer where reasonably possible (taking into account the nature of the processing and the information available to us), and at the Customer’s cost and written request, to the extent necessary to ensure compliance with its obligations under the applicable Data Protection Laws with respect to data subject requests, security, breach notifications, impact assessments and consultations with supervisory authorities or regulators;
5.1.6 notify the Customer without undue delay on becoming aware of a personal data breach involving the Customer Personal Data; and
5.1.7 maintain records to demonstrate our compliance with this Clause 5.1. The Customer may request access to the records kept under this Clause 5.1.7 by submitting a written request for such access to Docue. The Customer shall only be entitled to make one request per year and such access shall be limited to Docue’s provision of such records electronically. Docue shall respond to each such request as soon as is reasonably practicable.
6. Retention of Personal Data
6.1 The Customer acknowledges and agrees that:
6.1.1 it can delete the Customer Personal Data held by us at any time, by deleting any of the relevant documents held in the Customer’s account during its use of the Service; and
6.1.2 unless the Customer has instructed us otherwise, we will hold documents (which may contain Customer Personal Data) in the Customer’s account free of charge for two years following termination of any Free Trial or Subscription, to ensure that the Customer is able to access this information (“Storage Service”). After this two year period, we may continue to provide the Storage Service, or may delete the documents (which may contain Customer Personal Data) at any time.
6.2 Where you are no longer able to delete Customer Personal Data held by us (for example, where the Customer no longer has access to the Service), and you request in writing that we delete specific documents which contain Customer Personal Data, we will comply with your request.
7. Sub-processors
7.1 The Customer hereby provides its prior, general authorisation for us to appoint sub-processors to process the Customer Personal Data, provided that we shall:
7.1.1 ensure that the terms on which we appoint such sub-processors are consistent with the obligations imposed on us as a processor in this DPA;
7.1.2 remain responsible for the acts and omissions of any such sub-processor as if they were our own acts and omissions; and
7.1.3 inform the Customer of any intended material changes concerning the addition or replacement of the sub-processors, giving the Customer the opportunity to object to such changes. Our current list of sub-processors is available upon request.
8. International Transfers
The Customer hereby provides its prior, general authorisation for us to transfer Customer Personal Data to destinations outside of the United Kingdom and/or the EEA as required for the purposes of providing the Service, provided that Docue shall ensure that all such transfers are carried out in accordance with Data Protection Laws. For these purposes, the Customer shall promptly comply with any reasonable request of Docue, including any request to enter into standard data protection clauses adopted by the UK Information Commissioner’s Office (ICO) from time to time.