Legal
Last updated: 2026-04-08. Questions: hello@docsiv.com. These documents are provided as drafts for integration; have qualified counsel review before reliance.
This Data Processing Agreement (“DPA”) forms part of the agreement between [Legal entity name] (“Docsiv,” “Processor,” “we,” “us,” or “our”) and the customer entity that orders or uses the Docsiv Service (“Customer,” “Controller”).
This DPA applies when Docsiv processes personal data on behalf of Customer in the course of providing the Service under our Terms of Service. It reflects the parties’ intent to comply with applicable data protection laws, including the EU General Data Protection Regulation (“GDPR”), the UK GDPR, and laws that incorporate similar concepts.
If you need an executed copy for procurement, contact hello@docsiv.com.
“Applicable laws” means data protection laws binding on Controller or Processor with respect to the processing.
“Data subject,” “personal data,” “processing,” and “supervisory authority” have the meanings in GDPR where applicable.
“Services” means the Docsiv platform and related services described in the Terms.
“Subprocessor” means a Processor engaged by Docsiv to process personal data subject to this DPA.
Capitalized terms not defined here have the meanings in the Terms unless otherwise stated.
Customer (Controller) determines the purposes and means of processing personal data relating to its workspace users and, where applicable, individuals with whom Customer shares documents through the Service.
Docsiv (Processor) processes personal data only on documented instructions from Customer unless Applicable laws require otherwise (in which case Docsiv will inform Customer unless prohibited).
Processing under this DPA is limited to what is necessary to provide the Services and as further instructed through Customer’s use (including account configuration, invitations, and document sharing Customer enables).
| Topic | Description |
|---|---|
| Subject matter | Provision of the Docsiv Service to Customer. |
| Duration | For the term of the agreement plus the period needed to delete or return data in accordance with this DPA and the Terms. |
| Nature and purpose | Hosting, authentication, storage, collaboration, messaging/notification activities Customer enables, security monitoring, support, and AI-assisted features initiated by users, as configured by Customer. |
| Categories of data subjects | Customer’s employees and contractors; workspace guests; end users Customer invites to view or collaborate on content (for example client stakeholders), as determined by Customer’s use. |
| Categories of personal data | Identifiers (name, email); account and profile data; usage metadata; content Customer and users submit to the Service (which may include optional contact details inside documents), as determined by Customer’s configuration and uploads. Special categories of data should not be submitted unless Customer has a lawful basis and appropriate safeguards; Customer is responsible for compliance with restrictions. |
Processor may update the table for clarity without changing the substance of processing, with notice as described under Changes.
Customer instructs Processor to process personal data to provide the Services and to perform steps Customer initiates in the product (including sharing, exports, and integrations Customer enables).
Additional instructions must be documented and agreed in writing (including email from Customer’s administrator) if they materially extend beyond the Service’s intended functionality.
Processor will:
Customer will:
Customer authorizes Docsiv to engage Subprocessors listed at Subprocessors. Docsiv will impose data protection terms on Subprocessors that meet GDPR Article 28 requirements (or equivalent).
Docsiv may replace or add Subprocessors by updating the Subprocessors page and notifying Customer (for example by email to administrators or in-product notice). Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection within a reasonable period, Customer may terminate the affected Services as its exclusive remedy.
Processor may transfer personal data globally where needed to operate the Service. Where GDPR or UK GDPR applies and transfers are to countries without an adequacy decision, Processor will use appropriate safeguards such as Standard Contractual Clauses (SCCs) or successor mechanisms, consistent with regulatory guidance. Customer authorizes such transfers as part of using the Service. Upon request, Processor will provide information about the mechanism used.
Processor maintains a program appropriate to the risk, including access controls, encryption in transit, vulnerability management, and vendor reviews. Further detail is outlined in Schedule A.
Customer may audit Processor’s compliance with this DPA once per year (or following a material security incident affecting Customer data), on 30 days’ notice, during business hours, not unreasonably disrupting operations. Customer may use a mutually agreed independent auditor under confidentiality. Alternatively, Customer may accept a Processor-provided audit report (for example SOC 2 Type II) if and when available, in place of an on-site audit.
Liability caps and exclusions are governed by the Terms, except that nothing in this DPA limits either party’s liability that cannot be limited under Applicable laws.
This DPA continues until Processing ends. Sections that should survive (including assistance, deletion, and liability where applicable) survive termination.
Docsiv may update this DPA to reflect legal or product changes. Material changes will be notified as described in the Terms or by email. Continued use after the effective date may constitute acceptance where permitted.
Processor: [Legal entity name], [Registered business address]
Privacy: hello@docsiv.com
Processor implements measures appropriate to the nature of the Service, which may include:
Customer responsibilities include maintaining strong credentials, promptly offboarding users, configuring sharing appropriately, and classifying data they choose to upload.
The authoritative list is maintained at Subprocessors and may be updated as described in Subprocessors.
Effective: 2026-04-08 · Last updated: 2026-04-08