Pending counsel review: placeholder language, not yet finalized. These documents will be updated to counsel-drafted text before our first paid customer signs.

Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the Terms of Service ("Agreement") between the customer ("Customer") and Document Blueprint, Inc. ("Document Blueprint", "we", "us"). It applies whenever Document Blueprint Processes Personal Data on Customer's behalf in connection with the Service. To the extent of any conflict, this DPA controls over the Agreement on matters of data protection.

This DPA becomes effective when Customer accepts it through the Settings → Enterprise flow in the Service. Acceptance binds Customer's organization, represented by the named signatory.

1. Definitions

Terms not defined here have the meaning given in the Agreement.

GDPR terms map to CCPA terms as follows: Customer is the "Controller" under the GDPR / "Business" under the CCPA; Document Blueprint is the "Processor" under the GDPR / "Service Provider" under the CCPA.

2. Scope and Roles

Customer engages Document Blueprint to Process Personal Data only as necessary to provide the Service. Customer is the Controller / Business with respect to its Personal Data; Document Blueprint is the Processor / Service Provider acting on Customer's documented instructions, including those reflected in the Agreement, this DPA, and Customer's configuration of the Service (such as access controls, retention settings, and team membership).

3. Customer Obligations

Customer represents and warrants that:

  1. It has a lawful basis under applicable data protection law to Process the Personal Data it submits to the Service.
  2. It has provided notice to and obtained any necessary consents from Data Subjects whose Personal Data is included in Customer Data.
  3. It will configure access controls within the Service appropriately, including team membership, role assignments, and field-level visibility.
  4. It will not submit Personal Data subject to special legal regimes (e.g., HIPAA Protected Health Information, PCI-DSS cardholder data, classified or controlled information) unless a separate written agreement specifically permitting such Processing (such as a Business Associate Agreement under HIPAA) is in place between the parties.
  5. It will only submit Personal Data over which it has the legal authority and a lawful Processing purpose.

4. Document Blueprint Obligations

Document Blueprint will:

  1. Process Personal Data only on documented Customer instructions, including for the purposes of providing the Service, complying with the Agreement, and as required by applicable law. Document Blueprint will inform Customer if it believes a Customer instruction violates applicable data protection law.
  2. Ensure that personnel authorized to Process Personal Data are bound by appropriate confidentiality obligations.
  3. Implement and maintain the technical and organizational measures described in Annex II.
  4. Assist Customer with Data Subject requests as described in Section 6.
  5. Notify Customer of Personal Data Breaches as described in Section 7.
  6. Provide reasonable assistance to Customer with data protection impact assessments and prior consultations with regulators, taking into account the nature of the Processing and the information available to Document Blueprint.

5. Sub-processors

Customer authorizes Document Blueprint to engage the Sub-processors listed at https://documentblueprint.com/legal/subprocessors. Document Blueprint will:

  1. Impose contractual obligations on each Sub-processor that are equivalent in substance to the obligations in this DPA.
  2. Remain liable to Customer for the acts and omissions of its Sub-processors.
  3. Provide at least 30 days' written notice (which may be by email or by updating the published Sub-processor list) before adding or replacing a Sub-processor that Processes Personal Data. Customer may object to a new Sub-processor on reasonable data-protection grounds within that period; if the parties cannot resolve the objection in good faith, either party may terminate the affected portion of the Agreement.

6. Data Subject Rights

Document Blueprint will assist Customer in fulfilling Customer's obligation to respond to requests from Data Subjects under applicable law. The Service provides administrative tools that Customer may use to access, correct, export, or delete Personal Data within Customer's account. Where additional assistance is required, Customer may contact privacy@documentblueprint.com, and Document Blueprint will respond within a reasonable time given the nature of the request and the information available to Document Blueprint.

7. Personal Data Breach Notification

Document Blueprint will notify Customer of a Personal Data Breach without undue delay and, where feasible, within 72 hours of becoming aware of it. The notification will include, to the extent known at the time:

  1. The nature of the breach, including the categories and approximate number of Data Subjects and records involved.
  2. The likely consequences of the breach.
  3. Measures taken or proposed by Document Blueprint to address the breach and mitigate its possible adverse effects.

Document Blueprint will provide additional information as it becomes available. Document Blueprint's notification of a Personal Data Breach is not an admission of fault or liability.

8. Data Return and Deletion

On termination of the Agreement, Customer may export Customer Data through the Service's administrative tools or by request to support@documentblueprint.com. Following Customer's election, and in any event within 30 days of termination, Document Blueprint will delete or anonymize Customer Data, except to the extent retention is required by applicable law or for legitimate business purposes (such as resolving disputes, enforcing the Agreement, or maintaining backups subject to Document Blueprint's standard backup-retention schedule). Backups containing Personal Data are deleted on the standard retention schedule.

9. Audit Rights

Customer may, on at least 30 days' prior written notice and no more than once per calendar year (except in cases of suspected non-compliance or following a Personal Data Breach), request Document Blueprint's then-current security documentation, which Document Blueprint will provide subject to confidentiality obligations. Customer may also conduct or commission an audit by a mutually agreed third-party auditor, subject to reasonable scope, timing, confidentiality, and cost-sharing terms. Customer is responsible for any costs Document Blueprint reasonably incurs in supporting an audit beyond the standard documentation request.

10. International Data Transfers

Where Document Blueprint Processes Personal Data of Data Subjects in the European Economic Area, the United Kingdom, or Switzerland, and that Processing involves a transfer of Personal Data outside those jurisdictions, the transfer is subject to:

  1. Standard Contractual Clauses (SCCs). The parties enter into the Module Two (Controller to Processor) SCCs by reference, which form an integral part of this DPA. Customer is the data exporter; Document Blueprint is the data importer. Annex I and Annex II of the SCCs are populated by Annex I and Annex II of this DPA, respectively. The optional docking clause in Clause 7 is enabled. The SCCs are governed by the law of the Republic of Ireland; disputes are resolved in the Irish courts.
  2. UK International Data Transfer Addendum. Where the transfer involves UK Data Subjects, the parties enter into the UK International Data Transfer Addendum to the EU SCCs.
  3. Swiss data transfers. Where the transfer involves Swiss Data Subjects, the SCCs apply with the modifications recognized by the Swiss Federal Data Protection and Information Commissioner.

11. CCPA Service Provider Obligations

Where Document Blueprint Processes Personal Information of California consumers on Customer's behalf:

  1. Document Blueprint will not Sell or Share the Personal Information.
  2. Document Blueprint will not retain, use, or disclose the Personal Information for any purpose other than the business purposes specified in the Agreement and this DPA, including any commercial purpose.
  3. Document Blueprint will not retain, use, or disclose the Personal Information outside of the direct business relationship between Document Blueprint and Customer.
  4. Document Blueprint will not combine the Personal Information that it receives from Customer with Personal Information that it receives from another source, except as permitted under California Civil Code §1798.140(ag)(1).
  5. Document Blueprint certifies that it understands these restrictions and will comply with them.

12. Liability

Liability under this DPA is subject to the limitations of liability set forth in the Agreement. Nothing in this DPA creates additional liability beyond what is provided in the Agreement.

13. Term and Termination

This DPA is effective on Customer's acceptance through the Service and remains in effect for the term of the Agreement. Termination of the Agreement automatically terminates this DPA. Sections that by their nature survive termination (including Sections 7, 8, 9, 10, 11, and 12) will survive.

14. General

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions remain in full force and effect. This DPA is governed by the laws specified in the Agreement, except to the extent applicable data protection law requires otherwise. Document Blueprint may modify this DPA by publishing an updated version at https://documentblueprint.com/legal/dpa. Material changes will be communicated to Customer at least 30 days before the effective date. Customer's continued use of the Service after the effective date of a modified DPA constitutes acceptance of the modified DPA, except to the extent the modification requires renewed signatory acceptance via the Settings → Enterprise flow.


Annex I — Description of Processing

Subject matter of the Processing: Provision of the Service described in the Agreement.

Duration of the Processing: The term of the Agreement, plus any post-termination retention period required under Section 8.

Nature and purpose of the Processing: Storage, retrieval, transformation, and AI-assisted extraction of Customer Data to support Customer's document workflows, automation, and reporting. This includes generating filled documents from Customer-provided templates, extracting structured values from Customer-provided files, and routing files into cases based on Customer-defined automations.

Categories of Data Subjects whose Personal Data is processed: Customer's end users, employees, clients, contacts, contractors, and any other individuals whose Personal Data is included in Customer Data.

Categories of Personal Data Processed:

Special Categories of Personal Data: Customer agrees not to submit special-category Personal Data (such as health data, biometric data, or data revealing racial or ethnic origin) unless a separate written agreement specifically permits such Processing.


Annex II — Technical and Organizational Measures

Document Blueprint implements and maintains the following technical and organizational security measures:

Encryption. Personal Data is encrypted in transit using TLS 1.2 or higher and encrypted at rest in our cloud datastore. Sensitive fields identified by Customer or by Document Blueprint as elevated-risk are additionally encrypted using Google Cloud KMS, with envelope-encryption keys distinct from the underlying datastore keys.

Access controls. Production systems are accessible only to authorized personnel, in accordance with the principle of least privilege. Multi-factor authentication is required for administrative access. Customer-facing access controls (workspace ownership, team roles, collaborator invitations, and field-level visibility) are configurable by Customer through the Service.

Logging and monitoring. Production systems are monitored continuously for security and availability events. Access to production data is logged. Logs are retained for an operationally appropriate period.

Personnel. Personnel with access to Personal Data are bound by confidentiality obligations as a condition of employment or engagement. Document Blueprint conducts background checks on personnel consistent with applicable law.

Incident response. Document Blueprint maintains a documented incident-response process including detection, containment, notification, and remediation steps. Personal Data Breaches are escalated to leadership and notified to affected Customers per Section 7.

Data minimization. Document Blueprint collects only the Personal Data necessary to provide the Service.

Backups. Encrypted backups of production data are retained on a defined schedule and are subject to the same access and encryption controls as production data.

Vendor management. Sub-processors are assessed for security and privacy posture before engagement and reviewed periodically. Sub-processors that Process Personal Data are required to provide equivalent protection in their own contractual obligations.

Physical security. Production data is hosted in cloud infrastructure provided by Document Blueprint's Sub-processors, which maintain industry-standard physical security at their data centers.


Annex III — Sub-processors

The current list of Sub-processors is maintained at https://documentblueprint.com/legal/subprocessors. Customer is notified of changes per Section 5.
