GDPR Compliance at DocuProx
Last Updated: January 16, 2026
At DocuProx, we understand that our customers entrust us with their most sensitive document data. Ensuring the privacy, security, and integrity of that data is our highest priority. DocuProx is fully committed to compliance with the General Data Protection Regulation (GDPR) and to helping our users navigate their own compliance requirements.
1. Our Role: Data Processor vs. Data Controller
Under the GDPR, roles are clearly defined to ensure accountability:
DocuProx as a Data Processor:
For the majority of our services—such as extracting data from your uploaded PDFs, invoices, or ID documents—DocuProx acts as a Data Processor. You (the Customer) are the Data Controller, and you retain full ownership and control over the data you upload.
DocuProx as a Data Controller:
We act as a Data Controller for a limited amount of information, such as account registration details (email, billing info) and usage analytics used to improve our service.
2. How We Comply with GDPR Principles
Our platform is built with "Privacy by Design" at its core. We adhere to the following GDPR principles:
- Lawfulness, Fairness, and Transparency: We only process data based on your instructions (as defined in our Terms and DPA) or to fulfill our contractual obligations.
- Purpose Limitation: Documents uploaded to DocuProx are processed solely for the purpose of data extraction and structured output as requested by the user.
- Data Minimization: We encourage users to only extract the fields necessary for their business process. Our visual annotation tools allow you to target specific data points without needing to store or process unnecessary information.
- Accuracy: Our AI-powered extraction aims for 99.8% accuracy to ensure the data you receive is reliable and high-quality.
- Storage Limitation: We provide tools for users to manage their data lifecycle, including the ability to delete processed documents and extracted data from our servers.
3. Data Processing Agreement (DPA)
We offer a comprehensive Data Processing Agreement (DPA) that outlines our commitment to protecting personal data. Our DPA includes the Standard Contractual Clauses (SCCs) to ensure a valid transfer mechanism for data moving outside the EU/EEA, where applicable.
4. International Data Transfers
DocuProx utilizes enterprise-grade cloud infrastructure. While our primary servers are located in the United States and the EU, we ensure that any cross-border transfers of personal data are protected by industry-standard safeguards, including SCCs and rigorous vendor security assessments.
5. Security Measures
Security is not an afterthought; it is integrated into every layer of the DocuProx infrastructure:
- Encryption in Transit: All data sent to and from DocuProx is encrypted using TLS 1.2 or higher.
- Encryption at Rest: All documents and extracted data are encrypted using AES-256 encryption.
- Access Control: We implement strict "least privilege" access policies. Only authorized personnel have access to production environments, and all access is logged and monitored.
- Vulnerability Management: We conduct regular security audits and vulnerability scans to identify and mitigate risks.
6. Sub-processors
To deliver our service, we work with a select group of third-party sub-processors (e.g., cloud hosting providers like AWS/Azure, payment processors like Stripe). We perform due diligence on all sub-processors to ensure they meet the high security and privacy standards required by the GDPR.
A full list of our current sub-processors is available upon request.
7. Individual Rights (Data Subjects)
If you are an individual whose data is processed by a DocuProx customer, please contact that customer (the Data Controller) to exercise your rights.
As a DocuProx customer, you can fulfill Data Subject Requests (DSRs) directly through our platform, including:
Right to Access
When you send a PUT request, you can export your extracted data via our RESTful API.
Right to Erasure
When you send a PUT request, we will permanently delete your stored documents and templates from our system.
Right to Portability
When you send a PUT request, you can download your stored data in standard JSON format at any time.
8. Data Breach Notification
In the unlikely event of a personal data breach, DocuProx has an incident response plan in place. We will notify affected Customers without undue delay (and within the timeframes required by GDPR) after becoming aware of a breach, providing full cooperation to help you meet your notification obligations.
9. Contact Our Data Protection Office
If you have questions about our GDPR compliance or how we handle your data, please reach out to our DPO:
Email: privacy@docuprox.com
Address: Xccelerance Technologies Private Limited, 305, Princess Business Skyline, Scheme 54, A.B. Road, Indore, MP, India
Attn: Data Protection Officer