Data Processing Addendum
Last updated 2026-05-22
This Data Processing Addendum (“DPA”) supplements the undocsend Terms of Service between Easy Labs (“undocsend”) and the workspace owner (the “Operator”) and governs the processing of personal data by undocsend on the Operator’s behalf in connection with the Service.
1. Subject Matter and Duration
The subject matter of the processing is the operation of the Service for the Operator: hosting and serving dealroom documents, authenticating Visitors, computing visitor analytics, generating watermarks, and (where the Operator has enabled them) AI-powered summarization and Q&A.
The duration of the processing is the term of the Operator’s subscription to the Service, plus the retention periods described in section 9.
2. Nature and Purpose of Processing
Undocsend processes personal data to provide and secure the Service in accordance with the Terms of Service, the Privacy Policy, and the Operator’s documented instructions (configured through the Service).
3. Categories of Data Subjects and Personal Data
Categories of data subjects:
- Operator personnel (workspace members and admins).
- Visitors invited by the Operator to access a dealroom.
- Any individuals whose personal data appears in documents the Operator chooses to upload.
Categories of personal data:
- Identifiers: name, email address, IP address, user agent.
- Approximate geolocation derived from IP.
- Visitor engagement data: page views, dwell time, downloads, Q&A submissions.
- Document content uploaded by the Operator (which may contain personal data the Operator chooses to include).
- Audit-log entries describing actions taken in the Service.
4. Sub-processors
The Operator authorizes undocsend to engage the sub-processors listed at /subprocessors to process personal data on its behalf, subject to the terms of this DPA.
Undocsend will give Operators at least 30 days’ advance notice before adding a new sub-processor. If the Operator reasonably objects on data-protection grounds, the Operator may terminate the affected Service for cause.
Undocsend remains responsible for the acts and omissions of its sub-processors to the same extent it would be if it performed those services itself.
5. Operator’s Instructions
The Operator is the data controller of the personal data processed by undocsend under this DPA; undocsend is the data processor.
Undocsend will process personal data only on the Operator’s documented instructions, which are established by the Terms of Service, this DPA, the Privacy Policy, and the Operator’s configuration of the Service (including AI feature toggles, BYOK settings, retention settings, and share-link controls). If undocsend reasonably believes an instruction violates applicable law, it will inform the Operator without undue delay.
6. Technical and Organizational Measures
Undocsend implements appropriate technical and organizational measures to protect personal data, as described at /security. These measures include encryption in transit and at rest, passwordless authentication, row-level security at the database boundary, workspace isolation, audit logging, and an incident-response process with a 72-hour notification commitment for confirmed breaches.
7. Audit Rights
On reasonable written request and no more than once per calendar year (except where required by a supervisory authority), undocsend will make available to the Operator the information necessary to demonstrate compliance with this DPA, including the most recent third-party audit reports we hold for our sub-processors and (when available) our own third-party assessments.
Where an on-site audit is required by applicable law, the parties will cooperate in good faith on scope and timing, subject to reasonable confidentiality, security, and cost-sharing arrangements.
8. International Transfers
[Placeholder — replace with the counsel-approved international-transfers clause. This section is explicitly flagged for legal review beyond the standard banner: the executable DPA must identify the applicable Standard Contractual Clauses module(s), incorporate the UK IDTA or addendum where required, address Swiss transfers, and state our DPF certification status (if any). Sub-processors in scope include Cloudflare, Supabase, Vercel, Anthropic, OpenAI, PostHog, Sentry, and Resend.]
9. Term and Termination
This DPA takes effect when the Operator accepts the Terms of Service and remains in effect for the term of the Operator’s subscription to the Service.
On termination, personal data is deleted in accordance with the retention windows described in the Privacy Policy: a 30-day soft-retention window for workspaces (to allow recovery from accidental deletion), permanent purge from primary storage thereafter, and backup-rotation purges in line with our backup cycle. Audit logs are retained for two years for security and compliance.
10. Liability
[Placeholder — replace with the counsel-approved liability allocation. The executable DPA should align the liability cap with the underlying Terms of Service and address how data-protection regulatory fines are apportioned between controller and processor under applicable law.]