1. Parties And Order Of Precedence
This Data Processing Addendum (“DPA”) forms part of the agreement between the customer using exdata (“Customer”) and the exdata contracting entity identified in the applicable order form, checkout record, or account onboarding record (“exdata”).
If this DPA conflicts with the main agreement, this DPA controls for the processing of Customer Personal Data. If an order form contains stricter data protection commitments, the stricter commitment applies for that order.
2. Roles
For Customer Personal Data contained in uploaded documents, extracted text, normalized fields, previews, webhook payloads, and customer-configured processing metadata, Customer is the controller and exdata is the processor.
For account administration, billing, fraud prevention, service security, support records, legal compliance, and product operations, exdata may act as an independent controller as described in the Privacy Policy.
3. Processing Details
| Subject matter | Provision of document extraction, API, workspace, webhook, support, billing, security, retention, and operational services. |
|---|---|
| Duration | For the term of Customer’s account or agreement, plus any retention period needed for deletion, backup rotation, legal compliance, billing, audit, or dispute handling. |
| Nature and purpose | Receiving documents, extracting and normalizing fields, generating previews, delivering API responses and webhooks, storing processing state, supporting users, and securing the service. |
| Personal data | Document content, extracted text, personal names, business contact data, addresses, tax identifiers, payment references, bank account details, account metadata, webhook metadata, and support context submitted by Customer. |
| Data subjects | Customer users, employees, suppliers, customers, business contacts, invoice parties, document authors, payment recipients, and other people whose data appears in customer-uploaded documents. |
4. Customer Instructions
Customer instructs exdata to process Customer Personal Data to provide the service, comply with the agreement, follow account settings, perform support and security work, satisfy documented customer requests, and make transfers needed to provide the service. exdata will not process Customer Personal Data for unrelated purposes unless required by law.
If exdata believes an instruction infringes applicable data protection law, exdata will inform Customer unless prohibited by law.
5. Confidentiality And Personnel
exdata restricts access to Customer Personal Data to personnel and service providers who need access for the service, support, security, billing, or legal purposes. Personnel with access are bound by confidentiality obligations or equivalent professional duties.
6. Security Measures
exdata implements technical and organizational measures designed to protect Customer Personal Data against unauthorized access, accidental loss, alteration, disclosure, or destruction. The current measures are listed in the Technical and Organizational Measures.
Customer is responsible for configuring account roles, API tokens, webhook endpoints, retention settings, and downstream systems in a secure manner.
7. Subprocessors
Customer gives exdata general authorization to use subprocessors for the service. Current subprocessors are listed on the Subprocessor List. exdata will require subprocessors to protect Customer Personal Data with data protection obligations that are materially consistent with this DPA.
exdata remains responsible to Customer for subprocessor obligations where required by applicable data protection law. When exdata adds or replaces a subprocessor for production processing, exdata will update the Subprocessor List or provide another reasonable notice channel. Customer may object on reasonable data protection grounds. If the parties cannot resolve the objection, Customer may stop using the affected service feature or terminate the affected order where required by applicable law.
8. Assistance
Taking into account the nature of processing and the information available to exdata, exdata will reasonably assist Customer with data subject requests, security obligations, personal data breach notifications, data protection impact assessments, and regulator consultations where required by applicable data protection law.
9. Personal Data Breach
exdata will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. The notice will include information reasonably available to exdata, such as affected systems, likely categories of data, known impact, mitigation steps, and recommended customer actions.
10. International Transfers
Where Customer Personal Data is transferred to a country that requires a transfer mechanism, exdata will use appropriate safeguards such as adequacy decisions, the EU Standard Contractual Clauses or equivalent transfer terms, subprocessor transfer commitments, and supplementary measures where applicable.
11. Return And Deletion
During the account term, Customer may export API responses and delete documents through available service controls. After termination or upon written request, exdata will delete or return Customer Personal Data unless retention is required for legal, billing, audit, security, backup, or dispute purposes.
12. Audit Information
exdata will make available information reasonably necessary to demonstrate compliance with this DPA, which may include the Technical and Organizational Measures, the Subprocessor List, security documentation, policy summaries, incident summaries, and other relevant compliance information. Audits must be reasonable, scheduled in advance, limited to relevant systems and records, protect other customers and confidential information, and avoid disrupting the service.