Data Processing Agreement (DPA)
Version 1.0
This Data Processing Agreement (“DPA”) is incorporated into and forms part of the Terms of Service between THEKROLL LTD (docs101.com) (“Processor”) and the entity or person agreeing to these Terms (“Controller”). It specifies the data protection obligations of the parties arising from the processing of personal data on behalf of the Controller pursuant to Art. 28(3) of Regulation (EU) 2016/679 (General Data Protection Regulation — “GDPR”).
§ 1 Subject Matter and Duration of Processing
- The subject matter of the processing, as well as the nature, purpose, type of personal data, and categories of data subjects are specified in Annex 1 to this Agreement.
- The duration of this Agreement corresponds to the duration of the Main Agreement (Terms of Service), unless additional obligations arise from this DPA.
§ 2 Instructions
- The Processor shall process personal data only on documented instructions from the Controller, unless required to do so by Union or Member State law (Art. 28(3)(a) GDPR).
- The initial instructions are defined by this Agreement and the Main Agreement. Subsequent instructions may be issued in writing or in text form and shall be documented.
- The Controller is solely responsible for assessing the lawfulness of the data transfer to the Processor and of the data processing.
- If the Processor believes that an instruction infringes the GDPR or other data protection provisions, the Processor shall inform the Controller without undue delay.
§ 3 Technical and Organizational Measures
- The Processor shall implement technical and organizational measures to ensure an appropriate level of security (Art. 32 GDPR).
- The measures must ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services. See Annex 2.
- The Processor shall regularly review and adapt the technical and organizational measures.
§ 4 Rectification, Restriction, and Erasure of Data
- The Processor shall rectify, erase, or restrict the processing of personal data only upon documented instruction from the Controller.
- If a data subject contacts the Processor directly, the Processor shall forward the request to the Controller without undue delay.
§ 5 Obligations of the Processor
- The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality.
- The Processor shall support the Controller with appropriate measures in fulfilling data subject requests under Chapter III of the GDPR.
- The Processor shall assist the Controller in ensuring compliance with Art. 32–36 GDPR, including DPIAs and prior consultations.
- The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach (Art. 33(2) GDPR).
- Upon termination, the Processor shall return or delete all personal data, unless law requires storage.
§ 6 Sub-Processing
- The approved sub-processors are listed in Annex 3.
- The Controller grants general written authorization. The Processor shall inform the Controller of any changes concerning sub-processors, giving at least 30 calendar days to object.
- Where the Processor engages a sub-processor, the same data protection obligations shall be imposed by contract (Art. 28(4) GDPR).
- The Processor shall remain fully liable for the sub-processor’s obligations.
§ 7 Control Rights and Audit
- The Processor shall demonstrate compliance by appropriate means, including evidence of the technical and organizational measures (TOMs) implemented pursuant to Art. 32 GDPR.
- Compliance may be demonstrated through certifications (e.g. ISO 27001), independent audit reports, or self-audits.
- The Controller may conduct inspections at the Controller’s expense with reasonable advance notice.
§ 8 Notification Obligations
The Processor shall notify the Controller without undue delay if:
- the Processor becomes aware of any suspected breach of personal data protection;
- a supervisory authority takes action concerning the processing;
- a data subject exercises rights directly against the Processor;
- the Processor believes that an instruction infringes applicable data protection law.
§ 9 Remuneration
Support services beyond the scope of the Main Agreement (e.g. DPIA assistance, audits, data subject requests) shall be billed at customary and reasonable hourly rates.
§ 10 Liability
- The Controller and the Processor shall be liable in accordance with Art. 82 GDPR.
- Any liability provisions in the Main Agreement (Terms of Service) shall also apply to this DPA.
§ 11 Processing Outside the EU/EEA
- The Processor shall process personal data exclusively within the EU/EEA.
- A transfer to a third country shall only take place with the prior written consent of the Controller and subject to appropriate safeguards (standard contractual clauses (SCCs) or an adequacy decision).
Annex 1 — Details of Processing
| Field | Description |
|---|---|
| Subject matter | Provision of the docs101.com SaaS platform for invoice generation, customer relationship management, and document management. |
| Duration | Duration of the Main Agreement (Terms of Service) between Controller and Processor. |
| Nature and purpose | Storage and processing of Controller’s business data for: creation and delivery of invoices, management of customer records, generation of PDF documents, email delivery of invoices, payment processing, time tracking import. |
| Categories of data subjects | Controller’s end-customers, business contacts, employees/team members. |
| Types of personal data | Contact data (name, email, phone, address), invoice data (amounts, items, dates), bank details (IBAN, BIC), VAT identification numbers, company registration data. |
Annex 2 — Technical and Organizational Measures
The following measures are implemented in accordance with Art. 32 GDPR:
| TOM Category | Measures |
|---|---|
| Access control (physical) | Hetzner Online GmbH ISO 27001 certified data centers in Germany. No on-premise servers. |
| Access control (logical) | SSO via Keycloak, role-based access, JWT token authentication, password policies, optional 2FA. |
| Access control (data) | Company-scoped data isolation (company_id), API authorization checks, principle of least privilege. |
| Transfer control | TLS encryption for all data in transit, logically separated S3 storage paths, presigned URLs with expiration for document access. |
| Input control | Audit logging, user identification via JWT, traceable API request logging. |
| Availability control | Hetzner redundant infrastructure, automated database backups. |
| Separation control | Logical multi-tenant separation via company_id, separate S3 storage paths, environment separation. |
| Incident response | Breach notification process (within 72 hours, per Art. 33 GDPR), application monitoring, structured logging. |
Annex 3 — List of Sub-Processors
| Sub-Processor | Purpose | Location |
|---|---|---|
| Hetzner Online GmbH | Hosting, infrastructure, S3-compatible object storage | Germany / EU |
| Stripe, Inc. | Payment processing | USA (EU SCCs + DPA) |
| Amazon Web Services (AWS SES) | Transactional email delivery | EU (Frankfurt) |