Data Processing Addendum

Effective Date: July 07, 2026·CypherLayer Technologies Private Limited (Re-Doc)

This Data Processing Addendum ("DPA") forms part of the agreement between CypherLayer Technologies Private Limited, operator of Re-Doc ("Re-Doc," "we," "us," or "Processor"), and the customer using Re-Doc's Services ("Customer," "you," or "Controller") where Re-Doc processes Customer Personal Data on behalf of Customer.

This DPA applies to the extent Re-Doc processes Customer Personal Data in connection with the Re-Doc Services, including personal data contained in uploaded documents, generated outputs, document metadata, processing records, account information, support communications, or related information.

This DPA is intended to describe the parties' respective data protection obligations where Re-Doc acts as a processor, data processor, service provider, or equivalent role under applicable Data Protection Laws.

If Customer and Re-Doc enter into a separate written data processing agreement, enterprise agreement, order form, statement of work, or amendment that expressly modifies this DPA, that written agreement will control to the extent of the conflict.

This DPA should be read together with Re-Doc's Terms of Service, Privacy Policy, Subprocessor List, Upload Authorization, and any applicable order form, invoice, subscription plan, or enterprise agreement.

When This DPA Applies

This DPA applies only to the extent Re-Doc processes Customer Personal Data on behalf of Customer as a Processor, Data Processor, Service Provider, or equivalent role under applicable Data Protection Laws.

This DPA does not apply to personal data that Re-Doc processes as an independent Controller, Data Fiduciary, Business, or equivalent role, such as personal data processed for Re-Doc's own account administration, billing, payment processing, website analytics, fraud prevention, legal compliance, customer communications, or general business operations. Such processing is governed by Re-Doc's Privacy Policy and Terms of Service.

Where the same information is processed for both customer-instructed document processing and Re-Doc's independent business purposes, the applicable role will be determined based on the specific processing activity.

Re-Doc's privacy and data-handling practices are designed to support compliance with applicable data protection obligations, including the Digital Personal Data Protection Act, 2023 and the Digital Personal Data Protection Rules, 2025, where applicable. Nothing in this DPA should be understood as a certification under any privacy, security, healthcare, or regulatory framework.

1. Definitions

"Agreement"

means the Terms of Service, order form, invoice, subscription plan, enterprise agreement, or other agreement between Customer and Re-Doc governing Customer's use of the Services.

"Customer"

means the individual, company, organization, or legal entity that uses the Services or on whose behalf the Services are used.

"Customer Personal Data"

means any personal data, personal information, or equivalent regulated information that Re-Doc processes on behalf of Customer in connection with the Services.

Customer Personal Data may include information contained in uploaded documents, generated outputs, extracted text, document metadata, account information, support information, and related processing records.

"Data Protection Laws"

means all applicable laws and regulations relating to the processing, privacy, protection, security, breach notification, or cross-border transfer of personal data, personal information, or equivalent regulated information.

This may include, where applicable:

  • ·the General Data Protection Regulation;
  • ·the UK GDPR;
  • ·the Swiss Federal Act on Data Protection;
  • ·the Digital Personal Data Protection Act, 2023;
  • ·applicable rules, regulations, or guidance issued under those laws; and
  • ·other data protection, privacy, or security laws that apply to the parties or the processing.

"Controller"

means the party that determines the purposes and means of processing Customer Personal Data, including equivalent roles such as Data Fiduciary, Business, or similar terms under applicable Data Protection Laws.

"Processor"

means the party that processes Customer Personal Data on behalf of the Controller, including equivalent roles such as Data Processor, Service Provider, or similar terms under applicable Data Protection Laws.

"Data Subject"

means an identified or identifiable individual whose personal data is processed, including equivalent terms such as Data Principal, Consumer, or individual under applicable Data Protection Laws.

"Processing"

means any operation performed on Customer Personal Data, including collection, recording, storage, hosting, organization, structuring, extraction, analysis, conversion, transmission, disclosure, redaction, anonymization, pseudonymization, replacement, generation, retrieval, use, deletion, or destruction.

"Services"

means Re-Doc's website, web application, APIs, document-processing tools, redaction tools, anonymization tools, pseudonymization tools, document conversion tools, AI-assisted processing workflows, and related services.

"Uploaded Content"

means documents, files, text, images, data, instructions, configurations, or other content submitted by Customer to Re-Doc for processing.

"Generated Output"

means any redacted document, anonymized document, pseudonymized document, converted file, extracted text, replacement text, processing report, or other output generated through the Services.

"Subprocessor"

means any third-party service provider engaged by Re-Doc to process Customer Personal Data on behalf of Re-Doc in connection with the Services.

"Security Incident"

means a confirmed breach of security leading to accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or unauthorized access to Customer Personal Data processed by Re-Doc.

A Security Incident does not include unsuccessful attempts or activities that do not compromise the security of Customer Personal Data, such as unsuccessful login attempts, pings, port scans, denial-of-service attempts, or other network events that do not result in unauthorized access to Customer Personal Data.

2. Roles of the Parties

Customer Role

Customer determines the purpose for which documents are uploaded to Re-Doc and the processing workflow selected for those documents.

Customer is generally the Controller, Data Fiduciary, Business, or equivalent decision-maker for Customer Personal Data processed through the Services.

Customer is responsible for determining whether it has the necessary rights, permissions, consents, notices, approvals, lawful basis, and authority to upload documents to Re-Doc and have them processed through the Services.

Re-Doc Role

Re-Doc processes Customer Personal Data on behalf of Customer and in accordance with Customer's documented instructions, this DPA, the Agreement, and applicable Data Protection Laws.

Re-Doc generally acts as a Processor, Data Processor, Service Provider, or equivalent role when processing Customer Personal Data on behalf of Customer.

Re-Doc does not determine the purpose for which Customer uploads documents or the legal basis on which Customer processes personal data contained in those documents.

No Compliance Guarantee

Re-Doc provides document-processing technology.

Re-Doc does not guarantee that Customer's use of the Services will make Customer compliant with any specific law, regulation, court order, contractual obligation, professional duty, industry standard, privacy framework, healthcare requirement, financial requirement, or regulatory requirement.

Customer remains responsible for determining whether the Services are appropriate for Customer's intended use and legal obligations.

3. Scope of Processing

Re-Doc will process Customer Personal Data only for the purposes described in this DPA, the Agreement, the Privacy Policy, the Subprocessor List, the Upload Authorization, and Customer's documented instructions.

The subject matter, duration, nature, purpose, categories of personal data, and categories of data subjects are described in Annex 1: Processing Details.

Processing may include the following activities, depending on the workflow selected by Customer:

  • ·document upload and temporary storage;
  • ·OCR and document extraction;
  • ·document layout analysis;
  • ·text extraction;
  • ·format conversion, including PDF to DOCX and DOCX to PDF where required;
  • ·AI-assisted sensitive information detection;
  • ·AI-assisted contextual analysis;
  • ·redaction;
  • ·anonymization;
  • ·pseudonymization;
  • ·synthetic or replacement text generation;
  • ·output generation;
  • ·processing reports;
  • ·document download;
  • ·retention and deletion;
  • ·support and troubleshooting;
  • ·security monitoring;
  • ·operational logging; and
  • ·related document-processing activities.

Not every document passes through every processing activity or subprocessor. The processing performed may depend on:

  • ·document type;
  • ·whether the document is scanned, image-based, or text-searchable;
  • ·selected workflow;
  • ·requested output format;
  • ·document quality;
  • ·customer configuration;
  • ·subscription plan;
  • ·enterprise-specific settings;
  • ·technical requirements; and
  • ·applicable legal or contractual requirements.

4. Customer Instructions

Customer instructs Re-Doc to process Customer Personal Data as necessary to provide the Services and perform the processing activities described in the Agreement, this DPA, the Privacy Policy, the Subprocessor List, the Upload Authorization, and any applicable order form or enterprise agreement.

Customer's documented instructions include:

  • ·processing uploaded documents according to the workflow selected by Customer;
  • ·using subprocessors where necessary to provide the Services;
  • ·temporarily storing uploaded documents and generated outputs;
  • ·performing OCR, extraction, conversion, AI-assisted processing, redaction, anonymization, pseudonymization, replacement, and output generation where required;
  • ·making generated outputs available for download;
  • ·retaining and deleting Customer Personal Data according to the applicable retention period;
  • ·processing account, support, billing, metadata, log, and technical information as necessary to operate the Services; and
  • ·taking actions reasonably necessary to secure, maintain, troubleshoot, and improve the Services.

Re-Doc will not process Customer Personal Data for purposes unrelated to providing the Services unless required by applicable law, authorized by Customer, or otherwise permitted under the Agreement or this DPA.

If Re-Doc believes that an instruction from Customer violates applicable Data Protection Laws, Re-Doc may notify Customer where legally permitted.

Re-Doc may suspend processing where reasonably necessary to prevent unlawful processing, security risk, harm to the Services, harm to third parties, or violation of the Agreement.

5. Customer Responsibilities

Customer is responsible for its own compliance with applicable Data Protection Laws and for the lawfulness of its use of the Services.

Customer represents and warrants that:

  • ·it has the necessary rights, permissions, consents, notices, approvals, legal bases, and authority to upload Customer Personal Data to Re-Doc;
  • ·it has provided all notices required by applicable Data Protection Laws;
  • ·it has obtained all consents or authorizations required by applicable Data Protection Laws;
  • ·it is authorized to instruct Re-Doc to process Customer Personal Data;
  • ·its instructions to Re-Doc comply with applicable Data Protection Laws;
  • ·the processing of Customer Personal Data through the Services does not violate third-party rights;
  • ·it will not upload documents or data that it is not authorized to process;
  • ·it will not use the Services for unlawful, harmful, discriminatory, fraudulent, abusive, or unauthorized purposes;
  • ·it will review Generated Outputs before sharing, publishing, submitting, relying on, or using them in any legal, medical, financial, regulatory, compliance, business, or professional workflow; and
  • ·it will protect downloaded files and Generated Outputs after they leave Re-Doc's systems.

Customer is responsible for determining whether the Services, processing workflow, output format, retention period, subprocessor configuration, and AI processing configuration are suitable for Customer's intended use.

Customer acknowledges that uploaded documents may contain personal data relating to individuals other than Customer's users, employees, or representatives. Customer remains responsible for handling requests, notices, consents, objections, and obligations relating to those individuals unless applicable law or a written agreement provides otherwise.

Customer will not provide Re-Doc with special instructions, regulated data, or processing requirements that require additional legal, technical, security, contractual, or compliance measures unless those measures have been expressly agreed in writing by Re-Doc.

6. Re-Doc Processing Obligations

Re-Doc will process Customer Personal Data only in accordance with:

  • ·Customer's documented instructions;
  • ·this DPA;
  • ·the Agreement;
  • ·the Privacy Policy;
  • ·the Subprocessor List;
  • ·the Upload Authorization;
  • ·any applicable order form, enterprise agreement, or written amendment; and
  • ·applicable Data Protection Laws that apply directly to Re-Doc.

Re-Doc will not sell Customer Personal Data.

Re-Doc will not use uploaded documents or Generated Outputs to train Re-Doc's own artificial intelligence or machine learning models.

Re-Doc will not process Customer Personal Data for purposes unrelated to providing, securing, supporting, maintaining, or improving the Services, except where required by applicable law or expressly authorized by Customer.

Where applicable law requires Re-Doc to process Customer Personal Data other than in accordance with Customer's instructions, Re-Doc will notify Customer of that legal requirement before processing, unless such notice is prohibited by law.

Re-Doc will take reasonable steps to ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.

Re-Doc will provide reasonable assistance to Customer, taking into account the nature of the processing and the information available to Re-Doc, to help Customer meet applicable obligations relating to data subject requests, security, deletion, breach notifications, and assessments, where required by applicable Data Protection Laws.

Re-Doc may charge reasonable fees for assistance that is outside the standard functionality of the Services, unless such assistance is required due to Re-Doc's breach of this DPA or the Agreement.

7. Confidentiality

Re-Doc will treat Customer Personal Data as confidential.

Re-Doc will restrict access to Customer Personal Data to personnel, contractors, and subprocessors who require access for the purpose of providing, securing, supporting, maintaining, or improving the Services, or as otherwise permitted by this DPA or the Agreement.

Re-Doc will ensure that persons authorized to process Customer Personal Data are subject to confidentiality obligations or are under an appropriate statutory obligation of confidentiality.

Re-Doc does not routinely review uploaded documents manually.

Authorized personnel may access uploaded documents, extracted text, Generated Outputs, logs, metadata, or related information only where reasonably necessary to:

  • ·provide customer-requested support;
  • ·investigate technical issues;
  • ·troubleshoot failed or incomplete processing jobs;
  • ·detect or prevent misuse of the Services;
  • ·respond to security incidents;
  • ·comply with applicable law;
  • ·enforce the Agreement;
  • ·protect the rights, safety, or integrity of Re-Doc, Customer, users, or third parties; or
  • ·perform other processing permitted under this DPA.

Customer acknowledges that certain automated processing workflows may require Customer Personal Data to be transmitted to subprocessors as described in the Subprocessor List.

8. Security Measures

Re-Doc will implement and maintain reasonable technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access.

Taking into account the nature of the Services, the processing activities, the state of the art, implementation costs, and the risk presented by the processing, Re-Doc's security measures may include:

  • ·Transport Layer Security (TLS) or similar encryption protocols for transmission of data to and from the Services;
  • ·access controls for production systems;
  • ·restrictions on human access to uploaded documents and Generated Outputs;
  • ·automated document-processing workflows by default;
  • ·operational controls for document retention and deletion;
  • ·server-side configuration controls;
  • ·separation of production access from ordinary user access;
  • ·use of subprocessors with documented security and privacy commitments;
  • ·application logs, API logs, and security-related records for monitoring and troubleshooting;
  • ·incident investigation and response procedures;
  • ·exclusion of uploaded documents and Generated Outputs from Re-Doc's code or application backups;
  • ·deletion of uploaded documents and Generated Outputs according to the applicable retention period; and
  • ·internal access practices designed to limit access to personnel with an operational need to know.

Re-Doc's current technical and organizational measures are further described in Annex 2: Technical and Organizational Measures.

Customer acknowledges that no online service, hosting environment, transmission method, or processing system can be guaranteed to be completely secure.

Re-Doc does not represent that the Services are certified under any specific privacy, security, healthcare, financial, or regulatory certification unless expressly stated in a signed written agreement.

Customer remains responsible for securely configuring its account, protecting authentication credentials, controlling user access, reviewing Generated Outputs, and protecting downloaded files after they leave the Services.

9. Subprocessors

Customer authorizes Re-Doc to engage subprocessors to process Customer Personal Data where necessary to provide, secure, support, maintain, or improve the Services.

Re-Doc may use subprocessors for functions such as:

  • ·cloud hosting;
  • ·authentication;
  • ·payment processing;
  • ·analytics;
  • ·OCR and document extraction;
  • ·document conversion;
  • ·AI-assisted document processing;
  • ·infrastructure operations;
  • ·security and reliability;
  • ·customer support; and
  • ·application monitoring.

Some subprocessors may process uploaded documents, extracted text, Generated Outputs, filenames, document metadata, account information, billing information, logs, or analytics information where necessary to provide the selected workflow or operate the Services.

Re-Doc's current main subprocessors are described in the Subprocessor List.

Re-Doc will take reasonable steps designed to ensure that subprocessors process Customer Personal Data only for the purposes for which they are engaged and apply appropriate technical and organizational safeguards.

Re-Doc remains responsible for the performance of its subprocessors' obligations to the extent required by applicable Data Protection Laws and the Agreement.

Re-Doc may update its subprocessors from time to time as the Services evolve, providers are replaced, new features are introduced, or infrastructure changes are made. Where required by applicable law, contract, or enterprise agreement, Re-Doc will provide notice of material subprocessor changes.

If Customer has a contractual right to object to a new subprocessor, Customer must submit its objection in writing within the notice period specified in the applicable enterprise agreement or written amendment.

If Customer reasonably objects to a new subprocessor, Re-Doc will review the objection in good faith and may, where commercially and technically reasonable:

  • ·make an alternative configuration available;
  • ·avoid use of the subprocessor for Customer's workflow;
  • ·provide additional information about the subprocessor;
  • ·work with Customer to resolve the concern; or
  • ·allow Customer to terminate the affected Services according to the applicable agreement.

Customer acknowledges that some subprocessors are essential to providing certain features. If Customer objects to an essential subprocessor and no reasonable alternative is available, Re-Doc may be unable to provide the affected feature or Service.

10. International Transfers

Customer acknowledges that Re-Doc is operated by a company incorporated in India, while Re-Doc's primary application and document-processing infrastructure is hosted on cloud servers located within the European Union.

Re-Doc does not intentionally transfer uploaded documents to India for document storage or document processing.

Certain subprocessors may process Customer Personal Data in other jurisdictions where required to provide the Services. This may include processing for OCR, document extraction, document conversion, AI-assisted processing, authentication, analytics, payments, security, infrastructure operations, support, or related functions.

Where Customer Personal Data is transferred internationally, Re-Doc will take reasonable steps designed to ensure that appropriate contractual, technical, or organizational safeguards are in place, where required by applicable Data Protection Laws.

Where applicable Data Protection Laws require a specific transfer mechanism, the parties will cooperate in good faith to implement an appropriate mechanism. Such mechanisms may include standard contractual clauses, data processing terms, transfer addenda, supplementary safeguards, or another lawful transfer mechanism.

For transfers of personal data from the European Economic Area, United Kingdom, Switzerland, or other jurisdictions with cross-border transfer restrictions, Customer and Re-Doc may agree to additional transfer terms through an enterprise agreement, written amendment, or applicable transfer addendum.

Customer acknowledges that certain subprocessors, including OCR, document conversion, AI, payment, authentication, and analytics providers, may have provider-dependent processing locations, routing, retention practices, or infrastructure arrangements.

Re-Doc's Subprocessor List provides additional information about the current subprocessors and their processing roles.

11. Data Subject and Data Principal Requests

Customer is responsible for responding to requests from Data Subjects, Data Principals, consumers, or other individuals exercising rights under applicable Data Protection Laws.

Such requests may include requests for:

  • ·access;
  • ·correction;
  • ·deletion;
  • ·restriction of processing;
  • ·objection to processing;
  • ·portability;
  • ·withdrawal of consent;
  • ·information about processing;
  • ·grievance redressal; or
  • ·any other right available under applicable Data Protection Laws.

Where Re-Doc receives a request directly from an individual relating to Customer Personal Data processed on behalf of Customer, Re-Doc may:

  • ·refer the individual to Customer;
  • ·notify Customer of the request, where legally permitted;
  • ·await Customer's instructions; or
  • ·respond as required by applicable law.

Taking into account the nature of the processing and the information available to Re-Doc, Re-Doc will provide reasonable assistance to Customer in responding to valid requests, where required by applicable Data Protection Laws.

Customer acknowledges that Re-Doc may not be able to independently identify or verify individuals whose personal data appears inside Customer-uploaded documents without Customer's assistance.

Re-Doc may charge reasonable fees for assistance with Data Subject or Data Principal requests that require manual effort, custom retrieval, engineering work, legal review, or support outside the standard functionality of the Services, unless the request arises from Re-Doc's breach of this DPA or the Agreement.

DPDP Cooperation

Where the Digital Personal Data Protection Act, 2023 or the Digital Personal Data Protection Rules, 2025 apply, and Re-Doc processes Customer Personal Data on behalf of Customer as a Data Processor, Re-Doc will provide reasonable assistance to Customer in responding to applicable Data Principal requests, grievances, correction requests, erasure requests, nomination-related requests, and withdrawal-related requests, taking into account the nature of processing and the information available to Re-Doc. Customer remains responsible for determining whether and how to respond to Data Principal requests relating to Customer-uploaded documents, unless applicable law requires Re-Doc to respond directly.

12. Deletion and Return of Customer Personal Data

Unless a shorter retention period is agreed in writing or Customer requests earlier deletion, uploaded documents and Generated Outputs are retained for up to 30 days.

After the applicable retention period, uploaded documents and Generated Outputs are scheduled for deletion from Re-Doc's active processing systems.

Customer may request earlier deletion of uploaded documents and Generated Outputs, including immediate deletion where technically supported.

Upon termination of the Agreement, Customer may request deletion of Customer Personal Data processed by Re-Doc, subject to technical feasibility and any legal, tax, accounting, security, contractual, dispute-resolution, or compliance obligations requiring continued retention.

Re-Doc may retain limited information where necessary for legitimate operational, legal, security, billing, audit, or compliance purposes, including:

  • ·account information;
  • ·billing and payment records;
  • ·document metadata;
  • ·processing records;
  • ·API logs;
  • ·security logs;
  • ·diagnostic records;
  • ·support communications; and
  • ·records required to establish, exercise, or defend legal claims.

Document metadata may include filenames, upload timestamps, file type, file size, job identifiers, processing status, retention schedule, and account identifiers.

Re-Doc does not intentionally include uploaded documents or Generated Outputs in Re-Doc's code or application backups.

If Customer Personal Data is present in backups, replicated systems, logs, or archival records, Re-Doc will handle that information according to applicable retention, security, and deletion procedures.

Deletion or return of Customer Personal Data held by subprocessors may be subject to the technical capabilities, retention practices, legal obligations, and deletion procedures of those subprocessors.

Where applicable, Re-Doc will use available subprocessor deletion controls, including provider deletion APIs where supported and relevant to the processing workflow.

13. Security Incidents

Re-Doc will take reasonable steps to investigate, contain, and remediate any confirmed Security Incident involving Customer Personal Data processed by Re-Doc.

Where Re-Doc becomes aware of a Security Incident affecting Customer Personal Data, Re-Doc will notify Customer without undue delay after confirming the Security Incident, where required by applicable Data Protection Laws or the Agreement.

The notification may include, where available and appropriate:

  • ·a description of the nature of the Security Incident;
  • ·the categories of Customer Personal Data affected;
  • ·the categories of individuals affected, where known;
  • ·the likely consequences of the Security Incident, where known;
  • ·the measures taken or proposed to address the Security Incident;
  • ·steps Customer may consider taking to mitigate potential harm; and
  • ·a contact point for follow-up.

Customer acknowledges that Re-Doc's notification of a Security Incident is not an admission of fault, liability, or violation of law.

Customer is responsible for determining whether it is required to notify affected individuals, regulators, customers, clients, authorities, or other third parties, unless applicable law requires Re-Doc to make such notification directly.

Re-Doc will provide reasonable cooperation to Customer in connection with Customer's Security Incident obligations, taking into account the nature of the processing, the information available to Re-Doc, and applicable legal requirements.

Re-Doc may charge reasonable fees for assistance that exceeds standard incident support unless the Security Incident was caused by Re-Doc's breach of this DPA or the Agreement.

Where the Digital Personal Data Protection Act, 2023 or the Digital Personal Data Protection Rules, 2025 apply, and where Re-Doc processes Customer Personal Data on behalf of Customer as a Data Processor, Re-Doc will provide reasonable cooperation to Customer to support Customer's applicable personal data breach assessment and notification obligations. Where Re-Doc is legally required to notify the Data Protection Board of India, affected Data Principals, or another competent authority directly, Re-Doc will do so in accordance with applicable law. For enterprise customers, specific breach notification timelines, escalation contacts, and incident reporting procedures may be agreed in an enterprise agreement, order form, or written amendment.

14. Audit and Information Rights

Upon reasonable written request, Re-Doc will provide information reasonably necessary to demonstrate Re-Doc's compliance with this DPA, taking into account the nature of the Services, Re-Doc's size, security requirements, confidentiality obligations, and the sensitivity of Customer Personal Data.

This may include:

  • ·descriptions of technical and organizational measures;
  • ·copies or summaries of relevant policies;
  • ·subprocessor information;
  • ·data flow explanations;
  • ·retention and deletion information;
  • ·security questionnaire responses;
  • ·incident response information, where applicable;
  • ·privacy and security documentation; and
  • ·other information reasonably necessary for Customer's compliance assessment.

Re-Doc may satisfy audit or information requests by providing written responses, documentation, certifications if later obtained, third-party reports if available, or other commercially reasonable evidence of compliance.

Customer may request additional audit rights through an enterprise agreement or written amendment.

Unless otherwise agreed in writing, Customer is not entitled to conduct physical inspections, penetration tests, vulnerability scans, access production systems, access another customer's data, access Re-Doc's source code, access confidential security architecture, or obtain information that would compromise the security, confidentiality, or integrity of Re-Doc, its customers, subprocessors, or systems.

Any audit or information request must:

  • ·be reasonable in scope;
  • ·be related to Customer Personal Data;
  • ·be subject to confidentiality obligations;
  • ·not unreasonably interfere with Re-Doc's business operations;
  • ·not create security risk;
  • ·not require disclosure of third-party confidential information; and
  • ·occur no more than once per year unless required by applicable law, a Security Incident, or a signed enterprise agreement.

Re-Doc may charge reasonable fees for audit support, security questionnaire responses, custom compliance review, or documentation requests that require significant manual effort, engineering time, or legal review, unless the request arises from Re-Doc's breach of this DPA or the Agreement.

Where applicable Data Protection Laws require audit or inspection rights, Re-Doc will support such rights through a commercially reasonable process that protects the confidentiality, security, availability, and integrity of Re-Doc's systems, other customers' data, subprocessors' confidential information, and Re-Doc's proprietary information.

15. AI-Assisted Processing and AI Language Models

Re-Doc may use AI-assisted processing, including AI language models, to provide certain document-processing features, including:

  • ·sensitive information detection;
  • ·entity recognition;
  • ·contextual analysis;
  • ·document classification;
  • ·anonymization;
  • ·pseudonymization;
  • ·redaction support;
  • ·synthetic or replacement text generation;
  • ·processing recommendations;
  • ·output generation; and
  • ·related document-processing tasks.

AI-assisted processing may involve transmitting extracted text, relevant document content, prompts, workflow instructions, metadata, or model outputs to selected AI subprocessors.

Re-Doc may use OpenRouter and selected AI model providers for AI-assisted processing.

Where supported by the relevant provider and configuration, Re-Doc will use Zero Data Retention or similar provider-side settings designed to limit retention of prompts, extracted text, document content, and model outputs.

Customer acknowledges that AI provider capabilities, model availability, routing, region, logging, retention controls, and privacy settings may vary depending on provider, model, subscription plan, workflow, and configuration.

Re-Doc does not use uploaded documents or Generated Outputs to train Re-Doc's own artificial intelligence or machine learning models.

Re-Doc does not authorize third-party AI subprocessors to use Customer Personal Data, uploaded documents, extracted text, or Generated Outputs to train models, except where Customer expressly agrees otherwise in writing.

Customer remains responsible for reviewing Generated Outputs before using, sharing, publishing, submitting, or relying on them.

Re-Doc does not guarantee that AI-assisted processing will identify every item of personal data, confidential information, sensitive information, protected information, or regulated information.

Re-Doc does not guarantee that Generated Outputs will satisfy any specific legal, regulatory, contractual, professional, medical, financial, court, audit, or compliance requirement.

Customer is responsible for determining whether AI-assisted processing is appropriate for Customer's documents, use case, jurisdiction, risk tolerance, and legal obligations.

Enterprise customers may agree to additional AI processing restrictions, provider limitations, AI language model restrictions, ZDR requirements, region requirements, or workflow-specific controls through a written enterprise agreement or amendment.

16. Liability and Relationship With the Agreement

This DPA forms part of the Agreement between Customer and Re-Doc.

Unless expressly stated otherwise in a signed enterprise agreement, order form, or written amendment, each party's liability under this DPA is subject to the limitations, exclusions, and liability cap set out in the Agreement.

Nothing in this DPA limits or excludes liability that cannot be limited or excluded under applicable law.

If there is a conflict between this DPA and the Agreement regarding the processing of Customer Personal Data, this DPA will control for that data-processing issue.

If there is a conflict between this DPA and a signed enterprise agreement or negotiated written data processing agreement, the signed written agreement will control to the extent of the conflict.

This DPA does not create any rights for individuals or entities who are not parties to the Agreement, except where such rights cannot be excluded under applicable law.

17. Term and Termination

This DPA will remain in effect for as long as Re-Doc processes Customer Personal Data on behalf of Customer.

This DPA will automatically terminate when:

  • ·the Agreement terminates or expires;
  • ·Re-Doc no longer processes Customer Personal Data on behalf of Customer; and
  • ·all Customer Personal Data has been deleted, returned, anonymized, or otherwise handled according to this DPA and the Agreement.

Termination of the Agreement does not affect any obligations that are intended to survive termination, including obligations relating to confidentiality, security, deletion, audit records, liability, dispute resolution, and legal compliance.

Upon termination, Re-Doc will delete or return Customer Personal Data as described in Section 12 of this DPA, unless retention is required or permitted by applicable law, tax, accounting, security, contractual, dispute-resolution, or compliance obligations.

Customer acknowledges that certain limited records may continue to be retained after termination, including billing records, transaction records, account records, support communications, logs, metadata, and records necessary to establish, exercise, or defend legal claims.

18. Customer-Specific Amendments

Re-Doc may agree to customer-specific data processing terms through an enterprise agreement, order form, Data Processing Addendum amendment, statement of work, or other written agreement signed by both parties.

Customer-specific amendments may include, for example:

  • ·shorter retention periods;
  • ·immediate deletion workflows;
  • ·custom deletion schedules;
  • ·specific subprocessor restrictions;
  • ·restrictions on AI model providers;
  • ·Zero Data Retention requirements;
  • ·regional processing requirements;
  • ·dedicated infrastructure;
  • ·enhanced access controls;
  • ·encryption requirements;
  • ·custom security measures;
  • ·breach notification timelines;
  • ·audit procedures;
  • ·international transfer terms;
  • ·Standard Contractual Clauses or similar transfer mechanisms;
  • ·confidentiality requirements;
  • ·regulated industry requirements;
  • ·custom support obligations; or
  • ·modified liability or indemnity terms.

Unless expressly agreed in writing, Re-Doc's standard Services are provided according to the Terms of Service, Privacy Policy, Subprocessor List, Upload Authorization, this DPA, and the applicable subscription or order terms.

Customer must notify Re-Doc in writing before using the Services for any workflow that requires special legal, regulatory, technical, security, contractual, or compliance measures beyond those described in Re-Doc's standard documentation.

Re-Doc is not obligated to support customer-specific processing requirements unless those requirements have been expressly agreed in writing.

Annex 1: Processing Details

This Annex describes the subject matter, duration, nature, purpose, categories of Customer Personal Data, and categories of Data Subjects processed by Re-Doc on behalf of Customer.

1. Subject Matter of Processing

The subject matter of processing is Re-Doc's provision of document-processing services to Customer.

This may include processing uploaded documents and related information for the purpose of providing redaction, anonymization, pseudonymization, document conversion, OCR, AI-assisted document analysis, text replacement, output generation, and related document-processing workflows.

2. Duration of Processing

Re-Doc will process Customer Personal Data for the duration of the Agreement and for the period necessary to provide the Services, unless a shorter retention period is agreed in writing or Customer requests earlier deletion where supported.

Unless deleted earlier or agreed otherwise:

  • ·uploaded documents are retained for up to 30 days;
  • ·generated outputs are retained for up to 30 days;
  • ·document metadata may be retained for operational, billing, audit, security, support, and compliance purposes;
  • ·account information may be retained while the account remains active;
  • ·billing and payment records may be retained as required for tax, accounting, payment, and legal obligations;
  • ·logs and technical records may be retained for security, troubleshooting, audit, and operational purposes.

After the applicable retention period, uploaded documents and generated outputs are scheduled for deletion from Re-Doc's active processing systems.

3. Nature of Processing

The nature of processing may include:

  • ·receiving uploaded documents;
  • ·temporarily storing uploaded documents;
  • ·extracting text;
  • ·performing OCR;
  • ·analyzing document layout and structure;
  • ·detecting sensitive information;
  • ·identifying personal data, confidential data, or other selected entities;
  • ·converting documents between supported formats, including PDF to DOCX and DOCX to PDF where required;
  • ·using AI-assisted processing where applicable;
  • ·generating anonymized, redacted, pseudonymized, replaced, or converted outputs;
  • ·creating processing reports;
  • ·making generated outputs available for download;
  • ·storing document metadata;
  • ·maintaining account and subscription records;
  • ·processing payment and billing information;
  • ·maintaining application, API, security, and diagnostic logs;
  • ·providing customer support;
  • ·troubleshooting processing errors;
  • ·monitoring service reliability and security;
  • ·deleting documents and generated outputs according to the applicable retention period; and
  • ·other processing reasonably necessary to provide, secure, support, and operate the Services.

4. Purpose of Processing

Re-Doc processes Customer Personal Data for the purpose of providing the Services requested by Customer. The purposes may include:

  • ·document redaction;
  • ·document anonymization;
  • ·document pseudonymization;
  • ·sensitive information detection;
  • ·synthetic or replacement text generation;
  • ·document transformation;
  • ·OCR and document extraction;
  • ·document conversion;
  • ·preserving document layout and structure where supported;
  • ·generating processed documents and outputs;
  • ·enabling download of generated outputs;
  • ·maintaining customer accounts;
  • ·processing subscriptions and billing;
  • ·providing technical support;
  • ·improving service reliability and usability;
  • ·maintaining security;
  • ·detecting abuse or misuse;
  • ·complying with applicable legal obligations; and
  • ·enforcing the Agreement.

Re-Doc will not process Customer Personal Data for purposes unrelated to providing, securing, supporting, maintaining, or improving the Services, unless required by applicable law or expressly authorized by Customer.

5. Categories of Customer Personal Data

The categories of Customer Personal Data processed by Re-Doc depend on the documents uploaded by Customer and the workflow selected.

Account and User Information

  • ·name;
  • ·email address;
  • ·authentication identifier;
  • ·organization name;
  • ·account role;
  • ·subscription information;
  • ·support communications;
  • ·usage information;
  • ·login and session information.

Uploaded Document Information

Uploaded documents may contain any personal data, confidential information, or regulated information that Customer chooses to upload. This may include, depending on the document:

  • ·names;
  • ·addresses;
  • ·email addresses;
  • ·phone numbers;
  • ·dates of birth;
  • ·government identification numbers;
  • ·financial information;
  • ·medical or health-related information;
  • ·employment information;
  • ·legal information;
  • ·insurance information;
  • ·education information;
  • ·family or relationship information;
  • ·signatures;
  • ·photographs;
  • ·scanned identity documents;
  • ·account numbers;
  • ·case numbers;
  • ·customer identifiers;
  • ·transaction information;
  • ·contractual information;
  • ·correspondence;
  • ·notes;
  • ·tables;
  • ·images;
  • ·handwritten or printed text;
  • ·metadata embedded in documents; and
  • ·other information contained in documents submitted by Customer.

Extracted and Generated Information

  • ·extracted text;
  • ·OCR outputs;
  • ·layout information;
  • ·table structures;
  • ·entity labels;
  • ·confidence scores;
  • ·detected sensitive information;
  • ·replacement text;
  • ·anonymized text;
  • ·pseudonymized values;
  • ·redaction markings;
  • ·processing reports;
  • ·converted document files;
  • ·generated output files;
  • ·model inputs and outputs where AI processing is used.

Document Metadata

  • ·filename;
  • ·file type;
  • ·file size;
  • ·upload timestamp;
  • ·processing timestamp;
  • ·job identifier;
  • ·processing status;
  • ·retention schedule;
  • ·download status;
  • ·account identifier;
  • ·error messages;
  • ·processing duration.

Technical and Operational Information

  • ·IP address;
  • ·browser information;
  • ·device information;
  • ·operating system;
  • ·API request metadata;
  • ·session identifiers;
  • ·timestamps;
  • ·performance logs;
  • ·error logs;
  • ·security logs;
  • ·diagnostic information;
  • ·usage events.

Billing and Payment Information

  • ·billing name;
  • ·billing email;
  • ·invoice information;
  • ·transaction identifiers;
  • ·payment status;
  • ·subscription plan;
  • ·tax information;
  • ·refund information;
  • ·payment provider metadata.

Re-Doc does not store complete credit card or debit card numbers on its own systems.

6. Sensitive or Special Categories of Data

Customer acknowledges that uploaded documents may contain sensitive or special categories of personal data depending on the documents submitted. Such information may include, without limitation:

  • ·health or medical information;
  • ·financial information;
  • ·legal information;
  • ·government identification information;
  • ·children's or minors' information;
  • ·biometric-like information appearing in documents, such as photographs or signatures;
  • ·employment records;
  • ·insurance records;
  • ·criminal or legal proceeding information;
  • ·family or relationship information;
  • ·other sensitive, confidential, or regulated information.

Customer is responsible for ensuring that it has the necessary authority, legal basis, permissions, consents, notices, and safeguards to upload and process such information using the Services.

Re-Doc processes such information only to provide the selected document-processing workflow and related Services.

7. Categories of Data Subjects

The categories of Data Subjects may include any individuals whose personal data appears in Customer-uploaded documents or related processing records. Depending on Customer's use case, this may include:

  • ·Customer's users;
  • ·Customer's employees;
  • ·contractors;
  • ·consultants;
  • ·customers;
  • ·clients;
  • ·patients;
  • ·policyholders;
  • ·claimants;
  • ·applicants;
  • ·vendors;
  • ·business partners;
  • ·legal parties;
  • ·witnesses;
  • ·beneficiaries;
  • ·family members;
  • ·dependents;
  • ·students;
  • ·government identification holders;
  • ·data subjects or data principals named in uploaded documents;
  • ·individuals appearing in scanned documents, images, signatures, or forms;
  • ·other individuals whose information is included in documents uploaded by Customer.

8. Processing Frequency

Processing occurs when Customer uses the Services, uploads documents, selects a workflow, uses APIs, generates outputs, requests support, maintains an account, or otherwise interacts with Re-Doc.

Processing may occur on a one-time, occasional, recurring, subscription-based, usage-based, API-based, or enterprise workflow basis depending on Customer's use of the Services.

9. Subprocessors

Re-Doc may use subprocessors to support the processing activities described in this Annex. Subprocessor roles may include:

  • ·cloud hosting;
  • ·OCR and document extraction;
  • ·document conversion;
  • ·AI-assisted document processing;
  • ·authentication;
  • ·payments;
  • ·analytics;
  • ·infrastructure operations;
  • ·security;
  • ·customer support;
  • ·application monitoring.

The current main subprocessors are described in Re-Doc's Subprocessor List.

10. Customer Instructions

Customer instructs Re-Doc to process Customer Personal Data as necessary to provide the Services, perform the selected document-processing workflow, operate and secure the platform, retain and delete data according to applicable retention terms, and otherwise perform the Agreement.

Additional or modified instructions may be agreed in writing through an enterprise agreement, order form, statement of work, DPA amendment, or other written agreement.

Annex 2: Technical and Organizational Measures

This Annex describes the technical and organizational measures maintained by Re-Doc to protect Customer Personal Data processed through the Services. These measures are designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or unauthorized access, taking into account the nature of the Services, the type of data processed, the risks involved, the available technology, and the current stage of Re-Doc's operations. Re-Doc may update these measures from time to time as its Services, infrastructure, security practices, subprocessors, and customer requirements evolve.

1. Transmission Security

Re-Doc uses Transport Layer Security (TLS) or similar secure transmission protocols to protect data transmitted between the customer's browser, device, or API client and the Re-Doc Services. This includes transmission of:

  • ·uploaded documents;
  • ·account information;
  • ·authentication-related information;
  • ·generated outputs;
  • ·API requests;
  • ·API responses;
  • ·processing instructions;
  • ·application data.

Customers are responsible for accessing the Services through secure devices, networks, browsers, and integrations.

2. Hosting and Infrastructure

Re-Doc's primary application and document-processing infrastructure is hosted on cloud servers located within the European Union.

Uploaded documents and Generated Outputs are stored within access-controlled infrastructure for the limited retention period described in the Agreement, Privacy Policy, and DPA.

Re-Doc applies infrastructure configuration controls and operational safeguards designed to reduce unauthorized access to production systems.

Re-Doc does not claim that uploaded documents or Generated Outputs are encrypted at the block-storage level in the standard hosted environment unless such encryption is expressly implemented and agreed in writing for a specific deployment or enterprise arrangement.

3. Access Controls

Re-Doc restricts access to production systems, uploaded documents, Generated Outputs, and Customer Personal Data to authorized personnel who require access for legitimate operational, support, security, or legal purposes. Access to Customer Personal Data is limited based on need to know. Authorized access may be used only for purposes such as:

  • ·providing the Services;
  • ·maintaining the platform;
  • ·troubleshooting failed or incomplete processing jobs;
  • ·providing customer-requested support;
  • ·investigating security incidents;
  • ·detecting misuse or abuse;
  • ·complying with applicable legal obligations;
  • ·protecting the Services, customers, users, or third parties.

Re-Doc does not routinely review uploaded documents manually.

4. Authentication

Re-Doc currently supports user authentication through Google Sign-In. Authentication is used to help ensure that only authorized users can access their accounts and available Services.

Customers are responsible for maintaining the security of their Google accounts or other authentication methods used to access Re-Doc. Customers should use strong security practices including secure passwords, device protection, and multi-factor authentication where available.

5. Customer Account Security

Customers are responsible for managing access to their Re-Doc accounts and ensuring that only authorized users access the Services. Customers should:

  • ·restrict account access to authorized users;
  • ·avoid sharing login credentials;
  • ·promptly remove users who no longer require access, where user management is available;
  • ·protect downloaded documents and Generated Outputs;
  • ·notify Re-Doc promptly of suspected unauthorized access;
  • ·review Generated Outputs before using or sharing them.

Re-Doc is not responsible for unauthorized access caused by compromised customer credentials, insecure customer devices, customer-side sharing, or customer failure to protect downloaded files, except to the extent caused by Re-Doc's breach of the Agreement or applicable law.

6. Automated Processing by Default

Re-Doc is designed to process uploaded documents through automated workflows by default. Depending on the selected workflow, automated processing may include:

  • ·document upload;
  • ·temporary storage;
  • ·OCR;
  • ·text extraction;
  • ·layout analysis;
  • ·document conversion;
  • ·AI-assisted detection;
  • ·redaction;
  • ·anonymization;
  • ·pseudonymization;
  • ·replacement text generation;
  • ·output generation;
  • ·download delivery;
  • ·scheduled deletion.

Automated processing helps reduce unnecessary human exposure to uploaded documents and Generated Outputs.

7. Data Minimization

Re-Doc aims to collect and retain only the information reasonably necessary to provide, secure, support, maintain, and improve the Services. Where possible, Re-Doc limits processing to the information required for the selected workflow. For example:

  • ·OCR is used where text extraction or document analysis is required;
  • ·document conversion is used where required for processing or output generation;
  • ·AI-assisted processing is used where required for detection, redaction, anonymization, pseudonymization, replacement, or related workflows;
  • ·analytics providers are not intentionally used to process uploaded document contents.

8. Retention Controls

Unless deleted earlier or agreed otherwise, uploaded documents and Generated Outputs are retained for up to 30 days. After the applicable retention period, they are scheduled for deletion from Re-Doc's active processing systems.

Customers may request earlier deletion, including immediate deletion where technically supported.

Re-Doc may retain document metadata, logs, account information, support records, payment records, and operational records for longer where necessary for security, billing, audit, support, legal, tax, accounting, dispute-resolution, or compliance purposes.

9. Backup Practices

Uploaded documents and Generated Outputs are not intentionally included in Re-Doc's code or application backups.

Re-Doc may maintain backups of application code, configuration, and operational systems for continuity, recovery, maintenance, and business operations.

If any Customer Personal Data is present in backups, replicated systems, logs, or archival records, Re-Doc will handle that information according to applicable retention, security, and deletion procedures.

10. Logging and Monitoring

Re-Doc may maintain application logs, API logs, diagnostic logs, security logs, and operational records to support platform reliability, troubleshooting, security, and abuse prevention. Logs may include:

  • ·timestamps;
  • ·account identifiers;
  • ·IP addresses;
  • ·API request metadata;
  • ·processing status;
  • ·error messages;
  • ·job identifiers;
  • ·browser or device information;
  • ·security events;
  • ·operational events.

Re-Doc does not intentionally use logs for unrelated advertising purposes.

Where logs contain Customer Personal Data, Re-Doc may delete or anonymize such logs upon request where technically feasible and legally permitted.

11. Subprocessor Controls

Re-Doc uses subprocessors to support functions such as hosting, authentication, payment processing, analytics, OCR, document extraction, document conversion, AI-assisted processing, infrastructure operations, security, and support. Re-Doc selects subprocessors based on factors such as:

  • ·technical capability;
  • ·operational reliability;
  • ·data handling practices;
  • ·security commitments;
  • ·availability of relevant privacy controls;
  • ·ability to support the required processing workflow.

Subprocessors are expected to process Customer Personal Data only for the purpose of providing the relevant service to Re-Doc.

The current main subprocessors are described in Re-Doc's Subprocessor List.

12. AI Processing Safeguards

Where AI-assisted processing is used, Re-Doc may transmit extracted text, relevant document content, prompts, workflow instructions, metadata, and model outputs to selected AI subprocessors.

Where supported by the relevant provider and configuration, Re-Doc uses Zero Data Retention or similar provider-side settings designed to limit retention of prompts, extracted text, document content, and model outputs.

Re-Doc does not use uploaded documents or Generated Outputs to train Re-Doc's own artificial intelligence or machine learning models.

Re-Doc does not permit third-party AI providers to use uploaded documents or Generated Outputs to train Re-Doc-specific models.

Customer acknowledges that AI provider capabilities, routing, model availability, region, logging, retention controls, and privacy settings may vary depending on provider, model, configuration, workflow, and subscription plan.

13. Document Conversion Controls

Re-Doc may convert documents between supported formats where required to preserve layout, support downstream processing, or generate the requested output. This may include, for example, converting PDF files to DOCX format for processing and converting DOCX files back to PDF format for delivery.

Document conversion is performed only where required for the selected workflow.

Where Re-Doc uses third-party document conversion providers, Re-Doc uses available deletion controls where supported and relevant to the processing workflow.

14. OCR and Document Extraction Controls

Where uploaded documents contain scanned pages, image-based content, tables, layout structures, or other content requiring extraction, Re-Doc may use OCR or document extraction providers. OCR and document extraction may involve processing:

  • ·uploaded document files;
  • ·document images;
  • ·page images;
  • ·extracted text;
  • ·layout information;
  • ·table structures;
  • ·document structure;
  • ·related analysis outputs.

OCR and document extraction are used only where required for the selected workflow.

15. Human Access Controls

Re-Doc does not routinely review uploaded documents manually. Authorized personnel may access uploaded documents, Generated Outputs, extracted text, document metadata, logs, or related information only where reasonably necessary for:

  • ·customer-requested support;
  • ·troubleshooting;
  • ·investigating failed jobs;
  • ·investigating suspected misuse;
  • ·security incident response;
  • ·legal compliance;
  • ·enforcing the Agreement;
  • ·protecting the rights, safety, or integrity of Re-Doc, customers, users, or third parties.

Access is limited to personnel with an operational need to know.

16. Security Incident Response

Re-Doc maintains procedures designed to identify, investigate, contain, and remediate confirmed Security Incidents involving Customer Personal Data.

Where Re-Doc becomes aware of a confirmed Security Incident affecting Customer Personal Data, Re-Doc will notify Customer according to the DPA, Agreement, and applicable Data Protection Laws. Re-Doc may provide information such as:

  • ·nature of the incident;
  • ·affected data categories;
  • ·known or likely impact;
  • ·remedial measures taken or planned;
  • ·recommended customer actions;
  • ·contact point for follow-up.

17. Deletion Support

Re-Doc supports deletion of uploaded documents and Generated Outputs according to the applicable retention period. Customers may request earlier deletion where supported.

Where technically feasible and legally permitted, Re-Doc may also delete or anonymize certain logs, metadata, or support records upon customer request.

Deletion may be subject to technical feasibility, subprocessor capabilities, backup processes, legal obligations, tax obligations, accounting obligations, security requirements, dispute-resolution needs, and compliance obligations.

18. Separation of Customer Responsibilities

Re-Doc's security measures apply to Re-Doc-controlled systems and processing activities. Customer remains responsible for security measures within Customer's own environment, including:

  • ·securing user accounts;
  • ·controlling user access;
  • ·protecting devices;
  • ·protecting networks;
  • ·securing API keys, if applicable;
  • ·securing downloaded files;
  • ·managing internal sharing;
  • ·reviewing outputs;
  • ·complying with internal policies and applicable laws.

Re-Doc is not responsible for Customer-side security failures except to the extent caused by Re-Doc's breach of the DPA, Agreement, or applicable law.

19. No Certification Claim

Re-Doc does not claim that the Services are certified under any specific privacy, security, healthcare, financial, or regulatory framework unless expressly stated in a signed written agreement.

Re-Doc does not claim ISO 27001, SOC 2, HIPAA, GDPR certification, DPDP certification, or similar certification unless such certification has been formally obtained and expressly published or agreed in writing.

The measures in this Annex describe Re-Doc's current technical and organizational safeguards and do not constitute a certification or regulatory approval.

20. Updates to Security Measures

Re-Doc may update, replace, improve, or modify its technical and organizational measures from time to time.

Re-Doc will not materially reduce the overall level of protection for Customer Personal Data during the term of the Agreement without providing replacement safeguards that are reasonably designed to maintain an appropriate level of protection, taking into account the nature of the Services and the risk of processing.

Enterprise customers may agree to additional or customized technical and organizational measures through a written enterprise agreement, order form, or DPA amendment.

Annex 3: Subprocessors

This Annex describes Re-Doc's use of subprocessors in connection with the Services.

1. Authorization to Use Subprocessors

Customer authorizes Re-Doc to engage subprocessors to process Customer Personal Data where necessary to provide, secure, support, maintain, or improve the Services. Subprocessors may be used for functions such as:

  • ·cloud hosting;
  • ·OCR and document extraction;
  • ·document conversion;
  • ·AI-assisted document processing;
  • ·authentication;
  • ·payment processing;
  • ·analytics;
  • ·infrastructure operations;
  • ·application monitoring;
  • ·security and reliability;
  • ·customer support; and
  • ·related operational services.

Some subprocessors may process uploaded documents, extracted text, generated outputs, filenames, document metadata, account information, billing information, logs, analytics information, or related Customer Personal Data where necessary for the relevant service.

2. Current Subprocessor List

Re-Doc maintains a public Subprocessor List that describes its current main subprocessors, including their purpose, role, whether document content may be involved, typical information processed, processing region, and retention notes. The Subprocessor List is incorporated into this DPA by reference.

Re-Doc may update the Subprocessor List from time to time as the Services evolve, providers are replaced, new features are introduced, infrastructure changes are made, or processing requirements change.

3. Categories of Subprocessors

Re-Doc's subprocessors may include providers in the following categories:

Hosting and Infrastructure

Providers used to host Re-Doc's application, processing systems, uploaded documents, generated outputs, metadata, logs, and related operational systems.

OCR and Document Extraction

Providers used to extract text, tables, layout, and structure from scanned, image-based, or complex documents where required by the selected workflow.

Document Conversion

Providers used to convert documents between supported formats where required to preserve layout, support downstream processing, or generate the requested output.

This may include, for example, converting PDF files to DOCX format for processing and converting DOCX files back to PDF format for delivery.

AI-Assisted Processing

Providers used for AI-assisted document understanding, sensitive information detection, redaction support, anonymization, pseudonymization, replacement text generation, classification, and related processing.

Where supported by the relevant provider and configuration, Re-Doc uses Zero Data Retention or similar provider-side settings designed to limit retention of prompts, extracted text, document content, and model outputs.

Authentication

Providers used to authenticate users and manage secure account access.

Payment Processing

Providers used to process payments, subscriptions, invoices, transaction records, refunds, taxes, and related billing information.

Analytics and Usability

Providers used to understand website usage, product flows, usability issues, performance, and service improvements.

Analytics providers are not intentionally used to process uploaded document contents, generated outputs, or extracted document text.

Security, Monitoring, and Support

Providers used to maintain platform reliability, investigate errors, monitor system performance, provide support, and protect the Services.

4. Subprocessor Obligations

Re-Doc will take reasonable steps designed to ensure that subprocessors process Customer Personal Data only for the purposes for which they are engaged.

Re-Doc will take reasonable steps designed to ensure that subprocessors apply appropriate technical and organizational safeguards in relation to the processing they perform.

Re-Doc remains responsible for the performance of its subprocessors to the extent required by applicable Data Protection Laws and the Agreement.

5. Subprocessor Changes

Re-Doc may add, replace, remove, or modify subprocessors from time to time.

Where required by applicable law, contract, enterprise agreement, or written amendment, Re-Doc will provide notice of material subprocessor changes. Notice may be provided by:

  • ·updating the public Subprocessor List;
  • ·email notice;
  • ·account notification;
  • ·notice through the Services;
  • ·contractual notice under an enterprise agreement; or
  • ·another reasonable method.

6. Customer Objection Rights

Enterprise customers may have specific subprocessor notice and objection rights under a signed enterprise agreement, order form, or written amendment.

Where Customer has a contractual right to object to a new subprocessor, Customer must submit its objection in writing within the notice period specified in the applicable agreement. Customer's objection must explain the reasonable data protection concern relating to the proposed subprocessor.

If Customer reasonably objects to a new subprocessor, Re-Doc will review the objection in good faith and may, where commercially and technically reasonable:

  • ·provide additional information about the subprocessor;
  • ·make an alternative configuration available;
  • ·restrict use of the subprocessor for Customer's workflow;
  • ·work with Customer to resolve the concern;
  • ·delay use of the subprocessor for Customer, where feasible; or
  • ·allow Customer to terminate the affected Services according to the applicable agreement.

Customer acknowledges that some subprocessors are essential to providing certain Services. If Customer objects to an essential subprocessor and no commercially or technically reasonable alternative is available, Re-Doc may be unable to provide the affected feature or Service.

7. No Direct Subprocessor Relationship With Customer

Re-Doc's subprocessors provide services to Re-Doc and not directly to Customer, unless Customer separately contracts with that provider.

Nothing in this DPA creates a direct contractual relationship between Customer and Re-Doc's subprocessors.

8. Customer-Specific Subprocessor Restrictions

Customer-specific restrictions on subprocessors, AI providers, processing regions, OCR providers, document conversion providers, or analytics providers must be expressly agreed in writing through an enterprise agreement, order form, DPA amendment, or other written agreement signed by both parties.

Unless expressly agreed in writing, Re-Doc may use the subprocessors described in the Subprocessor List to provide the Services.

Annex 4: International Transfers and Customer-Specific Terms

This Annex describes Re-Doc's approach to international processing, transfer safeguards, and customer-specific data processing terms.

1. International Processing Overview

Re-Doc is operated by CypherLayer Technologies Private Limited, a company incorporated in India. Re-Doc's primary application and document-processing infrastructure is hosted on cloud servers located within the European Union.

Re-Doc does not intentionally transfer uploaded documents to India for document storage or document processing.

Certain subprocessors may process Customer Personal Data in other jurisdictions where required to provide the Services. This may include processing for:

  • ·OCR;
  • ·document extraction;
  • ·layout analysis;
  • ·document conversion;
  • ·AI-assisted processing;
  • ·authentication;
  • ·payment processing;
  • ·analytics;
  • ·security;
  • ·infrastructure operations;
  • ·support;
  • ·application monitoring; and
  • ·related service operations.

2. Provider-Dependent Processing Locations

Customer acknowledges that some subprocessors may have provider-dependent processing locations, routing, infrastructure, retention practices, logging practices, or regional configurations. For example:

  • ·hosting and primary storage are currently performed through Re-Doc-controlled infrastructure located within the European Union;
  • ·OCR and document extraction may be performed through providers deployed in other jurisdictions, such as the United States;
  • ·document conversion may be performed through provider infrastructure used for file transformation;
  • ·AI-assisted processing may depend on the AI routing provider, selected model, provider endpoint, privacy configuration, and workflow;
  • ·payment, authentication, analytics, and monitoring providers may process information in accordance with their own infrastructure and legal requirements.

Additional information is provided in Re-Doc's Subprocessor List.

3. Transfer Safeguards

Where Customer Personal Data is transferred internationally, Re-Doc will take reasonable steps designed to ensure that appropriate contractual, technical, or organizational safeguards are in place where required by applicable Data Protection Laws. Such safeguards may include, where applicable:

  • ·data processing terms with subprocessors;
  • ·provider security and privacy commitments;
  • ·contractual restrictions on processing;
  • ·transfer addenda;
  • ·Standard Contractual Clauses;
  • ·supplementary safeguards;
  • ·limited retention controls;
  • ·provider-side deletion controls;
  • ·Zero Data Retention or similar settings for AI-assisted processing where supported and configured;
  • ·access controls;
  • ·retention and deletion limits; and
  • ·other lawful transfer mechanisms.

4. European Economic Area, United Kingdom, Switzerland, and Similar Transfers

Where Customer is located in the European Economic Area, United Kingdom, Switzerland, or another jurisdiction with cross-border transfer restrictions, and where Customer Personal Data is transferred to a country that requires a transfer mechanism, the parties will cooperate in good faith to implement an appropriate transfer mechanism where required. Such mechanism may include:

  • ·Standard Contractual Clauses;
  • ·a UK International Data Transfer Addendum;
  • ·an equivalent transfer addendum;
  • ·customer-specific transfer terms;
  • ·additional technical or organizational safeguards; or
  • ·another lawful transfer mechanism recognized under applicable Data Protection Laws.

Any such transfer mechanism should be documented in an enterprise agreement, written amendment, order form, transfer addendum, or customer-specific DPA amendment where required.

5. No Automatic Transfer Certification

Re-Doc does not claim that the Services are certified under any specific international transfer, privacy, security, healthcare, financial, or regulatory framework unless expressly stated in a signed written agreement.

Re-Doc does not claim GDPR certification, DPDP certification, ISO 27001 certification, SOC 2 certification, HIPAA certification, or similar certification unless such certification has been formally obtained and expressly published or agreed in writing.

6. Customer-Specific Processing Terms

Customer and Re-Doc may agree to customer-specific data processing terms through a signed enterprise agreement, order form, statement of work, DPA amendment, transfer addendum, or other written agreement. Customer-specific terms may include:

  • ·shorter retention periods;
  • ·immediate deletion workflows;
  • ·custom deletion schedules;
  • ·regional processing restrictions;
  • ·restrictions on AI providers or models;
  • ·restrictions on OCR providers;
  • ·restrictions on document conversion providers;
  • ·dedicated infrastructure;
  • ·encryption requirements;
  • ·no-analytics configurations;
  • ·specific subprocessor exclusions;
  • ·breach notification timelines;
  • ·audit procedures;
  • ·Standard Contractual Clauses or other transfer mechanisms;
  • ·regulated industry requirements;
  • ·custom security obligations;
  • ·confidentiality requirements;
  • ·custom support commitments;
  • ·customer-managed review procedures;
  • ·modified liability or indemnity terms.

7. Written Agreement Required

Customer must notify Re-Doc in writing before using the Services for any workflow requiring legal, regulatory, security, technical, contractual, regional, or compliance controls beyond Re-Doc's standard Services and published documentation.

Re-Doc is not obligated to provide custom controls, restricted processing, dedicated infrastructure, specific provider routing, specific model routing, specific regional processing, encryption requirements, industry-specific compliance commitments, or regulated deployment terms unless expressly agreed in writing.

8. Order of Precedence

If there is a conflict between this Annex and a signed enterprise agreement, order form, DPA amendment, transfer addendum, or customer-specific written agreement, the signed written agreement will control to the extent of the conflict.

If there is a conflict between this Annex and the main body of the DPA, the main body of the DPA will control unless the Annex expressly states otherwise or is modified by a signed written agreement.

Annex 5: Customer-Specific Transfer Addendum

If Customer Personal Data is subject to cross-border transfer restrictions and Customer reasonably requires Standard Contractual Clauses, a UK International Data Transfer Addendum, or another lawful transfer mechanism, the parties may enter into a separate transfer addendum or customer-specific DPA amendment.

Such transfer terms will apply only to the relevant Customer Personal Data, relevant transfer, and relevant Services described in the applicable written agreement.

Signature and Acceptance

This DPA may be accepted:

  • ·by electronic acceptance of the Terms of Service, where the Terms incorporate this DPA by reference;
  • ·by accepting an order form, subscription, enterprise agreement, or written agreement that incorporates this DPA;
  • ·by signing this DPA electronically or physically; or
  • ·by any other legally valid method of acceptance agreed by the parties.

Where this DPA is accepted online, Customer's continued use of the Services after acceptance constitutes agreement to this DPA to the extent Re-Doc processes Customer Personal Data on Customer's behalf.

Where a signed version is required, the parties may use the signature block below.

Re-Doc

CypherLayer Technologies Private Limited
Operator of Re-Doc

Authorized Signatory

Name

Title

Date

Customer

 

Legal Name

Authorized Signatory

Name

Title

Date