DATA PROCESSING ADDENDUM

Updated on July 30, 2024
When this document mentions “Company,” “we,” “us,” or “our,” it refers to Docxster Private Limited, located at 3rd Floor, Cosmos Prime, 80 ft Road Indiranagar, Bengaluru 560038.
The purpose of this Data Processing Agreement (DPA) is to establish the terms under which Docxster Private Limited (the "Data Processor") processes personal data on behalf of the Data Controller. Our services include a comprehensive data automation pipeline, which encompasses data import, cleaning, processing, classification, and export. This DPA ensures compliance with GDPR requirements and sets forth the necessary safeguards for data protection throughout our data handling procedures.

Definitions and key terms

To help explain things as clearly as possible in this Privacy Policy, each of these terms, whenever it is referenced, is strictly defined as follows:

Cookie: small amount of data generated by a website and saved by your web browser. It is used to identify your browser, provide analytics, remember information about you such as your language preference or login information.

Company: when this document mentions “Company,” “we,” “us,” or “our,” it refers to Docxster Private Limited, (3rd Floor, Cosmos Prime, 80ft Road Indiranagar, Bangalore 560038), that is responsible for your information under this DPA.

Country: where Docxster or the owners/founders of Docxster are based, in this case India.

Customer: refers to the company, organization or person that signs up to use the Docxster Service to manage the relationships with your consumers or service users.

Device: any internet connected device such as a phone, tablet, computer or any other device that can be used to visit Docxster and use the services.

IP address: Every device connected to the Internet is assigned a number known as an Internet protocol (IP) address. These numbers are usually assigned in geographic blocks. An IP address can often be used to identify the location from which a device is connecting to the Internet.

Personnel: refers to those individuals who are employed by Docxster or are under contract to perform a service on behalf of one of the parties.

Personal Data: any information that directly, indirectly, or in connection with other information — including a personal identification number — allows for the identification or identifiability of a natural person.

Service: refers to the service provided by Docxster as described in the relative terms (if available) and on this platform.

Third-party service: refers to advertisers, contest sponsors, promotional and marketing partners, and others who provide our content or whose products or services we think may interest you.

You: a person or entity that is registered with Docxster to use the Services.

Data Controller: The natural or legal person, public authority, agency or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Data Processor: A natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller.

Subject Matter and Duration of Processing

The subject matter of this agreement is the processing of personal data as part of Docxster Private Limited's data automation services, which include:

Data Import: Importing personal data from various sources.

Data Cleaning: Removing inaccuracies and ensuring data quality.

Data Processing: Performing operations on personal data as outlined in the agreement.

Data Classification: Categorizing data for efficient management and analysis.

Data Export: Exporting processed data to designated destinations or formats.

The processing activities will commence on the effective date of this DPA and will continue throughout the duration of the service contract between the Data Controller and the Data Processor. Upon termination of the service contract, the Data Processor will cease all processing activities and will return or delete personal data in accordance with the Data Controller’s instructions.

Nature and Purpose of Processing

The nature and purpose of processing personal data at Docxster Private Limited are centred around leveraging advanced technologies and sophisticated processing techniques to deliver high-quality document automation services while ensuring compliance with data protection standards. The nature of the processing performed by Docxster Private Limited involves a range of sophisticated activities to manage and handle personal data efficiently. These activities include:

Storage: Secure storage of personal data to ensure it is readily accessible for processing while maintaining confidentiality and integrity.

Analysis: Utilisation of advanced technologies to analyse personal data, enabling insights and actionable intelligence. This includes the use of our in-house Optical Character Recognition (OCR) model and third-party AI tools to extract and interpret data from various document types.

Manipulation: Transformation and modification of personal data to suit the needs of our data automation services. This includes data cleansing, enrichment, and reformatting.

Data Cleaning: Implementing processes to ensure data accuracy and quality. This includes tasks such as currency transformation (converting monetary values into a standardised format) and extraction of specific data labels (e.g., extracting names, addresses, or other critical information).

Data Classification: Using machine learning models and predefined rules to categorise and organise data effectively for easier management and retrieval.

Data Export: Preparing and delivering processed data to designated destinations or in specified formats as per the Data Controller's instructions.

Our data processing services leverage both in-house technologies and third-party solutions to optimise the efficiency and accuracy of data handling. Specifically, we use:

In-house OCR Model: Our proprietary OCR technology is used to convert scanned documents and images into machine-readable text. This enables the extraction of data from documents such as invoices, receipts, and forms.

AI Subprocessors: Please refer to the sub-processors page for more information.

Data Types and Subject Categories

The types of personal data processed include: names, contact details, any other personal information required for the execution of data automation services.

The categories of data subjects include: customers, employees, clients, lawyers, any other individuals whose data is processed as part of the service.

Obligations and Rights of the Data Controller

The Data Controller will provide documented instructions for the processing of personal data. The Data Processor will assist the Data Controller in fulfilling GDPR obligations, including handling data subject requests. The Data Processor will assist the Data Controller in managing data subject requests to 

access user data,

rectify user data,

delete user data,

or restrict the processing of their personal data.

We may also disclose personal and non-personal information about you to government or law enforcement officials or private parties as we, in our sole discretion, believe necessary or appropriate in order to respond to claims, legal process (including subpoenas), to protect our rights and interests or those of a third party, the safety of the public or any person, to prevent or stop any illegal, unethical, or legally actionable activity, or to otherwise comply with applicable court orders, laws, rules and regulations.
Support and Assistance: For any questions regarding the specified data rights and more, our customer support team is available to assist you. We offer support through our API and are here to help with any inquiries or issues related to data management through our Data Protection Committee: dpo@docxster.com.

Security Measures

We implement a variety of security measures to maintain the safety of your personal information when you place an order or enter, submit, or access your personal information. We offer the use of a secure server. All supplied sensitive/credit information is transmitted via Secure Socket Layer (SSL) technology and then encrypted into our payment gateway provider's database, where it is accessible only to those authorized with special access rights to such systems, who are required to keep the information confidential. After a transaction, your private information (credit cards, social security numbers, financials, etc.) is never kept on file. We cannot, however, ensure or warrant the absolute security of any information you transmit to Docxster or guarantee that your information on the Service may not be accessed, disclosed, altered, or destroyed by a breach of any of our physical, technical, or managerial safeguards.

Personnel authorised to process personal data are bound by confidentiality agreements and receive regular training on data protection and security practices. We rely on third-party vendors to provide the necessary data storage and processing capabilities. Below, we outline how we ensure GDPR compliance and data security through these third-party services and within our own internal team.

Access to databases and sensitive data is strictly controlled. We enforce role-based access controls. Regular security training and awareness programs are conducted. Appropriate background checks are performed for employees with access to sensitive data. All company laptops and devices are equipped with up-to-date antivirus and anti-malware software. This helps to protect against malicious software and potential cyber threats. Data at rest and in transit is encrypted using industry-standard encryption protocols. This adds an additional layer of security to protect personal data from unauthorised access.

We maintain comprehensive audit logs that track access to data and system activities, which helps in monitoring and detecting unauthorised access. We review and ensure that providers have established incident management protocols for responding to any security breaches or unauthorised access incidents. We verify that all third-party vendors hold relevant security certifications such as ISO 27001, SOC 2, or equivalent, ensuring their data centre practices meet GDPR requirements. We conduct regular reviews of our third-party providers’ security measures and compliance status to ensure ongoing adherence to GDPR and industry best practices.

Sub-Processors

Docxster engages several sub-processors to support the delivery of our services, including cloud hosting providers for secure data storage, payment gateways for processing transactions, email service providers for managing communications, and analytics services for user interaction analysis. Before partnering with any subprocessor, we perform rigorous due diligence. This process involves evaluating their security measures to ensure compliance with GDPR standards, reviewing their data protection policies, conducting compliance checks, and verifying relevant certifications.

We confirm that each third-party provider has stringent access control policies in place. This includes both physical access controls to data centres and logical access controls to data processing systems. The list of sub-processors is reviewed and updated on the Docxster website here.

Privacy Policy

Docxster is dedicated to safeguarding your personal information and maintaining transparency in how it is used. Our Privacy Policy details our practices for collecting, using, and disclosing your personal data across our website and application.  We collect personal data, including names, email addresses, and payment information, as well as optional data from mobile devices to enhance user experience. The policy outlines how we process data from both our customers and their end-users, including data from third parties. We also explain our procedures for sharing information, retaining data, and protecting user privacy. Importantly, the policy complies with GDPR, ensuring we handle personal data lawfully and transparently. Our updated Privacy Policy can be found here.

Our Privacy Policy is reviewed and updated regularly to stay compliant with GDPR and other regulations. Recent updates include clearer definitions of data handling practices and enhanced explanations of our data processing activities. We have refined the sections on data retention, protection measures, and user rights to ensure they align with GDPR requirements. These updates are intended to maintain transparency and address any changes in our data processing operations or legal obligations. We actively communicate updates to our Privacy Policy to stakeholders through various channels. Major changes are announced via email and on our website to ensure that all users are informed. We provide clear instructions on how to review the updated policy and manage data preferences. Stakeholders are encouraged to review the policy periodically to stay informed about how their data is handled. We also offer support to address any questions or concerns regarding our data protection practices.

Data Retention Policy

We process and store all personal data using fully vetted vendors that adhere to our DPA requirements. Personal data is retained for up to 6 years unless an account is deleted. If an account is deleted, we dispose of all associated data in accordance with our Terms of Service and Privacy Policy. Deleted data will not be retained for longer than 60 days.

International Data Transfer

Docxster is incorporated in India. As part of our commitment to GDPR compliance and to ensure the protection of personal data when transferred outside the European Economic Area (EEA), Docxster Private Limited utilises Standard Contractual Clauses (SCCs). These clauses are designed to provide adequate safeguards for personal data processed or stored outside the EEA. We rely on third-party cloud service providers as listed in the Sub-Processors section. These providers may be located outside the EEA. To ensure that personal data transferred to these providers is adequately protected, we have implemented the following measure: we incorporate SCCs into our agreements with our Sub-Processors.

The SCCs are part of our contractual framework, ensuring that these providers adhere to GDPR requirements and provide equivalent protection for personal data as required within the EEA. The SCCs used in our agreements are in the form of the standard clauses adopted by the European Commission, which have been validated as providing adequate protection for personal data. These clauses are designed to address the risks associated with data transfers and ensure that data subjects’ rights are protected. To the fullest extent allowed by applicable law, by using any of the above, you voluntarily consent to the trans-border transfer and hosting of such information.

Record of Processing Activities

As part of our commitment to transparency and compliance with GDPR, Docxster Private Limited maintains a detailed Record of Processing Activities (ROPA). This record includes comprehensive information about the personal data we process, including the purposes of processing, categories of data subjects, types of personal data, and details of data transfers and third-party processors. This can be made available on request.

Data Breach Policy

Docxster maintains a robust data breach response plan to minimize potential harm. Our proactive monitoring system detects unusual activities and security alerts, enabling early identification of potential breaches. Upon detection, we swiftly isolate affected systems, secure compromised accounts, and prevent further unauthorized access.

A comprehensive breach assessment follows, determining the scope and severity of the incident. We prioritize notifying the relevant Data Protection Authority within 72 hours, providing detailed breach information. Individuals at high risk are directly informed.

Post-incident, we conduct thorough investigations to understand the root cause and implement corrective measures. Improvements will be incorporated into our security protocols to enhance protection.

Data Protection Committee

The following contact details can be used for any data processing related queries and grievances, and the same will be handled by our on-site Data Protection Committee headed by our Data Protection Officer (DPO).

Via Email: dpo@docxster.com

Via Phone Number: +1 959-500-6203
