This Data Processing Agreement (the “DPA”) supplements the HolyDocs Terms of Service (the “Agreement”) entered into between HolyDocs (“Processor”) and the customer identified in the Agreement (“Customer” or “Controller”). It reflects the parties’ agreement regarding the Processing of Personal Data subject to the GDPR, the UK GDPR, and equivalent data protection laws.
Automatic acceptance. By subscribing to any HolyDocs Pro, Business, or Enterprise plan, the Customer is deemed to have entered into this DPA with HolyDocs. For a counter-signed PDF copy, email dpa@holydocs.com with your account email and legal entity name.
Introduction
This DPA forms part of the Agreement and applies to the extent HolyDocs Processes Personal Data on behalf of the Customer in connection with the provision of the Service. In the event of a conflict between the Agreement and this DPA with respect to the Processing of Personal Data, this DPA controls.
1. Definitions
Capitalized terms used but not defined herein have the meanings given in the GDPR or the Agreement.
- Controller, Processor, Personal Data, Personal Data Breach, Processing, and Data Subject have the meanings set out in Article 4 of the GDPR. Sub-Processor means any processor engaged by HolyDocs (or by a Sub-Processor of HolyDocs) to Process Customer Personal Data on HolyDocs’ behalf, as contemplated by Article 28(2) and 28(4) of the GDPR.
- Applicable Data Protection Law means the GDPR, the UK GDPR, the Swiss Federal Act on Data Protection (FADP), and any other data protection or privacy law applicable to the Processing under this DPA.
- SCCs means the Standard Contractual Clauses approved by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, as amended.
- UK Addendum means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner’s Office under section 119A of the Data Protection Act 2018, in force from 21 March 2022.
- Customer Personal Data means Personal Data Processed by HolyDocs on behalf of the Customer under the Agreement.
2. Roles of the Parties
The Customer is the Controller of Customer Personal Data and HolyDocs is the Processor. Where the Customer is itself acting as a processor on behalf of a third-party controller, the Customer warrants that it has authority to engage HolyDocs as a Sub-Processor and to instruct HolyDocs on the Processing of such Personal Data.
Each party will comply with its respective obligations under Applicable Data Protection Law. HolyDocs will Process Customer Personal Data only on the documented instructions of the Customer, as set out in this DPA, the Agreement, and the configuration of the Service.
3. Subject Matter, Nature, Purpose, Duration, Categories
The details of Processing are as follows:
- Subject matter: the provision of the HolyDocs documentation platform and related services as described in the Agreement.
- Duration: for the term of the Agreement and any post-termination period during which HolyDocs retains Customer Personal Data, as described in Section 11.
- Nature and purpose: hosting, storing, transmitting, indexing, rendering, searching, translating, summarizing, and otherwise making Customer Content available through the Service, including via AI-powered features and via third-party sub-processors.
- Categories of Personal Data: Customer Personal Data may include contact information (name, email, role), authentication identifiers, content authored by the Customer or its users that may contain Personal Data, comments and feedback submitted on documentation sites, IP addresses, and device or browser metadata.
- Categories of Data Subjects: Customer’s employees, contractors, collaborators, and end-user visitors to the Customer’s documentation sites.
4. Customer Instructions
HolyDocs will Process Customer Personal Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do so by law to which HolyDocs is subject. In such a case, HolyDocs will inform the Customer of that legal requirement before Processing, unless the law prohibits notification on important grounds of public interest.
The Agreement, this DPA, and the Customer’s configuration of the Service constitute the Customer’s complete and final instructions to HolyDocs. Any additional or alternative instructions must be agreed in writing.
HolyDocs will inform the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.
5. Confidentiality of Personnel
HolyDocs ensures that persons authorized to Process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Customer Personal Data is limited to personnel who require such access to perform the Agreement, and is subject to the access controls described in Annex 1.
6. Security Measures
HolyDocs implements and maintains appropriate technical and organizational measures (the “TOMs”) to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing. The TOMs are described in Annex 1. HolyDocs may update the TOMs from time to time provided the updates do not materially decrease the overall security of the Service.
7. Sub-Processors
The Customer grants HolyDocs general authorization to engage Sub-Processors to Process Customer Personal Data in connection with the Service. The current list of Sub-Processors is published at /subprocessors and is incorporated into this DPA as Annex 2.
HolyDocs will notify the Customer by email of any intended addition or replacement of Sub-Processors at least 30 days in advance, giving the Customer the opportunity to object to such changes. The Customer may object to a new Sub-Processor on reasonable grounds relating to data protection by emailing dpa@holydocs.com within the 30-day window. If the parties cannot reach agreement before the new Sub-Processor begins Processing Customer Personal Data, the Customer may terminate the affected portion of the Service without penalty, with a pro-rata refund of prepaid unused fees.
HolyDocs will impose data protection obligations on each Sub-Processor that are materially equivalent to those imposed on HolyDocs under this DPA, and will remain liable for the acts and omissions of its Sub-Processors to the same extent as for its own acts and omissions.
8. Data Subject Rights Assistance
Taking into account the nature of the Processing, HolyDocs will assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer’s obligation to respond to requests for exercising Data Subject rights under Chapter III of the GDPR (or equivalent rights under other Applicable Data Protection Law).
HolyDocs provides self-service functionality within the Service to enable Customers to access, correct, export, and delete Customer Personal Data. If a Data Subject contacts HolyDocs directly with a rights request, HolyDocs will, without undue delay, forward the request to the Customer and instruct the Data Subject to contact the Customer. HolyDocs will not respond to such requests except as required by law or on the Customer’s documented instructions.
9. Personal Data Breach Notification
HolyDocs will notify the Customer of a Personal Data Breach affecting Customer Personal Data without undue delay after becoming aware of it. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of Data Subjects and records affected, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects. HolyDocs will provide updates as additional information becomes available.
HolyDocs’ notification of, or response to, a Personal Data Breach is not an acknowledgment by HolyDocs of any fault or liability with respect to the breach.
10. Data Protection Impact Assessment Assistance
HolyDocs will provide reasonable assistance to the Customer with any data protection impact assessments and prior consultations with supervisory authorities that the Customer is required to carry out under Articles 35 and 36 of the GDPR, taking into account the nature of the Processing and the information available to HolyDocs.
11. Return or Deletion of Personal Data
Upon termination or expiration of the Agreement, HolyDocs will, at the Customer’s choice, delete or return all Customer Personal Data, and delete existing copies, unless storage is required by Union or Member State law. The Customer may export Customer Personal Data from the Service for at least 30 days following termination. Thereafter, HolyDocs will purge Customer Personal Data from active systems within 30 days, with backup copies rolling off within an additional 35 days (i.e., no later than 95 days after termination, absent a legal retention requirement).
12. Audit Rights
HolyDocs will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR. HolyDocs will allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, no more frequently than once per twelve-month period (unless required by a supervisory authority or following a Personal Data Breach).
The Customer’s audit right may be exercised by reviewing HolyDocs’ third-party audit reports (when available, such as SOC 2 Type II), policies, and responses to a security questionnaire. The parties will agree on the scope, timing, and duration of any on-site audit in advance; on-site audits must be conducted during business hours, with reasonable notice, and in a manner that does not interfere with HolyDocs’ business operations. The Customer bears its own costs and the reasonable costs incurred by HolyDocs in connection with the audit, unless the audit reveals a material non-compliance.
13. International Transfers of Personal Data
Where the Customer’s use of the Service requires the transfer of Customer Personal Data from the European Economic Area, the United Kingdom, or Switzerland to HolyDocs or to a Sub-Processor located in a country not benefitting from an adequacy decision, the parties agree that:
- the SCCs (Module Two: Controller to Processor, or Module Three: Processor to Processor where the Customer is itself acting as a processor under Section 2) are incorporated into this DPA by reference and apply to such transfers, with the elections, completions, and annexes set out in Annex 3;
- where the UK GDPR applies, the UK Addendum is incorporated, with Tables 1, 2, and 3 completed by reference to this DPA and the SCCs, and Table 4 permitting only the Importer to end the Addendum;
- where the Swiss FADP applies, references in the SCCs to the GDPR are deemed to include the FADP, references to “Member State” do not preclude Swiss Data Subjects from enforcing rights in their place of habitual residence, and the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner.
Where a Sub-Processor is engaged to Process Customer Personal Data in such a third country, HolyDocs will ensure that the SCCs (or equivalent transfer mechanism) are in place between HolyDocs and the Sub-Processor, with HolyDocs acting as the data exporter.
Annex 1 — Technical and Organizational Measures (TOMs)
HolyDocs implements the following TOMs to protect Customer Personal Data:
A. Pseudonymization and Encryption
- TLS 1.3 enforced for all data in transit between Users, the Service, and Sub-Processors.
- AES-256 encryption at rest for primary storage (Cloudflare R2 and D1) and backups.
- Secrets managed via Cloudflare Secrets Store and not stored in source code or logs.
B. Confidentiality, Integrity, Availability, and Resilience
- Role-based access controls (RBAC) and least-privilege principles for all internal systems.
- Multi-factor authentication (MFA) required for all HolyDocs personnel.
- Network isolation, edge-level WAF and DDoS mitigation, and rate limiting at the edge.
- Globally distributed infrastructure on Cloudflare’s edge network.
- Daily encrypted backups with point-in-time recovery; tested restoration procedures.
C. Restoration and Business Continuity
- Documented incident response runbook with 24/7 on-call rotation for production incidents.
- Regularly tested disaster recovery plan with defined RTO and RPO targets.
- Status page at status.holydocs.com.
D. Testing, Assessment, and Evaluation
- Continuous dependency vulnerability scanning and automated security patching where feasible.
- Static analysis (CodeQL) on all production codepaths.
- Periodic third-party penetration tests and remediation tracking.
- Annual review of TOMs and the Sub-Processor list.
E. Personnel Security
- Background checks for personnel with access to production data, where lawful.
- Security and privacy training on hire and annually thereafter.
- Contractual confidentiality obligations binding on all personnel.
F. Logical Access and Audit
- All administrative actions on production are logged and retained for at least 12 months.
- Quarterly access reviews; immediate revocation upon role change or departure.
Annex 2 — Sub-Processors
The current list of Sub-Processors engaged by HolyDocs is published and maintained at https://holydocs.com/subprocessors and is incorporated into this DPA by reference. HolyDocs will notify Customers of changes as described in Section 7.
Annex 3 — Standard Contractual Clauses (Module 2)
Where the SCCs apply pursuant to Section 13, the parties agree that the SCCs are deemed entered into and completed as follows:
- Module: Module Two (Controller to Processor) applies. Where the Customer is itself a processor, Module Three (Processor to Processor) applies, with appropriate adjustments.
- Clause 7 (Docking): the optional docking clause does not apply.
- Clause 9 (Use of Sub-Processors): Option 2 (General Written Authorization) is selected, with a notice period of 30 days as described in Section 7.
- Clause 11 (Redress): the optional independent dispute resolution body language is not used.
- Clause 17 (Governing Law): the SCCs are governed by the laws of Ireland.
- Clause 18 (Forum and Jurisdiction): any dispute arising from the SCCs will be resolved by the courts of Ireland.
- Annex I.A (List of Parties): the data exporter is the Customer, as identified in the Agreement; the data importer is HolyDocs.
- Annex I.B (Description of Transfer): as set out in Section 3 of this DPA.
- Annex I.C (Competent Supervisory Authority): in accordance with Clause 13 of the SCCs, the supervisory authority of the Member State in which the Customer is established; where the Customer is not established in the EU but has appointed a representative under Article 27 of the GDPR, the supervisory authority of the Member State in which that representative is established; in the absence of either, the Irish Data Protection Commission.
- Annex II (Technical and Organisational Measures): as set out in Annex 1 of this DPA.
- Annex III (List of Sub-Processors): as set out in Annex 2 of this DPA.
Acceptance and Counter-Signature
By subscribing to a HolyDocs Pro, Business, or Enterprise plan, the Customer accepts this DPA. The DPA enters into force on the effective date of the Agreement and terminates concurrently with it, except for those provisions that, by their nature, survive termination.
For a counter-signed PDF copy, please email dpa@holydocs.com with your legal entity name, the email address associated with the account, and the name and title of the signatory. We will return a counter-signed copy within 10 business days.
This document was last updated on 2026-05-17. For prior versions, contact legal@holydocs.com.