Data Processing Agreement (DPA)
Last Updated: March 3, 2026
GDPR Compliant • EU-based • Encrypted
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Terms of Service between you ("Customer", "Data Controller") and Max Digital Solutions AB (org. nr 5593221046), operating as ChatDocs ("Processor", "we", "us").
This DPA applies when Customer uses ChatDocs to process personal data and governs our data processing activities under the General Data Protection Regulation (GDPR).
2. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person that is contained in documents uploaded to ChatDocs, in the questions and answers exchanged with the service, or in messages sent through the WhatsApp channel
- Processing: Any operation performed on personal data, including storage, analysis, and retrieval
- Data Controller: The entity that determines the purposes and means of processing personal data (you, the Customer)
- Data Processor: The entity that processes personal data on behalf of the Data Controller (ChatDocs)
- Sub-processor: Any third party engaged by ChatDocs to process personal data
- Data Subject: The individual whose personal data is being processed
3. Scope and Roles
3.1 Controller-Processor Relationship
Where Customer uploads documents containing personal data to ChatDocs, Customer acts as the Data Controller and ChatDocs acts as the Data Processor.
3.2 Customer Responsibilities as Controller
Customer warrants that they:
- Have a lawful basis for processing personal data under GDPR Article 6
- Have obtained necessary consents from data subjects
- Have informed data subjects about the processing, including use of sub-processors
- Comply with all applicable data protection laws
- Only upload personal data that is necessary and proportionate
3.3 ChatDocs Responsibilities as Processor
ChatDocs will:
- Process personal data only on documented instructions from Customer (via the ChatDocs interface and API)
- Store and manage question/answer history for service provision and analytics
- Implement appropriate technical and organizational security measures
- Ensure that persons authorized to process personal data have committed themselves to confidentiality
- Assist Customer in responding to data subject requests
- Assist Customer with data protection impact assessments when required
- Delete or return personal data upon request or contract termination
- Make available information necessary to demonstrate compliance
3.4 Data Minimization
Customer is responsible for ensuring that uploaded documents contain only personal data that is necessary for their intended use. ChatDocs recommends:
- Redacting unnecessary personal data before upload
- Using pseudonymization where appropriate
- Regularly reviewing and deleting obsolete documents
4. Nature and Purpose of Processing
4.1 Subject Matter
Processing of personal data contained in documents uploaded by Customer for AI-powered analysis and question answering.
4.2 Duration
Processing continues for as long as documents remain in Customer's account, or until Customer deletes them.
Trial Mode: Documents uploaded during trial mode are automatically deleted after 14 days of inactivity.
4.3 Purpose
- Document storage and indexing
- Natural language processing and analysis
- Question answering via AI models
- Search and retrieval of information
- WhatsApp message delivery and processing via third-party messaging infrastructure
4.4 Types of Personal Data
Depends entirely on what Customer uploads. May include:
- Names, contact information, identification numbers
- Employment information, financial data
- Health data, biometric data (if uploaded by Customer)
- Any other personal data contained in Customer's documents
- Phone numbers and WhatsApp identifiers (for WhatsApp channel users)
- Message content and messaging metadata (timestamps, delivery status)
4.5 Categories of Data Subjects
Depends on Customer's use case. May include:
- Employees, customers, suppliers
- Patients, students, applicants
- Any individuals mentioned in uploaded documents
4.6 Question and Conversation History
ChatDocs stores questions asked by Customer's users and the corresponding AI-generated answers for:
- Service provision (conversation continuity)
- Usage analytics and billing
- Service improvement
- Customer support
This data includes:
- Question text, answer text, timestamps
- Conversation metadata (tokens used, sources referenced)
- User attribution (which admin user asked which question)
Retention: Stored for the duration of Customer's account or until deleted by Customer.
5. Security Measures
ChatDocs implements the following technical and organizational measures:
5.1 Technical Measures
- Encryption: TLS 1.2+ in transit, AES-256 at rest
- Access Control: Authentication via Auth0, session management
- Infrastructure: AWS Frankfurt (eu-central-1) with security best practices
- Monitoring: Error tracking and logging via Sentry
- Isolation: Customer data is logically separated by customer ID
5.2 Organizational Measures
- Confidentiality commitments from personnel
- Access limited to authorized personnel only
- Regular security updates and patches
- Incident response procedures
6. Sub-processors
6.1 Authorized Sub-processors
Customer authorizes ChatDocs to engage the following sub-processors:
| Sub-processor | Service | Location | Safeguards |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, storage, database, message queuing | EU (Frankfurt, eu-central-1) | GDPR-compliant DPA, EU Data Processing Addendum |
| Azure OpenAI (Microsoft) | AI/ML models for question answering and embeddings | EU (Sweden Central) | Microsoft EU Data Boundary; Microsoft Products and Services DPA. No customer data leaves the EU. Azure OpenAI does not use customer data to train models. |
| Anthropic (via AWS Bedrock) | AI vision model for visual content analysis (diagrams, charts, scanned documents) | EU (Frankfurt, eu-central-1) | Processed via AWS Bedrock within EU. AWS Bedrock does not use customer data to train models. Covered by AWS DPA. |
| Cohere (via AWS Bedrock) | AI reranking model for search result relevance ranking | EU (Frankfurt, eu-central-1) | Processed via AWS Bedrock within EU. AWS Bedrock does not use customer data to train models. Covered by AWS DPA. |
| Auth0 (Okta) | Authentication and user management | USA | Standard Contractual Clauses, DPA |
| Stripe | Payment processing | USA | Standard Contractual Clauses, PCI DSS certified |
| Sentry | Error monitoring | USA | Standard Contractual Clauses, DPA |
| 360dialog GmbH | WhatsApp Business API provider, message routing and delivery | EU (Germany) | GDPR-compliant DPA, EU-based processing |
| Meta Platforms (WhatsApp) | End-to-end WhatsApp message delivery infrastructure | USA / Global | EU-U.S. Data Privacy Framework, WhatsApp Business Terms of Service |
6.2 Changes to Sub-processors
ChatDocs will notify Customer of any intended changes to sub-processors via email at least 30 days in advance. Customer may object to new sub-processors by contacting us within 30 days of notification.
6.3 Sub-processor Obligations
ChatDocs ensures that sub-processors are bound by contractual obligations equivalent to those in this DPA, including appropriate security measures and GDPR compliance.
7. Data Subject Rights
7.1 Customer Responsibility
Customer is responsible for responding to data subject requests (access, rectification, erasure, restriction, portability, objection).
7.2 ChatDocs Assistance
ChatDocs will assist Customer by:
- Providing Customer with tools to access, export, and delete their data (including uploaded documents and question history)
- Responding to Customer requests for assistance within a reasonable timeframe (typically 7-14 business days)
- Implementing technical measures to facilitate data subject rights
8. Data Breach Notification
In the event of a personal data breach, ChatDocs will notify Customer without undue delay and no later than 72 hours after becoming aware of the breach.
The notification will include:
- Nature of the breach, including the categories and approximate number of data subjects and personal data records affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
- Contact point for further information
9. Data Deletion and Return
9.1 Upon Request
Customer may delete their documents at any time via the ChatDocs interface.
9.2 Upon Contract Termination
Upon termination of the agreement, ChatDocs will delete all personal data within 30 days unless legally required to retain it.
9.3 Deletion Timing and Backups
Upon request, personal data is immediately and permanently deleted from our application systems. AWS infrastructure-level backups may retain encrypted copies for up to 35 days for disaster recovery purposes, which are inaccessible to our application and automatically purged thereafter.
10. Compliance
ChatDocs will provide reasonable information about its data processing practices and security measures upon written request, subject to confidentiality obligations.
11. International Data Transfers
11.1 Primary Storage
Personal data is stored in AWS Frankfurt (eu-central-1) within the European Union. AI processing takes place in Azure OpenAI Sweden Central (EU) and AWS Bedrock Frankfurt (EU). No document or personal data is transferred outside the EU for AI processing.
11.2 Transfers to Third Countries
Some sub-processors (Auth0, Stripe, Sentry, Meta Platforms) may process data outside the EU/EEA. AI processing (Azure OpenAI, Anthropic via AWS Bedrock, Cohere via AWS Bedrock) takes place entirely within the EU. Transfers outside the EU are safeguarded by:
- Standard Contractual Clauses (SCCs): EU Commission's 2021 Standard Contractual Clauses for transfers to third countries
- Adequacy Decisions: For countries or frameworks covered by a European Commission adequacy decision (for example, the EU-U.S. Data Privacy Framework relied on for Meta Platforms)
- Additional Safeguards: Encryption, access controls, contractual commitments
12. Liability
Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service, including any aggregate liability caps.
ChatDocs' liability for GDPR fines is limited to the amount paid by Customer in the 12 months preceding the breach, and only to the extent caused solely by ChatDocs' willful breach of this DPA.
13. Term and Termination
This DPA takes effect when Customer first uploads documents containing personal data and continues until all personal data is deleted or returned.
This DPA will automatically terminate upon termination of the Terms of Service.
14. Governing Law
This DPA is governed by the laws of Sweden and interpreted in accordance with GDPR and other applicable EU data protection laws.
15. Contact for DPA Matters
For questions or requests related to this DPA, contact:
Max Digital Solutions AB
Email: privacy@chatdocs.eu
Organization Number: 5593221046
Sweden
16. Order of Precedence
In case of conflict between this DPA and the Terms of Service, this DPA takes precedence with respect to data protection matters.