Data Processing Addendum (UK GDPR)

Last updated: 6 September 2025

This DPA forms part of the Docoply Customer Terms and applies when Docoply processes Personal Data on your behalf.

1) Parties & scope

This Data Processing Addendum (“DPA”) forms part of the agreement between the Customer and EDUCATIONAL WHITEBOARDS LIMITED (trading as “Docoply”), company number 14554635, registered office: Educational Whiteboards Limited, 124 City Road, London, England, EC1V 2NX (“Docoply”). It applies to the extent Docoply processes Personal Data on behalf of the Customer under the Agreement.

2) Definitions

Capitalised terms not defined here have the meanings in the Agreement. “UK GDPR” means the UK GDPR as incorporated by the Data Protection Act 2018. “Personal Data”, “Processing”, “Controller”, “Processor” and “Personal Data Breach” have the meanings given in UK GDPR.

3) Roles of the parties

Customer is the Controller (or a Processor acting on behalf of a Controller) of Personal Data submitted to the Services. Docoply is the Processor (or Sub-processor where Customer is itself a Processor) and will process Personal Data only on documented instructions from Customer, as set out in this DPA and the Agreement.

4) Processing instructions & details

Docoply will process Personal Data only:

  • to provide, maintain and secure the Services;
  • to prevent or address service, support and security issues;
  • to comply with law; and
  • as otherwise documented by Customer (including via in-product settings and this DPA).

The subject matter, duration, nature and purpose, types of Personal Data and Data Subjects are set out in Annex I.

5) Customer obligations

  • Ensure a lawful basis and all necessary notices/permissions to submit Personal Data to the Services.
  • Not submit special-category data unless strictly necessary and lawful.
  • Provide documented instructions; configure the Services appropriately.
  • Where Customer is a Processor, warrant authorisation by the relevant Controller to appoint Docoply as Sub-processor.

6) Docoply (Processor) obligations

  • Process Personal Data only on documented instructions and ensure persons authorised to process it are bound by confidentiality.
  • Implement and maintain appropriate technical and organisational measures (Annex II).
  • Assist Customer, insofar as possible, with Data Subject rights requests and security obligations (Articles 32–36 UK GDPR).
  • Notify Customer without undue delay of a Personal Data Breach (Section 11).
  • Maintain records of processing activities as required by law.
  • No training on your data: Docoply will not use Customer Personal Data to train foundation models unrelated to providing the Services.

7) Security

Docoply maintains security measures appropriate to the risk, including those described in Annex II. Customer is responsible for securing its own systems, endpoints, and access (e.g., strong credentials, MFA where available).

8) Sub-processors

  • Customer authorises Docoply to engage Sub-processors to support the Services. Current Sub-processors are listed at /legal/sub-processors.
  • Docoply will impose data-protection terms on Sub-processors no less protective than this DPA and remains responsible for their performance.
  • Docoply will provide reasonable advance notice (typically 30 days) of additions/replacements via that page and/or in-product/email notice. Customer may object on reasonable, data-protection grounds; if unresolved, Customer may terminate the affected Services per the Agreement.

9) International transfers

Where Docoply or its Sub-processors transfer Personal Data outside the UK/EEA, Docoply will ensure appropriate safeguards, including:

  • the EU Standard Contractual Clauses (Commission Decision 2021/914, Modules 2/3) as applicable; and
  • the UK Addendum to the EU SCCs or the UK International Data Transfer Agreement (IDTA), as applicable,

together with supplementary measures where necessary. The parties agree that the SCCs/UK Addendum/IDTA (as completed by Docoply) are incorporated by reference into this DPA to the extent required.

10) Data subject requests

Taking into account the nature of the Processing, Docoply will assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer’s obligation to respond to Data Subject requests. Docoply will promptly notify Customer of requests it receives directly and will not respond except on Customer’s documented instructions or where required by law.

11) Personal Data Breach

Docoply will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data and will provide information available to it to assist Customer in meeting any breach-notification obligations. Docoply will take reasonable steps to mitigate the effects and prevent recurrence.

12) Audits & information

  • Upon request, Docoply will make available information necessary to demonstrate compliance with this DPA.
  • Customer may conduct an audit once in any 12-month period, on 30 days’ prior written notice, during normal business hours, and in a manner that minimises disruption and protects confidentiality and security. Where available, Docoply may satisfy audit requests by providing recent independent assessments, security reports, or responses to reasonable questionnaires under NDA.

13) Records & DPIA assistance

Docoply will maintain records of processing and provide reasonable assistance to Customer with data-protection impact assessments and consultations with supervisory authorities, taking into account the nature of Processing and the information available to Docoply.

14) Return & deletion

Upon termination/expiry of the Services or on Customer’s written request, Docoply will delete or return Customer Personal Data and delete existing copies within a reasonable period, subject to legal retention requirements.

  • Ephemeral uploads: Source uploads are retained only for short-term processing and are deleted by default within 72 hours (unless Customer configures otherwise).
  • Generated reports: Persist per Customer configuration/retention policy in the workspace.
  • Backups and logs are cycled per our security/operations policy.

See the Privacy Policy for additional retention details.

15) Confidentiality

Docoply will ensure that persons authorised to process Personal Data are bound by confidentiality obligations and receive appropriate data-protection training.

16) Liability

Liability is governed by the Agreement. Nothing in this DPA limits either party’s liability where such limitation is prohibited by law.

17) Term, termination & survival

This DPA applies for the duration of the Agreement and thereafter until Docoply deletes/returns Customer Personal Data as described above. Sections intended to survive (e.g., confidentiality, liability, audits to the extent necessary) will do so.

18) Precedence

In the event of conflict between this DPA and the Agreement, this DPA controls with respect to Processing of Personal Data. In the event of conflict between this DPA and the SCCs/UK Addendum/IDTA (where applicable), those transfer instruments control.

19) Governing law & jurisdiction

This DPA is governed by the laws of England and Wales, and the parties submit to the exclusive jurisdiction of its courts, without prejudice to rights under applicable SCCs/UK Addendum/IDTA.

Annex I — Details of Processing

Subject matter: Processing of contracts and related documents uploaded by Customer to generate risk reports and analysis.
Duration: For the term of the Agreement and until deletion/return per Section 14.
Nature & purpose: Hosting, parsing, analysis (including AI/ML inference), rendering results, support, security, and service improvement (without using Customer Personal Data for unrelated model training).
Categories of Data Subjects: Customer’s staff and contractors; counterparties named in contracts; signatories; other individuals identified in documents.
Types of Personal Data: Names, business contact details, job titles, signatures, identifiers contained in contracts; technical metadata (timestamps, IDs). Special-category data is not intended but may be incidentally present; Customer controls whether such data is uploaded.
Processing locations: UK/EU by default where feasible; may involve transfers to third countries per Section 9 with appropriate safeguards.

Annex II — Technical & Organisational Measures

  • Governance & access: Role-based access control; least privilege; MFA for staff; background checks where lawful; confidentiality agreements.
  • Encryption: TLS 1.2+ in transit; encryption at rest where supported; key management via cloud KMS.
  • Segregation & minimisation: Logical separation of customer data; ephemeral processing for uploads; data minimised to what is necessary.
  • Logging & monitoring: Security and audit logging for privileged actions; anomaly detection; rate limiting and WAF/CDN protections where applicable.
  • Secure development: Version control, peer review, dependency scanning, vulnerability management; change management procedures.
  • Resilience & backups: Automated backups with limited retention; tested restores; high-availability cloud infrastructure.
  • Incident response: Documented plan (triage, containment, eradication, recovery, post-incident review); customer notification without undue delay.
  • Vendor management: Due diligence and contractual safeguards for Sub-processors; ongoing review; transfer impact assessments where relevant.
  • Employee training: Security and privacy training at onboarding and periodically.
  • Testing: Periodic vulnerability assessments and remediation; penetration-testing summaries available under NDA.

Annex III — Authorised Sub-processors

Current Sub-processors are listed at /legal/sub-processors. This Annex III incorporates that list by reference, as updated from time to time per Section 8.

Signatures

Customer (Controller)

Legal entity: _______________________________

Address: ____________________________________

Name: _______________________________________

Title: ________________________________________

Date: ________________________________________

Signature: _________________________________

Processor — Docoply

EDUCATIONAL WHITEBOARDS LIMITED (trading as “Docoply”)

Company No.: 14554635

Registered office: Educational Whiteboards Limited, 124 City Road, London, England, EC1V 2NX

Name: _______________________________

Title: ________________________________

Date: ________________________________

Signature: ___________________________

You may execute this DPA electronically. By using the Services where Docoply processes Personal Data as Processor, you agree to this DPA.