Data Processing Agreement

Last updated: June 12, 2026

This Data Processing Agreement (“DPA”) forms part of the DocChase Terms of Service between Delirium Development SRL, a company registered in Romania (CIF: RO40159995, Reg. com.: J08/2695/2018, Str. Ioan Popasu 48, Brașov, Romania) (“DocChase,” “we,” “us”) and the customer agreeing to those terms (“Customer”). It applies whenever DocChase processes personal data on behalf of the Customer in connection with the DocChase service (the “Service”) and the Customer is subject to Regulation (EU) 2016/679 (“GDPR”) or equivalent data protection laws. By using the Service, the Customer accepts this DPA. This DPA is published in English; the English version controls.

1. Definitions

“Personal data,” “processing,” “controller,” “processor,” “data subject,” and “personal data breach” have the meanings given in the GDPR. “Customer Data” means personal data that DocChase processes on behalf of the Customer, as described in Section 3. “Sub-processor” means a third party engaged by DocChase to process Customer Data.


2. Roles and Scope

For Customer Data, the Customer is the controller and DocChase is the processor. The Customer is responsible for having a lawful basis for the processing it instructs (for example, its engagement agreement with its clients), for the accuracy of the data it provides, and for providing any notices to its clients required under Articles 13 and 14 GDPR.

This DPA does not apply to personal data for which DocChase is itself the controller: the Customer’s own account, billing, and product analytics data. That processing, including billing data processed by Stripe, is described in our Privacy Policy.


3. Details of Processing

Subject matter and duration

Provision of the Service: collecting documents from the Customer’s clients via upload portals, sending document requests and reminders, and tracking submission status. Processing lasts for the term of the Customer’s use of the Service, plus the deletion period in Section 9.

Nature and purpose

Storage, transmission, organization, and display of Customer Data solely to deliver the Service to the Customer. DocChase does not use Customer Data for advertising, profiling, model training, or any purpose of its own.

Categories of data subjects

The Customer’s clients and their representatives (the persons the Customer requests documents from), and the Customer’s team members.

Categories of personal data

Client names and email addresses; documents uploaded through the portal (receipts, bank statements, invoices, and similar financial records), which may contain any personal data the uploader includes; portal activity metadata (upload timestamps, verification events). The Service is not intended for special categories of data under Article 9 GDPR, and the Customer agrees not to instruct such processing except as may incidentally appear in financial documents.


4. Instructions

DocChase processes Customer Data only on the Customer’s documented instructions, including with regard to international transfers, unless required to do otherwise by EU or member state law (in which case DocChase will inform the Customer of that legal requirement before processing, unless the law prohibits this). The Terms of Service, this DPA, and the Customer’s use of the Service’s features constitute the Customer’s complete documented instructions. DocChase will inform the Customer if, in its opinion, an instruction infringes the GDPR.


5. Confidentiality

DocChase ensures that all persons authorized to process Customer Data are bound by contractual or statutory obligations of confidentiality and process Customer Data only as needed to provide the Service.


6. Security

Taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, DocChase implements appropriate technical and organizational measures under Article 32 GDPR, including:

  • Encryption of Customer Data in transit (TLS 1.2+) and at rest (AES-256)
  • Upload portal access via unique, time-limited links with email verification codes
  • Row-level security and role-based access controls restricting each firm’s data to its authorized users
  • Least-privilege access to production systems, limited to personnel who need it to operate the Service
  • Logical separation of each customer’s data; segregated storage paths per firm
  • Infrastructure provided by vendors holding recognized certifications (SOC 2 / ISO 27001)
  • Monitoring, logging, and regular review of the Service’s security posture

DocChase may update these measures from time to time, provided the updates do not materially reduce the overall level of protection.


7. Sub-processors

The Customer grants DocChase general authorization to engage the sub-processors listed below. DocChase imposes data protection obligations on each sub-processor by written contract that are no less protective than those in this DPA, and remains liable to the Customer for their performance.

| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase, Inc. | Database, file storage, authentication | EU / United States |
| Vercel Inc. | Application hosting and delivery | EU / United States |
| Sendinblue SAS (Brevo) | Sending document requests, reminders, and transactional email | European Union (France) |
| PostHog, Inc. | Product analytics (EU data residency) | European Union |

DocChase will give the Customer at least 30 days’ notice of any intended addition or replacement of a sub-processor (by email or notice in the Service). The Customer may object on reasonable data protection grounds within that period; if the parties cannot resolve the objection, the Customer may terminate the affected services and receive a pro-rata refund of prepaid fees.


8. International Transfers

Customer Data is processed primarily within the European Union. Where a sub-processor processes Customer Data outside the EEA, the transfer is protected by an adequacy decision of the European Commission (including the EU-US Data Privacy Framework, where the sub-processor is certified) or by the European Commission’s Standard Contractual Clauses incorporated into DocChase’s agreement with that sub-processor, together with supplementary measures where required.


9. Deletion and Return

The Customer can delete individual files, clients, and requests at any time through the Service, and can delete its entire account (including all Customer Data) from account settings. Uploaded documents can be downloaded by the Customer at any time during the term. Upon termination or account deletion, DocChase deletes all Customer Data within 90 days, unless EU or member state law requires longer retention. Residual copies in encrypted backups are deleted in the ordinary course of backup rotation.


10. Assistance

  • Taking into account the nature of the processing, DocChase assists the Customer with appropriate technical and organizational measures in fulfilling requests from data subjects under Chapter III GDPR (access, rectification, erasure, restriction, portability, objection). Where a data subject contacts DocChase directly about Customer Data, DocChase will refer the request to the Customer without undue delay.
  • DocChase assists the Customer in ensuring compliance with Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to DocChase.

11. Personal Data Breach

DocChase notifies the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Data. The notification includes, to the extent known: the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects. DocChase documents breaches and cooperates with the Customer’s reasonable requests for further information.


12. Audits

DocChase makes available to the Customer the information necessary to demonstrate compliance with Article 28 GDPR, including responses to reasonable written security questionnaires (no more than once per 12 months) and summaries of relevant third-party certifications held by its infrastructure providers. Where this information is insufficient and an audit is required by data protection law or a supervisory authority, the Customer may conduct an audit through an independent, qualified auditor bound by confidentiality, on at least 30 days’ written notice, during business hours, no more than once per 12 months, without access to other customers’ data, and at the Customer’s expense.


13. Liability, Term, and Precedence

  • Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service, except where data protection law does not permit such limitation.
  • This DPA takes effect when the Customer first uses the Service and remains in force as long as DocChase processes Customer Data.
  • If this DPA conflicts with the Terms of Service, this DPA prevails with respect to the processing of Customer Data. This DPA is governed by the same law and jurisdiction as the Terms of Service.

14. Contact

Questions about this DPA, requests for a countersigned copy, and sub-processor objections can be sent to:

Delirium Development SRL

CIF: RO40159995 · Reg. com.: J08/2695/2018 · Str. Ioan Popasu 48, Brașov, Romania

support@docchase.app