Docusift
Sign inStart free

Data Processing Addendum

Last updated: 2026-06-10

Draft — pending legal review.This page captures Docusift’s current intent. The final binding language will be posted after counsel review. Email hello@docusift.co for the interim signed version of this document.

Purpose

This Data Processing Addendum ("DPA") forms part of the Docusift Terms of Service between Ekarche Private Limited ("Docusift") and the Customer. It governs the processing of Personal Data by Docusift on behalf of the Customer where the General Data Protection Regulation ("GDPR"), the UK GDPR, or substantially equivalent privacy law applies.

Roles

The Customer is the Controller of Customer Personal Data. Docusift processes Customer Personal Data only as a Processor on the Customer’s documented instructions, namely: (a) to provide the Docusift service as described at our Security page, and (b) to fulfil applicable legal obligations.

Subprocessors

Docusift uses the subprocessors listed on the Subprocessors page. We will notify Customers of changes at least 30 days in advance via email to the billing contact and the subprocessor mailing list.

International transfers

Cross-border transfers from the EEA / UK to outside-adequacy jurisdictions rely on the European Commission Standard Contractual Clauses (Module 2 — Controller to Processor) and the UK International Data Transfer Addendum, as updated from time to time.

Security

Docusift applies the technical and organisational measures set out at Security: encryption at rest (AES-256), encryption in transit (TLS 1.3), workspace isolation, audit logging on every mutation, and quarterly access reviews.

Sub-processor disclosures and audit rights

On request, Docusift will make available a SOC 2 Type II report (when in scope) or equivalent assurance summary, subject to a confidentiality agreement. On-site audits are available to Business and Enterprise plan customers under 30-day written notice, at the Customer’s cost.

Data subject rights

Docusift will assist the Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection) within 30 days. Requests may be raised via the in-app Settings → Data & Privacy panel or by email to hello@docusift.co.

Breach notification

Docusift will notify the Customer of a confirmed Personal Data Breach affecting the Customer’s data without undue delay and within 72 hours of becoming aware.

Termination & deletion

On termination, Customer Personal Data will be deleted within 30 days from production systems and within a further 90 days from encrypted backups, except where retention is required by law.

Click-to-accept

Sign in to your Docusift workspace and accept this version of the DPA directly from this page. Your acceptance is recorded against your user account.

Signing (counter-signed PDF)

For a counter-signed PDF of this DPA, email hello@docusift.co with your legal-entity name and billing contact.