1. Roles
The Customer is the Controller of personal data submitted to the Service. DocuMind AI acts as Processor and processes personal data only on the Customer's documented instructions, which are the Terms of Service, this DPA, and the Customer's configuration of the Service.
2. Subject matter and duration
- Subject matter: providing the DocuMind AI service.
- Duration: for as long as the Customer's account is active, plus the retention periods in section 7 of the Privacy Policy.
- Nature and purpose: hosting documents, generating embeddings, retrieving relevant chunks, generating AI answers, storing chats and leads.
3. Categories of data and data subjects
- Data subjects: Customer's end users, website visitors, and staff who interact with the Service.
- Categories: identifiers (name, email, company, phone if provided), message content, uploaded documents, IP-based rate-limit signals, technical metadata.
- Special categories: none required by the Service; the Customer is responsible for not uploading special-category data unless it has a lawful basis.
4. Processor obligations
- Process personal data only on documented instructions from the Controller.
- Ensure personnel with access are bound by confidentiality.
- Implement the technical and organisational measures described in our Security page.
- Assist the Controller in responding to data-subject requests where technically feasible.
- Notify the Controller without undue delay after becoming aware of a personal-data breach affecting Customer data.
- Delete or return Customer personal data at the end of the service, subject to the retention periods above and legal requirements.
5. Sub-processors
The Controller authorises the Processor to engage the sub-processors listed in the Privacy Policy (Lovable Cloud, Cloudflare, AI model providers accessed via the Lovable AI Gateway, Resend for transactional email including widget human-handoff alerts and early-access / contact form notifications, and VirusTotal for file-hash malware screening). The Processor will impose equivalent data-protection obligations on sub-processors and remains responsible for their performance. We will give at least 30 days' notice of any new sub-processor by email or in-app; the Controller may object on reasonable data-protection grounds.
6. International transfers
Where personal data is transferred from the EEA, UK, or Switzerland to a country without an adequacy decision, the parties rely on the European Commission's Standard Contractual Clauses (Module 2, Controller-to-Processor) and the UK IDTA / Addendum, incorporated by reference. Docking clause and governing-law selections default to Ireland for EU SCCs and England & Wales for the UK Addendum.
7. Security
The Processor maintains the technical and organisational measures described on the Security page, including encryption in transit, access controls, tenant isolation via row-level security, audit logging, and least-privilege secret management. Measures may evolve; the overall level of protection will not decrease.
8. Audits
On written request no more than once per year the Processor will provide reasonable information to demonstrate compliance with this DPA. Given the Processor's size, on-site audits are only performed where required by a supervisory authority and at the Controller's expense.
9. Liability
Liability under this DPA is subject to the limitations of liability in the Terms of Service, except where mandatory law provides otherwise.
10. Order of precedence
If there is a conflict between this DPA and the Terms of Service in relation to processing of personal data, this DPA prevails.
Contact
Data-protection contact: daniyal@agenticcore.tech.