Data Processing Agreement
Last updated: 18 April 2026.
This Data Processing Agreement (the "DPA") forms part of the Terms of Service between ClientDone LLC, a Wyoming limited liability company ("Processor", "we", "us"), and the Customer ("Controller", "you") who uses the Service. It governs our processing of personal data on your behalf when you use the Service to collect, store, or transmit information about your own clients or contacts.
This DPA incorporates, where applicable, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) and the UK International Data Transfer Addendum. It is written to satisfy Article 28 of the GDPR, the equivalent provisions of the UK GDPR, Canada's PIPEDA, US state privacy laws such as the CCPA/CPRA, and comparable obligations in other jurisdictions.
By creating an account and agreeing to our Terms of Service, you agree to this DPA. No separate signature is required. If your organization requires a counter-signed version, email privacy@clientdone.com.
1. Definitions
- Controller means you, the Customer, who determines the purposes and means of processing of Client Data.
- Processor means ClientDone, which processes Client Data on the Controller's behalf.
- Client Data means personal data relating to your Clients (or other individuals whose data you process through the Service) that we process on your behalf.
- Data Protection Law means all privacy and data protection laws that apply to the processing, including the EU GDPR, UK GDPR, Canada's PIPEDA, CCPA/CPRA and other US state privacy laws, and their equivalents elsewhere.
- Personal Data Breach has the meaning given in Article 4(12) of the GDPR.
- Sub-processor means a third party engaged by ClientDone to process Client Data.
- Other capitalized terms have the meaning given in the Terms of Service or in the GDPR.
2. Subject matter, duration, nature, and purpose of processing
- Subject matter. Providing the Service to the Controller.
- Duration. For the term of the Terms of Service plus the retention periods set out in our Privacy Policy.
- Nature and purpose. Hosting, storage, transmission, display, backup, signature capture, email delivery, invoicing, payment collection (via the payment processor), analytics for the Controller's own use, security, and customer support.
- Types of personal data. Name, email address, phone number, postal address, company name, transaction amounts, signature images, uploaded photos and videos, document text, IP address, user-agent, read-time and scroll-depth telemetry, reactions or selections on deliverables, comments, and other data the Controller chooses to collect.
- Categories of data subjects. The Controller's own clients, leads, team members, collaborators, and other individuals whose data the Controller processes through the Service.
3. Obligations of the Processor
ClientDone will:
- Process Client Data only on the Controller's documented instructions, including on transfers to a third country, unless required otherwise by Data Protection Law. The Terms of Service, this DPA, and the normal operation of the Service are the Controller's standing documented instructions.
- Ensure persons authorized to process Client Data are bound by confidentiality.
- Implement the technical and organizational security measures described in Schedule A.
- Help the Controller respond to data subject requests, including access, rectification, erasure, restriction, objection, portability, and withdrawal of consent.
- Help the Controller comply with obligations to handle Personal Data Breaches, carry out data protection impact assessments, and consult with supervisory authorities.
- On termination of the Service, delete or return Client Data in line with the Controller's choice and our Privacy Policy.
- Make available to the Controller information reasonably necessary to demonstrate compliance with this DPA.
4. Obligations of the Controller
You (the Controller) will:
- Provide each instruction on a lawful basis.
- Give data subjects (your Clients) any notices and obtain any consents required by Data Protection Law for the processing described in this DPA.
- Maintain an up-to-date privacy notice to data subjects that describes the processing.
- Comply with your own obligations as Controller, including security, retention, and data subject rights handling.
- Respond to data subject requests promptly, using ClientDone's features to assist where possible.
5. Sub-processors
The Controller generally authorizes ClientDone to engage the Sub-processors listed in Schedule B. We may add, replace, or remove Sub-processors. We will post an updated list in this DPA and, where practical, notify Customers of material changes at least fourteen (14) days before the change takes effect, by email or in-app notice. If you reasonably object to a new Sub-processor for data protection reasons, tell us within those fourteen days. We will try to address your concern, and if we cannot, you may terminate the Service on written notice and receive a pro-rated refund of any pre-paid fees for the unused period.
Each Sub-processor is bound by written terms imposing data protection obligations substantially the same as those in this DPA.
6. International transfers
The Controller agrees that ClientDone and its Sub-processors may transfer Client Data outside the country of origin as needed to provide the Service. Where a transfer is made from the EU, UK, or Switzerland to a country that has not been declared adequate:
- The EU Standard Contractual Clauses (Module Two, Controller to Processor) are incorporated by reference. The Controller is the data exporter, ClientDone is the data importer. The law of Ireland applies to the SCCs. Supervisory authority: the Data Protection Commission of Ireland. Appendix information is filled from this DPA.
- The UK International Data Transfer Addendum is incorporated by reference where UK personal data is transferred.
- The Swiss FADP addendum is incorporated by reference where Swiss personal data is transferred.
7. Personal Data Breaches
We will notify the Controller without undue delay, and in any case within seventy-two (72) hours of becoming aware, of any Personal Data Breach affecting Client Data. Our notice will describe the nature of the breach, including (where possible) the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. Where full details are not available at the time of the first notice, we will provide them in phases as they become known. We will provide reasonable cooperation as the Controller investigates, notifies authorities and affected individuals, and mitigates the breach.
8. Data subject requests
If a data subject sends a request directly to us, we will promptly forward it to the Controller without responding to its substance, unless the Controller instructs otherwise or Data Protection Law requires otherwise. On the Controller's request we will provide reasonable assistance, through the Service's standard features, to help the Controller respond within the time limits set by Data Protection Law.
9. Audits
On reasonable notice and no more than once every twelve (12) months (and additionally following a Personal Data Breach), the Controller may request information reasonably necessary to demonstrate our compliance with this DPA. We will respond by providing relevant documentation, third-party audit reports, and security attestations. On-site audits are generally not required. If an on-site audit is legally required or mutually agreed, it will be conducted at the Controller's expense, during normal business hours, with reasonable notice, by an independent auditor agreed to in writing, under a non-disclosure agreement.
10. Deletion or return of Client Data
On termination of the Service, the Controller may export Client Data for up to thirty (30) days. After that, we will delete Client Data from the Service, subject to retention periods required by law (for example, seven years for tax records). Backups containing deleted data are overwritten within 35 days of deletion, unless a legal hold applies.
11. Liability and precedence
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. In case of conflict, this DPA controls over the Terms of Service with respect to data protection obligations that Data Protection Law requires to be in a DPA.
12. Changes
We may update this DPA to reflect new legal requirements, new Sub-processors, or changes to our security measures. Material changes follow the notice procedure in section 5 and in the Terms of Service.
Schedule A: Technical and organizational security measures
ClientDone maintains the following measures, which may be updated from time to time to keep pace with evolving threats and standards. Updates will be no less protective than the measures described here.
- Encryption in transit. All Service traffic uses TLS 1.2 or higher.
- Encryption at rest. Databases and object storage use encryption at rest provided by the relevant Sub-processor.
- Access controls. Role-based access within the Service. Administrative access is limited to a small number of authorized individuals, requires multi-factor authentication, and is logged.
- Authentication. Passwords are stored as one-way hashes. Session tokens are issued in HttpOnly, SameSite-Lax, signed cookies.
- Signed URLs. Private files are served via time-limited signed URLs where applicable.
- Rate limiting. Abusable endpoints are rate-limited by IP, user, and token.
- Audit logging. Consequential actions on contracts (view, sign, countersign, edit, send, decline, expire, cancel) are recorded with actor, IP, and timestamp.
- Backups. Regular automated backups, retained for up to 35 days.
- Incident response. Documented procedure, including breach detection, containment, notification, and post-incident review.
- Vendor management. Sub-processors are selected and monitored against baseline security and data protection criteria.
- Personnel. All individuals with access to Client Data are bound by confidentiality and receive training on security and data protection.
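The "Signed URLs" measure above is the one item in Schedule A that is a concrete mechanism rather than a policy, so a short illustration of what a time-limited signed URL checks is added here. This is example code written for this page; it is not ClientDone's implementation, and the signing key, file path, and clock values are constructed for the example. It shows the two properties such a link must have: the signature is bound to both the file path and the expiry (so neither can be altered), and verification uses a constant-time comparison before it checks the expiry.

```python
"""Time-limited signed URL: added illustration of the "Signed URLs" measure.
Example code only, not ClientDone's implementation. The key, path and clock
values are constructed for the example."""
import base64
import hashlib
import hmac
import time
from typing import Optional, Tuple
from urllib.parse import parse_qs, urlencode, urlsplit

# Constructed demo key; a real deployment loads this from a secret store.
DEMO_KEY = b"example-only-signing-key-do-not-use"


def _mac(key: bytes, path: str, expires: int) -> str:
    # Bind the MAC to both the object path and the expiry timestamp, so
    # changing either invalidates the link. The length prefix keeps the
    # encoding unambiguous (e.g. "/a/b" + 1 vs "/a" + "b1").
    msg = f"{len(path)}:{path}:{expires}".encode()
    digest = hmac.new(key, msg, hashlib.sha256).digest()
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def sign_url(key: bytes, path: str, ttl_seconds: int, now: Optional[int] = None) -> str:
    """Return '<path>?expires=<unix>&sig=<mac>' valid for ttl_seconds from now."""
    now = int(time.time()) if now is None else now
    expires = now + ttl_seconds
    query = urlencode({"expires": expires, "sig": _mac(key, path, expires)})
    return f"{path}?{query}"


def verify_url(key: bytes, url: str, now: Optional[int] = None) -> Tuple[bool, str]:
    """Return (ok, reason). Signature is checked before expiry, and with a
    constant-time comparison, so a forged link learns nothing from timing."""
    now = int(time.time()) if now is None else now
    parts = urlsplit(url)
    query = parse_qs(parts.query)
    try:
        expires = int(query["expires"][0])
        sig = query["sig"][0]
    except (KeyError, ValueError, IndexError):
        return False, "missing or malformed parameters"
    expected = _mac(key, parts.path, expires)
    if not hmac.compare_digest(sig, expected):
        return False, "bad signature"
    if now >= expires:
        return False, "expired"
    return True, "ok"


if __name__ == "__main__":
    # Constructed walkthrough: issue a 10-minute link and check it under
    # several conditions a server would meet.
    issued_at = 1_700_000_000
    link = sign_url(DEMO_KEY, "/files/contract-42.pdf", 600, now=issued_at)
    print(link)
    print(verify_url(DEMO_KEY, link, now=issued_at + 100))                 # valid
    print(verify_url(DEMO_KEY, link, now=issued_at + 600))                 # expired
    print(verify_url(DEMO_KEY, link.replace("contract-42", "contract-43"),
                     now=issued_at + 100))                                 # path tampered
```

Note that the link stays valid for its full lifetime even if the underlying permission is revoked; that is why short TTLs matter, and why revoking access to a file in the Service should also invalidate outstanding links (for example by including a per-file version or key identifier in the signed message) if that is the intended behaviour.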
Schedule B: Sub-processors
The following Sub-processors are currently engaged. Additional optional integrations used by individual Customers (for example Google Calendar) are not general Sub-processors and are activated only by the Customer.
| Sub-processor | Purpose | Location of processing |
|---|---|---|
| Supabase Inc. | Managed Postgres database, authentication | United States / European Union |
| Cloudflare, Inc. | R2 object storage for files and images | Global edge locations |
| Resend, Inc. | Transactional email delivery | United States |
| Stripe, Inc. | Payment processing (when enabled by the Customer) | United States / European Union |
| Vercel Inc. | Application hosting, edge execution | Global edge locations |
| Upstash, Inc. | Rate-limit and cache store (when enabled) | Global |
Contact
For any DPA-related question, email privacy@clientdone.com. For urgent security incidents, email security@clientdone.com.