Data Processing Addendum

Introduction

This Data Processing Addendum ("DPA") forms part of the AccordFlow Terms of Service and governs the processing of personal data by AccordFlow, Inc. ("AccordFlow," "we," "us," or "our") on behalf of our customers ("Customer," "you," or "your").

This DPA applies when AccordFlow processes personal data on behalf of Customer in connection with our contract management services and Customer is subject to data protection laws including the EU General Data Protection Regulation (GDPR) and the California Consumer Privacy Act (CCPA).

Definitions

Roles and Responsibilities

Customer as Data Controller

Customer acts as the Data Controller for any personal data provided to AccordFlow. Customer is responsible for:

• Ensuring lawful basis for processing personal data
• Providing necessary notices to data subjects
• Obtaining required consents from data subjects
• Responding to data subject rights requests
• Ensuring accuracy of personal data provided to AccordFlow

AccordFlow as Data Processor

AccordFlow acts as a Data Processor and will:

• Process personal data only on documented instructions from Customer
• Implement appropriate technical and organizational security measures
• Assist Customer in responding to data subject rights requests
• Notify Customer of any personal data breaches
• Delete or return personal data upon termination of services

Processing Details

Subject Matter and Purpose

AccordFlow processes personal data for the purpose of providing contract management services, including document creation, collaboration, negotiation, and execution.

Categories of Data Subjects

• Customer's employees and contractors
• Customer's business contacts and counterparties
• Individuals mentioned in contracts and related documents

Categories of Personal Data

• Contact information (names, email addresses, phone numbers)
• Professional information (job titles, company affiliations)
• Contract-related information
• User account and authentication data
• Usage and analytics data

Security Measures

AccordFlow implements appropriate technical and organizational measures to ensure the security of personal data, including:

• Encryption of data in transit and at rest using industry-standard algorithms
• Access controls and authentication mechanisms
• Regular security assessments and penetration testing
• Employee training on data protection and security
• Incident response and breach notification procedures
• Regular backup and disaster recovery testing

For detailed information about our security practices, please see our Security page.

Subprocessors

AccordFlow may engage third-party subprocessors to assist in providing our services. We maintain a list of all subprocessors and will:

• Ensure all subprocessors are bound by data protection obligations equivalent to this DPA
• Remain fully liable for any subprocessor's compliance with data protection obligations
• Provide 30 days' notice of any new subprocessors
• Allow Customer to object to new subprocessors on reasonable grounds

Current Subprocessors

Data Subject Rights

AccordFlow will assist Customer in fulfilling data subject rights requests, including:

• Right of access to personal data
• Right to rectification of inaccurate data
• Right to erasure ("right to be forgotten")
• Right to restriction of processing
• Right to data portability
• Right to object to processing

Customer is responsible for responding to data subject requests. AccordFlow will provide reasonable assistance within 30 days of receiving a request from Customer.

International Data Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). For such transfers, AccordFlow ensures appropriate safeguards are in place:

• Standard Contractual Clauses approved by the European Commission
• Adequacy decisions by the European Commission
• Other appropriate safeguards as required by applicable law

Data Breach Notification

AccordFlow will notify Customer without undue delay upon becoming aware of a personal data breach affecting Customer's data. The notification will include:

• Description of the nature of the breach
• Categories and approximate number of data subjects affected
• Likely consequences of the breach
• Measures taken or proposed to address the breach
• Contact point for more information

Data Retention and Deletion

AccordFlow will retain personal data only for as long as necessary to provide the services or as instructed by Customer. Upon termination of the agreement or upon Customer's request, AccordFlow will:

• Delete all personal data within 30 days
• Provide confirmation of deletion upon request
• Return personal data to Customer if requested prior to deletion
• Ensure all subprocessors also delete the personal data

Audits and Compliance

AccordFlow will make available to Customer information necessary to demonstrate compliance with this DPA and allow for audits. AccordFlow will:

• Provide security certifications and audit reports (SOC 2, ISO 27001)
• Allow Customer to conduct audits upon reasonable notice
• Cooperate with regulatory investigations
• Maintain records of processing activities

Liability

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. AccordFlow's total liability for all claims arising under this DPA shall not exceed the limitation set forth in the Terms of Service.

Contact Information

For questions about this DPA or data protection matters, please contact: