This Data Processing Addendum ("DPA") forms part of the agreement between the customer ("Customer", "Controller") and Project Paced Ltd ("Doctagd", "Processor") governing the processing of personal data through the Doctagd service.
This DPA supplements the Terms of Service and applies where Doctagd processes personal data on behalf of the Customer under applicable data protection laws, including the UK GDPR and EU GDPR where applicable.
1. Parties
Processor
Project Paced Ltd,
International House,
64 Nile Street,
London,
N1 7SR,
United Kingdom
Controller
The customer entity using the Service and determining the purposes and means of processing personal data through the Service.
2. Definitions
"Applicable Data Protection Law" means applicable laws relating to privacy, data protection, or processing of personal data, including the UK GDPR, EU GDPR, and related legislation.
"Customer Personal Data" means personal data processed by Doctagd on behalf of the Customer through the Service.
"Subprocessor" means a third party engaged by Doctagd to process Customer Personal Data.
3. Subject Matter and Duration
This DPA applies to the processing of Customer Personal Data in connection with the provision of the Doctagd service.
Processing continues for the duration of the customer's use of the Service and any applicable retention period permitted under the Terms of Service, operational requirements, or applicable law.
4. Nature and Purpose of Processing
Doctagd processes Customer Personal Data for purposes including:
- document generation
- spreadsheet processing
- template processing
- saved configuration management
- document previews
- generated document delivery
- API execution
- usage metering
- billing support
- authentication and account management
- infrastructure and operational support
- abuse prevention and security monitoring
5. Categories of Personal Data
Depending on Customer usage, Customer Personal Data may include:
- names
- email addresses
- business contact details
- spreadsheet contents
- uploaded templates
- generated documents
- account information
- workflow metadata
- API payloads
- usage records
- job metadata
6. Categories of Data Subjects
Data subjects may include:
- Customer personnel
- Customer clients
- employees
- contractors
- suppliers
- end users
- business contacts
- individuals whose data is included in uploaded spreadsheets or generated documents
7. Customer Obligations
Customer represents and warrants that:
- it has all necessary rights and lawful bases to process Customer Personal Data
- it has provided required notices to data subjects
- its instructions to Doctagd comply with applicable law
- it will not use the Service unlawfully
Customer remains responsible for:
- the accuracy and legality of uploaded data
- determining appropriate retention periods
- responding to data subject requests
- assessing whether the Service is appropriate for regulated or sensitive data
8. Processor Obligations
Doctagd shall:
- process Customer Personal Data only on documented instructions from the Customer, including through use of the Service
- implement reasonable technical and organisational security measures
- restrict personnel access to authorised individuals
- require personnel with access to Customer Personal Data to maintain confidentiality
- assist the Customer reasonably where required under applicable law
- notify the Customer of confirmed personal data breaches where legally required
9. Security Measures
Doctagd maintains technical and organisational measures intended to protect Customer Personal Data, including measures relating to:
- authentication
- access controls
- private storage controls
- encryption in transit
- credential protection
- abuse prevention
- operational monitoring
Customer acknowledges that no system can guarantee absolute security. Further detail is available in the Security overview.
10. Subprocessors
Customer authorises Doctagd to use subprocessors in connection with the Service.
Current subprocessors are listed on the Doctagd Subprocessors page.
Doctagd may update subprocessors from time to time.
Where required by applicable law, Doctagd will maintain appropriate contractual protections with subprocessors.
11. International Transfers
Customer acknowledges that Customer Personal Data may be processed outside the United Kingdom or European Economic Area.
Where required, Doctagd will implement appropriate safeguards intended to support lawful international transfers, including contractual safeguards where applicable.
Certain subprocessors process Customer Personal Data in the United States (for example, Better Auth, Stripe, and Resend) and rely on Standard Contractual Clauses or equivalent transfer mechanisms. The current list of subprocessors and their processing locations is maintained on the Subprocessors page, which is the authoritative source as providers may change over time.
12. Data Subject Requests
To the extent legally required and reasonably possible, Doctagd will provide reasonable assistance to Customer in responding to requests from data subjects.
Customer remains responsible for responding to such requests.
13. Deletion and Return of Data
Customer may delete Customer Content through available Service functionality where applicable.
Following termination or expiration of the Service, Doctagd may delete Customer Personal Data in accordance with:
- operational retention policies
- backup procedures
- legal obligations
- security requirements
- the Terms of Service
Customer is responsible for exporting or backing up any required data before termination.
14. Audit Rights
Given the nature of the Service and shared infrastructure environment, on-site audits are not permitted except where required by applicable law.
Reasonable information regarding security and privacy practices may be provided upon written request, subject to confidentiality obligations and operational limitations.
15. Liability
The liability limitations and exclusions in the Terms of Service apply to this DPA to the maximum extent permitted by law.
16. Governing Law
This DPA is governed by the laws of England and Wales.
17. Order of Precedence
If there is a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA controls to the extent of that conflict.
18. Contact
Privacy and data protection requests may be submitted through the contact page or official support and legal contact channels.