Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the Terms of Service between you ("Controller") and Dokaz ("Processor") and applies where Dokaz processes personal data contained in your Customer Data on your behalf.

1. Roles

For personal data within the database dumps you register, you are the controller and Dokaz is the processor. For account and billing data of your users, Dokaz is an independent controller, governed by the Privacy Policy.

2. Subject matter, duration, nature, and purpose

The subject matter is the provision of the backup-verification Service. Processing continues for the term of the Terms of Service. The nature and purpose of processing is restoring your database dumps in an isolated sandbox and running the assertions you configure to produce verification evidence.

3. Categories of data and data subjects

The categories of personal data and of data subjects are determined by the contents of the database dumps you choose to register, which are within your control. You must not register dumps containing special-category data unless your plan and a separate agreement expressly permit it.

4. Processor obligations

Dokaz processes Customer Data only on your documented instructions (including via the application), ensures personnel with access are bound by confidentiality, implements the security measures in clause 7, and assists you in meeting your own compliance obligations as set out below.

5. Sub-processors

You authorise Dokaz to engage the sub-processors listed on the Sub-processors page. We impose data-protection obligations on each sub-processor no less protective than this DPA, remain responsible for their performance, and give advance notice of any addition or replacement so you may object on reasonable grounds.

6. Data-subject rights and assistance

Taking into account the nature of processing, we assist you with data-subject requests and with data-protection impact assessments and breach obligations. The application's self-service export and deletion tools are the primary means of fulfilling access and erasure requests.

7. Security measures

Drills run in isolated, ephemeral sandboxes destroyed on completion. Evidence is encrypted at rest with per-account envelope encryption and is digitally signed. Access controls, audit logging, encrypted transport, and tenant isolation apply across the Service. Transient working copies of dumps are deleted as soon as a drill finishes.

8. Personal data breach

Dokaz notifies you without undue delay after becoming aware of a personal data breach affecting your Customer Data, with the information reasonably available to assist your own reporting obligations.

9. International transfers

Where processing involves a transfer of personal data across borders, the parties rely on the Standard Contractual Clauses or another lawful transfer mechanism, which are incorporated by reference.

10. Audits

On reasonable written request, and no more than once a year except following a breach or where required by a supervisory authority, Dokaz makes available the information necessary to demonstrate compliance with this DPA.

11. Return and deletion

On termination you may export your data for 30 days. After that, Customer Data is deleted; account closure crypto-shreds the per-account evidence encryption keys, rendering retained evidence permanently undecryptable, except where retention is required by law.

12. Order of precedence

In the event of a conflict between this DPA and the Terms of Service regarding the processing of personal data, this DPA prevails.

DPA questions or a signed copy: legal@dokaz.io.