Data Processing Agreement
Version 2026.05 · Between AttachKit (Processor) and Customer (Controller). Use this as the DPA between your organization and ours. Print to PDF and sign on both sides; we'll countersign on request via our contact form.
1. Background
Customer uses AttachKit (the "Service") and in doing so may have us process Personal Data on Customer's behalf. This DPA forms part of the agreement between Customer and AttachKit and sets out the terms governing Processor's processing of Personal Data as a processor under the GDPR / UK GDPR.
2. What we process (subject matter + duration)
- Subject matter: Provision of the AttachKit Service (PDF fill, sign, redact, send-to-sign, verify, scan, compare).
- Duration: For as long as Customer maintains an active account or until Customer requests deletion (whichever is earlier).
- Nature + purpose: Hosting authentication, subscription state, signing-flow metadata. Document bytes never leave Customer's browser by default — we don't process PDF contents server-side except where Customer explicitly invokes a server-side AI feature (Auto-fill, AI redaction, AI clause review). In those cases, only the necessary slices are sent to our model provider and not retained beyond the request.
- Categories of data: Customer's and end users' email addresses, names, profile fields voluntarily entered, signature image data, payment metadata (via Stripe).
- Categories of data subjects: Customer's end users + their counterparties who are sent a sign request.
3. Processor obligations
- Process Personal Data only on Customer's documented instructions (the Service contract + this DPA + Customer's configuration).
- Ensure personnel with access are subject to confidentiality.
- Implement appropriate technical + organizational measures (see Annex 1).
- Assist Customer in responding to data subject requests (access, rectification, erasure, restriction, portability, objection). Our admin panel provides a GDPR export + delete flow we can invoke on Customer's behalf within 30 days of request.
- Notify Customer without undue delay (and at most within 72 hours) of a personal data breach affecting Customer's data.
4. Sub-processors
Customer authorizes Processor to engage the following sub-processors:
- Google LLC (Google Cloud) — application hosting (US, EU regions available)
- Neon, Inc. — Postgres database hosting
- Resend (Plus Five Five, Inc.) — transactional email
- Stripe, Inc. — payment processing
- Anthropic, PBC (the Claude API; United States) — AI processing (Auto-fill, redaction, clause review). Retention is bounded per Anthropic's commercial API terms (no training on data sent through the API); we don't pass data unless Customer invokes an AI feature.
- Plausible Insights OÜ — privacy-focused web analytics. Cookieless, no cross-site tracking, no third-party fingerprinting. Aggregate page-view counts only. Active only when NEXT_PUBLIC_PLAUSIBLE_DOMAIN is configured on our deployment.
Counsel Mode (local Ollama). When Customer enables Counsel Mode, AI inference for redaction + clause review runs against the user's own Ollama instance on Customer infrastructure. No data leaves the Customer device in this mode; the cloud AI provider is not invoked. Intentionally out of the sub-processor list — this is Customer-controlled infra.
Processor will notify Customer at least 30 days in advance of any new sub-processor, giving Customer the right to object.
5. International transfers
Where Personal Data is transferred outside the EEA/UK, transfers are governed by the EU Standard Contractual Clauses (Module 2 — controller to processor) or the UK International Data Transfer Addendum, as applicable. Processor will assist Customer in completing transfer impact assessments on request.
6. Deletion + return
On termination, Processor will delete or return all Personal Data within 30 days, unless retention is required by law. Customer can trigger immediate deletion via the in-app GDPR delete flow, which cascades across profile, signatures, subscriptions, sessions, and related tables.
7. Audits
On reasonable notice (minimum 30 days) and at Customer's expense, Processor will make available the information necessary to demonstrate compliance with this DPA and allow for audits by Customer or a third-party auditor mandated by Customer. Processor may satisfy this obligation by sharing relevant SOC 2 reports or equivalent third-party attestations from its sub-processors.
Annex 1 — Technical + Organizational Measures
Reproduced here in summary; the full per-control breakdown, cryptography stack, and verification steps live on our security page.
- TLS 1.2+ in transit, AES-256 at rest (sub-processor level for Postgres + filesystem; client-side AES-GCM for PDF payloads in the send-to-sign flow).
- Send-to-sign is encrypted client-side (AES-GCM-256); our server holds only ciphertext. The decryption key travels in the URL fragment (never sent to the server) or, on Max, is ECDH-wrapped per recipient — in every case we cannot decrypt customer documents.
- Authentication via email-OTP + passkeys; admin actions audited to an append-only log surfaced at /admin/audit.
- IP-block list + rate limits on signup-vector endpoints; feature kill switches to pause individual surfaces.
- Bounce + complaint suppression via Resend webhook; deliverability telemetry surfaced per-user.
- Regular dependency upgrades + automated CI (lint + typecheck + build + e2e on every push).