DocGen logoDocGen

Legal

Data Processing Agreement

Governs data processing by DocGen on behalf of Controllers

This Data Processing Agreement ("Agreement") is entered into pursuant to applicable data protection laws and forms an integral part of any subscription, terms of service, or master agreement between the parties. It governs the processing of Personal Data by the Processor on behalf of the Controller.

1. Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person.
  • Data Subject: The individual to whom the Personal Data relates.
  • Processing: Any operation performed on Personal Data including collection, storage, use, transfer, or deletion.
  • Subprocessor: A third party engaged by the Processor to process Personal Data.
  • Applicable Laws: All data protection laws and regulations relevant to the processing activities under this Agreement.

2. Subject Matter and Duration

This Agreement governs the processing of Personal Data by DocGen on behalf of the Controller in the context of providing AI-powered documentation services. The Agreement shall remain in effect for the duration of the main service agreement or until all Personal Data is deleted or returned to the Controller.

3. Nature and Purpose of Processing

DocGen processes Personal Data only for the following purposes:

  • To provide, maintain, and improve software documentation and code simplification tools.
  • To support user authentication, access management, and collaboration.
  • To provide technical support, training, and account management.
  • To fulfill contractual and legal obligations associated with the Controller's use of DocGen services.

4. Categories of Data Subjects and Personal Data

The Controller determines the categories of Personal Data and Data Subjects. Typical categories include the Controller's employees, contractors, and authorized users, as well as end-users or customers in limited, anonymized formats.

5. Obligations of the Processor (DocGen)

DocGen agrees to:

  • Process Personal Data solely on the documented instructions of the Controller.
  • Ensure confidentiality and train all personnel with access to Personal Data.
  • Implement appropriate technical and organizational security measures.
  • Cooperate with the Controller in responding to data subject requests.
  • Notify the Controller without undue delay upon becoming aware of a data breach.
  • Maintain records of processing activities under its responsibility.
  • Refrain from selling or using Personal Data for marketing, profiling, or resale.

6. Obligations of the Controller

The Controller represents and warrants that it has obtained all necessary consents and legal authority to transfer Personal Data to DocGen, and will not instruct DocGen to process data unlawfully or in breach of applicable laws.

7. Subprocessors

DocGen may engage third-party subprocessors to fulfill its obligations. DocGen maintains an up-to-date list of its current subprocessors, available upon request. The Controller provides general authorization for DocGen to engage subprocessors, provided DocGen imposes equivalent data protection obligations and provides advance notice of changes.

8. International Data Transfers

DocGen may transfer Personal Data across borders as required for hosting, processing, or service delivery. All such transfers will use adequate safeguards in accordance with applicable data transfer mechanisms including Standard Contractual Clauses (SCCs) and adequacy decisions.

9. Security Measures

DocGen implements appropriate technical and organizational measures including:

  • Encryption of data at rest and in transit
  • Role-based access controls (RBAC)
  • Secure user authentication and access logging
  • Regular vulnerability scanning and penetration testing
  • Incident detection, response, and backup recovery protocols

10. Data Subject Rights

DocGen shall provide assistance to help the Controller respond to data subject rights requests (access, correction, deletion, or portability) without undue delay.

11. Data Breach Notification

DocGen will notify the Controller without undue delay (and in any case within 72 hours) upon becoming aware of a Personal Data Breach, including a description of the nature, likely consequences, and measures taken or proposed to address the breach.

12. Audit and Compliance

DocGen agrees to make available all necessary information to demonstrate compliance with this DPA. The Controller may conduct audits (not more than once per year) of DocGen relevant systems and policies with 30 days' prior written notice.

13. Data Return and Deletion

Upon termination of the service agreement, DocGen will delete or return all Personal Data processed on the Controller's behalf within a maximum of 30 days, unless otherwise required by law.

14. Governing Law and Jurisdiction

This Agreement shall be governed by the laws of the Republic of India. Any disputes shall be submitted to the exclusive jurisdiction of the courts located in Delhi NCR, India.

Contact

  • Email: support@docgenai.org
  • Address: 3rd Floor, Orchid Center, Golf Course Road, Sector 53, Gurugram, Haryana 122002, IN