Data Processing Agreement
Template, version 1.0 — last updated 15 April 2026
This document is a template of the data processing agreement that Document Works concludes with its business customers ("Controller"). This DPA forms an inseparable part of the Main Agreement and is drawn up under GDPR art. 28.
Note: this is a template for information purposes. The definitive DPA is provided per agreement on request and may differ on specific points (for example, sector-specific requirements or negotiated annexes).
Parties
Processor: DocumentWorks ("Document Works"), a trade name of Newtech Studio B.V., Dutch Chamber of Commerce 92716474, VAT NL851029279B01.
Controller: the business customer named in the Main Agreement.
1. Definitions
The definitions of the GDPR apply. In addition:
- Main Agreement: the service agreement concluded between the Parties relating to the Document Works service.
- Personal Data: all personal data processed by Document Works on behalf of and at the instruction of the Controller within the scope of the Main Agreement.
2. Subject and duration
Document Works processes Personal Data exclusively for the purpose of providing the Service to the Controller. This DPA applies for the duration of the Main Agreement and ends as soon as all Personal Data have been returned or deleted in accordance with section 11.
3. Nature, purpose and categories
| Nature | Online office suite (email, calendar, contacts, documents, chat, video, AI assistance) |
|---|---|
| Purpose | Delivery of the Service in accordance with the Main Agreement |
| Categories of data subjects | Employees, contractors, customers, suppliers and other relations of the Controller |
| Categories of Personal Data | Identification and contact data, business role data, communication content (email, chat, documents), calendar items, contacts, audit and activity metadata, AI prompts and output |
| Special categories | Not structurally; only if the Controller includes them in the Content |
4. Instructions
Document Works processes Personal Data solely on the written instruction of the Controller. The Main Agreement and this DPA serve as such instructions. Additional instructions may be given in writing (including by email) via the contact point designated in the Main Agreement.
If Document Works is of the opinion that an instruction infringes the GDPR or other applicable law, Document Works will notify the Controller without delay.
5. Confidentiality
Document Works ensures that the persons authorised to process Personal Data are bound by a duty of confidentiality (whether by contract or by statutory obligation).
6. Security (GDPR art. 32)
Document Works implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. A detailed description is set out in our Security Statement. In summary:
- TLS 1.2+ in transit, GPG-encrypted back-ups at rest.
- Encrypted storage of third-party service credentials with a separate key.
- OIDC authentication, optional two-factor.
- Short session tokens for document editing.
- Row-level tenant isolation and RBAC.
- Strict CSP, defensive HTTP headers, rate limiting.
- Centralised audit logging on sensitive actions.
Document Works reserves the right to change the measures taken based on technological progress and risk analysis, provided the level of security remains at least equivalent.
7. Sub-processors (GDPR art. 28(2))
7.1 The Controller grants general authorisation for the use of sub-processors, provided that Document Works complies with this article.
7.2 The current list of sub-processors is publicly available at
document.works/en/legal/sub-processors and contains at least the
identity, the location and the purpose of processing.
7.3 Document Works will inform the Controller at least 30 days in advance of intended additions or replacements of sub-processors. The Controller has the right, within that period, to object in writing with reasons based on GDPR-grounded considerations. If the Parties do not reach a resolution, the Controller has the right to terminate the Main Agreement for the relevant component.
7.4 Document Works imposes on each sub-processor the same data protection obligations as those that apply to Document Works under this DPA.
8. Transfers outside the EEA
Document Works does not transfer Personal Data to countries outside the EEA, unless this is necessary for an integration or future sub-processor activated by the Controller, and in that case exclusively on the basis of an adequacy decision, standard contractual clauses (SCCs under GDPR art. 46) or another valid legal basis under GDPR chapter V.
9. Assistance with data subject rights (GDPR art. 28(3)(e))
Document Works provides, to the extent reasonably possible, assistance to the Controller in responding to data subject requests under GDPR chapter III (right of access, rectification, erasure, restriction, portability, objection). To the extent the time required for this assistance exceeds a reasonable effort, Document Works may charge a reasonable fee.
10. Personal data breaches (GDPR art. 28(3)(f), art. 33)
10.1 Document Works informs the Controller without undue delay — and in principle within 48 hours of discovery — of a personal data breach.
10.2 The notification includes at least: the nature of the breach, the categories and estimated number of data subjects involved, the consequences, and the measures taken or proposed.
10.3 The Controller is responsible for notifying the supervisory authority (GDPR art. 33) and the data subjects (GDPR art. 34), where applicable.
11. Return and deletion (GDPR art. 28(3)(g))
On termination of the Main Agreement, or on an earlier written request from the Controller, Document Works ensures:
- Return of Personal Data in a commonly used machine-readable format, for a period of 30 days after termination.
- Thereafter, deletion of the Personal Data from the live environment.
- Deletion from back-ups takes place within the natural expiry period of those back-ups (up to 30 days rolling).
The Controller receives, on request, written confirmation of the deletion.
12. Audit and information (GDPR art. 28(3)(h))
12.1 Document Works makes available, on reasonable request from the Controller, all information necessary to demonstrate compliance with GDPR art. 28, including the Security Statement, the sub-processor list and relevant parts of reports from external audits/pen-tests (where available).
12.2 The Controller has the right to conduct an on-site audit or have one conducted by an independent auditor, at most once per calendar year, after at least 30 days' prior written notice, on business days during office hours, and without disproportionately disrupting operations. The costs are for the Controller's account, unless the audit reveals a material failure.
13. Liability
The liability limitation of the Main Agreement also applies to this DPA, except to the extent that mandatory law (including GDPR art. 82) provides otherwise.
14. Final provisions
14.1 In case of conflict between this DPA and the Main Agreement, this DPA prevails where the protection of Personal Data is concerned.
14.2 This DPA is governed by Dutch law. Disputes are submitted to the competent court in Amsterdam.
Annex A — Sub-processors (at the time of signing)
See the current list at document.works/en/legal/sub-processors. At the
time of signing:
| Sub-processor | Country | Purpose |
|---|---|---|
| Hetzner Online GmbH | Germany (Falkenstein, Nuremberg) | Hosting and back-up |
| Mistral AI SAS | France (Paris) | AI text, image generation, speech recognition |
Annex B — Security measures
See security for the current set of technical and organisational measures.