Data Processing Addendum

This page provides the public baseline for processor obligations, security posture, subprocessors, and international transfer support.

Purpose and precedence

Effective date: 2026-03-23. This Data Processing Addendum describes the baseline data protection terms that apply when Docsift processes personal data on behalf of a customer.

This addendum supplements the customer agreement. If there is a conflict between the customer agreement and this addendum on data protection matters, this addendum controls for those matters.

Roles and instructions

The customer is the controller, or a processor acting on behalf of its own controller, for customer personal data submitted to the service. Docsift acts as processor for that customer personal data except where Docsift acts as controller for its own business operations such as billing, security, and direct website interactions.

Docsift will process customer personal data only on documented instructions from the customer, including as necessary to provide the service, secure the platform, maintain service reliability, and comply with applicable law.

Nature of processing

Processing activities may include hosting, storage, organization, retrieval, structuring, extraction support, export handling, user authentication, logging, and support-related access required to operate the service.

  • Categories of data subjects may include customer employees, approvers, vendors, payees, and other individuals reflected in submitted finance records.
  • Categories of personal data may include contact details, finance document contents, account metadata, audit events, and integration-related data necessary to complete customer-directed actions.

Security measures

Docsift is expected to maintain technical and organizational measures appropriate to the risk, including company-scoped access controls, invite-only account provisioning, private storage, auditability for sensitive actions, and operational safeguards around queue processing and maintenance routes.

Docsift may update security measures over time provided that the overall security posture is not materially diminished for the customer’s use case.

Subprocessors

Docsift may engage subprocessors to provide infrastructure, hosting, storage, transactional email, and related service functionality. A current subprocessor list is published on the subprocessors page.

Customer-directed integrations and customer-configured AI providers are used only when the customer enables them. Those providers may receive customer data as necessary to complete the requested processing or export task.

Transfers and assistance

Where required, Docsift expects to support lawful international data transfers through appropriate safeguards such as contractual transfer mechanisms.

Docsift will provide reasonable assistance to the customer for responding to data subject requests, security incidents, and regulatory inquiries to the extent such assistance is required by applicable law and relates to customer personal data processed through the service.

Deletion and return

Upon termination of the applicable services and subject to legal retention obligations, customer data will be returned or deleted in accordance with the customer agreement and the operational capabilities of the service.

Operational logs, audit records, or limited backups may persist for a reasonable period where required for security, dispute resolution, or legal compliance.