LegitimaBETA

Data Processing Agreement

Last updated: 9/5/2025

GDPR Compliant
Data Processing Overview

This Data Processing Agreement (DPA) describes how DocuMind processes personal data on behalf of our customers in compliance with applicable data protection laws, including the General Data Protection Regulation (GDPR) and California Consumer Privacy Act (CCPA).

Types of Personal Data

Account Information

  • • Name and email address
  • • Account credentials and authentication tokens
  • • Payment and billing information
  • • Communication preferences

Document Content

  • • Uploaded document files and metadata
  • • Extracted text content and analysis results
  • • Chat conversations and AI responses
  • • Document organization and tags

Usage Data

  • • Feature usage patterns and preferences
  • • Technical logs and error reports
  • • Device and browser information
  • • Session duration and interaction metrics
Lawful Basis for Processing

Contract Performance

Processing necessary to provide our document analysis services

Legitimate Interest

Improving our services, security, and customer support

Consent

Marketing communications and optional features

Legal Compliance

Meeting regulatory requirements and legal obligations

Data Processing Activities

Document Analysis

We process your documents to extract insights and provide AI-powered analysis.

Security measure: Documents are processed in secure, isolated environments and are not used to train our AI models without explicit consent.

Service Provision

Account management, authentication, billing, and customer support activities.

Quality Improvement

Analyzing usage patterns to enhance features and fix issues (anonymized data only).

Data Security Measures

Technical Safeguards

  • • End-to-end encryption in transit
  • • AES-256 encryption at rest
  • • Multi-factor authentication
  • • Regular security audits
  • • Automated threat detection

Organizational Measures

  • • Staff security training
  • • Access controls and monitoring
  • • Data minimization practices
  • • Incident response procedures
  • • Vendor security assessments
Data Transfers

We may transfer personal data to third countries or international organizations under the following safeguards:

  • • Standard Contractual Clauses (SCCs) approved by the European Commission
  • • Adequacy decisions for transfers to countries with adequate protection
  • • Binding Corporate Rules for intra-group transfers
  • • Explicit consent for specific transfers when required
Data Subject Rights

Under GDPR and other privacy laws, you have the following rights:

Right to Access

Request copies of your personal data

Right to Rectification

Correct inaccurate information

Right to Erasure

Request deletion of your data

Right to Portability

Export your data in machine-readable format

Right to Object

Object to certain processing activities

Right to Restrict

Limit how we process your data

Data Retention

Retention Periods

  • Account data: Retained while account is active + 30 days
  • Document content: Retained until user deletion or account closure
  • Chat history: Retained for 2 years or until user deletion
  • Analytics data: Anonymized after 13 months
  • Security logs: Retained for 12 months
Contact Information

Data Protection Officer

Email: dpo@documind.ai
Phone: +1 (555) 123-4567

Privacy Inquiries

Email: privacy@documind.ai
Support Portal: help.documind.ai