1. Background
This Data Processing Agreement (“DPA”) forms part of the Master Services Agreement between Dataroom, Inc. (“Processor”) and Customer (“Controller”) for the provision of the Dataroom platform (“Services”). It applies whenever Processor processes Personal Data on behalf of Controller in connection with the Services.
2. Definitions
Terms such as “Personal Data”, “Processing”, “Data Subject”, “Supervisory Authority”, and “Personal Data Breach” have the meanings ascribed to them in the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
3. Subject matter & duration
Processor processes Personal Data on behalf of Controller for the duration of the Services agreement and for the limited purpose of providing, securing, and improving the Services in accordance with documented Controller instructions.
4. Categories of data subjects and personal data
- Data subjects: Controller's employees, customers, prospects, and recipients of documents shared via the Services.
- Personal data: name, email address, IP address, device data, document metadata, content of documents uploaded by Controller.
- Special categories: only where Controller chooses to upload such data; HIPAA BAA available for healthcare workloads.
5. Processor obligations
- Process Personal Data only on documented Controller instructions.
- Ensure persons authorized to process Personal Data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Annex II).
- Engage Sub-processors only under the general written authorization in Section 8 and on terms imposing data protection obligations equivalent to those in this DPA.
- Assist Controller in fulfilling Data Subject rights requests within reasonable timelines.
- Notify Controller of any Personal Data Breach without undue delay and in any event within 48 hours of becoming aware of it.
- Delete or return all Personal Data within 30 days of termination, unless retention is required by law.
6. International transfers
For transfers of Personal Data outside the EEA, the parties incorporate the European Commission's Standard Contractual Clauses (Module Two: Controller to Processor, adopted 4 June 2021) by reference. The UK Addendum and the Swiss SCCs apply where relevant.
7. Audit rights
Controller may, no more than once per calendar year (and at Controller's expense), audit Processor's compliance with this DPA. Processor will provide the most recent SOC 2 Type II report, penetration test summary, and CAIQ in lieu of on-site audits where reasonable.
8. Sub-processors
The current list of authorized Sub-processors is published at sendmint.com/legal/subprocessors and is updated with at least 30 days' prior notice of any addition.
9. Liability
Liability under this DPA is subject to the limitations set out in the Master Services Agreement, except where applicable data protection law mandates otherwise.
10. Governing law & jurisdiction
This DPA is governed by the laws of the Republic of Ireland for EEA customers and the State of Delaware for all other customers. Disputes are resolved by the competent courts in those jurisdictions, subject to the requirements of applicable data protection law.
Download signed DPA
Most customers can rely on this online DPA without signing a separate document. If your procurement team requires a signed copy, request one at privacy@sendmint.com and we'll send a pre-signed PDF within one business day.