GDPR Compliance
1. Our commitment
DocFlow is built to comply with Regulation (EU) 2016/679 (the GDPR) and the UK GDPR. We apply the principles of lawfulness, fairness, transparency, purpose limitation, data minimisation, accuracy, storage limitation, integrity, confidentiality, and accountability at every layer of the Service.
2. Controller and processor roles
- For account, billing, and usage data, DocFlow acts as the data controller.
- For the files you upload and any personal data inside them, DocFlow acts as a data processor on your behalf — you remain the controller and we process the files only to provide you with the conversion / editing / capture you request.
3. Security & organisational measures
- TLS 1.2/1.3 in transit, AES-256 at rest;
- Files processed in isolated containers and deleted within one hour by default;
- Role-based access control with least-privilege defaults;
- Mandatory MFA for all employees with production access;
- Detailed audit logging, monitored 24/7;
- Annual penetration testing by an independent third party;
- Incident-response plan with 72-hour breach-notification process;
- Vendor risk reviews of every sub-processor.
4. Sub-processors
We use the sub-processors listed below to deliver the Service. We will give 30 days' notice (by email or in-app) before adding new sub-processors so you can object.
| Sub-processor | Service | Country |
|---|---|---|
| [Hosting provider] | Compute & storage | EU / US |
| Stripe, Inc. | Payments | US |
| Cloudflare, Inc. | DNS, CDN, DDoS protection | Global |
| Google LLC | OAuth sign-in (optional) | US |
| [Email provider] | Transactional email | EU / US |
5. International transfers
Where personal data leaves the EEA / UK, we rely on the European Commission's Standard Contractual Clauses (Decision 2021/914), the UK International Data Transfer Addendum, and (where applicable) the EU–US Data Privacy Framework.
6. Your rights as a data subject
You may exercise your access, rectification, erasure, restriction, portability, and objection rights at any time by emailing [email protected]. You also have the right to lodge a complaint with your local supervisory authority (in the UK: the ICO; in Ireland: the DPC).
7. Data Processing Addendum
Business customers can request a counter-signed Data Processing Addendum (DPA) — see our DPA template or email [email protected].
8. Data Protection Officer
Our DPO can be reached at [email protected] or by post at Palms Sky Conv, 30 T Route du Vieux Flamboyant, Saint-Gilles-Les-Hauts, 97460 Saint-Paul, Réunion, France.