Trust center / Privacy & GDPR
Privacy & GDPR
docs365.ai acts as a data processor under GDPR — your organization remains the controller for personal data in documents you govern. How we map to Article 28 responsibilities, and the boundaries that matter.
Roles
Controller, processor, sub-processor
You
Data controller
Your organization determines why personal data is processed, which documents contain it, who has access, and how long it's retained.
docs365.ai
Data processor
Our layer processes personal data only on your documented instructions, under the terms of our DPA. We don't determine purpose or scope; we operate.
Microsoft + DocuSign
Sub-processors
Microsoft is the platform on which everything runs. DocuSign (when enabled) is the PAdES signing ceremony. Both covered in the DPA.
Article 28 mapping
How our DPA addresses each clause
| Article 28 | What it requires | How we address it |
|---|---|---|
| 28(1) | Sufficient guarantees to implement appropriate technical + organisational measures | Internal ISMS aligned to ISO 27001 controls; Microsoft's own attestations apply to the platform |
| 28(3)(a) | Process only on documented instructions of the controller | DPA + customer configuration define all processing; we don't process on our own initiative |
| 28(3)(b) | Confidentiality obligations on personnel | Employment contracts + NDAs + security training; documented in DPA |
| 28(3)(c) | Security measures per Article 32 | See security posture page for detail |
| 28(3)(d) | Engage sub-processors only with controller authorisation | Current sub-processors listed in DPA; changes notified 30 days in advance |
| 28(3)(e) | Assist controller in responding to data-subject rights requests | Data retrieval, export, and deletion operations available via SharePoint + our admin tooling |
| 28(3)(f) | Assist controller with Articles 32-36 (security, breach notification, DPIA, prior consultation) | Security documentation, breach-notification process, DPIA inputs — all provided on request |
| 28(3)(g) | Return or delete personal data at end of services | Documents remain in your SharePoint (we don't take copies); our service-account access is revoked at contract end |
| 28(3)(h) | Make available information needed to demonstrate compliance; allow audits | Security documentation available to customers; reasonable audit requests accommodated under NDA |
Data subject rights
Assisting with access, rectification, erasure
Data-subject rights requests (Articles 15–22 of GDPR) are directed to you as controller. When a data subject asks you for access to, rectification of, or erasure of their personal data, you determine the response. Our role is to make sure the technical capability to respond exists:
Access (Art. 15)
Documents containing personal data are searchable in SharePoint. Audit logs show what actions happened to specific documents. Both are part of the access response.
Rectification (Art. 16)
Documents can be revised through the normal approval workflow. The change is captured in the audit log. Prior versions remain available (subject to your retention policy).
Erasure (Art. 17)
Documents can be deleted or archived. Note that erasure obligations must be weighed against records-retention obligations under sector regulations (Art. 17(3) exceptions).
Portability (Art. 20)
Documents are native Office formats (Word, PDF, Excel, PowerPoint). Metadata exports via SharePoint. Data portability is not a technical barrier.
Article 33
Breach notification
If a personal-data breach affects customer data processed through our layer, we notify the affected customer's primary compliance contact within 24 hours of our awareness. The notification includes: the nature of the breach, categories and approximate numbers of data subjects concerned, likely consequences, and measures taken or proposed to address the breach.
This is faster than the 72-hour notification clock you have under Article 33(1) with your supervisory authority — giving your compliance team time to assess the breach and prepare their own notification before the regulatory deadline.
Breaches at the underlying platform level (Microsoft's responsibility) flow through Microsoft's own breach-notification process as specified in Microsoft's DPA.
Article 35
DPIA support
For customers whose documented-information processing meets Article 35 DPIA triggers, we provide the processor-side inputs typically required: description of the processing, technical + organisational measures, sub-processor list, data-retention model, and risk-assessment information. Customers running DPIAs should request this package — it's usually part of contracting for regulated customers.
Contact
Privacy + DPO contact
Privacy inquiries, DPA requests, DPIA support, breach-notification coordination, data-subject rights liaison — all at privacy@docs365.ai. Our response target is 3 business days for routine inquiries; faster for breach or rights-request escalations.
Need the DPA or a DPIA input package?
Standard-form DPA available during contracting. Customer-specific DPA addenda, DPIA inputs, and vendor-risk-assessment questionnaires usually turn around in under a business day.