This Data Processing Addendum (DPA) forms part of the agreement between cyang.io ("Processor") and the customer entity using Doclinks for business purposes ("Controller").
1. Purpose and Scope
This DPA applies when Processor processes Personal Data on behalf of Controller in connection with the Service.
2. Definitions
- Controller: Entity determining purposes and means of processing.
- Processor: Entity processing Personal Data on behalf of Controller.
- Personal Data: Information relating to an identified or identifiable person.
- Data Subject: Individual to whom Personal Data relates.
- Subprocessor: Third party engaged by Processor to process Personal Data.
3. Roles of the Parties
Controller is responsible for ensuring a lawful basis for processing and providing required notices to Data Subjects.
Processor processes Personal Data only:
- on documented instructions from Controller,
- to provide and secure the Service,
- to meet legal obligations applicable to Processor.
4. Subject Matter and Duration
Processing covers document delivery, access controls, logging, abuse prevention, and related support operations for the term of the underlying service agreement.
5. Nature and Purpose of Processing
Processing activities may include:
- secure storage and encrypted handling of uploaded files,
- generation and enforcement of controlled share links,
- access logging and audit event recording,
- malware scan and quarantine workflows,
- operational diagnostics and support.
6. Categories of Data Subjects
Depending on customer use, Data Subjects may include:
- employees and contractors,
- clients and vendors,
- recipients of shared documents,
- account administrators.
7. Types of Personal Data
Data processed may include:
- account identifiers and contact data,
- document metadata and access events,
- uploaded document contents,
- technical and security telemetry,
- billing and subscription identifiers.
Special category data should only be processed where Controller has established an appropriate legal basis and safeguards.
8. Confidentiality
Processor ensures that personnel with access to Personal Data are subject to confidentiality obligations and access controls appropriate to their role.
9. Security Measures
Processor maintains technical and organizational safeguards aligned with service risk, including:
- encryption in transit,
- encrypted document storage workflows,
- access controls and least-privilege principles,
- rate limiting and abuse detection,
- security logging and event monitoring,
- incident response procedures.
Additional detail is available in the Security Policy.
10. Subprocessors
Controller authorizes Processor to use subprocessors listed at /legal/subprocessors.
Processor will:
- impose data protection obligations on subprocessors,
- remain responsible for subprocessor performance under this DPA,
- update subprocessor disclosures as material processing dependencies change.
11. Data Subject Rights Assistance
Taking into account the nature of the processing, Processor provides reasonable assistance to Controller in responding to requests for access, correction, deletion, portability, or objection, where required by applicable law.
12. Security Incident Notification
Processor will notify Controller without undue delay after confirming a Security Incident affecting Personal Data processed under this DPA.
Notices typically include:
- incident scope and known impact,
- affected data categories (if known),
- containment status,
- planned remediation steps.
13. DPIA and Prior Consultation Support
Where legally required and reasonably requested, Processor provides information needed for data protection impact assessments and prior consultation obligations.
14. Return and Deletion
Upon termination of the Service, Processor will delete or return Personal Data under Controller instruction, unless retention is required by law, security obligations, or dispute-resolution requirements.
15. International Data Transfers
Where cross-border transfers apply, the parties will rely on lawful transfer mechanisms, including standard contractual safeguards where required.
16. Audit and Information Rights
Processor will provide reasonable information demonstrating compliance with this DPA, including policy and control summaries. Additional audits may be addressed through mutually agreed scope and confidentiality terms.
17. Liability and Precedence
Liability and limitation terms for this DPA follow the underlying service agreement unless otherwise required by applicable law.
If this DPA conflicts with the service agreement regarding data processing matters, this DPA controls for those matters.
18. Annex A - Processing Details
| Item | Description |
|---|---|
| Subject matter | Controlled external document delivery and related operations |
| Duration | Term of the service agreement plus limited retention where required |
| Data subjects | Customer users, recipients, business contacts |
| Data categories | Account data, usage metadata, document content, security telemetry |
| Processing purpose | Provide secure sharing, access controls, auditing, abuse prevention |
19. Annex B - Technical and Organizational Measures
| Control area | Measure summary |
|---|---|
| Encryption | TLS in transit and encrypted storage workflows |
| Access control | Role-based permissions, operational least privilege |
| Monitoring | Immutable event logs, abuse telemetry, alerting |
| Malware controls | Scan-first and quarantine-gated delivery states |
| Resilience | Redundancy and incident response procedures |
20. Contact
- privacy@cyang.io
- legal@cyang.io