
Data Processing Agreement

Last Updated: March 30, 2026

Introduction

This Data Processing Agreement ("DPA") forms part of the Master Service Agreement, Terms of Service, or other subscription agreement (the "Agreement") between PropperDocs, Inc. ("Propper") and the entity identified as Customer in the Agreement ("Customer").

This DPA governs Propper's Processing of Personal Data on behalf of Customer in connection with the Services. The terms of this DPA prevail over any conflicting terms in the Agreement with respect to data protection matters.

This DPA is effective as of the Effective Date of the Agreement or, if later, the date Customer accepts this DPA.

1. Definitions

"Applicable Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including:

  • The California Consumer Privacy Act of 2018, as amended by the California Privacy Rights Act ("CCPA")
  • Other U.S. state privacy laws (e.g., Virginia CDPA, Colorado CPA, Connecticut CTDPA, Utah UCPA)
  • The General Data Protection Regulation (EU) 2016/679 ("GDPR")
  • The UK General Data Protection Regulation ("UK GDPR")
  • The Swiss Federal Act on Data Protection ("Swiss FADP")

"Controller" means the entity that determines the purposes and means of Processing Personal Data. Also referred to as "Business" under the CCPA.

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"Personal Data" means any information relating to an identified or identifiable natural person that is Processed by Propper in connection with the Services.

"Process" or "Processing" means any operation performed on Personal Data, including collection, recording, organization, storage, adaptation, alteration, retrieval, consultation, use, disclosure, transmission, erasure, or destruction.

"Processor" means an entity that Processes Personal Data on behalf of a Controller. Also referred to as "Service Provider" under the CCPA.

"Security Incident" means any unauthorized access to, acquisition of, or disclosure of Personal Data that compromises the security, confidentiality, or integrity of such Personal Data.

"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses approved by the European Commission for international transfers of Personal Data, as set forth in Commission Implementing Decision (EU) 2021/914.

"Subprocessor" means any third party engaged by Propper to Process Personal Data on Propper's behalf.

"UK Addendum" means the International Data Transfer Addendum to the EU SCCs issued by the UK Information Commissioner's Office.

2. Roles and Responsibilities

2.1 Roles of the Parties

The Parties acknowledge and agree that:

  • Customer is the Controller (or acts on behalf of a Controller) of Personal Data Processed through the Services
  • Propper is the Processor of Personal Data and Processes Personal Data solely on behalf of Customer in accordance with this DPA

For purposes of the CCPA:

  • Customer is the Business
  • Propper is the Service Provider

2.2 Customer Responsibilities

Customer is responsible for:

  • Determining the lawful basis for Processing Personal Data
  • Providing any required notices to Data Subjects
  • Obtaining any necessary consents or authorizations
  • Ensuring that Customer's instructions to Propper comply with Applicable Data Protection Laws
  • Responding to Data Subject requests (with Propper's assistance as set forth herein)

2.3 Customer Instructions

Customer instructs Propper to Process Personal Data for the following purposes:

  • Providing the Services in accordance with the Agreement
  • Processing initiated by Users in their use of the Services
  • Processing necessary to comply with Customer's documented instructions
  • Processing required to comply with applicable law

Customer's instructions must comply with Applicable Data Protection Laws. If Propper believes an instruction violates Applicable Data Protection Laws, Propper will promptly notify Customer.

3. Data Processing

3.1 Processing Details

The details of Processing are set forth in Annex I (Description of Processing) below.

3.2 Processing Limitations

Propper will:

  • Process Personal Data only on Customer's documented instructions, unless required by applicable law
  • Not sell, share (as defined under CCPA), or use Personal Data for any purpose other than providing the Services
  • Not combine Personal Data with data from other sources except as necessary to provide the Services
  • Treat Personal Data as Confidential Information under the Agreement

3.3 Compliance

Propper will comply with Applicable Data Protection Laws in its Processing of Personal Data on Customer's behalf.

4. Data Subject Rights

4.1 Requests to Customer

Customer is responsible for responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Laws (e.g., access, correction, deletion, portability, objection).

4.2 Requests to Propper

If Propper receives a request directly from a Data Subject, Propper will promptly redirect the Data Subject to Customer and notify Customer of the request, unless prohibited by law.

4.3 Assistance

Taking into account the nature of the Processing, Propper will provide reasonable assistance to Customer in responding to Data Subject requests, including by:

  • Providing access to Personal Data within Propper's possession
  • Correcting, deleting, or restricting Processing of Personal Data as instructed by Customer
  • Providing Personal Data in a structured, commonly used format where required for portability

Propper may charge reasonable fees for assistance beyond what is required to provide the Services.

5. Personnel and Confidentiality

5.1 Personnel

Propper will ensure that personnel authorized to Process Personal Data:

  • Are subject to confidentiality obligations
  • Have received appropriate training on data protection
  • Process Personal Data only as necessary to perform their duties

5.2 Access Limitation

Propper will limit access to Personal Data to personnel who require access to perform the Services.

6. Security

6.1 Security Measures

Propper will implement and maintain appropriate technical and organizational measures to protect Personal Data against unauthorized or unlawful Processing, accidental loss, destruction, or damage. These measures are described in Annex II (Security Measures) below.

6.2 Security Assessment

Propper regularly assesses and updates its security measures to address evolving threats. Propper will not materially reduce the overall security of the Services during the term of the Agreement.

7. Security Incidents

7.1 Notification

Propper will notify Customer without undue delay, and in any event within 72 hours, after becoming aware of a Security Incident affecting Personal Data.

7.2 Notification Content

The notification will include, to the extent known:

  • A description of the nature of the Security Incident, including categories and approximate number of Data Subjects and records affected
  • Contact information for Propper's privacy or security team
  • Likely consequences of the Security Incident
  • Measures taken or proposed to address the Security Incident

7.3 Cooperation

Propper will cooperate with Customer's reasonable requests for additional information and will take appropriate measures to remediate the Security Incident.

7.4 No Admission

Propper's notification of a Security Incident is not an acknowledgment of fault or liability.

8. Subprocessors

8.1 Authorization

Customer grants Propper general authorization to engage Subprocessors to Process Personal Data, subject to the requirements of this Section 8.

8.2 Current Subprocessors

Subprocessor | Purpose | Location
Google Cloud Platform | Cloud infrastructure, compute, and storage | United States, Europe
Google Cloud SQL / AlloyDB | Database hosting | United States, Europe
SendGrid (Twilio) | Transactional email delivery | United States
Stripe | Payment processing | United States

8.3 New Subprocessors

Propper will notify Customer at least fifteen (15) days before engaging a new Subprocessor by updating the Subprocessor list and notifying Customer via email.

8.4 Objection

If Customer has a reasonable, documented objection to a new Subprocessor based on data protection concerns, Customer must notify Propper in writing within fifteen (15) days of receiving notice. The Parties will work in good faith to address Customer's concerns.

If the Parties cannot resolve the objection within thirty (30) days, Customer may terminate the affected Services by providing written notice. Propper will refund prepaid Fees for the unused portion of the Subscription Term.

8.5 Subprocessor Agreements

Propper will enter into written agreements with Subprocessors that impose data protection obligations no less protective than those in this DPA.

8.6 Liability

Propper remains liable to Customer for the acts and omissions of its Subprocessors to the same extent Propper would be liable if performing the Processing directly.

9. International Data Transfers

9.1 Transfer Mechanisms

When Personal Data is transferred from the EEA, UK, or Switzerland to a country not recognized as providing adequate protection, Propper will ensure appropriate safeguards are in place, including:

  • Standard Contractual Clauses: The SCCs are incorporated by reference into this DPA
  • UK Addendum: For transfers from the UK, the UK Addendum is incorporated by reference
  • Swiss Addendum: For transfers from Switzerland, the SCCs apply with the modifications required by Swiss law

9.2 Implementation of SCCs

Where the SCCs apply:

  • Customer is the "Data Exporter" and Propper is the "Data Importer"
  • Module Two (Controller to Processor) applies when Customer is a Controller
  • Module Three (Processor to Processor) applies when Customer is a Processor
  • The optional docking clause (Clause 7) is not included
  • Option 2 (general written authorization) applies to Clause 9(a), with the 15-day notice period specified in Section 8.3
  • The optional language in Clause 11 (independent dispute resolution) is not included
  • The governing law and forum for the SCCs shall be the Republic of Ireland
  • Annexes I and II of the SCCs are set forth in the Annexes to this DPA

9.3 Additional Safeguards

Propper maintains supplementary technical and organizational measures to protect Personal Data during international transfers, including encryption of data in transit and at rest.

10. Audits

10.1 Audit Information

Upon Customer's written request (no more than once per year), Propper will provide information demonstrating compliance with this DPA, which may include:

  • Relevant security certifications (e.g., SOC 2 Type II reports)
  • Third-party audit reports
  • Responses to security questionnaires
  • Relevant policies and procedures

10.2 On-Site Audits

If Customer reasonably determines that the information provided under Section 10.1 is insufficient, Customer may request an on-site audit subject to the following:

  • Written request at least thirty (30) days in advance
  • Scope limited to Propper's Processing of Personal Data for Customer
  • Conducted during normal business hours with minimal disruption
  • Auditor must execute a confidentiality agreement
  • Customer bears all costs of the audit
  • Propper may require that auditors who are competitors execute additional protections

10.3 Confidentiality

Audit reports and related information constitute Propper's Confidential Information.

11. Data Protection Impact Assessments

Upon Customer's reasonable request, Propper will provide information reasonably necessary for Customer to conduct data protection impact assessments or prior consultations with supervisory authorities as required by Applicable Data Protection Laws.

12. Return and Deletion

12.1 During Subscription Term

Customer may export Personal Data at any time during the Subscription Term using the functionality provided in the Services.

12.2 Post-Termination

Following termination or expiration of the Agreement:

  • Propper will retain Personal Data for thirty (30) days to allow Customer to export
  • After thirty (30) days, Propper will delete Personal Data in accordance with its standard practices
  • Propper may retain Personal Data as required by applicable law or for legitimate business purposes (e.g., transaction records for legal compliance)

12.3 Deletion Certification

Upon Customer's written request, Propper will certify deletion of Personal Data.

13. CCPA-Specific Provisions

Where the CCPA applies to Propper's Processing of Personal Data:

13.1 Service Provider Status

Propper is a "Service Provider" as defined in the CCPA. Propper will:

  • Process Personal Data only for the business purposes specified in the Agreement
  • Not sell or share Personal Data
  • Not use Personal Data for any purpose other than providing the Services
  • Not combine Personal Data with other data except as permitted by the CCPA

13.2 CCPA Certification

Propper certifies that it understands and will comply with the restrictions in this Section 13.

13.3 Consumer Requests

Propper will assist Customer in responding to verifiable consumer requests under the CCPA, including requests to know, delete, or correct Personal Data.

14. General

14.1 Conflicts

In the event of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. In the event of conflict between this DPA and the SCCs, the SCCs shall prevail.

14.2 Liability

Liability under this DPA is subject to the limitations set forth in the Agreement.

14.3 Termination

This DPA will terminate automatically upon termination or expiration of the Agreement.

14.4 Amendments

Propper may update this DPA from time to time to reflect changes in Applicable Data Protection Laws. Material changes will be communicated at least thirty (30) days before taking effect.

Annex I: Description of Processing

A. List of Parties

Role | Details
Data Exporter (Customer) | As identified in the Agreement
Data Importer (Propper) | PropperDocs, Inc., 8000 Avalon Boulevard, Atlanta, GA 30009 — privacy@propper.ai

B. Description of Transfer

Element | Description
Subject Matter | Provision of electronic signature and document management Services
Duration | Duration of the Agreement
Nature and Purpose | Processing Personal Data to enable electronic document creation, delivery, signature, authentication, and storage
Categories of Data Subjects | Employees and contractors of Customer; Customer's customers and business partners; Transaction Participants (signers, recipients)
Categories of Personal Data | Contact information (name, email, phone); Account credentials; IP addresses and device information; Electronic signatures; Document contents (as uploaded by Customer); Transaction metadata and audit trails
Sensitive Data | Customer may upload documents containing sensitive data; Propper does not require or request sensitive data
Frequency of Transfer | Continuous during use of the Services
Retention Period | Duration of subscription plus 30 days (or as required by law)

C. Competent Supervisory Authority

For EEA transfers: The supervisory authority of the EU member state where Customer is established, or if Customer is not in the EEA, the Irish Data Protection Commission.

For UK transfers: The UK Information Commissioner's Office.

Annex II: Security Measures

Propper implements the following technical and organizational security measures:

1. Access Control

  • Role-based access controls with least-privilege principles
  • Multi-factor authentication for administrative access
  • Unique user identification and authentication
  • Automatic session timeout
  • Access logging and monitoring

2. Data Encryption

  • Encryption of data in transit using TLS 1.2 or higher
  • Encryption of data at rest using AES-256
  • Secure key management practices

3. Network Security

  • Firewalls and intrusion detection/prevention systems
  • DDoS protection
  • Network segmentation
  • Regular vulnerability scanning

4. Physical Security

  • Data hosted in Google Cloud Platform data centers
  • Physical access controls, surveillance, and environmental protections
  • Geographic redundancy

5. Operational Security

  • Documented security policies and procedures
  • Security awareness training for personnel
  • Background checks for personnel with access to Personal Data
  • Incident response procedures

6. Data Protection

  • Regular backups with encryption
  • Disaster recovery capabilities
  • Data deletion procedures

7. Vendor Management

  • Security assessment of Subprocessors
  • Contractual security requirements for Subprocessors

8. Monitoring and Testing

  • Continuous security monitoring
  • Regular penetration testing and vulnerability assessments
  • Security incident logging and analysis

Data Processing Agreement Version 1.0

For questions about this DPA: privacy@propper.ai | support@propper.ai

PropperDocs, Inc. All rights reserved.