Data Processing Addendum
Last Updated: July 16, 2026
This Data Processing Addendum ("DPA") forms part of the TemplateDocs Terms of Service (the "Terms") between ByteSail, operator of TemplateDocs ("TemplateDocs," "Processor," "we," "us," or "our"), and the customer using the Service ("Customer" or "Controller").
By accepting the Terms or using the Service, Customer also accepts this DPA. A countersigned copy may be made available on request.
If there is a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA controls.
1. Definitions
Applicable Data Protection Law means data protection and privacy laws applicable to the processing of Customer Personal Data under this DPA, including, where applicable, the EU General Data Protection Regulation ("GDPR") and equivalent or similar laws.
Customer Data means templates, form submissions, webhook or API payloads, workflow variables and step data, generated documents, workflow email content and recipient information, integration credentials, run data, and other content submitted to or processed through the Service by or on behalf of Customer.
Customer Personal Data means personal data contained in Customer Data that TemplateDocs processes on behalf of Customer.
Controller, Processor, Data Subject, Personal Data, Personal Data Breach, and Processing have the meanings given to them under Applicable Data Protection Law.
Subprocessor means a third party engaged by TemplateDocs to process Customer Personal Data on behalf of Customer in connection with the Service.
2. Roles and Scope
Customer is the Controller of Customer Personal Data, and TemplateDocs is the Processor of Customer Personal Data, except where the parties act in different roles as required by Applicable Data Protection Law.
Customer determines the purposes and essential means of processing Customer Personal Data, including what data is collected through Forms, APIs, webhooks, templates, workflows, documents, and integrations.
TemplateDocs will process Customer Personal Data only:
- to provide, operate, secure, maintain, and support the Service;
- according to Customer's documented instructions, including instructions expressed through Customer's configuration and use of the Service;
- as necessary to prevent abuse and protect the security and integrity of the Service; or
- as required by applicable law.
If TemplateDocs is legally required to process Customer Personal Data contrary to Customer's instructions, TemplateDocs will inform Customer before doing so unless prohibited by law.
The details of processing are described in Annex I.
3. Customer Responsibilities
Customer is responsible for:
- complying with Applicable Data Protection Law in its use of the Service;
- ensuring that it has a valid legal basis and all required rights, permissions, and consents to process Customer Personal Data;
- providing any legally required notices to Data Subjects, including individuals submitting information through Customer's Forms;
- determining what Customer Personal Data is collected and processed;
- ensuring that its instructions to TemplateDocs are lawful; and
- determining whether the Service is appropriate for Customer's particular legal and regulatory requirements.
The Service is not designed for the direct collection or storage of payment card data requiring PCI DSS compliance or for processing protected health information where HIPAA compliance is required.
4. Confidentiality
TemplateDocs will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.
Access to production systems and Customer Personal Data is limited to authorized personnel and is permitted only where reasonably necessary for support, debugging, security, service operation, or legal compliance.
5. Security
TemplateDocs will maintain reasonable technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.
Current measures are described in Annex II.
Customer acknowledges that security measures may evolve over time. TemplateDocs may update its measures provided that the overall level of protection is not materially reduced.
6. Subprocessors
Customer provides general authorization for TemplateDocs to engage Subprocessors to provide the Service.
TemplateDocs will:
- require Subprocessors that process Customer Personal Data to protect that data under obligations consistent with Applicable Data Protection Law;
- remain responsible for the performance of its obligations under this DPA where required by Applicable Data Protection Law; and
- maintain a current list of Subprocessors in this DPA or on a public page referenced from it.
Current Subprocessors are listed in Annex III.
TemplateDocs will use reasonable efforts to notify account owners by email approximately 14 to 30 days before adding or replacing a Subprocessor that materially processes Customer Personal Data.
If Customer reasonably objects to a new Subprocessor on data protection grounds, Customer may contact TemplateDocs during the notice period. The parties will attempt in good faith to resolve the objection. If no reasonable solution is available, Customer may discontinue the affected Service and terminate its account.
Customer-configured third-party destinations, integrations, and SMTP servers are not TemplateDocs Subprocessors merely because Customer instructs TemplateDocs to send Customer Personal Data to them.
7. Data Subject Requests
Taking into account the nature of the processing, TemplateDocs will provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.
The Service includes controls that allow Customers to access and delete certain Customer Data. Where additional assistance is reasonably required and the relevant Customer Personal Data can be identified, Customer may contact support@templatedocs.io.
If TemplateDocs receives a request directly from a Data Subject relating to Customer Personal Data, TemplateDocs will, where appropriate, direct the Data Subject to Customer and will not independently respond to the substance of the request unless required by law.
8. Personal Data Breaches
TemplateDocs will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.
The notification will include information reasonably available to TemplateDocs that Customer may need to meet its obligations under Applicable Data Protection Law.
TemplateDocs will take reasonable steps to contain, investigate, and mitigate the effects of the breach.
9. Assistance and Compliance Information
Taking into account the nature of the processing and the information available to TemplateDocs, TemplateDocs will provide reasonable assistance to Customer with applicable obligations relating to security, Personal Data Breach notifications, data protection impact assessments, and consultations with supervisory authorities.
TemplateDocs will make available information reasonably necessary to demonstrate compliance with the processor obligations applicable under this DPA.
Where legally required, Customer may request reasonable additional compliance information or an audit. The parties will first seek to satisfy such a request through available documentation, questionnaires, certifications, or other reasonable evidence. Any audit must be proportionate, subject to confidentiality obligations, and conducted in a manner that minimizes disruption to the Service and does not compromise the security or confidentiality of other customers.
10. Return and Deletion of Customer Personal Data
Customer may delete Customer Data through the Service where deletion controls are available.
Upon deletion of Customer Data or termination of the relevant account or organization, TemplateDocs will delete Customer Personal Data in accordance with the Service's deletion and retention processes, except where retention is required by applicable law.
Customer acknowledges that:
- workflow run data and generated files are deleted according to Customer-configurable retention settings and applicable plan defaults;
- deleted data may remain in backups for a limited period before automatic expiration; and
- billing and transaction records held by third parties may be retained where required for legal, tax, accounting, or compliance purposes.
11. International Transfers
TemplateDocs's primary application infrastructure, databases, queues, and file storage are located in Europe.
ByteSail is established in Israel, and authorized personnel may access Customer Personal Data from Israel where necessary to provide and support the Service.
Where Customer Personal Data is transferred to a country or recipient that is not covered by an applicable adequacy decision or other lawful transfer basis, TemplateDocs will use appropriate safeguards as required by Applicable Data Protection Law, which may include applicable standard contractual clauses.
12. Duration and Termination
This DPA remains in effect for as long as TemplateDocs processes Customer Personal Data on behalf of Customer.
Termination of the Terms automatically terminates this DPA, subject to provisions that by their nature must survive while Customer Personal Data remains in TemplateDocs's possession or control.
13. Governing Terms
This DPA forms part of and is subject to the Terms. The liability provisions and governing law provisions of the Terms apply to this DPA unless Applicable Data Protection Law requires otherwise.
14. Contact
Questions or requests relating to this DPA may be sent to:
Email: support@templatedocs.io
ByteSail
23 Eretz Binyamin
Kfar Adummim
Israel
Annex I - Details of Processing
Subject Matter
Processing of Customer Personal Data as necessary to provide the TemplateDocs document automation and workflow service.
Duration
For the duration of Customer's use of the Service and for applicable retention periods described below, unless longer retention is required by law.
Nature and Purpose of Processing
TemplateDocs may collect, receive, store, organize, retrieve, use, transform, generate, transmit, disclose at Customer's direction, secure, and delete Customer Personal Data for purposes including:
- receiving Form submissions, webhook payloads, and API requests;
- executing workflows and evaluating workflow variables and steps;
- storing and processing document templates;
- generating, editing, converting, and delivering documents;
- sending emails and attachments;
- operating customer-configured integrations;
- storing run history and logs;
- providing customer support and troubleshooting;
- securing the Service and preventing abuse; and
- providing customer-invoked AI features.
Categories of Data Subjects
Depending on Customer's use of the Service, Data Subjects may include:
- Customer's employees, contractors, and users;
- Customer's clients and customers;
- form respondents;
- email recipients;
- vendors, partners, and business contacts; and
- any other individuals whose personal data Customer chooses to process through the Service.
Types of Personal Data
Depending on Customer's use of the Service, Customer Personal Data may include:
- names and contact information;
- form responses and submitted field values;
- data contained in webhook and API payloads;
- workflow variables and step inputs and outputs;
- information contained in uploaded templates;
- information contained in generated documents;
- email addresses, email content, and attachments;
- integration credentials and authorization tokens;
- run metadata and operational logs; and
- any other personal data Customer chooses to submit to or process through the Service.
TemplateDocs does not determine or control the categories of personal data that Customer chooses to process.
Retention
- Templates are retained until deleted by Customer.
- Form submissions, workflow run data, step inputs and outputs, logs, and generated workflow documents are retained according to Customer's configured organization retention period and applicable plan defaults. The standard default run-history retention period is 30 days.
- Webhook test samples are retained as needed to configure the input schema and may be replaced by newer samples.
- Documents generated through the direct document-generation API are processed temporarily and are not persisted after delivery by TemplateDocs.
- Temporary files and in-memory generation buffers are deleted after the relevant operation.
- Operational logs may be retained for up to 30 days.
- Database backups are generally retained for up to 7 days.
Annex II - Technical and Organizational Measures
TemplateDocs maintains measures appropriate to the current nature and scale of the Service, including:
Access Control
- Production access restricted to authorized personnel
- Multi-factor authentication for authorized personnel with administrative or production access
- Role-based permissions for organization users
- Access to Customer Personal Data limited to support, debugging, security, service operation, and legal compliance needs
Data Isolation
- Logical separation of customer data by organization
- Organization membership validation
- Database queries scoped to the authenticated organization
- Organization-scoped storage paths
Encryption and Secrets
- TLS/HTTPS for data in transit
- Encryption at rest provided by cloud infrastructure providers
- Integration credentials stored using Google Cloud Secret Manager
Availability and Recovery
- Automated database backups managed by infrastructure providers
- Backup retention of generally up to 7 days
Monitoring and Incident Management
- Google Cloud logging, monitoring, and alerting
- Limited operational logging with content-bearing statements redacted where practicable
- Production debug logging restricted
- Product error telemetry with personal information masked and identifiers hashed
- Incident-response procedures for security incidents and Personal Data Breaches
Annex III - Subprocessors
TemplateDocs currently uses the following Subprocessors in connection with the Service:
| Subprocessor | Purpose | Customer Personal Data | Processing Location |
|---|---|---|---|
| Google Cloud Platform and Google services | Cloud services and infrastructure, logging, secrets management, document processing, and URL-safety scanning | Yes | Primarily European Union; some security services may operate globally |
| Supabase | Database, authentication, file storage, and backups | Yes | European Union |
| Resend | Default workflow email delivery | Yes | United States and European Union |
| Microsoft Azure and Microsoft services | Additional cloud services and document processing | Yes | Depends on the service and configuration |
| OpenAI, Anthropic, and Google AI | Customer-invoked AI features and automated outbound-email moderation | Yes, when applicable | United States and other locations depending on provider and service |
Mixpanel receives masked or pseudonymized product analytics and error telemetry and is configured for EU data residency. TemplateDocs does not intentionally send Customer content to Mixpanel.
Paddle processes account and billing information as merchant of record and does not process Customer Data on behalf of TemplateDocs.
Customer-configured SMTP servers and other third-party destinations selected by Customer are not TemplateDocs Subprocessors solely because TemplateDocs transmits data to them at Customer's instruction.