Data Processing Addendum

Last Updated: July 16, 2026

This Data Processing Addendum ("DPA") forms part of the TemplateDocs Terms of Service (the "Terms") between ByteSail, operator of TemplateDocs ("TemplateDocs," "Processor," "we," "us," or "our"), and the customer using the Service ("Customer" or "Controller").

By accepting the Terms or using the Service, Customer also accepts this DPA. A countersigned copy may be made available on request.

If there is a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA controls.

1. Definitions

Applicable Data Protection Law means data protection and privacy laws applicable to the processing of Customer Personal Data under this DPA, including, where applicable, the EU General Data Protection Regulation ("GDPR") and equivalent or similar laws.

Customer Data means templates, form submissions, webhook or API payloads, workflow variables and step data, generated documents, workflow email content and recipient information, integration credentials, run data, and other content submitted to or processed through the Service by or on behalf of Customer.

Customer Personal Data means personal data contained in Customer Data that TemplateDocs processes on behalf of Customer.

Controller, Processor, Data Subject, Personal Data, Personal Data Breach, and Processing have the meanings given to them under Applicable Data Protection Law.

Subprocessor means a third party engaged by TemplateDocs to process Customer Personal Data on behalf of Customer in connection with the Service.

2. Roles and Scope

Customer is the Controller of Customer Personal Data, and TemplateDocs is the Processor of Customer Personal Data, except where the parties act in different roles as required by Applicable Data Protection Law.

Customer determines the purposes and essential means of processing Customer Personal Data, including what data is collected through Forms, APIs, webhooks, templates, workflows, documents, and integrations.

TemplateDocs will process Customer Personal Data only:

  1. to provide, operate, secure, maintain, and support the Service;
  2. according to Customer's documented instructions, including instructions expressed through Customer's configuration and use of the Service;
  3. as necessary to prevent abuse and protect the security and integrity of the Service; or
  4. as required by applicable law.

If TemplateDocs is legally required to process Customer Personal Data contrary to Customer's instructions, TemplateDocs will inform Customer before doing so unless prohibited by law.

The details of processing are described in Annex I.

3. Customer Responsibilities

Customer is responsible for:

The Service is not designed for the direct collection or storage of payment card data requiring PCI DSS compliance or for processing protected health information where HIPAA compliance is required.

4. Confidentiality

TemplateDocs will ensure that personnel authorized to process Customer Personal Data are subject to appropriate confidentiality obligations.

Access to production systems and Customer Personal Data is limited to authorized personnel and is permitted only where reasonably necessary for support, debugging, security, service operation, or legal compliance.

5. Security

TemplateDocs will maintain reasonable technical and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Current measures are described in Annex II.

Customer acknowledges that security measures may evolve over time. TemplateDocs may update its measures provided that the overall level of protection is not materially reduced.

6. Subprocessors

Customer provides general authorization for TemplateDocs to engage Subprocessors to provide the Service.

TemplateDocs will:

Current Subprocessors are listed in Annex III.

TemplateDocs will use reasonable efforts to notify account owners by email approximately 14 to 30 days before adding or replacing a Subprocessor that materially processes Customer Personal Data.

If Customer reasonably objects to a new Subprocessor on data protection grounds, Customer may contact TemplateDocs during the notice period. The parties will attempt in good faith to resolve the objection. If no reasonable solution is available, Customer may discontinue the affected Service and terminate its account.

Customer-configured third-party destinations, integrations, and SMTP servers are not TemplateDocs Subprocessors merely because Customer instructs TemplateDocs to send Customer Personal Data to them.

7. Data Subject Requests

Taking into account the nature of the processing, TemplateDocs will provide reasonable assistance to Customer in responding to requests from Data Subjects to exercise their rights under Applicable Data Protection Law.

The Service includes controls that allow Customers to access and delete certain Customer Data. Where additional assistance is reasonably required and the relevant Customer Personal Data can be identified, Customer may contact support@templatedocs.io.

If TemplateDocs receives a request directly from a Data Subject relating to Customer Personal Data, TemplateDocs will, where appropriate, direct the Data Subject to Customer and will not independently respond to the substance of the request unless required by law.

8. Personal Data Breaches

TemplateDocs will notify Customer without undue delay after becoming aware of a confirmed Personal Data Breach affecting Customer Personal Data.

The notification will include information reasonably available to TemplateDocs that Customer may need to meet its obligations under Applicable Data Protection Law.

TemplateDocs will take reasonable steps to contain, investigate, and mitigate the effects of the breach.

9. Assistance and Compliance Information

Taking into account the nature of the processing and the information available to TemplateDocs, TemplateDocs will provide reasonable assistance to Customer with applicable obligations relating to security, Personal Data Breach notifications, data protection impact assessments, and consultations with supervisory authorities.

TemplateDocs will make available information reasonably necessary to demonstrate compliance with the processor obligations applicable under this DPA.

Where legally required, Customer may request reasonable additional compliance information or an audit. The parties will first seek to satisfy such a request through available documentation, questionnaires, certifications, or other reasonable evidence. Any audit must be proportionate, subject to confidentiality obligations, and conducted in a manner that minimizes disruption to the Service and does not compromise the security or confidentiality of other customers.

10. Return and Deletion of Customer Personal Data

Customer may delete Customer Data through the Service where deletion controls are available.

Upon deletion of Customer Data or termination of the relevant account or organization, TemplateDocs will delete Customer Personal Data in accordance with the Service's deletion and retention processes, except where retention is required by applicable law.

Customer acknowledges that:

11. International Transfers

TemplateDocs's primary application infrastructure, databases, queues, and file storage are located in Europe.

ByteSail is established in Israel, and authorized personnel may access Customer Personal Data from Israel where necessary to provide and support the Service.

Where Customer Personal Data is transferred to a country or recipient that is not covered by an applicable adequacy decision or other lawful transfer basis, TemplateDocs will use appropriate safeguards as required by Applicable Data Protection Law, which may include applicable standard contractual clauses.

12. Duration and Termination

This DPA remains in effect for as long as TemplateDocs processes Customer Personal Data on behalf of Customer.

Termination of the Terms automatically terminates this DPA, subject to provisions that by their nature must survive while Customer Personal Data remains in TemplateDocs's possession or control.

13. Governing Terms

This DPA forms part of and is subject to the Terms. The liability provisions and governing law provisions of the Terms apply to this DPA unless Applicable Data Protection Law requires otherwise.

14. Contact

Questions or requests relating to this DPA may be sent to:

Email: support@templatedocs.io

ByteSail
23 Eretz Binyamin
Kfar Adummim
Israel


Annex I - Details of Processing

Subject Matter

Processing of Customer Personal Data as necessary to provide the TemplateDocs document automation and workflow service.

Duration

For the duration of Customer's use of the Service and for applicable retention periods described below, unless longer retention is required by law.

Nature and Purpose of Processing

TemplateDocs may collect, receive, store, organize, retrieve, use, transform, generate, transmit, disclose at Customer's direction, secure, and delete Customer Personal Data for purposes including:

Categories of Data Subjects

Depending on Customer's use of the Service, Data Subjects may include:

Types of Personal Data

Depending on Customer's use of the Service, Customer Personal Data may include:

TemplateDocs does not determine or control the categories of personal data that Customer chooses to process.

Retention


Annex II - Technical and Organizational Measures

TemplateDocs maintains measures appropriate to the current nature and scale of the Service, including:

Access Control

Data Isolation

Encryption and Secrets

Availability and Recovery

Monitoring and Incident Management


Annex III - Subprocessors

TemplateDocs currently uses the following Subprocessors in connection with the Service:

SubprocessorPurposeCustomer Personal DataProcessing Location
Google Cloud Platform and Google services

Cloud services and infrastructure, logging, secrets management, document processing, and URL-safety scanning

YesPrimarily European Union; some security services may operate globally
SupabaseDatabase, authentication, file storage, and backupsYesEuropean Union
ResendDefault workflow email deliveryYesUnited States and European Union
Microsoft Azure and Microsoft servicesAdditional cloud services and document processingYesDepends on the service and configuration
OpenAI, Anthropic, and Google AICustomer-invoked AI features and automated outbound-email moderationYes, when applicableUnited States and other locations depending on provider and service

Mixpanel receives masked or pseudonymized product analytics and error telemetry and is configured for EU data residency. TemplateDocs does not intentionally send Customer content to Mixpanel.

Paddle processes account and billing information as merchant of record and does not process Customer Data on behalf of TemplateDocs.

Customer-configured SMTP servers and other third-party destinations selected by Customer are not TemplateDocs Subprocessors solely because TemplateDocs transmits data to them at Customer's instruction.