Data Processing Agreement (EU/EEA)

Version: 2026-03-19

Effective date: March 19, 2026

Processor: Jane Doe Communication AB

1. Parties and Scope

This Data Processing Agreement ("DPA") forms part of the customer agreement between the customer organization ("Controller") and Jane Doe Communication AB ("Processor"), org. no. 556663-5321, Björkvägen 20C, 191 41 Sollentuna, Sweden.

It applies when Processor processes personal data on Controller's documented instructions in connection with CLM Forge.

Veeva, Veeva Vault, and Veeva CLM are trademarks of their respective owners. CLM Forge is an independent software service and is not affiliated with, sponsored by, or endorsed by Veeva.

1a. Processing Details (Annex Summary)

Subject matter: Processing of personal data (if included by Controller) in uploaded files and related conversion outputs to provide the CLM Forge conversion service.

Duration: For the term of the customer agreement and subject to the retention and deletion rules described in this DPA and the Privacy Notice.

Nature and purpose: Storage, analysis, extraction of metadata, packaging, and delivery of conversion results, plus security logging and operational support.

Types of personal data: Names and contact details may appear in customer-provided content. Account and access data may include work email, username, role, and organisation membership; security logs may include login timestamps, IP addresses, and device/browser metadata.

Categories of data subjects: Customer organisation users (employees/contractors) and any individuals whose personal data may be included in uploaded content.

Local Runtime / Hybrid clarification: Where CLM Forge is deployed in a local runtime or hybrid model, customer content processed and stored locally remains under the customer's primary control. In that model, Processor may process only limited metadata necessary for authentication, licensing, account administration, and operational support, unless otherwise explicitly agreed in writing.

2. Processor Commitments (GDPR Article 28)

  • Process personal data only on documented instructions from Controller.
  • Ensure persons authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures (TOMs) to ensure a level of security appropriate to risk (see section 6).
  • Assist Controller with data subject requests (Articles 12–23) and compliance obligations, taking into account the nature of processing.
  • Assist Controller, where applicable, with security obligations, breach notifications (Articles 33–34), and data protection impact assessments (DPIAs, Article 35).
  • Make available information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits as set out in section 7.
  • Upon termination, delete or return personal data in accordance with Controller's instructions, subject to applicable legal retention requirements (section 8).
  • Not engage another processor (subprocessor) without appropriate contractual protections and transparency as described in section 4.

For Local Runtime or hybrid deployments, these Processor commitments apply only to the extent that Jane Doe Communication AB processes personal data on behalf of Controller through its online services or support activities. Customer remains the primary controller for personal data processed entirely within its own local environment.

3. Default Upload Restriction

Unless explicitly agreed in writing and technically enabled, users must not upload identifiable personal data in conversion workflows.

CLM Forge is not intended for the processing of special categories of personal data under Article 9 GDPR (including health data or patient identifiers), unless explicitly agreed in writing and appropriate controls are enabled.

For the purposes of this section, identifiable personal data includes direct or indirect identifiers such as names tied to identifiable individuals, patient identifiers, insurance/security numbers, personal contact details, or gender where identifying in context.

4. Subprocessors

Processor may engage subprocessors to provide hosting, storage, communications, and operational support services. Subprocessors are engaged under written contracts that provide GDPR-equivalent protections, including confidentiality and security obligations.

Trusted subprocessors may include:

  • Supabase (authentication, database, and optional storage fallback infrastructure).
  • Cloudflare (R2 object storage for uploaded/generated files when configured).
  • Transactional email providers for operational messages.
  • Support and operational tooling providers under contract.
  • Other contracted infrastructure providers required to run the service.

A current list of subprocessors (including purpose and location) is available upon request and may also be included in a customer Data Processing Agreement schedule where applicable. Processor will provide reasonable prior notice of material changes to subprocessors via documentation or email.

5. International Transfers

Where personal data is transferred outside the EEA, Processor applies lawful transfer mechanisms, including adequacy decisions or Standard Contractual Clauses (SCCs), with supplementary safeguards where required.

5a. AI and Automated Processing

CLM Forge may use automation to extract metadata and generate conversion outputs from uploaded files. Processor does not use customer-uploaded files or generated outputs to train public machine learning models, unless explicitly agreed in writing.

6. Security and Incident Response

Processor implements appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, least-privilege administration, logging, and secure hosting infrastructure.

In the event of a personal data breach affecting customer data, Processor will notify Controller without undue delay after becoming aware of the breach and will provide available information to support Controller's obligations under Articles 33–34 GDPR.

Processor maintains incident response procedures proportionate to risk and will provide remediation updates as information becomes available.

In Local Runtime or hybrid deployments, customer is responsible for the security of its own local environment, including local storage, device security, network controls, backup procedures, and internal access management.

7. Audit and Compliance Evidence

Processor will make available information reasonably necessary to demonstrate compliance with this DPA and GDPR Article 28. Audits may be conducted by an independent third party under the customer agreement's audit framework and subject to reasonable confidentiality, scope, and security constraints.

8. Return and Deletion

Upon termination or expiry of services, Processor will delete or return personal data in accordance with Controller's documented instructions, unless retention is required by applicable law.

Uploaded files and generated outputs are subject to retention and auto-cleanup policies described in the Privacy Notice. Where supported, customers may request extended retention (for example by pinning artifacts) before expiry.

In Local Runtime or hybrid deployments, locally stored customer content remains under customer control and is not subject to deletion by Processor unless separately transferred to Processor systems or otherwise expressly agreed.

9. Governing Terms

This DPA is read together with the customer agreement, Terms of Use, and Privacy Notice. If there is a conflict on data protection matters, the DPA terms prevail.

Service-use restrictions in the Terms of Use, including prohibitions on reverse engineering, extraction of non-public service information, and misuse of confidential information, apply in parallel with this DPA.

10. Contact

General contact: info@janedoe.se

Privacy contact: info@janedoe.se

Legal contact: info@janedoe.se

Security contact: info@janedoe.se