Draftbox Legal

Data Processing Agreement

This Data Processing Agreement, or DPA, describes the terms under which Draftbox processes personal data on behalf of business customers, teams, and organizations that use Draftbox as a processor or service provider.

Last updated: May 21, 2026

1. Scope

This DPA applies when a customer acts as a controller or business and Draftbox processes personal data on the customer’s behalf in connection with the Draftbox services.

2. Subject Matter and Duration

The subject matter of the processing is the provision of Draftbox, including account management, workspace operations, storage, uploads, search, collaboration, connected third-party service integrations, security, and AI-assisted features requested by the customer.

Processing continues for the duration of the customer’s use of the service and for any additional period required for secure deletion, backup handling, legal compliance, or dispute resolution.

3. Nature and Purpose of Processing

Draftbox may process personal data to:

  • Host and operate customer workspaces and user accounts.
  • Store, retrieve, version, and organize customer content.
  • Process uploads, generate previews, and extract text.
  • Enable collaboration, permissions, invitations, and sharing.
  • Index customer content, generate summaries, and support retrieval and AI-assisted workflows requested by the customer.
  • Process connected-service data from Google Calendar, Google Drive, GitHub, or similar integrations when the customer enables those features.
  • Maintain security, logging, and abuse prevention controls.

4. Categories of Data Subjects and Personal Data

Data subjects may include the customer’s users, employees, contractors, collaborators, contacts, customers, and other individuals whose personal data is included in customer content.

Personal data may include account identifiers, contact details, profile data, document content, files, attachments, calendar data, repository content, shared workspace data, AI prompts, derived summaries, extracted text, and operational metadata.

5. Customer Instructions

Draftbox will process personal data only on documented instructions from the customer, including the customer’s use of service settings, configuration choices, connected integrations, feature invocations, and administrator actions, unless otherwise required by applicable law.

6. Confidentiality

Draftbox will ensure that personnel authorized to process personal data are subject to confidentiality obligations or an appropriate statutory duty of confidentiality.

7. Security Measures

Draftbox applies technical and organizational security measures appropriate to the risks presented by the processing, including authentication controls, password hashing, session handling, role-based access checks, scoped access to uploads, rate limiting, audit trails for selected sensitive workflows, and redaction or policy controls in supported AI contexts.

8. Subprocessors

Customer authorizes Draftbox to use subprocessors and service providers needed to deliver the service. Current processor-supporting categories include authentication providers, email delivery providers, AI providers, object-storage providers, hosting providers, managed database providers, and source-platform integrations.

As of the date of this page, Draftbox infrastructure may involve providers such as Google; WorkOS; Amazon S3-compatible storage for text-indexable documents and generated image derivatives; Backblaze B2, where enabled, for original non-text uploads and media objects; Resend; and GitHub, depending on the features enabled by the customer.

9. International Transfers

Where personal data is transferred internationally, Draftbox will implement appropriate transfer safeguards where required by applicable law.

10. Assistance to the Customer

Taking into account the nature of the processing and information available to Draftbox, Draftbox will provide reasonable assistance to help the customer respond to data subject requests and satisfy obligations related to security incidents, impact assessments, and regulatory inquiries, to the extent required by law and reasonably feasible.

11. Return and Deletion

Upon termination of the relevant services, Draftbox will delete or return personal data as provided by the service functionality, customer configuration, or applicable law, except to the extent continued retention is required for backup integrity, security, dispute resolution, or legal obligations.

12. Audits and Information Requests

Draftbox will make available information reasonably necessary to demonstrate compliance with this DPA and may satisfy audit-related requests through documentation, security materials, written responses, or other reasonable verification methods.

13. AI and Connected-Service Data Restrictions

Where the customer enables Google Calendar, Google Drive, GitHub, or similar connected-service features, Draftbox will process the resulting data only to provide the customer-requested service functionality.

Draftbox will not use data obtained from Google Workspace APIs to develop, improve, or train generalized artificial intelligence or machine learning models.

14. Contact

For DPA-related requests, contact support@fixpro.gr.