DATA PROCESSING AGREEMENT
Introduction
This Data Processing Agreement, including all exhibits attached hereto (this “DPA”), is entered into between Ace Workflow Inc., a Delaware corporation (“Processor”) and customers of the Processor (each, a “Customer”) in connection with Processor’s provision of services to Customer under any existing, written, and currently valid agreements (including any terms of service, non-disclosure agreements, order forms, or other document that governs) to which this DPA is attached or incorporated by reference (the “Agreement”). This DPA is effective as of the date on which such Agreement is signed. This DPA reflects the parties’ agreement with regard to the processing of Customer Personal Data, as defined below.
Definitions
For purposes of this DPA, the terms below have the following meanings.
- “Affiliate” means any entity that directly or indirectly controls, is controlled by or is under common control with the subject entity, where “control” refers to the power to direct or cause the direction of the subject entity, whether through ownership of voting securities, by contract or otherwise.
- “Customer Personal Data” means any data provided by Customer in connection with the Agreement that constitutes Personal Data.
- “Data Protection Laws” means, with respect to a party, all privacy, data protection and information security-related laws and regulations applicable to such party’s Processing of Personal Data, including but not limited to, where applicable, the California Consumer Privacy Act, as amended (the “CCPA”), the General Data Protection Regulation (“GDPR”), the United Kingdom General Data Protection Regulation (“UK GDPR”), and the Federal Act on Data Protection of 25 September 2020 (“FADP”).
- “Data Subject” means the identified or identifiable natural person who is the subject of Personal Data and includes “Consumer” as this term is defined by applicable Data Protection Law.
- “Process” or “Processing” means any operation or set of operations which is performed on Personal Data or on sets of Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation or alteration, retrieval, consultation, use, disclosure by transmission, dissemination or otherwise making available, alignment or combination, restriction, erasure or destruction.
- “Personal Data” means “personal data”, “personal information”, “personally identifiable information” or similar information defined in and governed by Data Protection Laws.
- “Restricted Transfer” means (i) where the GDPR applies, a transfer of personal data from the European Economic Area to a country outside of the European Economic Area which is not subject to an adequacy determination by the European Commission; (ii) where the UK GDPR applies, a transfer of personal data from the United Kingdom to any other country which is not based on adequacy regulations pursuant to Section 17A of the United Kingdom Data Protection Act 2018; and (iii) where the FADP applies, a transfer of Personal Data from Switzerland to any country which is not recognized to provide adequate protection by the Swiss Federal Data Protection and Information Commissioner.
- “Security Incident” means any confirmed unauthorized or unlawful breach of security that leads to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of or access to Personal Data being Processed by Processor. Security Incidents do not include unsuccessful attempts or activities that do not compromise the security of Personal Data, including unsuccessful log-in attempts, pings, port scans, denial of service attacks or other network attacks on firewalls or networked systems.
- “Standard Contractual Clauses” means the standard contractual clauses for the transfer of Personal Data to third countries pursuant to the GDPR and adopted by the European Commission Decision 2021/914 of 4 June 2021, which are incorporated herein by reference and available at: https://eur-lex.europa.eu/legal-content/EN/TXT/PDF/?uri=CELEX:32021D0914&from=EN
- “Subprocessor” means any third party authorized by Processor or its Affiliates to Process any Customer Personal Data.
- “UK SCC” means the UK ‘International data transfer addendum to the European Commission’s standard contractual clauses for international data transfers’, available at: https://ico.org.uk/media2/migrated/4019539/international-data-transfer-addendum.pdf, as adopted, amended or updated by the UK's Information Commissioner's Office, Parliament or Secretary of State.
- “Third Party Subprocessor” means any Subprocessor who is not an Affiliate of Processor.
General; Termination
- This DPA forms part of the Agreement and except as expressly set forth in this DPA, the Agreement remains unchanged and in full force and effect. If there is any conflict between this DPA and the Agreement, this DPA shall govern.
- Any liabilities arising under this DPA are subject to the limitations of liability in the Agreement.
- This DPA will be governed by and construed in accordance with governing law and jurisdiction provisions in the Agreement, unless required otherwise by applicable Data Protection Laws.
- This DPA will automatically terminate upon expiration or termination of the Agreement.
Scope of this DPA
- This DPA applies to Processor’s Processing of Customer Personal Data under the Agreement. Both parties acknowledge and agree that Processor is a “service provider” or “processor” and Customer is a “controller” or “business” under applicable Data Protection Laws.
- The parties acknowledge and agree that (a) the subject matter of the Processing under the Agreement is Processor’s provision of the Services; (b) the duration of the Processing is from Processor's receipt of Customer Personal Data until deletion of all Customer Personal Data by Processor in accordance with the Agreement; (c) the nature and purpose of the Processing is to provide the Services; (d) the Data Subjects to whom the Processing pertains are as stated in the Agreement; and (e) the categories of Customer Personal Data are as stated in the Agreement.
Role and Scope of the Processing
- Processor will Process Customer Personal Data only in accordance with Customer’s instructions. By entering into the Agreement, Customer instructs Processor to Process Customer Data to provide the Services and pursuant to any other written instructions given by Customer and acknowledged in writing by Processor as constituting instructions for purposes of this Agreement. Customer acknowledges and agrees that such instruction authorizes Processor to Process Customer Data (a) to perform its obligations and exercise its rights under the Agreement; and (b) to perform its legal obligations and to establish, exercise or defend legal claims in respect of the Agreement.
- Processor shall not (a) sell Customer Personal Data; (b) retain, use or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services; or (c) retain, use or disclose the Customer Personal Data outside of the direct business relationship between Processor and Customer. The parties acknowledge and agree that Processor's access to Customer Personal Data does not constitute part of the consideration exchanged by the parties in respect of the Agreement.
- Processor will ensure that persons authorized to Process the Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Subprocessing
- Customer specifically authorizes Processor to use its Affiliates (if any) as Subprocessors, and generally authorizes Processor to engage Third Party Subprocessors to Process Customer Personal Data. Customer hereby authorizes Processor to engage such Subprocessors listed in Annex II to this DPA. Processor:
- shall enter into a written agreement with each Subprocessor, imposing data protection obligations substantially similar to those set out in this DPA; and
- remains liable for compliance with the obligations of this Agreement and for any acts or omissions of the Subprocessor that cause Processor to breach any of its obligations under this DPA.
- When any new Third Party Subprocessor is engaged to process Personal Data for a purpose that is not disclosed in Processor’s Privacy Policy (https://www.aceworkflow.io/legal/privacy), Processor will notify Customer of the engagement. Processor will give such notice at least ten (10) calendar days before the new Subprocessor Processes any Customer Personal Data, except that if Processor reasonably believes engaging a new Subprocessor on an expedited basis is necessary to protect the confidentiality, integrity or availability of the Customer Personal Data or avoid material disruption to the Services, Processor will give such notice as soon as reasonably practicable. If, within five (5) calendar days after such notice, Customer notifies Processor in writing that Customer objects to Processor's appointment of a new Third Party Subprocessor based on reasonable data protection concerns, the parties will discuss such concerns in good faith and whether they can be resolved. If the parties are not able to mutually agree to a resolution of such concerns, Customer, as its sole and exclusive remedy, may terminate the Agreement for convenience.
Security
- Processor shall implement and maintain reasonable technical, administrative, physical, and organizational security measures designed to protect Customer Personal Data from Security Incidents and to preserve the security and confidentiality of the Customer Personal Data (“Security Measures”), as detailed in Annex I.
- Customer is responsible for reviewing the information made available by Processor relating to data security and making an independent determination as to whether the Services meet Customer’s requirements and legal obligations under Data Protection Laws. Customer acknowledges that the Security Measures may be updated from time to time upon reasonable notice to Customer to reflect process improvements or changing practices (but the modifications will not materially decrease Processor's obligations as compared to those reflected in such terms as of the Effective Date).
- Upon becoming aware of a confirmed Security Incident, Processor shall notify Customer without undue delay, unless prohibited by applicable law. A delay in giving such notice due to request by law enforcement and/or in light of Processor's legitimate needs to investigate or remediate the matter before providing notice shall not constitute an undue delay. Such notices will describe, to the extent possible, details of the Security Incident, including steps taken to mitigate the potential risks and steps Processor recommends Customer take to address the Security Incident. Without prejudice to Processor's obligations under this Section 7.c., Customer is solely responsible for complying with Security Incident notification laws applicable to Customer and fulfilling any third party notification obligations related to any Security Incidents. Processor's notification of or response to a Security Incident under this Section 7.c. will not be construed as an acknowledgement by Processor of any fault or liability with respect to the Security Incident.
- Customer agrees that, without limitation of Processor's obligations under this Section 7, Customer is solely responsible for its use of the Services, including (a) making appropriate use of the Services to ensure a level of security appropriate to the risk in respect of the Customer Data; (b) securing the account authentication credentials, systems and devices Customer uses to access the Services; (c) securing Customer’s systems and devices that it uses with the Services; and (d) maintaining its own backups of Customer Personal Data.
Audits and Reviews for Compliance
To the extent applicable Data Protection Laws include a right for Customer to audit Processor's Processing of Customer Personal Data, Customer will exercise such audit right, not more than once per calendar year and at Customer's expense, and Processor shall respond promptly and adequately with respect to inquiries from the Customer about the Processing of Customer Personal Data and shall make available to the Customer all information reasonably necessary to demonstrate compliance with its obligations under the Data Protection Laws and this DPA. Processor shall allow for audits, including inspections, by the Company or an auditor on its behalf in relation to the Processing of the Customer Personal Data.
Transfers
- Where the GDPR, UK GDPR, or Swiss FADP is applicable, if the Processing of Customer Personal Data by Processor (or by its approved Sub-Processor) includes a Restricted Transfer (either directly or through an onward transfer), Processor shall comply with the Standard Contractual Clauses and UK SCCs, which are hereby incorporated.
- In furtherance of the foregoing, the parties agree that:
- for purposes of the Standard Contractual Clauses, (a) Customer will act as the data exporter and (b) Processor will act as the data importer;
- for purposes of Appendix 1 to the Standard Contractual Clauses, the Data Subjects, categories of data, and the processing operations shall be as set out in Section 4b of this DPA;
- for purposes of Appendix 2 to the Standard Contractual Clauses, the technical and organizational measures shall be the Security Measures;
- upon data exporter's request under the Standard Contractual Clauses, data importer will provide the copies of the Subprocessor agreements that must be sent by the data importer to the data exporter pursuant to Clause 5(j) of the Standard Contractual Clauses, and data importer may remove or redact all commercial information or clauses unrelated to the Standard Contractual Clauses or their equivalent beforehand;
- the audits described in Clause 5(f) and Clause 12(2) of the Standard Contractual Clauses shall be performed in accordance with Section 8 of this DPA;
- Customer's authorizations in Section 6 of this DPA will constitute Customer's prior written consent to the subcontracting by Processor of the Processing of Customer Personal Data if such consent is required under Clause 5(h) of the Standard Contractual Clauses;
- certification of deletion of Customer Personal Data as described in Clause 12(1) of the Standard Contractual Clauses shall be provided only upon Customer's request;
- Clause 7 of the Standard Contractual Clauses shall not be applicable;
- In Clause 9, option 2 (general written authorization) shall apply and the method for appointing and time period for prior notice of Subprocessor changes shall be as set forth in the Sub-Processing Section of the DPA;
- In Clause 11, the optional language will not apply, and data subjects shall not be able to lodge a complaint with an independent dispute resolution body;
- In Clause 17, option 1 shall apply. The parties agree that the Standard Contractual Clauses shall be governed by the laws of the Republic of Ireland;
- In Clause 18(b) the parties choose the courts of the Republic of Ireland, as their choice of forum and jurisdiction; and
- the Standard Contractual Clauses shall automatically terminate once the Customer Personal Data transfer governed thereby becomes lawful under Chapter V of the GDPR in the absence of such Standard Contractual Clauses on any other basis.
- Terms agreed for the Standard Contractual Clauses are agreed for the UK SCCs.
- The UK SCCs shall be governed by the laws of England and Wales, and the competent supervisory authority is the Information Commissioner’s Office.
Data Subject Requests
Processor shall upon Customer’s request (and at Customer’s expense) provide Customer with such assistance as it may reasonably require to comply with its obligations under Data Protection Laws to respond to requests from individuals to exercise their rights under Data Protection Laws (e.g., rights of data access, rectification, erasure, restriction, portability and objection) in cases where Customer cannot reasonably fulfill such requests independently by using the self-service functionality of the Services. If Processor receives a request from a Data Subject in relation to their Customer Personal Data, Processor will advise the Data Subject to submit their request to Customer, and Customer will be responsible for responding to any such request.
Return or Deletion of Data
- Processor shall, within sixty (60) days after request by Customer following the termination or expiration of the Agreement, delete all of the Customer Personal Data from Processor's systems.
- Notwithstanding the foregoing, Customer understands that Processor may retain Customer Personal Data if required by law, which data will remain subject to the requirements of this Agreement.
Indemnification
Processor shall indemnify, defend, and hold harmless Company, its affiliates, and their respective officers, directors, and employees from and against all claims and proceedings and all liability, loss, costs, fines, and expenses (including reasonable legal fees) arising in connection with (i) Processor’s unlawful or unauthorized Processing, destruction of, or damage to any Company Personal Data; and/or (ii) Processor’s (including the Processor’s personnel and Sub-Processors) failure to comply with its obligations under this DPA or any further written Processing instructions given by Company in accordance with this DPA.
ANNEX I
TECHNICAL AND ORGANIZATIONAL MEASURES
Measures of Pseudonymisation and Encryption of Personal Data
- All personal data at rest is encrypted using AES-256.
- All personal data in transit is encrypted using TLS 1.2 or higher.
- Passwords and secret authentication data are hashed using industry-standard algorithms (e.g., bcrypt, Argon2).
- Pseudonymisation is applied to test data and analytical datasets where applicable.
- Encryption keys are managed through a documented key lifecycle policy, including secure generation, storage, and destruction (aligned with ISO 27001 A.10.1).
Measures for Ensuring Ongoing Confidentiality, Integrity, Availability, and Resilience
- Access to systems and data is restricted based on role and need-to-know, enforced via a formal Access Control Policy (A.8.1).
- Redundant infrastructure components are deployed to ensure availability of critical services (A.5.30).
- Regular data backups are performed and tested in accordance with a backup policy aligned with business continuity objectives (A.5.28).
- Capacity and resource usage are monitored and tuned regularly (A.5.29).
Measures for Restoring Availability and Access in the Event of an Incident
- Disaster recovery and business continuity plans are in place, tested at regular intervals (A.5.29, A.5.30).
- Backups are stored securely and are tested for restoration capability.
- Incident response and escalation procedures are documented and regularly reviewed (A.5.23–A.5.25).
Processes for Regular Testing, Assessment, and Evaluation
- Internal audits of the ISMS are conducted on a scheduled basis (Clause 9.2).
- Management reviews and ISMS performance evaluations occur at least annually (Clause 9.3).
- Vulnerability assessments are performed regularly; security patches are applied based on a documented change management process (A.5.22).
User Identification and Authorisation
- Formal processes exist for user registration, access provisioning, and de-provisioning (A.8.2.1).
- Multifactor authentication is enforced for all privileged or remote access.
- Privileged access is tightly controlled, logged, and reviewed periodically (A.8.2.3).
- Password policies enforce minimum strength, change frequency, and protection of authentication data (A.8.2.5–8.2.6).
Protection of Data in Transit
- All external and internal data transmissions involving personal data are encrypted using secure protocols (TLS 1.2+, SFTP) (A.10.1.1–10.1.2).
- Policies and technical controls are in place to ensure secure transfer between Ace Workflow and any sub-processors.
Protection of Data in Storage
- All storage media containing personal data is encrypted (A.5.12).
- Removable media is prohibited unless authorized and logged, and must follow formal handling and encryption procedures (A.5.13–A.5.15).
- Secure deletion of storage media is enforced using industry-standard overwriting or destruction (A.5.11).
Physical Security of Locations
- Access to physical premises is restricted and monitored (A.7.1–A.7.2).
- Secure areas are protected by badge access, video surveillance, and logging of entries and exits.
- Environmental safeguards protect against fire, flood, and power loss (A.7.4–A.7.9).
Event Logging and Monitoring
- Security event logs are generated, protected, and regularly reviewed (A.8.15–A.8.17).
- Logs include user activity, administrative actions, system access, and exceptions.
- Logging systems are configured to detect anomalous behavior and raise alerts.
System Configuration and Change Control
- All systems follow secure baseline configurations with documented hardening procedures (A.8.9).
- Changes to production systems are managed through a formal change control process (A.8.32–A.8.33).
- Configurations are reviewed regularly and monitored for unauthorized changes.
Internal Governance and Information Security Management
- A full ISMS is established, implemented, and maintained under ISO/IEC 27001 (Clauses 4–10).
- Roles and responsibilities for information security are clearly defined and communicated (Clause 5.3).
- Employees undergo mandatory security awareness training and regular refreshers (Clause 7.2–7.3).
Certification and Assurance
- Ace Workflow is pursuing ISO/IEC 27001:2022 certification.
- Internal audit processes validate ISMS conformance and control effectiveness (Clause 9.2).
- Supplier due diligence and ongoing monitoring are conducted for all processors and sub-processors (A.5.21).
Data Minimisation and Quality
- Only data strictly necessary for the defined purpose is collected and retained (A.5.1, A.5.2).
- Automated and manual data quality checks are performed during collection and processing.
- Personal data is regularly reviewed for accuracy and relevance.
Data Retention and Disposal
- Data retention is governed by a documented policy aligned with legal and business requirements (A.5.15).
- Data is securely deleted at end of lifecycle or upon request, with logs of deletion actions.
Data Subject Rights (Portability, Erasure)
- Ace Workflow supports data subject requests, including access, rectification, erasure, and data portability, within required timelines.
- Deletion and export mechanisms are in place to support GDPR Article 17 and Article 20 compliance.
Sub-Processor Security Measures
All sub-processors are contractually obligated to:
- Implement equivalent security controls to those defined above.
- Assist the controller in fulfilling its obligations under GDPR (including responding to data subject requests and breach notification).
- Undergo vetting, risk assessment, and regular security assurance checks.
ANNEX II
List of Sub-Processors