Data Processing Addendum (DPA)
Last updated: 1 June 2026
1. Purpose and status
This DPA sets out Article 28-ready processor terms for customer organizations that use Doqubox to request, receive, or send documents containing personal data.
It is intended to document the main processing commitments between the customer organization and Aer Software Solutions BV, trading as Doqubox. If your organization needs a signed version or additional contractual language, contact support@doqubox.com.
2. Parties and roles
-
Customer organization:Controller for personal data uploaded, requested, exchanged, or otherwise processed through its Doqubox account.
-
Doqubox:Processor for customer content, document exchange metadata, recipient details, and related service data processed on behalf of the customer.
-
Doqubox as controller:Independent controller for limited business data such as billing, account administration, security, and statutory records.
3. Subject matter and duration
The processing concerns secure document exchange, document requests, recipient verification, retention handling, notifications, account administration, support, billing, and security operations.
Processing continues for the duration of the customer relationship and any wind-down period needed to delete, return, or legally retain data.
4. Processing instructions
Doqubox processes customer personal data only on documented customer instructions, including instructions expressed through product configuration, user actions, support requests, or the agreement between the parties.
Doqubox may process data where required by Union or Member State law. If legally permitted, Doqubox will inform the customer before carrying out that legal requirement.
5. Data subjects and data categories
Data subjects may include customers, clients, employees, contractors, applicants, patients, tenants, buyers, sellers, suppliers, and other individuals whose documents are exchanged by the customer.
Personal data may include account details, contact details, file content, document request details, message metadata, verification data, activity records, billing identifiers, and support communications. The customer determines the actual document content uploaded to Doqubox.
6. Security measures
Doqubox maintains technical and organizational measures designed to protect personal data against unauthorized access, loss, misuse, and accidental disclosure. These measures include encryption in transit, encrypted storage, access controls, passkey-based authentication, retention controls, monitoring, and subprocessors selected for EU-oriented operations.
More detail is available on the security page. Customer responsibilities, such as choosing appropriate recipients and downloading documents before expiry, remain important.
7. Confidentiality
Doqubox ensures that personnel authorized to process customer personal data are subject to confidentiality obligations and receive access only where needed for service delivery, support, security, or legal obligations.
8. Subprocessors
Doqubox may use subprocessors for hosting, storage, delivery, payments, analytics, or other service components. Doqubox remains responsible for subprocessors used to process customer personal data and requires suitable data protection commitments from them.
The current list is available on the subprocessors page. Material changes will be reflected there.
9. Data subject requests
Taking into account the nature of the processing, Doqubox will provide reasonable assistance to help customers respond to requests from data subjects, including access, correction, deletion, restriction, objection, and portability requests where applicable.
10. Personal data breaches
Doqubox will notify affected customers without undue delay after becoming aware of a personal data breach involving customer personal data processed by Doqubox, and will provide information reasonably available to support the customer's own notification obligations.
11. Return, deletion, and retention
Doqubox supports automatic deletion of temporary document exchange data and applies retention periods by data category. At the end of service, customer personal data is returned or deleted unless continued retention is required by law or needed for legitimate security, accounting, or dispute handling purposes.
See the retention page for the current retention matrix.
12. Audit and information support
Doqubox will make information reasonably necessary to demonstrate compliance with these processor obligations available to customers, subject to confidentiality, security, and operational limits. Where an audit is required, the parties will agree practical scope, timing, and safeguards in advance.
13. International transfers
Doqubox aims to use EU-based infrastructure and suppliers where practical. If customer personal data is transferred outside the EEA, Doqubox applies appropriate safeguards where required, such as an adequacy decision or Standard Contractual Clauses.
14. Customer responsibilities
- Define lawful purposes and legal bases for the documents requested or sent.
- Use suitable wording in document requests and avoid collecting data that is not needed.
- Manage account access, recipient details, retention expectations, and internal downloads carefully.
- Inform Doqubox promptly if a support request involves sensitive or urgent data protection issues.
For signed DPA terms, security questions, or procurement review, contact support@doqubox.com.