1. Purpose

This page outlines key data processing commitments between Doqubox and customer organizations where Doqubox processes personal data as a processor under GDPR Article 28.

2. Roles

• Customer organization: controller.
• Doqubox (Aer Software Solutions BV): processor.

3. Processing framework

Doqubox processes personal data only on documented customer instructions, to the extent required to provide the agreed service.

This includes process data related to document requests and transfers (such as sender/recipient details, subject lines, status, and metadata), alongside file content where processed by the customer organization within the service.

4. Core processor obligations

• Confidentiality commitments for authorized personnel.
• Appropriate technical and organizational security measures.
• Support for data subject rights requests.
• Personal data breach notification without undue delay.
• Support for security, DPIA, and compliance obligations.
• Information sharing and reasonable audit support.
• Deletion or return of data at service end, unless legal retention applies.

5. Subprocessors

Doqubox uses subprocessors for specific service components. See our current list on the subprocessors page.

6. International transfers

When transfers outside the EEA occur, appropriate safeguards are applied, such as adequacy decisions or Standard Contractual Clauses (SCCs), where required.