Data Processing Addendum

Version Date 1 April 2026

This Data Processing Addendum with its appendices (together, this "DPA") is incorporated into the agreement between the Service Provider and Customer that references it (the "Agreement"). The "Service Provider" means Draftable Pty Ltd or the entity identified as such in the Agreement (as applicable). This DPA is effective as of the effective date of the Agreement.

1. Data Processing.

1.1 Scope and Roles. This DPA applies when the Service Provider Processes Customer Personal Data in providing the Services under the Agreement. The parties agree that Customer is the Controller (or a Processor acting on another Controller's behalf) and the Service Provider is the Processor (or Sub-processor, as applicable) with respect to Customer Personal Data. This DPA does not apply to the Service Provider's Processing of Personal Data in its capacity as a Controller (such as account registration and billing data), which is governed by the Service Provider's Privacy Policy.

1.2 Processing Details. The Service Provider will only Process Customer Personal Data in accordance with the Agreement, this DPA (including Appendix A), and the applicable Order Form or SOW (together, the "Documented Instructions"). The Service Provider will promptly inform Customer if it becomes aware that the Documented Instructions violate Data Protection Laws.

1.3 Customer Obligations. Customer is responsible for ensuring that it has all necessary consents and legal bases for the disclosure and Processing of Customer Personal Data under this DPA. Customer will not submit special categories of Personal Data (under GDPR Article 9) or Personal Data relating to criminal convictions and offences (under GDPR Article 10) to the Service Provider for Processing, unless expressly agreed in writing.

1.4 Compliance. Each party will comply with all Data Protection Laws applicable to its performance under this DPA.

2. Duration. This DPA remains in effect until the later of (a) the expiration or termination of the Agreement, and (b) the deletion of Customer Personal Data in accordance with clause 7.

3. Security and Confidentiality. The Service Provider will implement and maintain appropriate technical and organisational measures to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, and unauthorised disclosure or access, as described in Appendix B (the "Security Measures"). The Service Provider will take appropriate steps to ensure compliance with the Security Measures by its employees, agents, contractors, and Subprocessors to the extent applicable to their scope of performance, including ensuring that all persons authorised to Process Customer Personal Data are bound by appropriate confidentiality obligations.

4. Subprocessors.

4.1 Authorisation. Customer generally authorises the Service Provider to engage Subprocessors in accordance with this clause 4. The Service Provider's current Subprocessors are listed in the Subprocessors List. The Service Provider will update the Subprocessors List at least 30 days before appointing a new Subprocessor.

4.2 Objections. Customer may object to a new Subprocessor on reasonable grounds related to the protection of Customer Personal Data by notifying the Service Provider in writing within 15 days of a Subprocessor change notification, in which case the Service Provider may satisfy the objection by: (a) not using the new Subprocessor to Process Customer Personal Data; (b) taking corrective steps requested by Customer; or (c) ceasing to provide the parts of the Services that involve the new Subprocessor. If none of these options are reasonably available and the objection has not been resolved within 15 days, either party may terminate the affected Order Form or SOW and the Service Provider will refund a pro rata share of any prepaid fees for the unexpired portion of the term.

4.3 Requirements. The Service Provider will enter into a written agreement with each Subprocessor containing data protection obligations equivalent to those in this DPA. The Service Provider will be liable for the acts and omissions of its Subprocessors to the same extent it would be liable if performing the relevant Processing directly.

5. Data Subject Requests. If the Service Provider receives a request from a Data Subject exercising rights under Data Protection Laws that relates to Customer Personal Data, the Service Provider will (a) advise the Data Subject to submit the request to Customer directly, and (b) promptly notify Customer of the request. Where required by Data Protection Laws, the Service Provider will provide reasonable assistance to Customer in fulfilling the request to the extent Customer is unable to address it on its own.

6. Government and Third-Party Requests. Unless prohibited by applicable law, the Service Provider will promptly notify Customer of any valid legal process or governmental request compelling the Service Provider to disclose Customer Personal Data and will redirect the request to Customer where possible. The Service Provider will not disclose Customer Personal Data to any third party except in accordance with this DPA, the Documented Instructions, or as required by applicable law.

7. Data Deletion. Within 30 days following the effective date of termination or expiry of the Agreement, the Service Provider will delete Customer Personal Data in its possession or control, unless retention is required by applicable law. Customer is responsible for exporting any Customer Personal Data it wishes to retain prior to the expiry of this 30-day period.

8. Personal Data Breaches.

8.1 Notification. The Service Provider will notify Customer promptly (and in any event within 72 hours) after becoming aware of a Personal Data Breach. The notification will describe: (a) the nature of the Personal Data Breach, including, if known, the categories and approximate number of Data Subjects and Personal Data records concerned; (b) the measures the Service Provider has taken, or plans to take, to respond to and mitigate the breach; and (c) the Service Provider's point of contact for the breach. If the Service Provider cannot provide all information in the initial notification, it will provide the information as soon as it is available.

8.2 Response. The Service Provider will promptly take all actions it deems necessary and advisable to identify and remediate the cause of a Personal Data Breach.

8.3 General. The Service Provider's notification of or response to a Personal Data Breach does not constitute an acknowledgement of fault or liability.

9. Audits.

9.1 Reports. On Customer's request, and subject to the confidentiality provisions of the Agreement, the Service Provider will make available to Customer copies of, or extracts from, relevant third-party audit reports or certifications related to the security of the Services.

9.2 Audit Rights. Customer may request an audit of the Service Provider's compliance with this DPA if required by Data Protection Laws and compliance cannot be demonstrated by less burdensome means (including under clause 9.1). Any such audit will: (a) be subject to at least 30 days' prior written notice; (b) not occur more than once in any 12-month period (unless required by a supervisory authority); (c) be conducted at a mutually agreed time and scope; and (d) be subject to the confidentiality provisions of the Agreement.

10. Impact Assessments. Taking into account the nature of the Processing and the information available to the Service Provider, the Service Provider will, when required by Data Protection Laws, provide reasonable assistance to Customer with data protection impact assessments and prior consultations with supervisory authorities, in each case to the extent related to the Service Provider's Processing of Customer Personal Data.

11. International Data Transfers.

11.1 Transfers from the EEA. Where a transfer of Customer Personal Data from the EEA is not subject to an applicable adequacy decision (a "Restricted Transfer"), the SCCs are incorporated into this DPA and apply as follows: (a) Module Two (controller-to-processor) applies where Customer is a Controller, and Module Three (processor-to-processor) applies where Customer is a Processor; (b) in Clause 7, the optional docking clause does not apply; (c) in Clause 9(a), Option 2 applies and the notice period for Subprocessor changes is as set out in clause 4 of this DPA; (d) in Clause 11(a), the optional language does not apply; (e) in Clause 17, Option 1 applies and the governing law is that of Ireland; (f) in Clause 18(b), disputes will be resolved before the courts in Dublin, Ireland; (g) Annexes I, II, and III of the SCCs are completed with the information in Appendices A and B to this DPA and the Subprocessors List.

11.2 Transfers from the UK. Where a Restricted Transfer is made from the UK, the UK Transfer Addendum is incorporated into this DPA and applies to the transfer, completed with the information in clause 11.1, Appendices A and B, and the Subprocessors List. Both "Importer" and "Exporter" are selected in Table 4.

11.3 Transfers from Switzerland. Where a Restricted Transfer is made from Switzerland, the SCCs apply as modified in clause 11.1, except that: (a) the competent supervisory authority is the Swiss Federal Data Protection and Information Commissioner; (b) references to "Member State" refer to Switzerland; and (c) references to the GDPR refer to the Swiss Federal Act on Data Protection.

11.4 Precedence. If any provision of this clause 11 is inconsistent with the SCCs, the SCCs prevail.

12. Liability. Each party's liability arising out of or related to this DPA is subject to the limitation of liability provisions of the Agreement.

13. Conflict. In the event of conflict between the Agreement, this DPA, and the SCCs, the following order of precedence applies: the SCCs; then this DPA; then the Agreement.

14. Modifications. The Service Provider may update this DPA where: (a) the change is required to comply with applicable law; or (b) the change does not materially reduce the security of the Services, does not expand the scope of the Service Provider's Processing, and does not have a material adverse impact on Customer's rights under this DPA.

15. Definitions. Capitalised terms not defined in this DPA or the Agreement have the following meanings:

"Controller" means the entity that determines the purposes and means of Processing Personal Data.

"Customer Personal Data" means the Personal Data contained within Customer Data (as defined in the Agreement).

"Data Protection Laws" means all data protection and privacy laws directly applicable to a party's Processing of Personal Data under the Agreement, including European Data Protection Laws and, where applicable, the Privacy Act 1988 (Cth).

"Data Subject" means the identified or identifiable natural person to whom Personal Data relates.

"European Data Protection Laws" means the GDPR; the UK GDPR; and any national data protection laws or implementing regulations made under them.

"GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).

"Personal Data" means any information relating to an identified or identifiable natural person.

"Personal Data Breach" means a breach of the Service Provider's security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Personal Data.

"Process" and "Processing" mean any operation performed on Personal Data, including collection, recording, organisation, storage, adaptation, retrieval, use, disclosure, alignment, restriction, erasure, or destruction.

"Processor" means the entity that Processes Personal Data on behalf of a Controller.

"SCCs" means the standard contractual clauses for international transfers annexed to the European Commission's implementing decision 2021/914, including as incorporated into the UK Transfer Addendum where applicable.

"Services" means the software, platform, support services, or other services provided by the Service Provider under the Agreement.

"Subprocessor" means any Processor engaged by the Service Provider to Process Customer Personal Data on the Service Provider's behalf in connection with the Services.

"Subprocessors List" means the list of Subprocessors available at http://www.draftable.com/legal/subprocessors.

"UK GDPR" means the EU GDPR as saved into United Kingdom law by virtue of section 3 of the European Union (Withdrawal) Act 2018.

"UK Transfer Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses, published by the UK Information Commissioner's Office on 21 March 2022.

Appendix A — Details of Processing

A. Parties

Data exporter: Customer (as identified in the Agreement or applicable Order Form). Role: Controller or Processor.

Data importer: The Service Provider (as identified in the Agreement). Address: Level 4, 180 Flinders Street, Melbourne, Victoria 3000, Australia. Contact: legal@draftable.com. Role: Processor or Sub-processor.

The parties agree that execution of the Agreement (including online acceptance of an Order Form) constitutes execution of this Appendix A.

B. Description of Processing

Categories of Data Subjects: Customer's employees, contractors, and end users who use the Services; individuals whose Personal Data may be contained in data or documents submitted to the Services.

Categories of Personal Data: Contact details (such as name and email address) provided during account setup, onboarding, or support interactions; telemetry and diagnostic data transmitted by the software which may incidentally contain Personal Data; data or document content submitted to the Services which may contain Personal Data.

Sensitive Data: None expected. Customer will not submit sensitive or special category Personal Data unless expressly agreed in writing.

Frequency of Transfer: Continuous during the term of the Agreement.

Nature and Purpose of Processing: Processing Customer Personal Data as necessary to provide the Services under the Agreement, including hosting and storage, data processing and extraction, telemetry and diagnostics, technical support, and incident resolution.

Retention: Customer Personal Data is retained for the duration of the Agreement and deleted in accordance with clause 7 of this DPA.

C. Competent Supervisory Authority

The competent supervisory authority determined in accordance with Data Protection Laws.

Appendix B — Technical and Organisational Measures

As of the date of this DPA, the Service Provider's Security Measures include the following:

Access Control. The Service Provider restricts access to Customer Personal Data to personnel with a defined need-to-know. User access controls address timely provisioning and de-provisioning of accounts.

Data Security. The Service Provider maintains technical safeguards to ensure the security and confidentiality of Customer Personal Data, including logical segregation of customer data in production environments.

Encryption. The Service Provider uses encryption at rest and in transit between public networks in accordance with industry-standard practice.

Business Continuity. The Service Provider maintains business continuity, backup, and disaster recovery plans to minimise loss of service. These plans are tested at regular intervals.

Vulnerability Management. The Service Provider regularly performs vulnerability scans and applies security patches in accordance with its patching schedule. Penetration testing is conducted at least annually.

Personnel. All personnel with access to Customer Personal Data are bound by appropriate confidentiality obligations and are required to complete security awareness training.

Governance. The Service Provider maintains an information security program that is reviewed at least annually.