
Data Processing Agreement

GDPR Article 28 — Last updated: March 2026

This Data Processing Agreement (“DPA”) forms part of the agreement between the customer (“Controller”) and DocuFlag (“Processor”) for the provision of the DocuFlag service. This DPA is entered into pursuant to Article 28 of the General Data Protection Regulation (EU) 2016/679 (“GDPR”).

1. Definitions

  • “Controller” means the customer (visa agency or immigration professional) who uses DocuFlag.
  • “Processor” means DocuFlag (operated by DocuFlag).
  • “Data Subjects” means the visa applicants whose personal data is processed through the service.
  • “Personal Data” means any information relating to an identified or identifiable natural person processed under this DPA.
  • “Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • “Data Breach” means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Personal Data.

2. Scope of processing

Subject matter: AI-assisted document compliance checking for Schengen visa applications
Duration: For the term of the Controller's DocuFlag subscription
Nature of processing: Automated analysis of documents against published consulate requirements via EU-hosted infrastructure and AI
Purpose: To assist immigration professionals in verifying that client documents meet published visa requirements
Categories of data subjects: Visa applicants whose documents are submitted by the Controller
Types of personal data:
  • Identity data (names, dates of birth, nationalities, passport numbers) — transient, in-memory only
  • Financial data (account numbers, balances, transaction history) — transient, in-memory only
  • Travel data (itineraries, bookings, insurance details) — transient, in-memory only
  • Biometric data (passport photographs) — transient, in-memory only (Article 9 special category)
  • Document metadata (filenames, file types, page counts) — stored
  • Structured analysis results (field extractions, compliance observations) — stored
  • Encrypted case data blobs (if optional E2EE cloud storage is enabled) — stored as encrypted blobs on AWS S3 (EU region); server cannot decrypt; 180-day TTL with automatic expiry

Special category data (Article 9): Passport photographs may constitute biometric data. Even transient in-memory processing constitutes processing under GDPR. The Controller is responsible for obtaining explicit consent from Data Subjects (Article 9(2)(a)) before submitting passport documents for analysis.

3. Controller's instructions

The Processor shall process Personal Data only on documented instructions from the Controller, unless required to do so by EU or Member State law. The Controller's instructions are as set out in this DPA and the Terms of Service. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data protection provisions.

4. Confidentiality

The Processor shall ensure that all persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is limited to personnel who require it to provide the service.

5. Security measures (Article 32)

The Processor implements the following technical and organisational measures to ensure a level of security appropriate to the risk:

  • Documents are processed in-memory on EU-hosted infrastructure and are never written to disk, logged, or cached
  • All data in transit is encrypted via TLS 1.2 or higher
  • Analysis sessions are authenticated via short-lived tokens (5-minute expiry)
  • Role-based access control per organisation
  • Audit logging of all analysis events (non-PII metadata only)
  • Database encryption at rest
  • Optional E2EE cloud storage: three-layer key hierarchy — passphrase-derived KEK (PBKDF2, 600,000 iterations) wrapping RSA-OAEP 4096-bit keypair, which wraps per-organisation AES-256-GCM data encryption key. Server stores only encrypted blobs and encrypted key material; server cannot decrypt

A full risk assessment is available in our Data Protection Impact Assessment.

6. Sub-processors

The Controller grants general written authorisation for the Processor to engage the following sub-processors:

Sub-processor | Purpose | Location | Data retention
OpenAI (EU endpoint) | AI-powered document analysis | EU | Zero (not stored)
Hetzner Online GmbH | EU VPS infrastructure | EU | Not stored (in-memory)
AWS (Amazon Web Services EMEA SARL) | E2EE cloud storage (encrypted blobs only) | EU (eu-west-1 / eu-central-1) | 180-day TTL, auto-expiry
Stripe | Payment processing | US/EU | Per Stripe policy

The Processor shall notify the Controller at least 30 days before engaging any new sub-processor. The Controller may object to a new sub-processor in writing within that period. If the objection cannot be reasonably resolved, the Controller may terminate the agreement. The Processor ensures that all sub-processors are bound by data protection obligations equivalent to those in this DPA.

7. Data subject rights (Articles 15–22)

The Processor shall assist the Controller in responding to requests from Data Subjects exercising their rights under the GDPR, including rights of access, rectification, erasure, restriction, portability, and objection. DocuFlag provides case deletion and data export functionality for this purpose. Any requests received directly by the Processor from Data Subjects will be promptly redirected to the Controller.

8. Data breach notification (Articles 33–34)

The Processor shall notify the Controller without undue delay and in any event within 72 hours after becoming aware of a Personal Data Breach. The notification shall include:

  • The nature of the breach, including where possible the categories and approximate number of Data Subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

The Processor shall cooperate with the Controller and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.

9. Data protection impact assessment (Articles 35–36)

The Processor has conducted a Data Protection Impact Assessment, available at /dpia. The Processor shall assist the Controller with their own DPIA obligations if required, and with any prior consultation with supervisory authorities under Article 36.

10. Data deletion and return

Upon termination of the service, the Processor shall delete all Personal Data within 30 days. The Controller may export their data before termination using the built-in export functionality. Audit logs may be retained for up to 6 years as required for professional record-keeping obligations, after which they will be deleted.

Documents submitted for analysis are never stored by the Processor — they are processed in-memory only and discarded immediately after analysis.

If the Controller has enabled optional E2EE cloud storage, encrypted blobs stored on AWS S3 are subject to a 180-day TTL and are automatically deleted upon expiry. The Controller may also delete encrypted cloud data at any time via the application interface.

11. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28. The Controller (or their appointed third-party auditor) may conduct an audit of the Processor's compliance with this DPA once per year with at least 30 days' written notice. The Processor shall cooperate and provide access to relevant information, systems, and personnel.

12. International data transfers

All processing occurs within the European Union. Documents are processed by the Processor's EU-hosted analysis server and forwarded to OpenAI's EU endpoint (eu.api.openai.com). No Personal Data is transferred outside the European Economic Area. If a transfer outside the EEA becomes necessary in the future, the Processor shall ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

13. Liability

Each party shall be liable for damages caused by processing that infringes the GDPR, in accordance with Article 82. The Processor shall be liable only for damage caused by processing where it has not complied with obligations of the GDPR specifically directed to processors, or where it has acted outside of or contrary to the Controller's lawful instructions. Liability under this DPA is subject to the limitations set out in the Terms of Service.

14. Term and termination

This DPA is effective for the duration of the Controller's DocuFlag subscription. Termination of the subscription automatically triggers the data deletion provisions in section 10. The obligations in this DPA that by their nature should survive termination (including confidentiality, liability, and data deletion) shall survive.

15. Governing law

This DPA is governed by the laws of England and Wales, consistent with the Terms of Service. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.

Contact

For questions about this DPA, contact: [email protected]

This DPA is provided as a template and should be reviewed by qualified legal counsel before reliance. DocuFlag recommends that Controllers consult with their own legal advisors regarding their data protection obligations.