1. Roles and responsibilities
For account, billing, and commercial relationship data, DocExtract Pro acts as a data controller.
For business documents and data imported by customers (invoices, validations, exports), DocExtract Pro acts as a data processor on customer instructions.
2. Applied GDPR principles
- Data minimization.
- Specified, explicit, and legitimate purposes.
- Limited and documented retention periods.
- Integrity, confidentiality, and access traceability.
- Ability to respond to rights requests.
3. Processing record (summary)
- User account and role management.
- Processing imported invoices and AI extraction of accounting fields.
- Operational notifications (validation, anomalies, payment deadlines).
- Critical action logging (audit log).
- Management of API/webhook/accounting connector integrations.
4. Data subject rights
Data subjects have rights of access, rectification, erasure, restriction, objection, and portability under applicable regulation.
Requests can be sent to privacy@getdocextract.com.
5. Technical and organizational measures
- Encryption of data in transit.
- Logical isolation of workspaces.
- Role-based permission model (RBAC).
- Audit trail for sensitive actions.
- Application monitoring and operational security management.
6. Data breach handling
In case of a security incident affecting personal data, DocExtract Pro applies an internal procedure: qualification, containment, remediation, documentation, and, where required, legal notification within applicable timelines.
7. Subprocessors and transfers
Subprocessors are selected based on security and compliance criteria. International transfers, when applicable, are governed by appropriate safeguards (standard contractual clauses and supplementary measures).
8. Contractual documentation (DPA)
A Data Processing Agreement (DPA) can be established with business customers to formalize respective responsibilities and protection measures.
9. Contact and complaints
Privacy contact: privacy@getdocextract.com.
If you believe your rights are not respected, you may also contact your competent supervisory authority (CNIL in France).