Data Processing Agreement (DPA)

Last Updated: May 21, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service or any other written agreement entered into between Contractzy (“Processor”, “we”, “our”, or “us”) and the customer (“Controller” or “you”) governing the use of Contractzy’s contract lifecycle management platform and related services.

Contractzy recognizes the importance of protecting Personal Data and is committed to processing such data responsibly, securely, and in compliance with applicable global data protection laws, including the General Data Protection Regulation (GDPR), UK GDPR, and other applicable privacy regulations.

1. Definitions

Controller

The entity that determines the purposes and means of processing Personal Data.

Processor

Contractzy, which processes Personal Data on behalf of the Controller.

Personal Data

Any information relating to an identified or identifiable natural person processed through the Services.

Sub-Processor

Any third-party entity engaged by Contractzy to support the delivery of the Services involving the processing of Personal Data.

DPO

The designated Data Protection Officer responsible for overseeing privacy and data protection compliance.

2. Scope of Processing

Contractzy processes Personal Data solely for the purpose of providing, maintaining, securing, and improving the Services in accordance with the Controller’s documented instructions and applicable contractual obligations.

This includes activities such as:

  • Hosting and storing customer contract data
  • Facilitating contract execution workflows
  • Managing user authentication and permissions
  • Sending transactional communications and notifications
  • Monitoring system performance and security
  • Maintaining audit logs and compliance records

Contractzy does not sell customer data, profile users for advertising purposes, or process Personal Data for unrelated commercial activities.

3. Categories of Data Processed

Depending on the Services used, Contractzy may process the following categories of Personal Data:

  • User account information
  • Contract metadata
  • Contract documents and attachments
  • Business contact information
  • Email communication data
  • Usage analytics and audit logs
  • Workflow, approval, and signature records
  • IP addresses and device/browser information
  • Customer support and communication records

The exact nature and extent of data processed depends on the features and integrations enabled by the Controller.

4. Data Subject Rights

Contractzy shall, to the extent legally permitted, promptly notify the Controller if it receives a request from a Data Subject relating to:

  • Access to Personal Data
  • Rectification or correction
  • Erasure (“Right to be Forgotten”)
  • Restriction of processing
  • Data portability
  • Objection to processing
  • Withdrawal of consent where applicable

Contractzy will provide commercially reasonable assistance to help the Controller fulfill such requests in accordance with applicable data protection laws.

For additional information regarding how Personal Data is handled, please review our Privacy Policy.

5. Authorized Sub-Processors

To provide, maintain, and support the Services, Contractzy engages trusted third-party Sub-Processors that may process Personal Data on our behalf.

| Sub-Processor | Location | Purpose |
| --- | --- | --- |
| Amazon Web Services (AWS) | Global / India / Singapore / USA | Cloud hosting, storage, and infrastructure |
| Razorpay Software Private Limited | India | Payment processing in India |
| DocuSign | USA / Global | Electronic signature services |
| Zoho Sign | India / Global | Electronic signature services |
| emSigner | India | Electronic signature services |
| Digio | India | Electronic signature and KYC services |
| OnlyOffice | Global | Document editing and collaboration |
| Mailgun | USA / Global | Transactional email delivery |

Contractzy ensures that all Sub-Processors are subject to contractual obligations and data protection commitments that provide safeguards no less protective than those outlined in this DPA.

Contractzy may update its list of Sub-Processors from time to time as operational or technical requirements evolve.

6. Security Measures

Contractzy maintains appropriate technical and organizational safeguards designed to protect Personal Data against unauthorized access, disclosure, alteration, loss, or destruction.

Encryption

  • Data encrypted in transit using TLS 1.2+
  • Encryption at rest using industry-standard encryption mechanisms
  • Secure HTTPS communication across platform services

Access Controls

  • Role-Based Access Control (RBAC)
  • Principle of least privilege
  • Multi-factor authentication for internal systems
  • Restricted production environment access

Monitoring & Logging

  • Continuous system activity monitoring
  • Audit logs and access tracking
  • Security event monitoring and alerting
  • Infrastructure and application performance monitoring

Infrastructure & Operational Security

  • Secure cloud hosting environments
  • Regular software and infrastructure updates
  • Internal access management procedures
  • Backup and disaster recovery mechanisms

Incident Response

Contractzy maintains internal procedures for identifying, managing, investigating, and responding to security incidents and data breaches.

Where legally required, Contractzy will notify affected customers without undue delay after becoming aware of a confirmed breach involving Personal Data.

7. International Data Transfers

Where Personal Data is transferred outside the applicable jurisdiction, Contractzy implements appropriate safeguards to ensure lawful and secure cross-border data transfers.

Such safeguards may include:

  • Contractual data protection obligations
  • Standard Contractual Clauses (SCCs) where applicable
  • Industry-standard encryption and security measures
  • Vendor due diligence and compliance reviews

For customers subject to GDPR or UK GDPR requirements, applicable transfer mechanisms may apply where legally required.

8. Data Retention, Deletion & Return

Contractzy retains Personal Data only for as long as necessary to provide the Services, comply with legal obligations, resolve disputes, and enforce contractual agreements.

Upon termination or expiration of the Services, Contractzy will, upon written request and subject to applicable legal obligations:

  • Return customer data, or
  • Securely delete Personal Data from its systems within a commercially reasonable timeframe

Certain information may be retained where required by law, regulation, tax obligations, fraud prevention requirements, or legitimate security and audit purposes.

Backup copies may persist temporarily in secure archival systems before being automatically deleted according to retention schedules.

9. Audit & Compliance

Upon reasonable written request, Contractzy may provide relevant information regarding its security and compliance practices to demonstrate adherence to this DPA.

Any audit or assessment requests must:

  • Be reasonable in scope
  • Avoid disruption to operations
  • Protect the confidentiality and security of other customers
  • Comply with Contractzy’s security and access procedures

Contractzy reserves the right to satisfy audit requests through the provision of existing compliance documentation, certifications, or third-party audit reports where appropriate.

10. Data Protection Officer (DPO)

Contractzy has appointed a Data Protection Officer (DPO) responsible for overseeing privacy and data protection compliance matters.

DPO Contact Details

Data Protection Officer
Contractzy Privacy Team
Email:

11. Contact Information

For privacy, security, compliance, or data protection-related inquiries, please contact:

Email: privacy@contractzy.io
Website: Contractzy