InkDraft

Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of InkDraft's Legal Terms and applies when InkDraft, operated by Hiestand Digital ("we", "us", "InkDraft"), processes personal data on behalf of a customer using InkDraft (the "Customer"). It gives effect to Article 28 GDPR, the equivalent UK GDPR provisions, and Article 9 of the Swiss Federal Act on Data Protection (FADP). Where it conflicts with the Legal Terms on the processing of Customer personal data, this DPA prevails.

1. Roles

For personal data contained in Customer content, transcripts, generated documents, signer details, comments, and related workflow data, the Customer is the controller and InkDraft is the processor. For account administration, billing, security, and legal-compliance data, InkDraft acts as an independent controller as described in the Privacy Policy.

2. Processing Instructions

InkDraft processes Customer personal data only on the Customer's documented instructions, including to provide, secure, and support the Services, and as required by applicable law. The Services as configured by the Customer, together with the Legal Terms and this DPA, constitute the Customer's complete documented instructions. InkDraft will not use Customer personal data for its own purposes and will not sell it. InkDraft will not use Customer personal data to train or improve its own or any third party's models; it may use only de-identified or aggregated data that no longer identifies any individual to operate and improve the Services. If InkDraft considers an instruction to infringe applicable data protection law, it will inform the Customer without undue delay.

3. Confidentiality, Security and Access

InkDraft restricts access to Customer personal data to authorized personnel and service providers who are bound by confidentiality obligations and need access to provide the Services. Authorized support personnel may access a Customer workspace, including by temporarily signing in to a user's account ("impersonation"), where reasonably necessary to provide support, investigate suspected abuse, fraud, or security incidents, or comply with law; such access is logged. InkDraft maintains technical and organizational measures designed to protect personal data against unauthorized access, loss, alteration, or disclosure.

4. AI Processing

InkDraft uses AI providers to generate draft documents and related outputs from Customer-provided content. InkDraft is not a law firm and generated outputs are drafts for human review. For OpenRouter-backed AI processing, InkDraft configures requests to route only to providers that do not collect customer content and to zero-data-retention endpoints where OpenRouter supports that control.

5. Sub-processors

InkDraft may engage the sub-processors listed in the Privacy Policy (/legal/privacy-policy) to process Customer personal data. InkDraft imposes data protection obligations on each sub-processor no less protective than those in this DPA and remains responsible for their processing. InkDraft will update the published list before authorizing any new sub-processor and, for Customers who request change notifications at info@inkdraft.io, will give at least 30 days' notice. The Customer may object on reasonable data-protection grounds within 30 days; if the parties cannot resolve the objection, the Customer may terminate the affected Services as its sole remedy.

6. International Transfers

Where personal data is transferred internationally, InkDraft relies on appropriate safeguards where required by applicable law, such as the European Commission's standard contractual clauses, the UK Addendum/IDTA, the Swiss-U.S. Data Privacy Framework, or other lawful transfer mechanisms.

7. Assistance

Taking into account the nature of the processing, InkDraft will provide reasonable assistance for data subject requests, security obligations, data protection impact assessments, and regulator consultations where required by applicable law. Requests by data subjects of the Customer that reach InkDraft directly will be redirected to the Customer.

8. Security Incidents

InkDraft will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer personal data, and will provide information reasonably available to help the Customer meet its legal obligations.

9. Deletion or Return

Upon termination of the Services, InkDraft will, at the Customer's choice, delete or return Customer personal data, except to the extent retention is required by applicable law or permitted by Section 9.1. The Customer may request deletion or return by emailing info@inkdraft.io; absent a request within 30 days of termination, InkDraft may delete Customer personal data in the ordinary course.

9.1 Evidence retention

Where documents have been shared, electronically signed, or paid for through the Services, InkDraft retains a limited set of records as evidence even after a Customer deletes its account or content. Specifically, InkDraft retains electronic-signature evidence (signer name, email, signature image, and signing timestamp) and payment records. These records are kept only as long as necessary to establish, exercise, or defend legal claims, prevent fraud, and meet financial and legal-retention obligations, and are then deleted. The signing IP address and browser user-agent are deleted automatically 90 days after signing.

10. Audits

InkDraft will make available to the Customer information reasonably necessary to demonstrate compliance with this DPA. Where the Customer reasonably requires further verification, InkDraft will respond to a documentation-based audit request; on-site inspection is a last resort, limited to once per year (absent a regulator requirement or a known breach), on reasonable prior notice during business hours, subject to confidentiality and at the Customer's cost.

11. Processing Annex

  • Subject matter: Processing of personal data to provide the InkDraft Services (AI-assisted generation, editing, sharing, electronic signature, and payment collection for business documents).
  • Duration: The term of the Customer's use of the Services, plus the retention periods in Section 9 and the Privacy Policy.
  • Nature and purpose: Hosting, storage, transmission, AI-assisted text generation, electronic-signature workflow, payment facilitation, support, security, and abuse prevention, on the Customer's behalf.
  • Types of personal data: Identification and contact data (names, email addresses); organization and counterparty details; the contents of transcripts, uploaded documents, and generated documents (which may contain personal data of the Customer's clients, counterparties, and other third parties); signer details (name, email, signature image, signing timestamp, IP address, user-agent); comments; and related workflow metadata.
  • Categories of data subjects: The Customer's personnel and users; the Customer's clients, counterparties, and prospects; document signers and recipients; and other individuals referenced in content the Customer provides.
  • Special categories: Not intended. The Customer must not submit special-category data except as incidentally contained in free-text content; the Legal Terms restrict regulated-data use.