Data Processing Agreement

Version 1.0 — Last updated April 2026

1. PARTIES

This Data Processing Agreement ("Agreement") is entered into between:

Data Controller ("Controller"): The customer who creates an account on the PARAFEER platform and uses the service to send documents for electronic signing.

Data Processor ("Processor"): Young Tomorrow, operating under the trade name PARAFEER, registered at Peppelveld 23, 6658LX Beneden-Leeuwen, The Netherlands.

This Agreement forms an integral part of the Terms of Service and is entered into at the moment the Controller creates an account on the PARAFEER platform.

2. SUBJECT AND DURATION

Subject: The Processor processes personal data on behalf of the Controller in the context of providing the PARAFEER electronic document signing platform.

Duration: This Agreement is effective for as long as the Controller has an active account on the PARAFEER platform. Upon account deletion, processing ceases and data is deleted in accordance with the retention periods described in this Agreement.

Nature of Processing: Storage, retrieval, transmission, and deletion of personal data as necessary to facilitate electronic document signing, audit trail generation, and email notifications.

3. TYPES OF PERSONAL DATA

The Processor processes the following categories of personal data on behalf of the Controller:

  • Account data: Name, email address, password (hashed)
  • Contact data: Names and email addresses of document recipients
  • Document data: Document content, templates, and merge field values
  • Signature data: Electronic signatures (typed or drawn), timestamps, consent records
  • Audit trail data: IP addresses, browser/device information, geolocation (when consented), page view timestamps
  • Billing data: Payment information processed through Mollie (the Processor does not store payment card details)

4. CATEGORIES OF DATA SUBJECTS

  • Account holders: Users who create and manage accounts on the platform
  • Team members: Users invited to a tenant organisation by the account holder
  • Document signers: Individuals who receive, review, and sign documents
  • Document viewers and CC recipients: Individuals who receive documents for viewing or informational purposes

5. OBLIGATIONS OF THE PROCESSOR

The Processor shall:

  • Process personal data only on documented instructions from the Controller, unless required by EU or Member State law
  • Ensure that persons authorised to process the personal data have committed themselves to confidentiality
  • Implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk
  • Not engage another processor without prior written authorisation of the Controller (see Section 7 for approved sub-processors)
  • Assist the Controller in responding to requests from data subjects exercising their rights under GDPR
  • Assist the Controller in ensuring compliance with obligations related to security, breach notification, data protection impact assessments, and prior consultation
  • At the choice of the Controller, delete or return all personal data upon termination of the service, and delete existing copies unless EU or Member State law requires storage
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28

6. SECURITY MEASURES

The Processor implements the following technical and organisational measures:

  • Encryption in transit: All data transmitted between users and the platform is encrypted using TLS 1.2 or higher
  • Access control: Multi-tenant data isolation with tenant-scoped database queries; multi-factor authentication available for all users
  • Password security: Passwords are hashed using bcrypt; password complexity requirements enforced
  • Content Security Policy: Strict CSP headers with nonce-based inline script protection
  • Document integrity: SHA-256 hashing of documents at time of signing to ensure tamper detection
  • Audit logging: Comprehensive audit trail of all document lifecycle events including IP addresses, timestamps, and user agents
  • Secure deployments: Zero-downtime atomic deployments with automated rollback capabilities
  • Data hosting: All data is stored within the European Union (DigitalOcean Amsterdam data centre)

7. SUB-PROCESSORS

The Controller authorises the use of the following sub-processors:

Sub-processor | Purpose | Location
DigitalOcean | Cloud hosting and data storage | Amsterdam, EU
MailerSend | Transactional email delivery | EU
Mollie | Payment processing | Amsterdam, EU

The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors, giving the Controller the opportunity to object to such changes.

8. DATA RETENTION

The Processor applies the following retention periods:

  • Signed documents: Automatically deleted 7 days after completion. Download links are provided to all parties upon completion.
  • Ad-hoc signer data: Name and email stored on the document record only. Deleted when the document is deleted. No separate contact record is created.
  • Contact data: Retained for as long as the Controller's account is active, or until manually deleted by the Controller.
  • Account data: Retained until account deletion is requested by the Controller.
  • Audit logs: Retained for as long as the associated document exists.

9. DATA BREACH NOTIFICATION

In the event of a personal data breach, the Processor shall:

  • Notify the Controller without undue delay and no later than 48 hours after becoming aware of the breach
  • Provide the Controller with sufficient information to enable the Controller to meet its obligation to notify the supervisory authority and data subjects
  • Cooperate with the Controller in investigating, mitigating, and remediating the breach

The notification shall include at minimum: the nature of the breach, categories and approximate number of data subjects concerned, likely consequences, and measures taken or proposed to address the breach.

10. RIGHTS OF DATA SUBJECTS

The Processor shall assist the Controller in fulfilling requests from data subjects exercising their rights under GDPR, including:

  • Right of access (Article 15)
  • Right to rectification (Article 16)
  • Right to erasure (Article 17)
  • Right to restriction of processing (Article 18)
  • Right to data portability (Article 20)
  • Right to object (Article 21)

If a data subject contacts the Processor directly, the Processor shall promptly forward the request to the Controller.

11. AUDITS AND INSPECTIONS

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and GDPR Article 28.

The Processor shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Controller shall provide reasonable notice and the audit shall be conducted during normal business hours.

12. INTERNATIONAL DATA TRANSFERS

The Processor does not transfer personal data outside the European Economic Area (EEA). All data is stored and processed within EU data centres.

Should a transfer outside the EEA become necessary, the Processor shall inform the Controller in advance and ensure appropriate safeguards are in place in accordance with GDPR Chapter V.

13. GOVERNING LAW

This Agreement is governed by the laws of The Netherlands. Any disputes arising from this Agreement shall be submitted to the competent court in The Netherlands.

14. CONTACT

For questions about this Data Processing Agreement, contact us:

Young Tomorrow

Peppelveld 23

6658LX Beneden-Leeuwen

The Netherlands

Email: privacy@parafeer.com