Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") supplements the Terms of Service and governs the processing of personal data that ACORD.AR S.A.S. ("Processor") carries out on behalf of the User ("Controller") in the framework of providing the electronic signature service, pursuant to Article 28 of the General Data Protection Regulation (GDPR) and Argentina's Personal Data Protection Act (Ley 25.326).

This DPA applies when the User uploads documents containing personal data of third parties to the Platform.

The User (Controller): determines the purposes and means of processing personal data contained in documents. Is responsible for obtaining the consent or legal basis necessary for the processing of such data pursuant to Art. 6 of the GDPR.

ACORD.AR S.A.S. (Processor): processes personal data solely according to the Controller's instructions and for the exclusive purpose of providing the electronic signature service, pursuant to Art. 28 of the GDPR.

Pursuant to Art. 28(3) of the GDPR, the Processor undertakes to:

a) Process personal data only in accordance with the Controller's documented instructions, including transfers of data to third countries (Art. 28(3)(a) GDPR).

Ensure that personnel authorized to process personal data have committed to confidentiality (Art. 28(3)(b) GDPR).

Implement appropriate technical and organizational security measures pursuant to Art. 32 of the GDPR.

Not engage another processor without the Controller's prior authorization (Art. 28(2) GDPR). Current sub-processors are listed in section 4.

Assist the Controller in fulfilling its obligations towards data subjects (Arts. 15-22 GDPR) and in data protection impact assessments (Art. 35 GDPR).

Delete or return all personal data upon termination of the service (Art. 28(3)(g) GDPR), subject to legal retention obligations.

Make available to the Controller the information necessary to demonstrate compliance and allow audits (Art. 28(3)(h) GDPR).

Current sub-processors are:

- Cloud infrastructure providers: data storage and processing (SOC 2 Type II, ISO 27001 certified).

Email service providers: sending transactional notifications.

Payment service providers: financial transaction processing (PCI DSS certified).

The Controller will be notified thirty (30) days in advance of any change in sub-processors. The Controller may object to a new sub-processor pursuant to Art. 28(2) of the GDPR.

Pursuant to Art. 33 of the GDPR, the Processor shall notify the Controller without undue delay, and in any event within seventy-two (72) hours of becoming aware of a security breach affecting personal data.

The notification shall include:

The nature of the breach, including the categories and approximate number of affected data subjects.

The contact details of the data protection officer or point of contact.

The likely consequences of the breach.

The measures taken or proposed to remedy the breach.

The Processor shall cooperate with the Controller in the investigation, mitigation and notification to the supervisory authority and affected data subjects when required.

This DPA remains in effect as long as the Processor processes personal data on behalf of the Controller. Confidentiality obligations and those derived from the GDPR survive indefinitely.