Data Processing Addendum

Dock’s standard Data Processing Addendum. Drafted for GDPR Article 28 compliance and structured for click-wrap acceptance at signup. A counter-signed PDF copy is available on request for procurement records (see section 20). Material redlines (custom liability caps, audit frequency beyond what is offered here, alternative transfer routes) are negotiable via security@trydock.ai.

Effective: May 10, 2026

1. Parties and scope

This Data Processing Addendum (the “DPA”) forms part of the agreement between Vector Apps, Inc., a Delaware corporation (“Vector Apps”, “we”, the Processor), and the customer entity named in the agreement under which the Dock service is provided (“Customer”, “you”, the Controller). The DPA applies to all processing of Personal Data we perform on Customer’s behalf in connection with the Dock service (the Service).

Where the underlying agreement and this DPA conflict, this DPA controls with respect to processing of Personal Data.

2. Definitions

Terms not defined here have the meaning given in Regulation (EU) 2016/679 (the “GDPR”), the UK Data Protection Act 2018 as amended (the “UK GDPR”), and the California Consumer Privacy Act of 2018 as amended (the “CCPA”), as applicable. Personal Data means any information relating to an identified or identifiable natural person processed by us on Customer’s behalf. Sub-processor means any third party engaged by us to process Personal Data on Customer’s behalf. Data Subject means the natural person to whom Personal Data relates.

3. Roles

For all Personal Data processed in connection with the Service, Customer is the Controller (or, where Customer is itself a processor for an upstream party, Customer is the upstream party’s authorized processor) and Vector Apps is the Processor.

4. Subject matter and duration of processing

We process Personal Data for the duration of the underlying agreement plus any retention period required by applicable law. The subject matter is the provision of the Service: operating a multi-user workspace where humans and AI agents read and write shared data, including authentication, authorization, content storage, comment threads, outbound webhooks, and audit logging.

5. Nature and purpose of processing

Our processing operations on Customer’s Personal Data are limited to those reasonably necessary to:

  • Authenticate Data Subjects who attempt to access the Service.
  • Store, retrieve, modify, and delete content Data Subjects create within the Service.
  • Deliver event notifications to webhook endpoints Customer configures.
  • Maintain audit logs that record changes to Customer workspaces.
  • Communicate with Data Subjects in connection with the Service (transactional and security email only).
  • Resolve support requests Customer or Data Subjects submit.
  • Maintain backups and perform disaster recovery.

6. Categories of Personal Data

The Service is general-purpose; Customer determines what Personal Data is uploaded. Typical categories include:

  • Account identifiers: email address, display name, organization name, workspace name, role assignment.
  • Authentication artifacts: session tokens (Customer-issued), API key hashes (we never see plaintext after creation), OAuth token hashes.
  • User-generated content: rows, document bodies, comments, attachments uploaded by Data Subjects.
  • Technical telemetry: IP address prefix, coarse user-agent, request identifiers, timestamps.
  • Support correspondence: emails and attachments submitted to support channels.

We do not request or knowingly process special categories of Personal Data (Article 9 GDPR) such as health information, biometric data, genetic data, or data revealing racial or ethnic origin, political opinions, religious beliefs, trade union membership, or sexual orientation, except where Customer chooses to upload such data into its own workspaces. Customer is responsible for ensuring lawful basis for any such processing.

7. Categories of Data Subjects

Data Subjects whose Personal Data is processed include: Customer’s employees and authorized users; the end-users of Customer’s products if Customer chooses to represent end-user information inside its workspaces; third parties whose information Customer includes in workspace content.

8. Customer instructions

We process Personal Data only on documented instructions from Customer, including with regard to transfers to third countries, unless required to do otherwise by Union or Member State law. Customer’s acceptance of this DPA and use of the Service in accordance with the underlying agreement constitutes its documented instructions for the processing described in this DPA. Additional or alternative instructions may be issued by Customer in writing and must be agreed by both parties.

We will inform Customer if, in our opinion, an instruction infringes applicable data protection law.

9. Confidentiality

We ensure that personnel authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Personnel access to Customer Personal Data is limited to named individuals on a need-to-know basis; the current access controls are described at /security.

10. Security of processing

We implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing as well as the risk of varying likelihood and severity for the rights and freedoms of natural persons. The current measures are described in detail at /security and include, at a minimum: encryption in transit (TLS 1.3), encryption at rest (AES-256), authentication of all data access, audit logging of state changes, network-egress controls against private-network exfiltration, content sanitization, rate-limit enforcement on a distributed backend, and a documented incident response procedure.

Vector Apps reserves the right to update its security measures from time to time, provided that any update will not materially diminish the security of Personal Data.

11. Sub-processors

Customer grants Vector Apps general authorization to engage sub-processors for the provision of the Service. The current list of sub-processors is published at /subprocessors and is updated when sub-processors are added or removed. We will provide notice of changes to the sub-processor list at least thirty (30) days before the change takes effect, by updating the published list and (for customers on a paid plan with an executed DPA) by email to the address on file.

Customer may object to a proposed change to the sub-processor list on reasonable data-protection grounds by written notice within thirty (30) days of our notice. If the objection cannot be resolved, Customer’s sole remedy is termination of the underlying agreement with respect to services that cannot be provided without the disputed sub-processor, and we will refund pre-paid fees for unused service periods.

We remain responsible for the acts and omissions of our sub-processors as if those acts and omissions were our own. We impose data-protection obligations on each sub-processor no less protective than those in this DPA.

12. International transfers

Vector Apps is established in the United States. Primary data storage is in US-East-1. Where Customer is established in the European Economic Area, the United Kingdom, or Switzerland and the Service involves a transfer of Personal Data from those regions to the United States or to another country not subject to an adequacy decision, the parties agree that the EU Standard Contractual Clauses (Module Two: Controller-to-Processor) approved by Commission Implementing Decision (EU) 2021/914, together with the UK Addendum issued under section 119A of the UK Data Protection Act 2018 where applicable, are incorporated into this DPA by reference. The parties act as Data Exporter and Data Importer respectively. Annex I (Description of the transfer), Annex II (Technical and organizational measures), and Annex III (List of sub-processors) of the SCCs are completed by reference to sections 4 through 11 of this DPA and to /security and /subprocessors.

13. Data Subject rights

Taking into account the nature of the processing, we assist Customer by appropriate technical and organizational measures, insofar as possible, for the fulfilment of Customer’s obligation to respond to requests for exercising the Data Subject’s rights laid down in Chapter III of the GDPR (access, rectification, erasure, restriction, portability, objection) and equivalent rights under the UK GDPR and CCPA.

Where a Data Subject contacts Vector Apps directly with a request that concerns Personal Data processed on Customer’s behalf, we will forward the request to Customer without undue delay and will not respond to the Data Subject directly except to acknowledge receipt and confirm onward forwarding.

14. Personal data breaches

We will notify Customer of a Personal Data Breach affecting Customer’s Personal Data without undue delay after becoming aware of it, and in any case within seventy-two (72) hours where the breach is likely to result in a risk to the rights and freedoms of natural persons. The notification will, to the extent known at the time of notice and updated as further information becomes available, describe the nature of the breach, the categories and approximate number of Data Subjects and Personal Data records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its effects.

We will cooperate with Customer’s investigation and notification obligations, including providing information reasonably required for Customer to meet its own notification duties to supervisory authorities and Data Subjects.

15. Audits and inspections

Customer has the right to audit Vector Apps’ compliance with this DPA. The audit right is exercised by: (a) requesting and reviewing the most recent third-party attestation reports, summary penetration test results, and the current security policy; (b) submitting a security questionnaire to security@trydock.ai for response within thirty (30) days; (c) for Customers on Scale or Enterprise plans, requesting an on-site or remote audit conducted by Customer or by a mutually-agreed third-party auditor at Customer’s expense, no more than once per twelve (12) month period, on at least sixty (60) days’ written notice, during regular business hours, and subject to a customary non-disclosure agreement.

16. Return and deletion of Personal Data

On termination or expiration of the underlying agreement, we will, at Customer’s option, return all Personal Data to Customer in a structured, commonly used, and machine-readable format, or delete all Personal Data, within thirty (30) days, except to the extent retention is required by applicable law. We will provide a written confirmation of completion upon Customer’s request.

Backups containing Personal Data are subject to Vector Apps’ standard backup retention, which currently is up to fourteen (14) days for object storage and up to fourteen (14) days for the primary database point-in-time recovery window on the Scale plan. Personal Data in backups is overwritten in the normal backup cycle.

17. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability set forth in the underlying agreement. Nothing in this DPA limits the liability of either party to the extent such limitation is prohibited by applicable data protection law.

18. Term

This DPA takes effect on the date Customer accepts the underlying agreement and this DPA at signup, and continues for the term of the underlying agreement and thereafter as long as Vector Apps processes Customer Personal Data. See section 20 for the acceptance mechanism.

19. Governing law and jurisdiction

This DPA is governed by the law and subject to the jurisdiction stated in the underlying agreement, except where applicable data protection law mandates otherwise (in which case that law applies to the extent of the conflict).

20. Acceptance

Default path: signup consent checkbox. The Dock signup flow presents a consent checkbox alongside links to the Terms of Service, the Privacy Policy, and this DPA. Affirming the checkbox and completing signup constitutes acceptance of all three on behalf of the Customer entity for which the account is being created. The Continue button is disabled until the checkbox is affirmed; this is the affirmative action required for click-wrap acceptance. The user completing signup represents that they have authority to bind the Customer entity.

Counter-signed PDF (optional, for procurement records). Customers whose internal procurement processes require an executed PDF on file may print the version published at trydock.ai/dpa, sign on behalf of the Customer entity, and email a scanned copy to security@trydock.ai. We will counter-sign within one business day and return the executed PDF to the same address. The executed PDF and the click-wrap acceptance are legally equivalent; the PDF exists for the customer’s archival convenience.

Redlines. Indicate any proposed redlines in the email body when requesting a counter-signed copy. Standard redlines (cap adjustments within ordinary commercial bounds, specifying named sub-processor objections) are accepted without further negotiation. Custom redlines that alter material terms (liability allocation, audit cadence, transfer mechanism beyond SCCs + UK Addendum) are reviewed within five business days.

21. Updates to this DPA

We may update this DPA from time to time to reflect changes in applicable law, sub-processor arrangements, or our operations. Material updates will be reflected in an updated effective date and notified to Customers on a paid plan with an executed DPA at least thirty (30) days before they take effect, unless the change is required by law or addresses a security risk that requires faster action. Continued use of the Service after the effective date of an update constitutes acceptance of the updated DPA, subject to any objection right granted in this DPA or by applicable law.