Data Processing Agreement
This Data Processing Agreement (“DPA”) is incorporated into the agreement between PandaDoc, Inc. (“PandaDoc”) and Customer (each a “Party” and jointly the “Parties”) that governs Customer’s use of PandaDoc’s Services (the “Agreement”). All capitalized terms not defined herein shall have the meaning set forth in the Agreement. This DPA is effective as of the effective date of the Agreement (the “Effective Date”).
1. DEFINITIONS
“Affiliate” means any entity that directly or indirectly controls, is controlled by, or is under common control with the applicable party to this Agreement, where “control” means direct or indirect ownership of or authority to direct more than 50% of the voting interests of the subject entity.
“Applicable Privacy Laws” means, to the extent applicable to a Party, all applicable data protection or privacy laws and regulations that apply to the Processing of Customer Personal Data under the Agreement.
“Controller” shall have the meaning given to it under Applicable Privacy Laws.
“Customer” means the individual or entity that has entered into the Agreement and agreed to the incorporation of this DPA into the Agreement.
“Customer Content” means any text, personal information, document layouts, source code, pictures, video, images, audio materials, graphics, documents, data files or any other content that Customer or its Users uploads or submits to the Online Services. “Customer Content” does not include usage, statistical, learned, or technical information that does not reveal the actual contents of Customer Content.
“Customer Personal Data” means Personal Data contained within Customer Content.
“Data Subject” means an identified or identifiable natural person.
“Personal Data” means any information relating to, identifying, describing or capable of being associated with a Data Subject or a household. “Personal Data” as used herein only applies to Personal Data for which PandaDoc is a Processor.
“Process” means any operation or set of operations performed upon Personal Data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, alignment, combination, restriction, erasure, destruction, or disclosure by transmission, dissemination or otherwise making available.
“Processor” shall have the meaning given to it under Applicable Privacy Laws.
“Security Practices” means PandaDoc’s Security Practices, as updated from time to time, and accessible on the Site.
“Site” means PandaDoc’s website at www.pandadoc.com and any website linked from such website that is owned or controlled by PandaDoc.
“Subprocessor” means any individual or entity engaged by or on behalf of PandaDoc to Process Customer Personal Data in connection with PandaDoc’s services.
“Supervisory Authority” means an independent public authority established by Applicable Privacy Law.
2. PROCESSING OF CUSTOMER PERSONAL DATA
2.1. Roles of the Parties. The parties acknowledge and agree that with regard to the Processing of Customer Personal Data, Customer is the Controller and PandaDoc is the Processor, and that each Party is solely responsible for its compliance with Applicable Privacy Laws and for fulfilling any of its related obligations to third parties, including Data Subjects and Supervisory Authorities.
2.2. Customer’s Responsibilities. Customer is solely responsible for complying with all Controller obligations under Applicable Privacy Laws in relation to Customer Personal Data. This includes, but is not limited to, being responsible for (a) the accuracy of Customer Personal Data; (b) the means by which Customer acquires, discloses and Processes such Customer Personal Data; (c) properly implementing access and use controls, features and functionalities to maintain appropriate security, protection, deletion, and backup of Customer Personal Data; and (d) Customer’s compliance with laws as it relates to the foregoing. Customer’s instructions to PandaDoc for Processing Customer Personal Data will comply with Applicable Privacy Laws and will be authorized with all required rights, permissions and consents. PandaDoc will be entitled to rely solely on Customer’s instructions relating to Customer Personal Data Processed by PandaDoc.
2.3. PandaDoc’s Processing Responsibilities.
2.3.1. PandaDoc will Process Customer Personal Data in accordance with the Applicable Privacy Laws directly applicable to the provisioning of PandaDoc’s Services. PandaDoc shall only Process Customer Personal Data: (i) in accordance with the Agreement and Order(s), or as necessary to provide the Services and prevent or address technical problems with the Services or violations of the Agreement or DPA; (ii) to comply with other reasonable written instructions provided by Customer (e.g., via email or support tickets), and (iii) as required by law (in such a case, the processor shall inform the controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest). Exhibit 1 (Details of Processing of Customer Personal Data) further describes the details of PandaDoc’s processing of Customer Personal Data.
2.3.2. PandaDoc will promptly notify Customer if PandaDoc reasonably believes Customer’s instructions to Process Customer Personal Data violate Applicable Privacy Laws.
2.3.3. Any individual authorized by PandaDoc to access Customer Personal Data will: (i) only access Customer Personal Data to the extent necessary to perform PandaDoc’s Processing obligations under the Agreement and this DPA; (ii) be subject to confidentiality obligations at least as restrictive as those described in the Agreement and this DPA; and (iii) be subject to appropriate training relating to the Processing of Customer Personal Data.
2.3.4. PandaDoc will not assess the type or substance of Customer Content to identify whether it is Customer Personal Data or is subject to any specific legal requirements.
2.3.5. Following termination of the DPA, PandaDoc will return or delete (at Customer’s choice) Customer Content in accordance with Section 4.4 (Return and Deletion) of the Agreement.
2.3.6. Notwithstanding any other provision of this DPA, technical, statistical, learned, or other Usage Data, and payment, billing, profile, or other account information, is not Customer Content, and is processed by PandaDoc as a Controller pursuant to its publicly posted Privacy Notice (available on the Site).
3. DATA SUBJECT REQUESTS
3.1. PandaDoc will promptly notify Customer in writing (including via email) following receipt and verification of any requests PandaDoc receives directly from a Data Subject pertaining to Customer Personal Data (each, a “Data Subject Request”). PandaDoc may only respond directly to a Data Subject Request: (a) to confirm that such request relates to Customer; (b) as required by applicable law; or (c) with the written consent of Customer.
3.2. PandaDoc will provide Customer access to Customer Personal Data via the Services to allow Customer to respond to Data Subject Requests. To the extent Customer is unable to access Customer Personal Data on its own and to the extent legally permitted under Applicable Privacy Laws, PandaDoc will, upon Customer’s written request, provide reasonable assistance to Customer to access the Customer Personal Data required for Customer to respond to such Data Subject Request. Except as provided herein, PandaDoc, as Processor, has no intention to respond to or fulfill any Data Subject Requests.
4. SUBPROCESSORS
4.1. List of Current Subprocessors. PandaDoc’s list of Subprocessors is accessible at https://www.pandadoc.com/legal/subprocessors/ (“Subprocessor List”) and may be updated by PandaDoc from time to time in accordance with this DPA.
4.2. Appointment of Subprocessors. Customer acknowledges and agrees that (a) PandaDoc’s Affiliates may be retained as Subprocessors; and (b) PandaDoc and PandaDoc’s Affiliates may engage third-party Subprocessors in connection with the provision of the Services. PandaDoc or a PandaDoc Affiliate will enter into a written agreement with each Subprocessor that includes data protection obligations for Processing Customer Personal Data at least as protective as those in this DPA.
4.3. Objection Right for New Subprocessors.
4.3.1. Customer may reasonably object to PandaDoc’s use of a new Subprocessor by notifying PandaDoc of its objection in writing within 30 business days after PandaDoc adds the new Subprocessor to the Site. Such notice must be timely and explain the Customer’s reasonable grounds for the objection; otherwise PandaDoc will deem the appointment of the new Subprocessor authorized by Customer.
4.3.2. In the event Customer objects to a new Subprocessor pursuant to this DPA, PandaDoc will use commercially reasonable efforts to make available to Customer a change in PandaDoc’s Services or recommend a commercially reasonable change to Customer’s configuration of PandaDoc Services to avoid the Processing of Customer Personal Data by the new Subprocessor. If PandaDoc is unable to address Customer’s objection within sixty (60) days of receipt of Customer’s written notice, PandaDoc will notify Customer via email. Upon receipt of PandaDoc’s notice, Customer may, by written notice to PandaDoc within thirty (30) days of PandaDoc’s notice, terminate the applicable Services which cannot be provided without the use of the new Subprocessor, and receive a pro-rata refund of prepaid fees covering the terminated portion of the applicable Services.
4.4. PandaDoc Liability for Subprocessors. In accordance with Applicable Privacy Laws, PandaDoc is responsible for its Subprocessors’ acts and omissions in relation to PandaDoc’s obligations under this DPA.
5. SECURITY
5.1. Controls for the Protection of Customer Content. PandaDoc shall maintain appropriate technical and organizational measures designed to protect and secure Customer Content, as set forth in the Security Practices located at https://www.pandadoc.com/legal/security-practices/ (the “Security Practices”).
5.2. Customer acknowledges that, through its Users, Customer: (a) controls the type and substance of Customer Content, and (b) sets User permissions to access Customer Content; therefore, Customer is responsible for evaluating whether the functionality of PandaDoc’s Services meets Customer’s security obligations relating to Customer Personal Data under Applicable Privacy Laws.
6. CUSTOMER AUDIT RIGHTS
6.1. PandaDoc will use external auditors to annually audit and verify the adequacy of its security measures and controls (“Audit”). The Audit will: (a) be performed by independent third party security professionals at PandaDoc’s selection and expense; (b) include testing of the security measures and controls of the online Services, performed according to AICPA SOC2 standards or such other alternative standards substantially equal to AICPA SOC2, that results in the generation of, at a minimum, a SOC2 report or the substantive equivalent; and (c) include penetration testing of the online Services and result in the generation of a penetration test report. The reports generated by the Audit (“Reports”) will be made available to Customer upon written request no more often than annually subject to the confidentiality obligations of the Agreement or a mutually-agreed non-disclosure agreement.
6.2. Upon Customer’s written request, PandaDoc will provide reasonable assistance to Customer in relation to data protection impact assessments and consultations with Supervisory Authorities, taking into account the nature of PandaDoc’s Processing activities and the information available to PandaDoc. If Customer requires information for its compliance with Applicable Privacy Laws in addition to the Reports and any additional information PandaDoc has the ability to provide, at Customer’s sole expense and written request and to the extent Customer is unable to access the additional information on its own, PandaDoc will allow for and cooperate with a Customer mandated audit by a third party auditor in relation to PandaDoc’s Processing of Customer Personal Data (“Customer Audit”), provided that:
6.2.1. Customer provides PandaDoc reasonable advance notice including the identity of the auditor and the anticipated date and scope of the Customer Audit;
6.2.2. PandaDoc approves the auditor by notice to Customer, with such approval not to be unreasonably withheld;
6.2.3. Customer and the auditor act to avoid causing any damage, injury, or disruption to PandaDoc’s business in the course of such Customer Audit; and
6.2.4. Customer initiates only one Customer Audit in any calendar year unless otherwise required by a Supervisory Authority.
7. CUSTOMER CONTENT INCIDENT MANAGEMENT
7.1. PandaDoc shall notify Customer in writing (via email) without undue delay, but in no event more than forty-eight (48) hours, after discovery of the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Content (a “Customer Content Incident”).
7.2. PandaDoc will investigate and mitigate or remediate a Customer Content Incident in accordance with PandaDoc’s security incident policies and procedures (“Incident Management”).
7.3. Subject to PandaDoc’s legal obligations, PandaDoc will provide Customer with information available to PandaDoc as a result of its Incident Management, including the nature of the incident, specific information disclosed (if known), and any relevant mitigation efforts or remediation measures (“Incident Information”), for Customer to comply with its obligations under Applicable Privacy Laws as a result of a Customer Content Incident.
7.4. The obligations herein shall not apply to incidents that are caused by Customer, Customer’s authorized users or any non-PandaDoc products or services.
8. INTERNATIONAL TRANSFERS
8.1. The Parties acknowledge and agree that the Processing of Customer Personal Data by PandaDoc may involve an international transfer of Customer Personal Data from Customer to PandaDoc (“International Transfer”). Customer acknowledges that, as of the Effective Date, PandaDoc’s primary processing activities are in the United States.
8.2. To the extent that PandaDoc Processes Customer Personal Data originating from and protected by Applicable Privacy Laws in one of the jurisdictions listed in Exhibit 4 (Jurisdiction Specific Terms), then the jurisdiction’s applicable terms will apply in addition to the terms of this DPA.
8.3. To the extent that Customer’s use of the Services requires a valid transfer mechanism to lawfully transfer Customer Personal Data from a jurisdiction (i.e., the European Economic Area (“EEA”), the UK, Switzerland or any other jurisdiction listed in Exhibit 4) to PandaDoc located outside of that jurisdiction (a “Transfer Mechanism”), the terms and conditions of Exhibit 3 (Cross Border Transfer Mechanisms) will apply.
8.4. If any Transfer Mechanism fails as a lawful data transfer mechanism for an International Transfer, the Parties will act in accordance with Section 10.2 (Variations in Applicable Privacy Laws) of this DPA.
9. DATA PROTECTION OFFICER
PandaDoc’s data protection officer in the United States, EU and UK can be reached at privacyteam@pandadoc.com.
10. MISCELLANEOUS
10.1. Termination. The parties agree that this DPA and, if applicable, the Standard Contractual Clauses, shall terminate automatically upon the later of (i) termination of the Agreement; or (ii) the expiration or termination of all Orders. Any obligation imposed on either party under this DPA in relation to the Processing of Customer Personal Data that would reasonably be interpreted to survive any termination or expiration of this DPA, shall survive.
10.2. Variations in Applicable Privacy Laws. If any variation is required to this DPA as a result of a change in or subsequently enacted Applicable Privacy Laws, either Party may provide written notice to the other Party of that change in law. The Parties will then negotiate in good faith any variations to this DPA necessary to address such changes, with a view to agreeing and implementing those or alternative variations as soon as practicable, provided that such variations are reasonable with regard to the functionality and performance of the Services and PandaDoc’s business operations.
10.3. Amendment. Unless otherwise expressly stated herein, this DPA may be modified only by a written agreement executed by an authorized representative of each Party. The waiver of any breach of this DPA will be effective only if in writing, and no such waiver will operate or be construed as a waiver of any subsequent breach.
10.4. Severance. Should any provision of this DPA be invalid or unenforceable, then the remainder of this DPA shall remain valid and in force. The invalid or unenforceable provision shall be either (i) amended as necessary to ensure its validity and enforceability, while preserving the parties’ intentions as closely as possible or, if this is not possible, (ii) construed in a manner as if the invalid or unenforceable part had never been contained therein.
10.5. Order of Precedence. In the event of any conflict or inconsistencies between this DPA and any other written agreement between the parties (including the Agreement), this DPA shall prevail. In the event of conflict between the SCCs and this DPA, the SCCs shall prevail.
10.6. Governing Law and Dispute Resolution. This DPA and any dispute or claim arising out of and/or in connection with it or its subject matter or formation (including non-contractual disputes or claims) shall be governed by, and construed in accordance with, the governing law and dispute resolution terms of the Agreement.
10.7. Liability. As between the Parties to this DPA, each Party’s liability and remedies under this DPA are subject to the liability limitations and damages exclusions set forth in the Agreement, as well as the indemnification provisions set forth in the Agreement.
10.8. Notices. Unless otherwise expressly stated herein, the parties will provide notices under this DPA in accordance with the Agreement, provided that all such notices may be sent via email.
10.9. Enforcement. Regardless of who is a Controller of Customer Personal Data, unless otherwise required by law: (a) only Customer will have any right to enforce any of the terms of this DPA against PandaDoc; and (b) PandaDoc’s obligations under this DPA, including any applicable notifications, will only be to Customer.
EXHIBIT 1: DETAILS OF PROCESSING / TRANSFERRING OF CUSTOMER PERSONAL DATA
This Exhibit 1 includes certain details of the Processing of Personal Data as required by Article 28(3) of the GDPR and details about the description of transfer as required by Annex II, Part B of the Standard Contractual Clauses approved by the European Commission in decision 2021/914 (as relevant).
1. Subject matter and duration of the Processing of Personal Data:
The subject matter and duration of the Processing of Personal Data are set out in the Agreement and this DPA.
2. The nature and purpose of the Processing of Personal Data:
The nature and purpose of the Processing of Personal Data by PandaDoc is that which is reasonably required to facilitate or support the provision of the Services as described under the Agreement and this DPA.
3. Types of Personal Data and Categories of Data Subjects:
The types of Personal Data and categories of Data Subjects, including sensitive data if any, about whom the Personal Data relates are determined and controlled by Customer in its sole discretion.
4. Obligations and Rights of the Controller:
The obligations and rights of Customer are set out in the Agreement and this DPA.
5. Applicable security measures:
The applicable security measures to protect the Personal Data, including sensitive data if any, are contained in Exhibit 2.
6. Frequency of the transfer:
The transfer is continuous for the duration of the Agreement.
7. Transfers to sub-processors:
The subject matter, nature, and duration of the processing by Subprocessors are described at https://www.pandadoc.com/legal/subprocessors/.
EXHIBIT 2: TECHNICAL AND ORGANIZATIONAL SECURITY MEASURES
This Exhibit 2 will serve as Annex II to the Standard Contractual Clauses where applicable.
PandaDoc’s technical and organizational security measures are set forth at https://www.PandaDoc.com/legal/security-practices/.
EXHIBIT 3: CROSS BORDER TRANSFER MECHANISMS
1. Definitions.
1.1. “Standard Contractual Clauses” means, depending on the circumstances unique to any Customer, any of the following:
1.1.1. EEA Standard Contractual Clauses;
1.1.2. UK Standard Contractual Clauses; and
1.1.3. Swiss Standard Contractual Clauses.
1.2. “EEA Standard Contractual Clauses” or “EEA SCCs” means the Standard Contractual Clauses approved by the European Commission in decision 2021/914.
1.3. “UK Standard Contractual Clauses” or “UK SCCs” means the “International Data Transfer Addendum to the EU Commission Standard Contractual Clauses” issued by the Information Commissioner under s.119A(1) of the DPA 2018.
1.4. “Swiss Standard Contractual Clauses” or “Swiss SCCs” means the EEA SCCs.
2. EEA Standard Contractual Clauses. For International Transfers from the EEA that are not subject to a European Union adequacy decision, the EEA SCCs will apply in the following manner:
2.1. Module Two (Controller to Processor) will apply where Customer is a Controller of Customer Personal Data and PandaDoc is a Processor of Customer Personal Data.
2.2. The EEA SCCs will be completed as follows:
2.2.1. In Clause 7, the optional docking clause will not apply;
2.2.2. In Clause 9, Option 2 will apply and the time period and process for providing objections to Subprocessor changes will be as set out in Section 4 of this DPA;
2.2.3. In Clause 11, the optional language will not apply;
2.2.4. In Clause 17, Option 1 will apply, and the EEA SCCs will be governed by Irish law;
2.2.5. In Clause 18(b), disputes shall be resolved before the courts of Ireland;
2.2.6. Annex I, Part A will be completed as follows:
Data Exporter name and address: Customer and authorized Affiliates name and addresses.
Contact person’s name, position and contact details: Customer’s account owner and email address provided to PandaDoc as may be updated by Customer.
Activities relevant to the data transferred under these Clauses: PandaDoc Services described in the Agreement and any applicable Customer Order.
Data Exporter Role: As described in Section 2 of this DPA.
Signature & Date: By entering into the DPA, Data Exporter is deemed to have signed the SCCs incorporated herein, including their Annexes, as of the Effective Date.
Data Importer name and address: PandaDoc, Inc., 548 Market St PMB 185308, San Francisco, CA, 94104-5401, US.
Contact person’s name, position and contact details: PandaDoc Privacy – privacyteam@pandadoc.com; PandaDoc Security – security@pandadoc.com
Activities relevant to the data transferred under these Clauses: PandaDoc Services described in the Agreement and any applicable Customer Order.
Data Importer Role: As described in Section 2 of this DPA.
Signature & Date: By entering into the DPA, Data Importer is deemed to have signed the SCCs incorporated herein, including their Annexes, as of the Effective Date.
2.2.7. Annex II, Part B will be completed as described in Exhibit 1.
2.2.8. Annex I, Part C: in accordance with clause 13 of the EEA SCCs, the competent supervisory authority is identified as follows:
Where the data exporter is established in an EU Member State: The supervisory authority with responsibility for ensuring compliance by the data exporter with Regulation (EU) 2016/679 as regards the data transfer shall act as competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) and has appointed a representative pursuant to Article 27(1) of Regulation (EU) 2016/679: The supervisory authority of the Member State in which the representative within the meaning of Article 27(1) of Regulation (EU) 2016/679 is established shall act as the competent supervisory authority.
Where the data exporter is not established in an EU Member State, but falls within the territorial scope of application of Regulation (EU) 2016/679 in accordance with its Article 3(2) without however having to appoint a representative pursuant to Article 27(2) of Regulation (EU) 2016/679: Data Commission, Ireland shall act as the competent supervisory authority.
2.2.9. Exhibit 2 serves as Annex II of the EEA Standard Contractual Clauses.
3. The UK Standard Contractual Clauses. For International Transfers from the UK that are not subject to a UK adequacy decision, the UK SCCs will be deemed executed between the Parties and will be completed with relevant information from the EU SCCs, as set out in section 2 of this Exhibit 3. The options “Exporter” and “Importer” shall be deemed checked in Table 4 of the UK SCCs. The start date of the UK SCCs shall be the Effective Date.
4. Swiss Standard Contractual Clauses. For International Transfers from Switzerland that are not subject to a Swiss adequacy decision, the EEA SCCs will apply as set out in section 2 of this Exhibit 3 with the following modifications:
4.1. references to “Regulation (EU) 2016/679” shall be interpreted as references to the Swiss Federal Data Protection Act to the extent applicable;
4.2. references to specific Articles of “Regulation (EU) 2016/679” shall be replaced with the equivalent article or section of the Swiss Federal Data Protection Act to the extent applicable;
4.3. references to “EU”, “Union”, “Member State” and “Member State law” shall be replaced with references to “Switzerland” or “Swiss law” (as applicable);
4.4. in Clause 18(c) the term “member state” shall not be interpreted in such a way as to exclude data subjects in Switzerland from the possibility of suing for their rights in their place of habitual residence (i.e., Switzerland);
4.5. Clause 13(a) and Part C of Annex I are not used and the “competent supervisory authority” is the Swiss Federal Data Protection and Information Commissioner;
4.6. references to the “competent supervisory authority” and “competent courts” shall be replaced with references to the “Swiss Federal Data Protection and Information Commissioner” and “applicable courts of Switzerland”; and
4.7. in Clause 17, the EU SCCs shall be governed by the laws of Switzerland.
5. Data Privacy Framework
PandaDoc is certified to the EU-U.S. and Swiss-U.S. Data Privacy Frameworks, and the UK Extension to the EU-U.S. Data Privacy Framework and the commitments they entail. PandaDoc agrees to notify Customer if it makes a determination that it can no longer meet its obligation to provide the same level of protection as is required by the principles of the Data Privacy Frameworks.
EXHIBIT 4: JURISDICTION SPECIFIC TERMS
1. United States
1.1. The definition of “Applicable Privacy Law” includes any federal or state data protection laws in effect and applicable to PandaDoc’s Processing of Customer Personal Data in the United States.
1.2. The terms “business”, “commercial purpose”, “service provider”, “sell” and “personal information” have the meanings given in the Applicable Privacy Law in the context of Customer Personal Data that is Processed pursuant to this DPA.
1.3. With respect to Customer Personal Data, PandaDoc is a service provider under Applicable Privacy Law.
1.4. PandaDoc will not (a) sell or share Customer Personal Data; (b) retain, use, or disclose any Customer Personal Data for any purpose other than for the specific purpose of providing the Services, including retaining, using or disclosing the Customer Personal Data for a commercial purpose other than providing the Services, including to provide services to a different customer; (c) retain, use, or disclose the Customer Personal Data outside of the direct business relationship between PandaDoc and Customer; or (d) combine Customer Personal Data with other Personal Data that PandaDoc receives from another entity or collects from individuals, except as permitted by applicable law or as authorized by Customer.
1.5. The Parties acknowledge and agree that the Processing of Customer Personal Data authorized by Customer’s instructions described in this DPA is integral to and encompassed by PandaDoc’s provision of the Services and the direct business relationship between the Parties. PandaDoc agrees to inform Customer if, in its reasonable opinion, PandaDoc can no longer meet its applicable obligations under this Applicable Privacy Law.
1.6. Notwithstanding anything in the Agreement or any Order Form entered in connection therewith, the Parties acknowledge and agree that PandaDoc’s access to Customer Personal Data does not constitute part of the consideration exchanged by the Parties in respect of the Agreement.
1.7. To the extent that any Services Usage Data is considered Customer Personal Data, PandaDoc is the business with respect to such data and will Process such data in accordance with its Privacy Notice.
1.8. Customer shall have the right to take reasonable and appropriate steps to (a) verify that PandaDoc uses the personal information that it received from, or on behalf of, Customer in a manner consistent with this DPA so that Customer can meet its obligations under Applicable Privacy Law. This right may encompass performing Customer Audits in accordance with this DPA; (b) stopping and remediating PandaDoc’s unauthorized use of Customer Personal Data; and (c) taking any such other remediation efforts reasonably agreed upon by the parties. By way of example, and in accordance with the Agreement, Customer may require PandaDoc to provide documentation that verifies that PandaDoc no longer retains or uses Customer personal information of Data Subjects who have made a valid request of Customer to delete their personal information.
1.9. PandaDoc certifies that it understands and will comply with the obligations set forth in this DPA and the Agreement, including restrictions on its Processing of Customer personal information.
2. EEA
2.1. The definition of “Applicable Privacy Law” includes the General Data Protection Regulation (EU 2016/679) (“GDPR”).
2.2. When PandaDoc engages a Subprocessor, it will:
2.2.1. require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
2.2.2. require any appointed Subprocessor to agree in writing to only process data in a country that the European Union has declared to have an “adequate” level of protection; or to only process data under the terms of the EEA Standard Contractual Clauses.
2.3. Notwithstanding anything to the contrary in this DPA or in the Agreement (including, without limitation, either party’s indemnification obligations), neither party will be responsible for any GDPR fines issued or levied under Article 83 of the GDPR against the other party by a regulatory authority or governmental body in connection with such other party’s violation of the GDPR.
3. Switzerland
3.1. The definition of “Applicable Privacy Law” includes the Swiss Federal Act on Data Protection.
3.2. When PandaDoc engages a Subprocessor, it will:
3.2.1. require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
3.2.2. require any appointed Subprocessor to agree in writing to only process data in a country that the government of Switzerland has declared to have an “adequate” level of protection; or to only process data under the Swiss SCCs.
3.3. To the extent allowed and required by the Swiss Federal Act on Data Protection, a Data Subject may bring legal proceedings against the data exporter and/or data importer before the courts of Switzerland.
3.4. To the extent required by the version of the Swiss Federal Act on Data Protection then in effect, the applicability of the Standard Contractual Clauses will be interpreted to include data pertaining to legal entities as Customer Personal Data.
4. United Kingdom
4.1. References in this DPA to GDPR will be deemed to be references to the corresponding laws of the United Kingdom (including the UK GDPR and Data Protection Act 2018).
4.2. When PandaDoc engages a Subprocessor, it will:
4.2.1. require any appointed Subprocessor to protect Customer Personal Data to the standard required by applicable Data Protection Laws, such as including the same data protection obligations referred to in Article 28(3) of the GDPR, in particular providing sufficient guarantees to implement appropriate technical and organizational measures in such a manner that the processing will meet the requirements of the GDPR; and
4.2.2. require any appointed Subprocessor to agree in writing to only process data in a country that the government of the United Kingdom has declared to have an “adequate” level of protection; or to only process data under the UK SCCs.
Updated: May 2025
Archived version – provided for informational purposes only