This Data Processing Addendum ("DPA") forms part of and is incorporated by reference into the Docshark Terms and Conditions (the "Terms") between Sharkforce Inc., a corporation incorporated under the laws of Canada (federal) ("Sharkforce," "we," "us," or "our"), and the Customer that accepts the Terms ("Customer," "you," or "your"). It applies where Sharkforce processes personal data on Customer's behalf in connection with Docshark (the "Services"). Docshark is operated from Canada and offered to Customers in multiple countries. This DPA reflects Sharkforce's standard processor commitments. It does not require a separate signature: by accepting the Terms, both parties agree to this DPA. If you have a separately signed Master Services Agreement or data processing agreement with Sharkforce, that signed agreement controls to the extent of a conflict. This DPA is provided as Sharkforce's standard terms and is not legal advice to Customer. Customer remains responsible for determining the requirements that apply to its own processing.
1. Definitions and roles
Capitalized terms not defined here have the meaning given in the Terms. "Applicable Data Protection Law" means privacy and data protection laws that apply to a party's processing of Customer Personal Data, including the Personal Information Protection and Electronic Documents Act (PIPEDA) and substantially similar provincial laws in Canada; Quebec's Law 25; the EU General Data Protection Regulation (GDPR); the UK GDPR and Data Protection Act 2018; the Swiss Federal Act on Data Protection (FADP); US state privacy laws including the California Consumer Privacy Act as amended by the CPRA; the Saudi Personal Data Protection Law (PDPL), the United Arab Emirates Federal Decree-Law No. 45 of 2021 on the Protection of Personal Data, Egypt's Personal Data Protection Law (No. 151 of 2020), Brazil's Lei Geral de Proteção de Dados (LGPD), and Australia's Privacy Act 1988; and any other privacy or data protection law that applies to a party's processing of Customer Personal Data. "Customer Personal Data" means personal data within Customer Data that Sharkforce processes on Customer's behalf. For Customer Personal Data, Customer acts as the controller or business (or as a processor acting for another controller), and Sharkforce acts as the processor or service provider.
2. Scope and instructions
Sharkforce will process Customer Personal Data only on Customer's documented instructions, which include the Terms, Customer's configuration and use of the Services, and any further written instructions Customer gives. Sharkforce will inform Customer if, in its opinion, an instruction infringes Applicable Data Protection Law, unless legally prohibited from doing so. Sharkforce will not process Customer Personal Data for its own independent purposes. Aggregated or de-identified data that no longer identifies any individual is not Customer Personal Data.
3. Details of processing
Subject matter: provision of the Docshark electronic signing and document services. Duration: the Subscription Term plus any retention period described in the Docshark Privacy Notice and the Terms. Nature and purpose: collecting, recording, hashing, sealing, storing, transmitting, and producing evidence of electronic signing transactions. Types of personal data: names and typed legal names, email addresses, phone numbers used for one-time codes, signature field values, hashed IP addresses, user-agent strings (stored hashed and, where retained in full, encrypted at rest), signing-session identifiers, consent records, audit events, and the contents of documents and envelopes that Customer chooses to process. Categories of data subjects: Customer's signers, senders, authorized users, and administrators.
4. Sharkforce obligations
Sharkforce will: (a) process Customer Personal Data only as set out in Section 2; (b) ensure that personnel authorized to process Customer Personal Data are bound by confidentiality obligations; (c) implement and maintain the security measures described in Section 5; (d) taking into account the nature of processing, assist Customer by appropriate technical and organizational measures, insofar as possible, to respond to data subject requests as described in Section 8; (e) assist Customer with security, breach notification, and data protection impact assessments as described in Sections 5 and 9; and (f) delete or return Customer Personal Data as described in Section 11.
5. Security measures
Sharkforce maintains technical and organizational measures designed to protect Customer Personal Data, which currently include: transport encryption (HTTPS/TLS) for data in transit; encryption at rest provided by our database and object-storage infrastructure providers; application-level encryption applied to selected sensitive identifiers (including signer user-agent values); SHA-256 integrity hashing of source and sealed documents at send, consent, and seal stages; a tamper-evident, hash-chained audit log; PAdES sealing of completed PDFs and RFC 3161 trusted timestamping where enabled; one-time codes for signer identity verification where configured; storage of IP addresses only as one-way hashes; least-privilege access controls for production systems; and logging and monitoring of security-relevant events. Sharkforce does not currently hold SOC 2 or ISO 27001 certifications and does not represent that it does. Sharkforce may update its measures provided the protections are not materially reduced.
6. Subprocessors
Customer provides general authorization for Sharkforce to engage subprocessors to process Customer Personal Data. The current list is published at /legal/subprocessors. Sharkforce will impose data protection obligations on each subprocessor that are substantially equivalent to those in this DPA, and Sharkforce remains responsible for the acts and omissions of its subprocessors as if they were its own. Sharkforce will give at least thirty (30) days' prior notice before adding or replacing a subprocessor that processes Customer Personal Data. Customer may object on reasonable data protection grounds within fourteen (14) days of that notice; Sharkforce will work in good faith to address the objection, and if it cannot, Customer may terminate the affected Services as its sole remedy for the objection.
7. International transfers
Where Sharkforce processes Customer Personal Data that is subject to the GDPR and transfers it to a country that has not received an adequacy decision, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) are incorporated into and form part of this DPA, with Module Two (controller to processor) applying where Customer is a controller and Module Three (processor to processor) applying where Customer is itself a processor. For transfers subject to the UK GDPR, the UK International Data Transfer Addendum to the EU Standard Contractual Clauses applies. For transfers subject to the Swiss FADP, the Standard Contractual Clauses apply with the adaptations required by the FADP and Swiss regulator guidance. The annexes required by these clauses are completed by the processing details in Section 3, the security measures in Section 5, and the subprocessor list referenced in Section 6. Docshark is operated from Canada, and subprocessors may process Customer Personal Data in Canada and the United States.
8. Data subject requests
Taking into account the nature of the processing, Sharkforce will assist Customer, by appropriate technical and organizational measures and insofar as reasonably possible, in fulfilling Customer's obligation to respond to requests from data subjects to exercise their rights, including access, correction, deletion, portability, restriction, objection, and withdrawal of consent. If Sharkforce receives a request directly from a data subject relating to Customer Personal Data, it will, where lawful, direct the data subject to Customer.
9. Personal data breach
Sharkforce will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to it to help Customer meet its own notification obligations, including the nature of the breach, the categories and approximate number of data subjects and records affected where known, the likely consequences, and the measures taken or proposed. Sharkforce's notification is not an acknowledgment of fault or liability. Suspected incidents may be reported to [email protected].
10. Audits
Sharkforce will make available to Customer information reasonably necessary to demonstrate compliance with this DPA. Sharkforce will allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer, no more than once per twelve (12) months, on at least thirty (30) days' written notice, during business hours, subject to confidentiality obligations and at Customer's expense, and provided that audits do not compromise the security or confidentiality of other customers' data. Where available, Sharkforce may satisfy an audit request by providing relevant security documentation or third-party assessments.
11. Deletion and return
On expiry or termination of the Services, Sharkforce will, at Customer's choice, delete or return Customer Personal Data, and delete existing copies, except where retention is required by Applicable Data Protection Law or for the integrity of completed signing evidence. Completed envelopes and audit evidence may be retained for the periods described in the Docshark Privacy Notice. Data in backups is deleted in the ordinary course of backup rotation.
12. US state privacy laws
For Customer Personal Data subject to the CCPA as amended by the CPRA, Sharkforce acts as a service provider. Sharkforce will not sell or share such personal information, will not retain, use, or disclose it for any purpose other than performing the Services and the limited business purposes permitted by law, and will not combine it with personal information from other sources except as permitted by the CCPA. Sharkforce certifies that it understands and will comply with these restrictions.
13. PIPEDA and Canadian processing
Where PIPEDA or substantially similar provincial law applies, Sharkforce processes Customer Personal Data as a service provider acting on Customer's behalf and on Customer's instructions. Customer is responsible for providing required notices to, and obtaining required consents from, signers and other data subjects, including any additional obligations under Quebec's Law 25 for Customer's own processing.
14. Precedence and changes
This DPA prevails over the Terms with respect to the processing of Customer Personal Data. A separately signed Master Services Agreement or data processing agreement between the parties prevails over this DPA to the extent of a conflict. Sharkforce may update this DPA to reflect changes in law or its processing practices, provided the updates do not materially reduce the protections for Customer Personal Data; material changes will be communicated as required by law.
15. Contact
Questions about this DPA, data processing, or international transfers: [email protected]. Sharkforce Inc. (Canada, federal corporation), Attention: Privacy Office.