Data Processing Addendum
This Data Processing Addendum (“DPA”) forms part of the agreement between Latchwork Systems (“Processor”) and the Customer (“Controller”) for use of Latchwork Cadence, and applies where we process personal data on Customer’s behalf.
1. Scope and roles
Customer is the controller of personal data contained in Customer Data; Latchwork is the processor. Latchwork processes such data only on documented instructions from Customer, including as configured through the Service.
2. Details of processing
Subject matter and duration: processing of personal data contained in Customer Data for the duration of the agreement, plus the post-termination export and deletion period. Nature and purpose: hosting and storage of obligation records and documents, delivery of notification email to data subjects designated by Customer (owners, approvers, signers), execution of approval and signing workflows including signature audit trails, and related support. Categories of data subjects:Customer’s personnel and the counterparties, approvers, and signers Customer designates. Categories of personal data: names, email addresses, business contact details, signature data and signing audit metadata (IP address, timestamps, authentication events), and any personal data Customer includes in items and documents. Customer agrees not to submit special categories of data requiring heightened protection unless the parties agree in writing.
3. Confidentiality and personnel
Personnel authorized to process personal data are bound by confidentiality obligations and receive appropriate data protection training. Access is limited to what is necessary to operate and support the Service.
4. Security
Latchwork implements appropriate technical and organizational measures, including encryption in transit and at rest, tenant isolation, role-based access control, audit logging, and tested backup and recovery procedures, as described at /security.
5. Subprocessors
Customer authorizes the subprocessors listed at /legal/subprocessors. Latchwork imposes data protection obligations on each subprocessor that are no less protective than those in this DPA and remains responsible for their performance. We will provide notice of changes to that list; Customer may object on reasonable data protection grounds within 30 days of notice, and if the parties cannot resolve the objection Customer may terminate the affected subscription with a pro-rata refund of prepaid fees.
6. Data subject requests
Taking into account the nature of processing, Latchwork will assist Customer with reasonable measures to respond to data subject requests. Requests received directly by Latchwork will be forwarded to Customer where appropriate.
7. Personal data breach
Latchwork will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably required for Customer’s own notification obligations.
8. International transfers
Where processing involves transfers from the EEA to countries without an adequacy decision, the parties rely on the EU Standard Contractual Clauses (Module Two, controller-to-processor), incorporated by reference into this DPA. For transfers from the UK, the UK International Data Transfer Addendum applies; for Switzerland, the SCCs apply as adapted by Swiss data protection law.
9. Deletion and return
Upon termination, Customer may export Customer Data for 30 days, after which Latchwork deletes it except where retention is required by law.
10. Audits
Latchwork will make available information reasonably necessary to demonstrate compliance with this DPA and will allow audits by Customer or an agreed independent auditor, no more than annually and on reasonable notice.
11. Liability and precedence
Each party’s liability under this DPA is subject to the limitations of liability in the Terms of Service. If this DPA conflicts with the Terms, this DPA controls as to processing of personal data; if the Standard Contractual Clauses conflict with this DPA, the Clauses control.
Executed copies
Govern-tier customers can request a countersigned DPA by emailing legal@latchworksystems.com.

