On this page
- 1. Introduction
- 2. Parties and Roles
- 3. Scope of Processing
- 4. Processing Details
- 5. Customer Instructions
- 6. Confidentiality
- 7. Security Measures
- 8. Subprocessors
- 9. International Transfers
- 10. Assistance With Data Subject Requests
- 11. Data Breach Notification
- 12. Return or Deletion of Data
- 13. Audits and Information Requests
- 14. Customer Responsibilities
- 15. Limitation
- 16. Contact
This Data Processing Addendum (the "DPA") forms part of the agreement between you (the "Customer") and Globe Astral LLC governing your use of Documintly (the "Service").
It applies whenever you upload, create, store, share, or otherwise process personal data through the Service, including within invoices, documents, PDFs, templates, signatures, QR codes, client records, and shared links.
If any term of this DPA conflicts with our Terms of Service, this DPA controls with respect to the processing of personal data. For questions about this DPA, contact us at legal@documintly.com.
1. Introduction
Documintly is a document workspace that lets you create and manage invoices, edit and mask PDFs, collect electronic signatures, generate QR codes, build templates, manage client records, and share documents through controlled links with view and download tracking.
When you use these features, you may upload or generate content that contains personal data about your own clients, customers, recipients, employees, or other individuals. This DPA explains how that personal data is processed, the responsibilities of each party, and the safeguards we apply.
This DPA is entered into by:
- Customer, the party that holds a Documintly account and submits personal data to the Service, acting as the data controller; and
- Globe Astral LLC, a Wyoming limited liability company that owns and operates Documintly, acting as the data processor.
2. Parties and Roles
For personal data that you upload to or create within the Service:
- You (the Customer) act as the data controller. You decide what personal data is entered into Documintly, why it is processed, and who it relates to. You are responsible for having a lawful basis and the necessary rights and permissions to process that data.
- Documintly / Globe Astral LLC acts as the data processor. We process that personal data only on your behalf and in accordance with your documented instructions, as set out in this DPA and the Terms of Service.
Where Globe Astral LLC determines the purposes and means of processing for its own operational purposes (for example, account administration, billing, security, and improving the Service), it acts as an independent controller, and that processing is governed by our Privacy Policy rather than this DPA.
For clarity, "personal data," "data controller," "data processor," "data subject," "processing," and "subprocessor" have the meanings given to them under applicable data protection laws.
3. Scope of Processing
This DPA applies to the processing of personal data that you submit to the Service in your capacity as controller. This includes personal data contained in:
- Invoices and invoice line items, including client and recipient details
- Documents and PDFs you upload, edit, or mask
- Templates you create or save to your template library
- Electronic signatures and signed documents
- QR codes and their encoded values
- Client records and contact information
- Shared links and the view or download events associated with them
We process this personal data only to provide, secure, maintain, and support the Service, and only as instructed by you or as necessary to perform our obligations under the Terms of Service.
4. Processing Details
The following table describes the processing carried out under this DPA.
| Detail | Description |
|---|---|
| Subject matter | Provision of the Documintly document, invoicing, signature, QR code, template, client management, and secure sharing services. |
| Duration | For the term of your Documintly account, plus any limited retention periods described in Section 12 and our Privacy Policy (including the 30-day trash retention and account deletion timelines). |
| Nature and purpose | Hosting, storing, transmitting, displaying, editing, generating, sharing, and tracking documents and related records; processing necessary to operate features you choose to use. |
| Categories of data subjects | Your clients, customers, invoice recipients, document recipients, signatories, business contacts, employees, and any other individuals whose personal data you include in your content. |
| Types of personal data | Names, email addresses, phone numbers, postal and billing addresses, company details, invoice amounts and line items, signatures, document contents you choose to upload, and metadata such as document view and download events. You should not upload special categories of personal data unless strictly necessary and lawful. |
Subject matter
The subject matter of the processing is the personal data you submit to Documentintly so that we can provide the Service to you.
Duration
We process personal data for as long as your account is active and you continue to store the relevant content, and for the limited additional periods needed to operate trash retention, complete account deletion, comply with legal obligations, and resolve disputes.
Nature and purpose
The nature and purpose of the processing is to operate the Service features you use, including storing files in private storage, generating signed URLs for access, sending shared links, tracking views and downloads, and producing exports such as PDFs.
Categories of data subjects
Data subjects are determined entirely by you and consist of the individuals whose personal data you choose to include in invoices, documents, signatures, QR codes, client records, and shared links.
Types of personal data
The types of personal data are determined entirely by you. You control what content is uploaded or created and are responsible for ensuring it is appropriate and lawful.
5. Customer Instructions
We process personal data only on your documented instructions, including with regard to international transfers, unless we are required to process it by applicable law. Where we are required by law to process personal data beyond your instructions, we will inform you of that legal requirement before processing unless the law prohibits us from doing so.
Your instructions are reflected in:
- This DPA
- The Terms of Service
- Your configuration and use of features within the Service, including which clients, documents, and shared links you create and how you set sharing options
If we believe an instruction infringes applicable data protection law, we will inform you without undue delay.
6. Confidentiality
We ensure that personnel authorized to process personal data are bound by appropriate obligations of confidentiality, whether by contract or statutory duty, and are trained to handle personal data securely. Access to your personal data is limited to personnel who need it to provide, secure, or support the Service.
7. Security Measures
We implement and maintain appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage. These measures include:
- Isolation of customer data through per-user access controls and row-level security, so that each account can access only its own records.
- Private storage for uploaded files, with access granted through short-lived signed URLs rather than public links.
- Encryption in transit using industry-standard TLS, and encryption at rest provided by our infrastructure subprocessors.
- Authentication and session management handled by a dedicated authentication provider, including secure password handling.
- Controlled sharing, where documents and invoices are shared through links that you create and can revoke, with view and download tracking surfaced to you.
- Access controls that limit internal access to production data to authorized personnel.
- Bot and abuse protection for relevant forms and flows.
We may update these measures over time, provided that the overall level of protection is not materially reduced.
8. Subprocessors
You authorize us to engage subprocessors to help provide the Service. We impose data protection obligations on our subprocessors that are no less protective than those in this DPA, and we remain responsible for their performance of those obligations.
Our current subprocessors include:
| Subprocessor | Purpose |
|---|---|
| Supabase | Authentication, database, and private file storage. |
| Vercel | Application hosting, deployment, and content delivery. |
| Stripe | Subscription billing and payment processing. |
| Resend | Transactional and notification email delivery, including feedback messages. |
| Cloudflare Turnstile | Bot detection and abuse prevention on forms and flows. |
| Upstash | Caching, rate limiting, and ephemeral state, where enabled. |
| Analytics, monitoring, or error logging providers | Service performance monitoring and error diagnostics, where enabled. |
We will inform you of any intended changes concerning the addition or replacement of subprocessors, giving you the opportunity to object on reasonable data protection grounds. If you reasonably object and we cannot accommodate your objection, you may discontinue use of the affected feature or terminate your account in accordance with the Terms of Service.
9. International Transfers
Our subprocessors may process personal data in countries other than the one in which you are located, including the United States. Where personal data is transferred across borders, we and our subprocessors rely on appropriate safeguards recognized under applicable data protection law, such as standard contractual clauses or equivalent transfer mechanisms, where required.
By submitting personal data to the Service, you instruct us to carry out such transfers as necessary to provide the Service.
10. Assistance With Data Subject Requests
Taking into account the nature of the processing, we provide reasonable assistance to help you respond to requests from data subjects to exercise their rights under applicable data protection law, such as access, correction, deletion, restriction, objection, and portability.
Because you control the content you upload, you can directly access, edit, export, and delete most personal data within your account using the Service's features. Where you require additional assistance that only we can provide, you may contact us at legal@documintly.com, and we will respond within a reasonable timeframe.
If we receive a request directly from one of your data subjects, we will not respond to it ourselves except on your instructions or as required by law, and we will, where permitted, refer the request to you.
11. Data Breach Notification
If we become aware of a personal data breach affecting personal data processed on your behalf, we will notify you without undue delay after becoming aware of it. Our notification will, to the extent available, describe the nature of the breach, the likely consequences, and the measures taken or proposed to address it.
We will provide reasonable cooperation and information to help you meet any breach notification obligations you may have toward regulators or affected data subjects.
12. Return or Deletion of Data
Within the Service, you can delete invoices, documents, templates, signatures, QR codes, client records, and shared links at any time. Deleted items are moved to trash and are permanently removed after the retention period described in our Privacy Policy (generally 30 days), after which associated files are removed from storage.
On termination or expiry of your account, we will, at your choice and to the extent technically feasible, delete or return the personal data processed on your behalf, and delete existing copies, unless applicable law requires continued storage. Routine backups are overwritten or expire on a rolling basis in the ordinary course of operations.
13. Audits and Information Requests
We will make available to you information reasonably necessary to demonstrate compliance with this DPA, and will allow for and contribute to audits, including inspections, conducted by you or an auditor you mandate, subject to reasonable and proportionate conditions.
To the extent possible, we will satisfy audit requests by providing relevant documentation, summaries of our security practices, or subprocessor information, rather than granting direct access to systems. Any audit must be conducted during business hours, with reasonable advance notice, in a manner that does not disrupt our operations or compromise the confidentiality or security of other customers' data.
14. Customer Responsibilities
As the data controller, you are responsible for:
- Ensuring you have a valid lawful basis and all necessary rights, consents, and permissions to upload and process the personal data you submit to the Service.
- Providing any required notices to your data subjects.
- Configuring the Service appropriately, including managing who you share documents and invoices with and revoking shared links when access should end.
- Not uploading personal data that you are not permitted to process, and avoiding the upload of special categories of personal data unless strictly necessary and lawful.
- Responding to data subject requests and regulator inquiries that relate to your use of the Service, with our reasonable assistance as described above.
You are responsible for the accuracy, quality, and legality of the personal data you submit and the means by which you acquired it.
15. Limitation
This DPA is subject to the limitations of liability and other terms set out in the Terms of Service, except where applicable data protection law provides otherwise. Nothing in this DPA limits any rights that data subjects may have under applicable data protection law.
This DPA does not create any obligations beyond those required under applicable data protection law and the Terms of Service, and it does not transfer to us any responsibility for decisions you make as the controller.
16. Contact
For any questions, instructions, or requests relating to this Data Processing Addendum, contact:
Globe Astral LLC Owner and operator of Documintly
Email: legal@documintly.com
We will route your message to the appropriate team and respond within a reasonable timeframe.