
Legal · GDPR Art. 28

Data Processing Agreement

Last updated: 6 May 2026 · Effective immediately upon acceptance

This Agreement is accepted electronically by checking the acceptance box at registration or first login. The date and time of acceptance is recorded on your account.

This Data Processing Agreement ("Agreement") is entered into between:

Data Controller: you, the landlord or property manager using the Docaira platform.

Data Processor: Docaira, operated by its founder, based in Sweden (contact: team@docaira.com).

1. Definitions

Terms used in this Agreement ("personal data", "data subject", "processing", "controller", "processor", "supervisory authority") have the meanings given in GDPR (EU) 2016/679.

2. Details of Processing

| Element | Details |
| --- | --- |
| Subject matter | Tenant document collection for property rental purposes |
| Duration | For the duration of the Controller's Docaira subscription, plus applicable retention periods |
| Nature of processing | Collection, storage, AI-assisted communication, automated deletion |
| Purpose | Enabling landlords to securely request and receive required documents from tenants |
| Types of personal data | Identity documents (passport, national ID), financial documents (pay stubs, employment letters, bank statements), contact information (email address) |
| Categories of data subjects | Prospective and current tenants of the Controller |

3. Processor Obligations

The Processor shall:

  1. Process personal data only on documented instructions from the Controller. The case configuration you create in Docaira (document types requested, tenant email) constitutes such instructions.
  2. Ensure that all persons authorised to process the data are bound by confidentiality obligations.
  3. Implement the technical and organisational security measures described in clause 6.
  4. Respect the sub-processor rules in clause 4 and obtain prior authorisation before engaging new sub-processors.
  5. Assist the Controller in fulfilling data subject rights requests as described in clause 5.
  6. Delete all personal data upon termination as described in clause 8.
  7. Make available all information necessary to demonstrate compliance with Article 28 GDPR upon request.

4. Sub-processors

The Controller grants general written authorisation for the Processor to engage sub-processors for the purposes of providing the Service, including providers of cloud infrastructure, transactional email, payment processing, authentication, and AI-assisted features.

The Processor shall inform the Controller of any intended addition or replacement of a sub-processor at least 14 days in advance by email to the address registered on the account and via a notice on the platform. The Controller has the right to object to such changes on reasonable grounds within that period. If the Controller objects and the parties cannot reach a resolution, the Controller may terminate this Agreement in accordance with clause 10.

The Processor shall impose data protection obligations on all sub-processors that are no less protective than those set out in this Agreement, by way of a written contract. The Processor remains fully liable to the Controller for the performance of any sub-processor that fails to fulfil its obligations.

Where sub-processors are located outside the EU/EEA, transfers are made subject to appropriate safeguards under Art. 46 GDPR, including Standard Contractual Clauses approved by the European Commission. An up-to-date list of sub-processors is available on request by emailing team@docaira.com.

5. Assistance to the Controller

The Processor shall assist the Controller in responding to data subject rights requests under GDPR Chapter III (access, rectification, erasure, restriction, portability, objection). If a data subject contacts the Processor directly, the Processor will forward the request to the Controller within 5 business days.

The Processor shall also assist the Controller in ensuring compliance with Articles 32–36 GDPR relating to security obligations, breach notification, and data protection impact assessments where required by the nature of the processing.

6. Security Measures

The Processor implements the following technical and organisational measures:

  • Encryption in transit: TLS 1.2 or higher for all data transmitted between clients and servers.
  • Access control: Landlord data requires authenticated JWT tokens. Tenant upload links are single-use scoped tokens that cannot access other cases.
  • Automatic data deletion: Uploaded tenant documents are automatically and irrecoverably deleted 30 days after case creation via a scheduled process running daily at 03:00 UTC.
  • Audit logging: All data access, upload, and deletion events are logged with timestamps, user identifiers, and IP addresses. Logs are retained for 90 days.
  • Rate limiting: All API endpoints are rate-limited to prevent brute-force and denial-of-service attacks.
  • Least privilege: Internal access to production data is restricted to essential personnel only, bound by confidentiality agreements.
  • Input validation: File uploads are restricted by MIME type and size. Document names are sanitised to prevent path traversal attacks.

7. Personal Data Breaches

In the event of a personal data breach affecting Controller data, the Processor shall notify the Controller without undue delay and at the latest within 72 hours of becoming aware, by email to the address registered on the account.

The notification will include, to the extent known at the time: the nature of the breach, categories and approximate number of data subjects and records affected, likely consequences, and measures taken or proposed to address the breach.

The Controller is responsible for notifying the competent supervisory authority (IMY) and affected data subjects where required by Art. 33–34 GDPR.

8. Return and Deletion of Data

Tenant documents are automatically deleted 30 days after case creation regardless of account status (see clause 6). Chat history and received document records are also cleared at this time.

Upon termination of the Controller's account, all remaining case data will be purged within 30 days. The Controller may request a data export prior to account closure by emailing team@docaira.com.

Landlord account data (email, name) will be deleted within 30 days of account closure. Payment records are retained for 7 years as required by Swedish accounting law.

9. Audit Rights

The Controller may, with at least 30 days' prior written notice to team@docaira.com, request information about the Processor's data processing activities covered by this Agreement. Such requests may be fulfilled by providing security documentation, process descriptions, or other relevant materials.

10. Liability

Each party's liability under this Agreement is subject to the limitations set out in the Docaira Terms of Service. Nothing in this Agreement excludes or limits either party's liability for breaches of GDPR where such limitation is prohibited by applicable law.

11. Governing Law

This Agreement is governed by the laws of Sweden. Disputes shall be submitted to Stockholm District Court as court of first instance.

12. Acceptance and Updates

This Agreement is accepted electronically when you check the acceptance box during registration or first login on the Docaira platform. The date and time of acceptance is recorded and stored on your account.

We will notify you of material changes to this Agreement by email at least 14 days before they take effect. Continued use of the platform after the effective date constitutes acceptance of the updated Agreement.

Contact for DPA queries: team@docaira.com
