Data Processing Addendum
Last updated: June 29, 2026
Draft for review. This Data Processing Addendum (“DPA”) template is a starting point and is not legal advice. It must be reviewed and adapted by qualified counsel — including the schedules, transfer mechanisms (e.g. EU Standard Contractual Clauses, UK Addendum), and your legal entity — before it is offered or signed. Bracketed items like [Company legal name] need to be completed. If you need a countersigned DPA today, contact us.
1. Scope and roles
This DPA forms part of the agreement between [Company legal name] (“LangParse”, “Processor”) and the customer (“Customer”, “Controller”) for use of the LangParse services (the “Services”), as governed by our Terms of Service. For Customer Personal Data processed through the Services, the Customer is the controller (or processor on behalf of its own customers) and LangParse acts as processor (or sub-processor). Where LangParse processes data as its own controller (e.g. account administration), our Privacy Policy applies.
2. Definitions
“Customer Personal Data” means personal data contained in the documents and data the Customer submits to the Services. “Data Protection Laws” means all applicable laws relating to data protection and privacy, including the EU/UK GDPR, the CCPA/CPRA, and the Australian Privacy Act, as applicable. Terms such as “controller”, “processor”, “data subject”, “personal data”, and “processing” have the meanings given in the Data Protection Laws.
3. Processing of Customer Personal Data
- Instructions. LangParse processes Customer Personal Data only on the Customer’s documented instructions, including as set out in the Terms, this DPA, and the Customer’s use of the Services, unless required by law (in which case we will notify the Customer where permitted).
- Subject matter & duration. Processing lasts for the term of the agreement and the retention periods configured by the Customer.
- Nature & purpose. Conversion of documents into structured data, and related storage, processing, and support.
- Types of data & data subjects. Determined by the documents the Customer submits; see the schedule of processing details. [Complete the schedule.]
4. Confidentiality
LangParse ensures that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
5. Security
LangParse implements appropriate technical and organizational measures to protect Customer Personal Data, including encryption in transit and at rest, multi-tenant isolation, a hardened API behind a web application firewall, per-key rate limiting, and audited staff access. Further detail is on our Security page. [Attach the measures as a schedule for contractual certainty.]
6. Sub-processors
The Customer authorizes LangParse to engage sub-processors to provide the Services, principally Amazon Web Services (hosting) and Amazon Bedrock (model inference). LangParse imposes data-protection obligations on each sub-processor that are no less protective than this DPA and remains responsible for their performance. A current list of sub-processors is available on request, and we will give notice of intended changes so the Customer may object on reasonable grounds. [Define the notice mechanism and period.]
7. International transfers
The Customer chooses its data-residency region (US or Australia today). Where Customer Personal Data is transferred across borders, the parties will rely on an appropriate transfer mechanism, such as the EU Standard Contractual Clauses and the UK International Data Transfer Addendum, which are incorporated by reference where applicable. [Confirm the mechanisms and complete the SCC modules/annexes with counsel.]
8. Data subject requests
Taking into account the nature of the processing, LangParse will assist the Customer by appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. If LangParse receives such a request directly, it will refer the data subject to the relevant Customer.
9. Personal data breaches
LangParse will notify the Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data, and will provide information reasonably available to assist the Customer in meeting its notification obligations. [Specify the notification timeframe, e.g. within 72 hours.]
10. Audits
LangParse will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, subject to reasonable confidentiality, scheduling, and frequency limits. Where available, third-party reports or certifications may be provided to satisfy audit requests.
11. Deletion and return
On termination of the Services, or earlier on the Customer’s request, LangParse will delete or return Customer Personal Data in accordance with the Customer’s configuration and the Terms, except where retention is required by law.
12. Liability and precedence
Each party’s liability under this DPA is subject to the limitations and exclusions in the agreement. In the event of a conflict between this DPA and the Terms regarding the processing of Customer Personal Data, this DPA prevails. [Confirm with counsel.]
13. Requesting a signed DPA
To execute a countersigned DPA for your organization, reach out via our contact page or email legal@langparse.dev.