RenderDoc
RenderDoc
Sign InGet Started

Data Processing Agreement

Last updated: January 8, 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between RenderDoc and Customer.

1. Introduction

This Data Processing Agreement ("DPA") is entered into by and between:

  • RenderDoc ("Processor", "we", "us") - the provider of the document generation API platform
  • Customer ("Controller", "you") - the entity using RenderDoc services

This DPA applies to the processing of Personal Data by RenderDoc on behalf of the Customer in connection with the provision of the RenderDoc document generation API services.

By using RenderDoc services, you agree to this DPA. If you are entering into this DPA on behalf of a company or other legal entity, you represent that you have the authority to bind that entity.

2. Definitions

For the purposes of this DPA, the following definitions apply:

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in applicable Data Protection Laws.
  • "Data Protection Laws" means all applicable laws relating to data protection and privacy, including the EU General Data Protection Regulation (GDPR), UK GDPR, and other applicable national laws.
  • "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
  • "Data Subject" means the individual to whom Personal Data relates (e.g., document recipients).
  • "Sub-processor" means any third party engaged by RenderDoc to process Personal Data on behalf of the Customer.
  • "Security Incident" means any unauthorized access, acquisition, use, or disclosure of Personal Data.

3. Scope and Roles

3.1 Controller and Processor

For the purposes of this DPA:

  • The Customer is the Data Controller for Personal Data of document recipients
  • RenderDoc is the Data Processor, processing Personal Data on behalf of the Customer

3.2 Categories of Data Subjects

Personal Data processed under this DPA may relate to:

  • Document recipients (individuals whose data appears in documents generated via RenderDoc)
  • Customer's end users and customers

3.3 Types of Personal Data

RenderDoc processes the following categories of Personal Data:

  • Names and contact information (if provided in document templates)
  • Any Personal Data included in document content or template variables
  • Document generation metadata (timestamps, template used)
  • IP addresses and device information (for analytics)

3.4 Purpose of Processing

RenderDoc processes Personal Data solely for:

  • Generating PDF and Excel documents on behalf of the Customer
  • Providing document generation analytics and reporting
  • Storing generated documents temporarily for download
  • Maintaining service security and preventing abuse

4. Processor Obligations

RenderDoc agrees to:

4.1 Processing Instructions

  • Process Personal Data only on documented instructions from the Customer
  • Not process Personal Data for any purpose other than providing the services
  • Inform the Customer if we believe an instruction violates Data Protection Laws

4.2 Confidentiality

  • Ensure that personnel processing Personal Data are bound by confidentiality obligations
  • Limit access to Personal Data to personnel who need it to perform services

4.3 Security Measures

RenderDoc implements appropriate technical and organizational measures, including:

  • Encryption of data in transit (TLS via CloudFlare)
  • Encryption of data at rest (Railway infrastructure storage-level encryption)
  • Secure credential storage (bcrypt hashing for passwords and API keys)
  • Access controls and authentication (JWT, API keys, 2FA)
  • Regular security monitoring and logging
  • DDoS protection (CloudFlare WAF)

4.4 Data Retention

RenderDoc implements a three-tier data retention system designed for GDPR compliance:

Tier 1: Full Logs (30 Days)

  • Document content: NOT stored - processed in memory and immediately discarded after generation
  • Generated documents: Stored temporarily (configurable, default 7 days) for download via signed URLs
  • Document metadata: Full details retained for 30 days

Tier 2: Archived Data (5 Years)

  • Personal data: REMOVED after 30 days (GDPR compliance - no PII in archives)
  • Basic metadata: Template used, status, error category, timestamps
  • Document count: Number only, not individual details

Tier 3: Daily Summaries (Indefinite)

  • Aggregated metrics only: Total generated, successful, failed per day/template
  • No individual data: Cannot identify specific documents or recipients

Other Data

  • Webhook events: Retained for 30 days
  • Deleted records: Permanently removed after 30-day soft-delete period

4.5 Data Removal Requests

Data Subjects can request removal of their data directly from RenderDoc:

  • Submit a removal request at app.renderdoc.dev/data-removal
  • Email verification is required to prove identity
  • Upon verification, RenderDoc removes any identifiable data from our systems
  • Requests are processed within 30 days as required by GDPR
  • Note: Document logs older than 30 days already have personal data removed

4.6 Assistance with Data Subject Rights

RenderDoc will assist the Customer in responding to Data Subject requests by providing:

  • Data export capabilities via API
  • Data deletion upon Customer request
  • Access to document generation logs (within retention period)

5. Sub-processors

5.1 Authorized Sub-processors

The Customer authorizes RenderDoc to engage the sub-processors listed on our Sub-processors page.

5.2 Sub-processor Obligations

RenderDoc ensures that each sub-processor:

  • Is bound by data protection obligations no less protective than this DPA
  • Provides sufficient guarantees for appropriate technical and organizational measures

5.3 Changes to Sub-processors

RenderDoc will:

  • Maintain an up-to-date list of sub-processors on our website
  • Notify Customers of any intended changes to sub-processors via email or dashboard notification
  • Provide Customers with the opportunity to object to new sub-processors within 30 days

6. Security Incident Notification

In the event of a Security Incident affecting Personal Data, RenderDoc will:

  • Notify the Customer without undue delay (and in any event within 72 hours) after becoming aware of the incident
  • Provide information about the nature of the incident, categories of data affected, and approximate number of Data Subjects
  • Describe the likely consequences and measures taken to address the incident
  • Cooperate with the Customer's investigation and mitigation efforts

Notification will be sent to the email address associated with the Customer's account.

7. International Data Transfers

RenderDoc and its sub-processors process data primarily in the United States. For transfers of Personal Data from the European Economic Area (EEA), United Kingdom, or Switzerland:

  • We rely on Standard Contractual Clauses (SCCs) approved by the European Commission
  • Our sub-processors maintain appropriate transfer mechanisms (SCCs, binding corporate rules, or adequacy decisions)
  • We implement supplementary measures where necessary to ensure adequate protection

8. Audits and Compliance

RenderDoc will:

  • Make available information necessary to demonstrate compliance with this DPA
  • Allow for and contribute to audits conducted by the Customer or an independent auditor (with reasonable notice and during business hours)
  • Provide security documentation and compliance certifications upon request

9. Data Deletion and Return

Upon termination of services or upon Customer request:

  • RenderDoc will delete or return all Personal Data within 30 days
  • Customer may export their data using our data export features before termination
  • RenderDoc may retain data where required by applicable law, with continued protection under this DPA

10. Controller Obligations

The Customer agrees to:

  • Ensure a valid legal basis exists for processing Personal Data (e.g., consent, legitimate interest, contract)
  • Provide any required notices to Data Subjects about how their data will be processed
  • Respond to Data Subject requests using tools provided by RenderDoc
  • Not use RenderDoc services to generate documents containing illegal or harmful content
  • Maintain appropriate security measures for API keys and account credentials
  • Promptly notify RenderDoc of any Data Subject requests or complaints

11. Liability

Each party's liability under this DPA is subject to the limitations set forth in the Terms of Service.

RenderDoc shall not be liable for any claims arising from the Customer's failure to comply with Data Protection Laws or their own privacy obligations.

12. Term

This DPA:

  • Becomes effective when the Customer begins using RenderDoc services
  • Remains in effect for the duration of the Customer's use of RenderDoc services
  • Survives termination with respect to any Personal Data retained by RenderDoc

13. Updates to this DPA

RenderDoc may update this DPA to reflect changes in Data Protection Laws or our processing activities. We will notify Customers of material changes via email or dashboard notification at least 30 days before they take effect.

14. Contact

For questions about this DPA or to exercise data protection rights, contact us at:

  • Email: privacy@renderdoc.dev
  • Address: RenderDoc, Delivstat Technology Solutions, 7/A, Thanal, Kodungoor, Vazhoor, Kottayam, Kerala, India - 686504

See our full list of sub-processors for details on third parties that process data on our behalf.

Related Documents