Data Processing Addendum

Last updated: July 1, 2026

This Data Processing Addendum (“DPA”) forms part of the agreement between Latchwork Systems (“Processor”) and the Customer (“Controller”) for use of Latchwork Cadence, and applies where we process personal data on Customer’s behalf.

1. Scope and roles

Customer is the controller of personal data contained in Customer Data; Latchwork is the processor. Latchwork processes such data only on documented instructions from Customer, including as configured through the Service.

2. Nature and purpose of processing

Hosting and storage of obligation records and documents, delivery of notification email to data subjects designated by Customer (owners, approvers, signers), execution of approval and signing workflows, and related support. Categories of data subjects and personal data are determined by Customer’s use of the Service.

3. Confidentiality and personnel

Personnel authorized to process personal data are bound by confidentiality obligations and receive appropriate data protection training. Access is limited to what is necessary to operate and support the Service.

4. Security

Latchwork implements appropriate technical and organizational measures, including encryption in transit and at rest, tenant isolation, role-based access control, audit logging, and tested backup and recovery procedures, as described at /security.

5. Subprocessors

Customer authorizes the subprocessors listed at /legal/subprocessors. We will provide notice of changes to that list; Customer may object on reasonable data protection grounds within 30 days of notice.

6. Data subject requests

Taking into account the nature of processing, Latchwork will assist Customer with reasonable measures to respond to data subject requests. Requests received directly by Latchwork will be forwarded to Customer where appropriate.

7. Personal data breach

Latchwork will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and will provide information reasonably required for Customer’s own notification obligations.

8. International transfers

Where processing involves transfers from the EEA, UK, or Switzerland to countries without an adequacy decision, the parties rely on Standard Contractual Clauses incorporated by reference into this DPA.

9. Deletion and return

Upon termination, Customer may export Customer Data for 30 days, after which Latchwork deletes it except where retention is required by law.

10. Audits

Latchwork will make available information reasonably necessary to demonstrate compliance with this DPA and will allow audits by Customer or an agreed independent auditor, no more than annually and on reasonable notice.

Executed copies

Govern-tier customers can request a countersigned DPA by emailing hello@latchworksystems.com.