Data Processing Agreement
Last updated March 2026
1. Parties
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Token ("Processor") and the user or their organisation ("Controller") and governs the processing of personal data on behalf of the Controller when they use the Token service.
For the purposes of this DPA, the Controller is the Token user who creates a workspace and controls what data is shared through it. The Processor is Token.
2. Subject matter and duration of processing
Subject matter: The processing concerns personal data submitted by the Controller's recipients (signatories, viewers, and downloaders of shared documents) through the Controller's workspace.
Duration: Processing continues for as long as the Controller's account and workspace are active, for up to 30 days following account deletion while data is removed from active systems, and for up to 30 additional days while it is removed from backups (see section 10).
3. Nature and purpose of processing
Purpose: To provide the Controller with a secure document sharing service. Specifically: encrypting and storing documents, enforcing access controls, recording NDA acceptances, and delivering access logs — all as directed by the Controller.
Nature: Collection, storage, encryption, access management, and deletion of personal data. The Processor does not use personal data for its own purposes.
4. Types of personal data
The following categories of personal data may be processed:
- Recipient name, email address, company, and physical address (from NDA forms)
- Recipient IP address and user agent string (from access logs — captured at the time of room access)
- Controller account email and workspace identifier (for account management purposes)
Special categories: The Processor does not intentionally process any special categories of personal data (e.g., health, racial or ethnic origin, political opinions). Controllers must not upload files containing special categories of personal data unless appropriate safeguards are in place.
5. Security measures
The Processor implements the following technical and organisational security measures:
- Encryption at rest: All uploaded files are encrypted client-side using AES-256-GCM before storage.
- Encryption in transit: TLS 1.2+ for all data transmissions.
- Access controls: Role-based access controls for internal systems; least-privilege principle applied.
- Monitoring: Access logging for all data operations; anomaly detection on internal accounts.
- Sub-processor controls: Written DPAs with all sub-processors; sub-processors only process data necessary to deliver their service.
6. Data subject rights
The Controller is responsible for responding to data subject requests from their recipients. Upon request, the Processor will:
- Provide the Controller with a machine-readable export of all data associated with a specific data subject within 30 days.
- Delete all data associated with a specific data subject within 30 days of a confirmed deletion request from the Controller.
- Assist the Controller in fulfilling any other data subject rights requests, to the extent technically feasible.
Data subjects may also contact the Processor directly at privacy@token.fyi to exercise their rights.
7. Sub-processors
The Processor uses the following sub-processors:
| Sub-processor | Purpose | Country |
|---|---|---|
| Railway | Hosting, compute, and database | United States |
| Twilio SendGrid | Transactional email delivery | United States |
The Controller may object to a new sub-processor by contacting privacy@token.fyi within 30 days of receiving notice of a change.
8. Data breach notification
In the event of a personal data breach that is likely to result in a risk to the rights and freedoms of data subjects, the Processor will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach.
Notifications will be sent to the Controller's account email. It is the Controller's responsibility to ensure this email address is kept current.
9. Audits
The Processor makes available information and documentation necessary to demonstrate compliance with this DPA. Controllers may request a copy of our most recent security audit report (if available) or a summary of our technical and organisational security measures by emailing security@token.fyi.
10. Return and deletion
Upon termination of the Controller's account, the Processor will — at the Controller's choice — either return a complete export of all workspace data as a JSON archive, or permanently delete all personal data within 30 days.
Data removed from active systems may persist in backups for up to 30 additional days before being permanently overwritten.