Legal · LaunchDocs
Data Processing Agreement
Version 1.2 · Effective 25 June 2026
Preamble
This Data Processing Agreement (“DPA”) forms part of the LaunchDocs subscription agreement between LaunchDocs (“Processor”) and your organization (“Controller”). It governs how Personal Data uploaded to any LaunchDocs platform product by EU-region organizations is processed.
1.Scope
This DPA applies to all Personal Data processed by LaunchDocs on behalf of the Controller through any LaunchDocs platform product including LaunchProcure, LaunchBid, LaunchDocs, and LaunchCompliance, including RFP submissions, source documents, vendor profiles, evaluation data, and generated procurement content.
2.Sub-processors & Data Residency
EU-region organizations have their Personal Data processed exclusively within the European Economic Area (EEA) through the following sub-processors:
- Mistral AI — large language model inference. Registered: 15 rue des Halles, 75001 Paris, France (French company, EU-incorporated, SIREN 952 418 325). Infrastructure: Microsoft Azure, Sweden and Norway (EEA). Customer data is not used to train Mistral AI models (opted out by default for API customers per Mistral DPA Section 2.3). Mistral AI DPA · Mistral sub-processors
- MongoDB Atlas — primary data store. Location: Frankfurt, Germany (AWS eu-central-1). Backup: within eu-central-1 region.
- LaunchDocs application servers. Location: to be confirmed — exact EU availability zone required from hosting provider. Confirmation pending.
- Authentication — custom JWT implementation, processed within the LaunchDocs application servers (no third-party identity provider).
- Resend (Plus Five Five, Inc.) — email communications. Location: Ireland (EEA).
- Stripe Inc — payment and billing only. Location: United States. Stripe processes billing data only (payment card information and subscription details). Procurement content, RFP data, and document content are never transmitted to Stripe.
Personal Data is not transferred outside the European Economic Area except for payment processing via Stripe as described above, which is covered by Standard Contractual Clauses. Sub-processor changes will be notified to the Controller no less than 30 days in advance, during which time the Controller may object in writing to legal@launchdocs.ai.
3.Roles & Responsibilities
The Controller determines the purposes and means of processing. LaunchDocs processes Personal Data only on documented instructions from the Controller, including this DPA and subsequent written instructions issued through the LaunchDocs platform.
4.Security Measures
LaunchDocs maintains the following technical and organisational measures:
- TLS 1.2+ encryption for all data in transit
- AES-256 encryption for data at rest
- Role-based access control on all internal systems
- Audit logging of security-relevant events, AI processing calls, score overrides, exports, and account lifecycle actions. Read operations are not individually logged.
- Incident response procedures (documented and maintained)
- No automated decision-making with legal or significant effect is performed. All AI-generated outputs are advisory only and require explicit human confirmation before use in any procurement decision. This is enforced technically within the platform and logged in the audit trail.
5.Data Subject Rights
LaunchDocs will assist the Controller in fulfilling its obligations under GDPR Articles 12–22 by:
- Providing relevant data extracts within 72 hours of written request from the Controller
- Deleting specific data records upon documented instruction from the Controller
- Flagging any data subject request received directly by LaunchDocs to the Controller immediately
LaunchDocs will not respond directly to data subject requests without explicit written instruction from the Controller. Data subject requests received directly by LaunchDocs will be forwarded to the Controller at the registered organization contact email within 24 hours. The Controller remains solely responsible for all data subject communications.
6.Breach Notification
LaunchDocs will notify the Controller without undue delay and no later than 48 hours of becoming aware of any Personal Data Breach affecting the Controller’s data, including:
- Nature of the breach and data categories affected
- Approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
This 48-hour internal window leaves the Controller a meaningful margin against the 72-hour notification obligation to the relevant supervisory authority under GDPR Article 33.
7.Audits
The Controller has the right to audit LaunchDocs’ compliance with this DPA. LaunchDocs will make available all documents and information reasonably necessary to demonstrate compliance within 14 days of written request.
For on-site audits:
- Minimum 30 days written notice required
- Conducted during normal business hours
- Costs borne by the Controller
- LaunchDocs may provide a current third-party security assessment in lieu of on-site audit, without prejudice to the Controller’s right to conduct their own audit
Audits of sub-processor Mistral AI are subject to Mistral AI’s audit terms at legal.mistral.ai/terms/data-processing-addendum (Section 9), which require 90 days advance notice and an independent joint auditor.
8.AI Processing & Human Oversight
All AI-generated content produced through LaunchDocs EU is:
- Processed exclusively using Mistral AI within the EEA (Microsoft Azure, Sweden and Norway)
- Subject to mandatory human review before any export or procurement decision
- Logged in a persistent audit trail retained for 6 years
- Clearly marked as AI-assisted on all exported documents
Customer data submitted to Mistral AI is not used to train Mistral AI models. This opt-out applies by default for all API customers per Mistral AI’s Data Processing Addendum Section 2.3.
LaunchDocs does not make autonomous procurement decisions. All outputs require explicit human approval in compliance with the EU AI Act.
9.Data Retention
Personal Data will be retained for the duration of the subscription plus 30 days. Prior to deletion, LaunchDocs will provide the Controller with a complete export of all Controller Personal Data in machine-readable format (JSON) within 14 days of written request. Controllers may initiate a data export at any time through the platform settings without contacting support.
Upon confirmed export or expiry of the 30-day period, LaunchDocs will permanently delete all Controller Personal Data from production systems within 30 days. Atlas database backups roll off per MongoDB Atlas default retention schedules (7-day continuous plus monthly snapshots). Written confirmation of production-system deletion is provided within 7 days. Configurable retention periods are on the product roadmap for Q3 2026 — until then the retention windows described above are applied uniformly.
10.Governing Law
LaunchDocs is operated by Kimberly Rowden, Entrepreneur Individuel, SIREN 104560511, registered in France. Contact: legal@launchdocs.ai.
This DPA is governed by the laws of France and the General Data Protection Regulation (EU) 2016/679 as applicable. Any disputes arising from this DPA shall be subject to the jurisdiction of the French courts, without prejudice to the Controller’s right to lodge a complaint with their local supervisory authority (in Ireland: the Data Protection Commission, www.dataprotection.ie).
11.Term & Termination
This DPA remains in effect for the duration of the subscription agreement. Termination of the subscription automatically terminates this DPA, subject to the data deletion obligations in Section 9.
12.International Transfers
LaunchDocs does not transfer Personal Data outside the European Economic Area except as noted in Section 2 (Stripe, for billing purposes only, covered by Standard Contractual Clauses). In the event that any future sub-processor requires a transfer outside the EEA, LaunchDocs will:
- Notify the Controller no less than 30 days in advance
- Ensure appropriate safeguards are in place (Standard Contractual Clauses or adequacy decision)
- Obtain Controller’s explicit consent before proceeding
- Update this DPA and Schedule 1 accordingly
13.Data Portability & Export
The Controller may export all of their Personal Data at any time through the platform settings. Exports are provided in JSON format within 24 hours of request. This right exists independently of termination and does not require the Controller to be in an active subscription to exercise within the 30-day post-termination window.
For the executable version of this DPA or to request a Schedule 1 (Sub-processor List), contact legal@launchdocs.ai.