This Privacy Policy applies to all users of the DocuActions AI platform, website, and related services. By using our platform, you acknowledge that you have read and agree to the practices described herein.
1. About This Privacy Policy
DocuActions AI, Inc. (“DocuActions AI,” “we,” “our,” or “us”) is committed to protecting the privacy, confidentiality, and security of personal and organizational data. This Privacy Policy (“Policy”) describes how we collect, use, process, store, share, and protect information obtained through our AI-powered SaaS platform, including all associated applications, APIs, integrations, and websites (collectively, the “Platform” or “Services”).
DocuActions AI is an enterprise-grade AI platform that captures voice and audio conversations, generates real-time transcripts, processes documents, and automates downstream workflows—including the creation of tasks, summaries, reports, and emails—through integrations with leading collaboration tools such as Zoom, Google Workspace, and Microsoft 365.
Given the nature of our Services—which involve the processing of voice recordings, meeting content, and sensitive business communications—we have designed this Policy to meet the highest standards of transparency, data stewardship, and regulatory compliance.
This Policy applies to: (1) individuals who visit our website or create accounts (“Users”); (2) organizations and enterprises that subscribe to our platform (“Customers”); (3) authorized end users operating within a Customer’s account (“End Users”); and (4) any individual whose data may be processed as part of our Services. If you are an End User operating within a Customer’s account, your use of the platform may also be governed by your organization’s own privacy policies.
This Policy should be read alongside our Terms of Service and any applicable Data Processing Agreement (“DPA”) executed with enterprise Customers. In the event of a conflict between this Policy and a signed DPA, the DPA shall take precedence with respect to the processing of Customer data.
We encourage you to read this Policy in full. If you have questions or concerns, please contact our Privacy Team using the information provided in Section 14 (Contact Us).
2. What Information We Collect
We collect several categories of information to provide, maintain, secure, and improve our Services. The information we collect depends on how you interact with our Platform and what features your organization has enabled. We do not sell personal data, and we collect only what is necessary to deliver our Services.
2.1 User-Provided Account Information
When you create an account, register for our Services, or otherwise engage with DocuActions AI directly, you may provide us with the following categories of personal data:
- Identity Information: Full name, professional title, and profile photograph (if provided).
- Contact Information: Work or personal email address, phone number, and business mailing address.
- Organizational Details: Company or agency name, department, industry sector, and organizational size.
- Billing Information: Payment details, invoicing address, and subscription plan data, processed via PCI-DSS compliant payment processors.
- Authentication Credentials: Encrypted account passwords, multi-factor authentication tokens, and SSO identifiers.
- Preferences & Settings: Communication preferences, notification settings, and platform configuration choices.
2.2 Audio Recordings and Transcripts
The primary function of our Platform involves the capture and processing of voice and audio data. When you use the DocuActions AI recording or integration features, we may collect and process:
- Voice and audio recordings of meetings, conversations, calls, or dictations initiated by you or your organization.
- Machine-generated transcripts derived from those recordings using AI-powered speech-to-text processing.
- Speaker identification data where applicable, including speaker labels and diarization metadata.
- Timestamps and session metadata associated with recorded interactions.
- Documents uploaded by users for AI-assisted processing, summarization, or action extraction.
Audio recordings and transcripts may contain sensitive personal information about meeting participants, including individuals who are not registered users of DocuActions AI. Organizations deploying our Services are responsible for ensuring that all participants have been appropriately informed of recording and processing activities in accordance with applicable laws in their jurisdiction. DocuActions AI processes this data strictly on behalf of, and under the instructions of, the Customer organization.
2.3 Automatically Collected Usage Data
When you access or use our Platform, we automatically collect certain technical and behavioral data to ensure service performance, security, and reliability:
| Data Type | Examples | Purpose |
|---|---|---|
| Device & Browser Data | Browser type/version, operating system, device identifiers, screen resolution | Platform compatibility and rendering optimization |
| Network Data | IP address (anonymized), general geographic region, ISP | Security monitoring, fraud detection, regional compliance |
| Session & Interaction Logs | Pages visited, features used, session duration, clicks, feature engagement patterns | Service improvement and UX optimization |
| Performance Metrics | API response times, error logs, system crash reports, latency records | System reliability and debugging |
| Authentication Logs | Login timestamps, access events, session tokens, MFA activity | Account security and unauthorized access detection |
2.4 Integration Data from Third-Party Platforms
When you authorize connections between DocuActions AI and third-party platforms, we collect and process data from those integrations to deliver our automated workflow Services:
- Zoom: Meeting metadata, participant lists, cloud recording files, meeting IDs, and scheduling data accessed via Zoom’s official API with your OAuth authorization.
- Google Workspace: Google Calendar events, Google Meet session data, Gmail message metadata (as authorized), and Google Drive documents shared with the platform.
- Microsoft 365: Microsoft Teams meeting data, Outlook calendar and email metadata, OneDrive documents, and SharePoint content as authorized via the Microsoft Graph API.
- Other Platforms: Data from any additional integrations (e.g., CRM, project management tools) you authorize, limited strictly to the permissions you explicitly grant.
We access third-party integration data only to the extent necessary to perform the specific function you have authorized (e.g., transcribing a Zoom meeting or creating a task in a connected project management tool). We do not use integration data for any purpose beyond the scope of your authorization.
3. How We Use Your Information
We use the information we collect for specific, legitimate, and clearly defined purposes. We do not use your data in ways inconsistent with the purposes described at the time of collection. The following outlines our primary use cases:
3.1 Service Delivery and Core Platform Functionality
The primary purpose for which we process your data is to deliver the DocuActions AI Services you have contracted for. This includes:
- Authenticating your account and managing your session.
- Enabling audio capture and real-time or asynchronous transcription.
- Processing transcripts and documents through our AI engine to extract action items, decisions, and key insights.
- Generating automated outputs, including task assignments, email drafts, reports, and workflow triggers routed to your designated platforms.
3.2 AI Processing — Transcription and Intelligent Automation
Our AI processing pipeline converts raw audio into structured, actionable data. This involves:
- Applying speech recognition models to generate verbatim or summarized transcripts.
- Using natural language processing (NLP) to identify action items, tasks, commitments, and deadlines.
- Analyzing document content to extract relevant data points for downstream automation.
- Routing AI-generated outputs to your integrated platforms based on your configured workflow rules.
DocuActions AI does not use Customer audio recordings, transcripts, documents, or AI-generated outputs to train, fine-tune, or improve general-purpose AI models without your explicit, written consent. Enterprise Customers may configure their accounts to opt out of any product analytics that involve content review. Model improvements are governed exclusively by your organization’s DPA.
3.3 Customer Support
We process your information to respond to support requests, diagnose and troubleshoot technical issues, and resolve billing or account disputes. Support interactions may be logged and retained for quality assurance and regulatory audit purposes.
3.4 Security Monitoring and Fraud Prevention
We analyze usage data, access logs, and system telemetry to detect, investigate, and respond to unauthorized access, data breaches, abuse, and other security threats. This includes monitoring for anomalous behavior patterns, enforcing rate limiting and access controls, and conducting forensic analysis following a security incident.
3.5 Platform Improvement and Analytics
We use aggregated and de-identified usage metrics—never raw Customer content—to understand how our Services are used, identify areas for improvement, measure feature adoption, and inform product development. All analytics performed for this purpose are conducted on anonymized, non-personally identifiable data unless you have explicitly consented otherwise.
3.6 Legal and Compliance Obligations
We may process and retain data to fulfill our obligations under applicable law, respond to valid legal process (subpoenas, court orders, or regulatory inquiries), enforce our Terms of Service, and protect the legal rights and interests of DocuActions AI, our Customers, and third parties.
3.7 Legal Basis for Processing (GDPR)
For individuals in the European Economic Area (EEA) and United Kingdom, we process personal data under the following legal bases as defined in the General Data Protection Regulation (GDPR):
| Processing Activity | Legal Basis (GDPR Article) |
|---|---|
| Account creation and service delivery | Article 6(1)(b) — Performance of a contract |
| Security monitoring and fraud detection | Article 6(1)(f) — Legitimate interests |
| Legal compliance and regulatory obligations | Article 6(1)(c) — Legal obligation |
| Marketing communications (if opted in) | Article 6(1)(a) — Consent |
| AI model improvement (if consented) | Article 6(1)(a) — Explicit consent |
| Special category data (e.g., health-related audio) | Article 9(2)(a) — Explicit consent |
4. Our Role in Data Processing
Understanding our role in the data processing ecosystem is fundamental to compliance. DocuActions AI operates in dual capacities depending on the nature of the data and context in which it is processed:
4.1 DocuActions AI as Data Controller
DocuActions AI acts as an independent Data Controller with respect to personal data that we collect and determine the purposes and means of processing for our own business operations. This includes personal data collected through our public website (e.g., contact form submissions and marketing inquiries), account registration and authentication data, billing and payment records, customer support correspondence, and data used for our own security, analytics, and business operations.
As a Data Controller, we bear full responsibility for ensuring this data is processed lawfully, transparently, and in accordance with all applicable data protection regulations, including GDPR and CCPA.
4.2 DocuActions AI as Data Processor
When processing data on behalf of our enterprise Customers—including audio recordings, meeting transcripts, documents, and AI-generated outputs uploaded or generated within the platform—DocuActions AI acts exclusively as a Data Processor. In this capacity, we:
- Act only on the documented instructions of the Customer (the Data Controller).
- Do not independently determine the purposes or means of processing Customer data.
- Impose equivalent data protection obligations on all sub-processors we engage.
- Assist Customers in fulfilling their own obligations under applicable data protection law.
- Return or delete Customer data upon termination of Services, as instructed.
- Provide Customers with all information necessary to demonstrate compliance with applicable obligations.
Enterprise Customers who require a formally executed Data Processing Agreement (DPA) as required under GDPR Article 28, CCPA service provider agreements, or other regulatory frameworks may request our standard DPA by contacting us at contact@docuaction.io. We are prepared to execute DPAs that include Standard Contractual Clauses (SCCs) for international data transfers.
4.3 Sub-Processors
We engage a limited number of vetted third-party sub-processors to support the delivery of our Services. All sub-processors are bound by written agreements that impose data protection standards no less protective than those described in this Policy. We maintain and publish a current list of our sub-processors, and enterprise Customers under a DPA are notified in advance of any material changes to our sub-processor list, providing the opportunity to object before such changes take effect.
5. How We Share Your Information
DocuActions AI does not sell, rent, auction, or trade personal data to any third party, under any circumstances. We do not monetize your data through advertising networks. Your data is not a product.
5.1 Sharing with Authorized Service Providers
We share data with a carefully selected set of third-party service providers who perform functions on our behalf under strict contractual obligations. These providers are permitted to process data only for the specific purpose for which they were engaged and are prohibited from using your data for their own commercial purposes. Service provider categories include:
| Service Category | Purpose | Data Shared |
|---|---|---|
| Cloud Infrastructure (e.g., AWS, Azure) | Hosting, storage, and compute services | Encrypted platform data |
| AI/ML Processing | Speech-to-text and NLP model inference | Audio and text (encrypted in transit) |
| Payment Processors (PCI-DSS compliant) | Subscription billing and payment handling | Payment credentials (never stored by us) |
| Email Delivery | Transactional emails and notifications | Name, email address |
| Customer Support Software | Support ticket management | Support correspondence and account identifiers |
| Security & Monitoring | Threat detection and incident response | Anonymized access logs |
5.2 Integration Partners (Your Direction)
When you authorize integrations with third-party platforms such as Zoom, Google Workspace, or Microsoft 365, data is shared with those platforms at your explicit direction, under their respective privacy policies and terms. DocuActions AI is not responsible for the privacy practices of third-party platforms. You should review each platform’s privacy policy before authorizing integrations.
5.3 Business Transfers
In the event of a merger, acquisition, reorganization, asset sale, or bankruptcy, your information may be transferred to or shared with a successor entity. We will provide advance notice of any such transaction and ensure that the acquiring entity is bound by data protection commitments no less protective than those in this Policy. You will have the right to request deletion of your data prior to any such transfer.
5.4 Legal Compliance and Law Enforcement
We may disclose your information to government authorities, regulators, or law enforcement agencies when we are legally required to do so, including in response to a valid subpoena, court order, warrant, or regulatory directive. Prior to disclosure, we will, where legally permitted, notify the relevant Customer or User so they have the opportunity to seek a protective order. We do not voluntarily disclose user data to government entities without legal compulsion, and we maintain records of all legal process received.
5.5 Protection of Rights
We may disclose information where we believe in good faith that such disclosure is necessary to prevent fraud, protect the security or integrity of our platform, enforce our Terms of Service, or protect the rights, property, or safety of DocuActions AI, our Customers, Users, or the public.
6. How Long We Keep Your Data
DocuActions AI retains personal data only for as long as is necessary to fulfill the purposes for which it was collected, comply with applicable legal obligations, resolve disputes, and enforce our agreements. We do not retain data indefinitely. Our retention practices are designed to balance operational necessity with the principle of data minimization.
6.1 Retention Schedule
| Data Category | Default Retention Period | Configurable? |
|---|---|---|
| Account and profile data | Duration of account + 30 days post-termination | Partial (deletion on request) |
| Audio recordings | 90 days (default); configurable by Customer | Yes — 7 days to 7 years |
| Transcripts and summaries | 1 year (default); configurable by Customer | Yes — Customer-defined policy |
| AI-generated outputs (tasks, emails, reports) | 1 year (default) | Yes |
| Usage and access logs | 12 months (rolling) | No (security obligation) |
| Billing and financial records | 7 years (legal/tax obligation) | No |
| Support and correspondence | 3 years | No |
| Legal hold data | Duration of legal proceedings | No |
6.2 Customer-Managed Retention Policies
Enterprise Customers have the ability to configure custom data retention policies through the DocuActions AI administrative console. Administrators may define shorter or longer retention periods for audio recordings, transcripts, and AI outputs within the bounds permitted under applicable law and their subscription tier. Custom retention policies are executed automatically by our secure deletion system and are documented in Customer audit logs.
6.3 Secure Deletion Practices
Upon expiration of the applicable retention period, or upon receipt of a verified deletion request, data is deleted using the following standards:
- Logical deletion from active databases is completed within 30 days.
- Cryptographic erasure is applied to encrypted data stores, rendering the data irretrievable.
- Backup copies are purged according to our backup rotation schedule (within 90 days maximum).
- Deletion is confirmed and logged in our compliance audit trail.
Upon termination or expiration of a Customer’s subscription, we provide a 30-day data export window during which Customers may download all of their data. After the 30-day window closes, Customer data is permanently and irreversibly deleted from all live systems and queued for removal from backup infrastructure within 90 days. Written certification of deletion is available upon request under enterprise agreements.
7. How We Protect Your Data
DocuActions AI has implemented a comprehensive, layered security architecture based on industry best practices and international security standards. We recognize that the data processed on our platform — including audio recordings and business communications — is sensitive, and we treat its protection as a core organizational responsibility.
Encryption in Transit (TLS 1.2 / TLS 1.3)
All data transmitted between your devices and our servers is encrypted using Transport Layer Security (TLS 1.2 minimum; TLS 1.3 preferred). This includes all API communications, web application traffic, audio file transfers, and integration data flows. We enforce HTTPS across all platform endpoints and implement HSTS (HTTP Strict Transport Security) to prevent protocol downgrade attacks.
Encryption at Rest (AES-256)
All data stored on our infrastructure—including audio recordings, transcripts, documents, database records, and backup files—is encrypted at rest using AES-256 encryption, the same standard used by leading financial institutions and government agencies. Encryption keys are managed through a dedicated Key Management Service (KMS) with hardware-backed security modules (HSMs), and keys are rotated regularly.
Role-Based Access Control (RBAC)
Access to data within the DocuActions AI platform is governed by a granular Role-Based Access Control system. Access is granted on a strict need-to-know and least-privilege basis. Administrative access to Customer data by DocuActions AI personnel is restricted, logged, requires multi-party authorization for sensitive operations, and is subject to periodic access review and recertification audits.
Secure Cloud Infrastructure
Our platform is hosted on enterprise-grade, SOC 2 Type II and ISO 27001 certified cloud infrastructure. We leverage virtual private cloud (VPC) network isolation, security group policies, Web Application Firewall (WAF) protection, DDoS mitigation services, and automated vulnerability scanning. All cloud provider relationships are governed by written data processing agreements.
Continuous Monitoring & Audit Logging
We maintain comprehensive, tamper-evident audit logs of all access to Customer data, administrative actions, system events, and API calls. Security Information and Event Management (SIEM) tooling provides real-time alerting on anomalous behavior. Logs are retained for a minimum of 12 months and are available to enterprise Customers via our compliance dashboard.
Multi-Factor Authentication (MFA) & SSO
All DocuActions AI user accounts support and strongly encourage multi-factor authentication. Enterprise Customers can enforce mandatory MFA for all users within their organizational account. We support SAML 2.0 and OAuth 2.0-based Single Sign-On (SSO) for integration with corporate identity providers including Okta, Azure Active Directory, and Google Workspace.
Penetration Testing & Vulnerability Management
We conduct independent third-party penetration testing at least annually and maintain a responsible disclosure and vulnerability management program. Critical vulnerabilities are remediated within 24–72 hours of confirmed identification. We conduct automated dependency scanning and code analysis as part of our secure software development lifecycle (SSDLC).
Incident Response
We maintain a formal, documented Incident Response Plan (IRP) tested through annual tabletop exercises. In the event of a confirmed data breach affecting personal data, we will notify affected Customers and, where legally required, relevant supervisory authorities, within 72 hours of confirmed discovery, in accordance with GDPR Article 33 and applicable breach notification laws.
8. Compliance Frameworks & Data Sovereignty
DocuActions AI has architected its platform and operational practices to meet the requirements of multiple regulatory and industry compliance frameworks. Our compliance program is maintained by a dedicated team and reviewed regularly to address evolving regulatory requirements. The following frameworks govern our data handling practices:
SOC 2 Type II Alignment
Our platform is aligned with the AICPA SOC 2 Trust Services Criteria across all five Trust Service Categories:
- Security — Unauthorized access protection via RBAC, MFA, and encryption
- Availability — Uptime SLAs, disaster recovery, and redundant infrastructure
- Confidentiality — Data classification, access controls, and NDA enforcement
- Processing Integrity — Accurate, complete, and authorized data processing
- Privacy — Aligned with AICPA’s privacy principles and applicable regulations
HIPAA-Ready Architecture
DocuActions AI’s infrastructure is designed to support deployments requiring HIPAA compliance for healthcare organizations and sensitive clinical workflows.
- Business Associate Agreement (BAA) available for covered entities
- PHI handling aligned with HIPAA Security Rule safeguards
- AES-256 encryption for ePHI at rest and in transit
- Workforce access controls and audit logging for PHI access
- Configurable data minimization policies for sensitive environments
GDPR Compliance (EU/UK)
We fully comply with the General Data Protection Regulation (EU 2016/679) and the UK GDPR for all data subjects in the European Economic Area and United Kingdom.
- Lawful basis documented for each processing activity
- Data subject rights honored: access, rectification, erasure, portability
- Data Processing Agreements (DPAs) with Standard Contractual Clauses (SCCs)
- Records of Processing Activities (RoPA) maintained
- 72-hour breach notification to supervisory authorities (GDPR Article 33)
- Data Protection Impact Assessments (DPIAs) conducted for high-risk processing
CCPA & CPRA Compliance
We comply with the California Consumer Privacy Act (CCPA) as amended by the California Privacy Rights Act (CPRA) for California residents and businesses.
- No sale or sharing of personal data for cross-context behavioral advertising
- Right to Know: categories and purposes of data collection
- Right to Delete: verified deletion requests honored within 45 days
- Right to Correct inaccurate personal information
- Right to Opt-Out of sale/sharing (no sale occurs)
- Service Provider agreements restrict secondary use of Customer data
Data Encryption Standards
End-to-end cryptographic protection is applied across the entire data lifecycle on our platform.
- TLS 1.3 for all data in transit (minimum TLS 1.2)
- AES-256-GCM for all data at rest
- Customer-managed encryption keys (CMEK) available on Enterprise tier
- HSM-backed key management with regular key rotation
- Secure key storage in dedicated KMS
- Encrypted backup storage with separate key custody
FedRAMP Authorization
DocuActions AI is actively pursuing FedRAMP authorization to serve U.S. federal government agencies and regulated federal contractors.
- FedRAMP authorization: In Progress — not yet certified
- NIST SP 800-53 control alignment underway
- Engaging a Third-Party Assessment Organization (3PAO)
- Government-specific deployment environment in development
- Contact us for our current Government Readiness Roadmap
8.1 Data Sovereignty and Residency
We understand that many enterprise and government Customers require data to remain within specific geographic boundaries. DocuActions AI offers configurable data residency options for enterprise accounts. Customers may elect to have their data processed and stored within specific regions, including the United States, the European Union, or other supported regions. Data residency commitments are formalized in Customer DPAs and contractual agreements. Default data processing occurs within secure U.S.-based data centers hosted on FedRAMP-authorized cloud infrastructure providers.
8.2 International Data Transfers
When personal data is transferred from the European Economic Area, United Kingdom, or Switzerland to our systems in the United States or other jurisdictions, such transfers are conducted using appropriate legal mechanisms including Standard Contractual Clauses (SCCs) approved by the European Commission, the EU-US Data Privacy Framework (where applicable), and supplementary technical measures to ensure equivalent protection of transferred data.
9. Third-Party Integrations & Data Handling
DocuActions AI integrates with leading enterprise collaboration and productivity platforms to automate workflows and surface actionable intelligence from your communications. The following describes how data is handled within each major integration category:
9.1 Zoom Integration
When you authorize the DocuActions AI Zoom integration, we access your Zoom account via the official Zoom API using OAuth 2.0 authorization. We may access meeting recordings (where cloud recording is enabled and authorized by the meeting host), meeting metadata (meeting ID, title, date, duration, participant display names), and Zoom Webinar data (if authorized). We act as a Zoom App Marketplace application and comply with Zoom’s Platform Usage Policy and API Terms. We do not access any Zoom account settings, payment information, or data beyond the explicit permissions you grant during the OAuth flow. Revoking the Zoom integration at any time will immediately terminate our API access to your Zoom account.
9.2 Google Workspace Integration
The Google Workspace integration connects DocuActions AI with Google Calendar, Google Meet, Gmail (limited, with explicit authorization), and Google Drive. We use Google’s OAuth 2.0 authentication and request only the minimum necessary API scopes required to perform the specific function you have enabled. Google Calendar access allows us to retrieve meeting schedules and create follow-up task events. Google Drive access enables retrieval and processing of documents you designate for AI action extraction. Our use of Google user data is limited to the purposes disclosed in this Policy and complies with Google’s API Services User Data Policy, including its Limited Use requirements.
9.3 Microsoft 365 Integration
Our Microsoft 365 integration connects to Microsoft Teams, Outlook Calendar, and OneDrive via the Microsoft Graph API under your organization’s Azure Active Directory authorization. We request delegated or application permissions only as required for your enabled features, and all Microsoft integration requests are governed by Microsoft’s privacy and API terms. Enterprise deployments may leverage tenant-level controls to restrict the scope of our Graph API access to specific organizational units or security groups.
9.4 Third-Party Responsibility Boundaries
DocuActions AI is not responsible for the privacy or security practices of third-party integration platforms. When you connect our Services to Zoom, Google, Microsoft, or any other external platform, that platform’s own privacy policy and terms of service govern their handling of your data. We strongly recommend reviewing the privacy documentation of each platform you connect. DocuActions AI cannot guarantee, control, or be held liable for changes to third-party platform APIs, data handling practices, or compliance postures.
9.5 API and Webhook Data
Enterprise Customers who use the DocuActions AI REST API or configure outbound webhooks to transmit data to their own systems or third-party destinations are responsible for the security of those receiving systems and data pipelines. We recommend using our webhook signing verification mechanism and enforcing HTTPS-only endpoints for all webhook destinations.
10. Government & Security Readiness
DocuActions AI is committed to building the security posture and compliance infrastructure necessary to serve federal, state, and local government agencies, defense contractors, regulated industries, and other security-sensitive organizations. The following describes our current government readiness capabilities and our ongoing compliance roadmap:
10.1 Secure Architecture Principles
Our platform is designed according to a Defense-in-Depth security model. We apply security controls at the network, application, data, and identity layers. Our cloud infrastructure leverages zero-trust network architecture principles, including micro-segmentation of services, mandatory mutual TLS (mTLS) for internal service-to-service communication, and ephemeral access tokens for all privileged operations.
10.2 Access Control Policies
Access to sensitive systems and Customer data by DocuActions AI personnel is governed by our formal Access Control Policy. All employees and contractors undergo background verification appropriate to their role prior to being granted system access. Access is provisioned on the principle of least privilege, reviewed quarterly, and revoked immediately upon role change or employment termination. Administrative access to production systems requires just-in-time (JIT) provisioning, multi-party approval, and is fully logged with session recording for sensitive operations.
10.3 Comprehensive Audit Logging
Our platform maintains detailed, tamper-evident audit logs capturing all data access events, authentication activities, administrative actions, API calls, configuration changes, and system events. Logs are stored in a write-once, append-only format in a dedicated security log store separate from primary application infrastructure. Enterprise and government Customers may access their organization’s audit logs directly through the administrative dashboard or via our SIEM-compatible log export API.
10.4 FedRAMP Authorization Status
DocuActions AI is actively pursuing FedRAMP authorization. We are currently aligning our control environment with NIST SP 800-53 Rev. 5 controls and are in the process of engaging a CISA-approved Third-Party Assessment Organization (3PAO) to conduct our formal security assessment. We do not currently hold FedRAMP authorization and do not claim certification. Federal agencies and regulated contractors should contact us directly at contact@docuaction.io to discuss our current security posture and government readiness roadmap before making procurement decisions.
10.5 Incident Reporting and Disclosure
In the event of a security incident affecting government or regulated data, DocuActions AI is committed to timely, transparent, and documented notification to affected organizations in accordance with applicable federal and state incident reporting requirements. Government Customers under enterprise agreements benefit from dedicated incident escalation contacts and agreed notification timelines outlined in their contractual agreements.
11. Your Privacy Rights
DocuActions AI respects and upholds the privacy rights of all individuals whose data we process. The specific rights available to you may vary depending on your location and applicable law; however, we extend the following rights broadly to all Users and, where applicable, to End Users within Customer accounts:
Right to Access
You may request a copy of the personal data we hold about you, including information about how it is used and with whom it is shared.
Right to Delete
You may request the deletion of your personal data. We will honor verified deletion requests within 30 days, subject to legal retention obligations.
Right to Correct
You may request correction of inaccurate or incomplete personal information we hold about you.
Right to Portability
You may request your personal data in a structured, commonly used, and machine-readable format for transfer to another service.
Right to Opt-Out
You may opt out of marketing communications and any optional data processing at any time. We do not sell data, so no sale opt-out is required.
Right to Restrict
You may request that we restrict certain processing activities while a dispute is pending or during review of a deletion or correction request.
Right to Object
You may object to processing based on our legitimate interests. We will assess and respond to all objections in good faith.
Right to Complain
You have the right to lodge a complaint with your applicable supervisory authority if you believe your data rights have been violated.
11.1 How to Exercise Your Rights
To submit a data rights request, please contact our Privacy Team at contact@docuaction.io with the subject line “Privacy Rights Request.” Please include your full name, email address associated with your account, and a description of the right you wish to exercise. We may need to verify your identity before processing your request to protect against unauthorized access or deletion. We will acknowledge your request within 5 business days and provide a substantive response within 30 days (or 45 days where legally permitted with notice).
11.2 Note Regarding Customer-Controlled End User Data
If you are an End User operating within an organization’s DocuActions AI account, your data rights are primarily exercised through your organization (the Customer). We will cooperate fully with Customers in honoring their obligations to fulfill your data rights requests and will route requests received directly from End Users to the appropriate Customer account administrator where applicable.
11.3 California Residents — Additional Rights
California residents are entitled to the rights described above under the CCPA/CPRA, including the right to know, right to delete, right to correct, right to opt-out of sale (which is not applicable as we do not sell data), and the right to non-discrimination for exercising your privacy rights. To submit a Verifiable Consumer Request under the CCPA, contact us at contact@docuaction.io. We will not discriminate against you—including by denying services or charging different prices—for exercising your CCPA rights.
12. Cookies & Tracking Technologies
Our website and platform use cookies and similar tracking technologies to enable core functionality, analyze usage, and improve the user experience. We are committed to providing clear, meaningful control over non-essential tracking.
12.1 Types of Cookies We Use
| Cookie Category | Purpose | Consent Required? |
|---|---|---|
| Strictly Necessary | Authentication session management, CSRF protection, security tokens, and load balancing. These are essential for the platform to function. | No — technically essential |
| Functional / Preference | Remembering your language, UI preferences, dashboard layout, and notification settings between sessions. | No — core usability |
| Analytics | Aggregated, anonymized data on how users navigate our website and platform, used exclusively for product improvement (e.g., page views, feature adoption, error rates). | Yes — opt-in via cookie banner |
| Marketing / Advertising | We do not deploy third-party advertising cookies or behavioral tracking for advertising purposes on our platform or website. | Not applicable |
12.2 Analytics Technology
Where analytics are enabled by your consent, we use privacy-respecting analytics tools configured to anonymize IP addresses, disable cross-site tracking, and store no personally identifiable information in analytics systems. We do not use advertising networks, retargeting pixels, or third-party behavioral tracking technology.
12.3 Your Cookie Choices
When you first visit our website, you will be presented with a cookie consent banner that allows you to accept or decline non-essential cookies. You may change your cookie preferences at any time through the “Cookie Preferences” link in our website footer. You may also control cookies directly through your browser settings; however, disabling strictly necessary cookies may affect platform functionality. Note that opt-out preferences are stored locally and may be reset if you clear your browser data.
12.4 Do Not Track
We respect browser-level “Do Not Track” (DNT) signals. When a DNT signal is detected, we do not activate analytics or optional tracking cookies for that session. We support the Global Privacy Control (GPC) signal as a valid opt-out mechanism under applicable law, including the CPRA.
13. Updates to This Privacy Policy
We may update this Privacy Policy periodically to reflect changes in our Services, data practices, applicable law, or regulatory requirements. We are committed to providing meaningful notice of material changes so that you can make informed decisions about your continued use of our platform.
13.1 How We Notify You of Changes
For material changes—those that significantly affect how we collect, use, or share your data, or that substantially affect your rights—we will provide advance notice by sending a notification email to the primary account email address on file at least 30 days prior to the effective date of the change, displaying a prominent notice on our platform dashboard or website upon your next login, and updating the “Effective Date” and “Version” fields at the top of this Policy.
For non-material or clarifying changes—such as formatting updates, corrections of typographical errors, or minor reorganization that does not change the substance of our data practices—we may update this Policy without advance individual notice and will update the “Last Reviewed” date accordingly.
13.2 Continued Use
Your continued use of the DocuActions AI platform following the effective date of a material policy update constitutes your acceptance of the revised Privacy Policy. If you do not agree with the updated Policy, you must cease using the platform and contact us at contact@docuaction.io to close your account and request deletion of your data prior to the effective date.
13.3 Archived Versions
Prior versions of this Privacy Policy are archived and available upon request to support transparency and audit requirements. Enterprise Customers may request a copy of any previously effective policy version by contacting our Privacy Team.
Version 2.0 — Effective June 1, 2025: Expanded HIPAA-Ready architecture section, added FedRAMP In-Progress status, updated CCPA/CPRA provisions to reflect CPRA amendments, added Customer-managed retention policy details, and enhanced Government Readiness section. Version 1.0 was effective from the original platform launch.
14. How to Reach Us
We take privacy seriously and welcome questions, feedback, and requests from our Users and Customers. If you have any questions about this Privacy Policy, wish to exercise your data rights, report a privacy concern, or discuss a Data Processing Agreement, please use the following contact channels:
For questions about this Policy, data rights requests, compliance inquiries, and DPA requests.
For general information, enterprise sales inquiries, and partnership discussions.
To report a suspected security vulnerability or data breach. Please include “SECURITY” in the subject line.
DocuActions AI, Inc.
Privacy & Compliance Team
Email: contact@docuaction.io
We aim to acknowledge all privacy inquiries within 2 business days and provide a substantive response within 30 days of receipt. For time-sensitive data rights requests under GDPR or CCPA, we prioritize responses in accordance with applicable regulatory timelines.
Supervisory Authority Complaints
If you are located in the European Economic Area and believe we have not adequately addressed your privacy concerns, you have the right to lodge a complaint with your local data protection supervisory authority. In the United Kingdom, complaints may be directed to the Information Commissioner’s Office (ICO). In the United States, CCPA-related complaints may be directed to the California Privacy Protection Agency (CPPA). We encourage you to contact us first so we may have the opportunity to resolve any concerns before escalation.