Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between NotarialOS Inc. ("NotarialOS") and the customer entity identified in the underlying Order Form or Master Services Agreement ("Customer"). It governs NotarialOS' processing of Personal Data on Customer's behalf under the Data Privacy Act of 2012 (R.A. 10173) and its Implementing Rules and Regulations.

Last updated: May 04, 2026

1. Definitions

Capitalized terms not defined here have the meaning given in the Data Privacy Act of 2012 ("DPA Act") and the issuances of the National Privacy Commission ("NPC"). For purposes of this DPA:

  • "Personal Data" means any Personal Information and Sensitive Personal Information processed by NotarialOS on Customer's behalf in connection with the Service.
  • "Customer Personal Data" means Personal Data submitted by or on behalf of Customer for processing by NotarialOS as a Personal Information Processor.
  • "Sub-processor" means any third party engaged by NotarialOS to process Customer Personal Data.
  • "Security Incident" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Customer Personal Data.

2. Roles and scope

For Customer Personal Data uploaded by Customer to the Service, Customer acts as Personal Information Controller and NotarialOS acts as Personal Information Processor.

NotarialOS separately acts as Personal Information Controller in relation to (a) account, billing, and usage data of Customer's authorized users for the operation of the Service; and (b) data NotarialOS is required to process and retain in its capacity as a Supreme Court-accredited Electronic Notarization Facility under A.M. No. 24-10-14-SC — including identity verification artifacts, the electronic notarial book, session recordings, and audit trails. Customer acknowledges that NotarialOS' obligations as a Controller for these regulated records take precedence over conflicting Customer instructions.

3. Subject matter, duration, nature, and purpose

  • Subject matter — Provision of the NotarialOS Service.
  • Duration — For the term of the underlying agreement, plus any retention required by law.
  • Nature of processing — Hosting, storage, transmission, identity verification, recording, sealing, and audit trail generation in support of electronic notarial acts.
  • Purpose — To enable Customer to obtain compliant electronic notarial acts under Philippine law.

4. Categories of data and data subjects

  • Categories of data — name, contact details, government-issued ID details and images, facial / liveness data, voice and video recordings, electronic signatures, document content, transaction metadata, and audit logs.
  • Categories of data subjects — Customer's authorized users, signers and counterparties to documents Customer submits, and individuals identified within those documents.

5. NotarialOS' obligations as Processor

NotarialOS will:

  • Process Customer Personal Data only on Customer's documented instructions, including the underlying agreement, this DPA, and Customer's lawful use of the Service — except where required to act otherwise by Philippine law (in which case NotarialOS will inform Customer of that legal requirement, unless prohibited from doing so)
  • Ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations
  • Implement and maintain the technical and organizational security measures described in our Security page, consistent with NPC Circular 16-01 and industry practice
  • Provide reasonable assistance, taking into account the nature of processing, to enable Customer to respond to data subject requests and to comply with Customer's obligations under the DPA Act
  • Make available information reasonably necessary to demonstrate compliance with this DPA

6. Sub-processors

Customer authorizes NotarialOS to engage Sub-processors to provide the Service, subject to a written contract that imposes data protection obligations no less protective than those in this DPA. NotarialOS maintains a current list of Sub-processors and will provide it on request to [email protected]. NotarialOS will provide reasonable advance notice of intended changes to its Sub-processor roster. Customer may object on reasonable data protection grounds; if the parties cannot agree on an alternative arrangement, Customer may terminate the affected portion of the Service for the relevant period.

7. Security and Security Incidents

NotarialOS will maintain commercially reasonable safeguards consistent with NPC Circular 16-01 and the Security page above. NotarialOS will notify Customer without undue delay after becoming aware of a Security Incident affecting Customer Personal Data, and will provide information reasonably necessary for Customer to fulfil its own breach notification obligations to the NPC and affected data subjects.

8. Data subject rights

Where a data subject contacts NotarialOS to exercise rights under the DPA Act in respect of Customer Personal Data, NotarialOS will, where lawful, refer the data subject to Customer and assist Customer in responding. Customer is responsible for substantively responding to data subject requests in respect of Customer Personal Data.

9. Cross-border transfers

NotarialOS primarily processes Customer Personal Data on infrastructure located in the Philippines. Where Sub-processors process Customer Personal Data outside the Philippines, NotarialOS will ensure that appropriate safeguards are in place — including contractual clauses, recognized standards, and provider certifications — consistent with the DPA Act and NPC issuances.

10. Audits

On reasonable prior written notice and no more than once per calendar year (except following a Security Incident or upon written request from a competent authority), Customer or its independent auditor may, subject to confidentiality obligations and at Customer's cost, audit NotarialOS' compliance with this DPA. NotarialOS may satisfy its audit obligations by providing reports of independent third-party audits or certifications already in place.

11. Return and deletion

On termination or expiry of the underlying agreement, NotarialOS will, at Customer's choice, return or delete Customer Personal Data within a commercially reasonable period — except for (a) Customer Personal Data that NotarialOS is required to retain by Philippine law, including notarial records under A.M. No. 24-10-14-SC, and (b) routine backups, which will be deleted in the ordinary course of NotarialOS' backup retention cycle.

12. Liability

Each party's liability arising out of or in connection with this DPA is subject to the exclusions and limitations of liability set out in the underlying agreement.

13. Governing law

This DPA is governed by the laws of the Republic of the Philippines and is subject to the exclusive jurisdiction of the courts of Taguig City, Metro Manila, Philippines.

14. Order of precedence

In the event of any conflict between this DPA and the underlying agreement in respect of the processing of Customer Personal Data, this DPA prevails.

15. Contact

Questions about this DPA should be sent to our Data Protection Officer at [email protected].

Need a counter-signed DPA?

For procurement teams that require an executed copy on company letterhead, we can deliver one as part of the demo and onboarding flow.
