Last updated: 28 June 2026.
This page summarises how Docutati processes the documents you upload, for business, legal, medical and enterprise customers who need data-processing terms on file. A countersigned DPA is available on request at [email protected].
For the documents you upload, you (the customer) are the data controller and Docutati is the data processor. Docutati processes the documents only to produce the analysis, translation or transcription you request.
All document processing runs on private infrastructure that Docutati owns and operates in the EU. Documents are never sent to any third-party AI provider, and are never transferred outside the EU. Because there is no transfer to a third country, Standard Contractual Clauses are not required.
Your document content has no AI sub-processor — it is processed only on Docutati's own EU hardware. Stripe processes payment data only (never your documents) as an independent processor, and an email provider delivers your result link (your email address only, never the document).
Uploaded documents and generated results are automatically and permanently deleted within 7 days. Only minimal order records (e.g. payment reference, email) are kept as required for accounting and legal obligations.
Documents are handled by an isolated, network-restricted worker with no internet access. Traffic is encrypted in transit, and only minimal technical logs (retained up to 90 days) are kept to secure the service and prevent abuse. No profiling and no cross-site tracking.
Your documents are never used to train any model, and there is no account or user profile — nothing to aggregate, sell or leak.
Because documents are deleted within 7 days and never leave the EU, most data-subject requests are satisfied by design. Docutati will assist with access, correction or deletion requests at [email protected].
Try it — no sign-up →