Enterprise Agreement

Document Custody Agreement

Additional terms for organizations using Document Custody Mode.

Last updated: January 15, 2026

About This Agreement

This Document Custody Agreement ("DCA") supplements the main Terms of Service and applies only to organizations that have opted into Document Custody Mode. In this mode, Ordiva acts as a legal custodian of your documents, with specific obligations and responsibilities outlined below.

1. Definitions

  • "Documents" means files uploaded to Ordiva under Document Custody Mode
  • "Custodian" means Ordiva, as the party maintaining custody of Documents
  • "Customer" means the organization that owns the Documents
  • "Legal Hold" means a preservation directive requiring retention of specific Documents
  • "Retention Policy" means the rules governing how long Documents are retained

2. Scope of Custody

2.1 What Ordiva Stores

Under Document Custody Mode, Ordiva will store:

  • Documents uploaded through the Ordiva platform
  • Document metadata (filename, upload date, uploader, file type, size)
  • Document versions and version history
  • Access logs showing who accessed each document and when
  • Attestations and annotations associated with documents

2.2 Custody Transfer

Upon upload, custody of the Document transfers to Ordiva. Ordiva becomes responsible for:

  • Secure storage and protection of the Document
  • Maintaining Document integrity
  • Controlling access according to Customer's settings
  • Producing Documents upon authorized request

3. Security Obligations

Ordiva commits to the following security measures:

3.1 Encryption

  • Documents encrypted at rest using AES-256
  • Documents encrypted in transit using TLS 1.3
  • Encryption keys managed through secure key management systems
  • Customer-managed keys available for Enterprise Plus customers

3.2 Access Control

  • Role-based access control enforced
  • Access permissions configurable by Customer administrators
  • All access logged and auditable
  • Multi-factor authentication available

3.3 Infrastructure

  • SOC 2 Type II certified infrastructure
  • Regular penetration testing and vulnerability assessments
  • Geographic redundancy for disaster recovery
  • Minimum 99.9% uptime SLA

4. Retention and Deletion

4.1 Retention Policies

  • Customer configures retention policies through the platform
  • Default retention: indefinite until deleted by Customer
  • Automatic deletion available based on time-based rules
  • Retention policies can be applied per document type or category

4.2 Legal Holds

  • Customer can place legal holds on documents or document sets
  • Legal holds suspend automatic deletion
  • Legal holds can only be released by authorized administrators
  • Hold history is logged and auditable

4.3 Deletion

  • Customer can delete documents at any time (unless under legal hold)
  • Deleted documents are soft-deleted for 30 days (recoverable)
  • After 30 days, documents are permanently deleted from all systems
  • Deletion includes all versions and associated metadata

5. Document Production

5.1 Customer Requests

Customer administrators can export documents at any time through the platform.

5.2 Third-Party Requests

If Ordiva receives a legal request (subpoena, court order) for Customer documents:

  • Ordiva will notify Customer promptly (unless legally prohibited)
  • Customer will have opportunity to object or quash
  • Ordiva will comply with valid legal process
  • Ordiva will produce only documents specifically identified in the request

5.3 Chain of Custody

Ordiva maintains complete chain of custody records including:

  • Upload timestamp and uploader identity
  • All access events with timestamps
  • All modifications and version changes
  • Download and export events
  • Hash values for integrity verification

6. Data Integrity

  • SHA-256 hash computed for each document upon upload
  • Hash verified periodically and upon access
  • Integrity failures trigger immediate alert
  • Version history maintained for all modifications
  • Original upload preserved alongside any modified versions

7. Termination

7.1 Data Export

Upon termination of this agreement:

  • Customer has 90 days to export all documents
  • Export available in original formats with metadata
  • Audit logs available for export
  • Ordiva will provide reasonable assistance for data migration

7.2 Post-Termination Deletion

After the 90-day export period:

  • All documents will be permanently deleted
  • Deletion certificate provided upon request
  • Audit logs retained for 7 years per compliance requirements

8. Liability

8.1 Ordiva's Liability

Ordiva accepts liability for:

  • Security breaches resulting from Ordiva's negligence
  • Data loss due to Ordiva's systems or practices
  • Failure to comply with Customer's retention policies
  • Unauthorized disclosure of documents

9. Audit Rights

Customer may request:

  • Annual SOC 2 Type II report (provided under NDA)
  • Penetration test results (summary)
  • Security questionnaire completion
  • On-site audit with 30 days notice (Enterprise Plus only, limited to once per year)

11. Acceptance

By enabling Document Custody Mode for your organization, you acknowledge that you have read, understood, and agree to be bound by this Document Custody Agreement in addition to the main Terms of Service.

12. Contact

For questions about this agreement or Document Custody Mode:

Email: hello@mmekeservices.com
Enterprise Support: support@mmekeservices.com