1. Parties & Roles
This DPA is between the customer (the Controller) and PaperAPI (the Processor). PaperAPI processes personal data only on documented instructions from the Controller.
2. Subject Matter & Duration
Subject matter: Providing HTML-to-PDF rendering and related dashboard services. Duration: The term of the customer's use of PaperAPI services, until deletion or return of personal data as described below.
3. Nature & Purpose of Processing
- Receive HTML and assets via API calls to generate PDFs on the Controller's behalf.
- Store generated PDFs temporarily according to Controller-defined retention settings.
- Provide dashboard access, logs, usage metrics, and billing records for the services.
4. Types of Data & Data Subjects
Personal data submitted by the Controller through the service, which may include contact details, identifiers, and content embedded in HTML/PDF payloads. Data subjects may include the Controller's customers, employees, or other individuals whose data appears in the Controller's content.
5. Controller Instructions
PaperAPI processes personal data solely on documented instructions provided via the API, dashboard settings, or written communications. If required by law to process beyond these instructions, PaperAPI will inform the Controller unless legally prohibited.
6. Confidentiality
PaperAPI ensures personnel authorized to process personal data are bound by confidentiality obligations and receive appropriate training on data protection.
7. Security Measures
PaperAPI implements technical and organizational measures appropriate to the risk, including encryption in transit and at rest, access controls, network isolation, logging, and vulnerability management. Additional details are available on the Security page.
8. Subprocessors
PaperAPI may engage subprocessors to support service delivery. Current subprocessors are listed at paperapi.de/subprocessors. PaperAPI ensures subprocessors are bound by data protection obligations no less protective than those in this DPA. The Controller may subscribe to updates via that page.
9. International Data Transfers
PaperAPI processes data exclusively within the European Union. No data is transferred to third countries. Infrastructure locations are detailed on the Data Residency page.
10. Assistance with Data Subject Requests
Taking into account the nature of processing, PaperAPI will assist the Controller by providing appropriate technical and organizational measures to respond to requests for data subject rights (access, rectification, erasure, restriction, portability, objection). Requests can be coordinated via privacy@paperapi.de.
11. Personal Data Breach Notification
PaperAPI will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller data. Notifications will describe the nature of the breach, likely consequences, and measures taken or proposed to address it.
12. Deletion or Return
Upon termination of services or at the Controller's choice, PaperAPI will delete or return personal data and delete existing copies unless retention is required by EU or Member State law. Controllers can configure retention or request deletion via the dashboard or by contacting legal@paperapi.de.
13. Audits & Compliance
PaperAPI will provide information reasonably necessary to demonstrate compliance with Article 28 GDPR and will allow for audits by the Controller or an appointed auditor, subject to reasonable notice, scope, and confidentiality.
14. Liability
Liability under this DPA follows the limitations and exclusions set forth in the underlying Terms of Service, except where prohibited by applicable law.
15. Governing Law
This DPA is governed by and construed in accordance with the governing law and venue specified in the PaperAPI Terms of Service.
How to request a signed copy
For a countersigned DPA, email legal@paperapi.de with your company details and signatory information. We will return a signed PDF.
