GDPR Compliance

PaperAPI is designed for GDPR compliance from the ground up. All data processing happens exclusively in the EU with full transparency and control.

EU-Only Hosting Statement

PaperAPI infrastructure operates exclusively within the European Union.

  • All servers and compute resources are located in EU data centers
  • Database and object storage remain within EU borders
  • No data transfers to the United States or other non-EU regions
  • Backups and disaster recovery systems are also EU-hosted

See our Data Residency page for specific region details.

Data Processing Agreement (DPA)

A Data Processing Agreement is available for all customers.

Our DPA covers the terms under which we process personal data on your behalf, including:

  • Subject matter and duration of processing
  • Nature and purpose of processing
  • Types of personal data processed
  • Categories of data subjects
  • Processor obligations and rights
  • Security measures and breach notification
  • Subprocessor management

Read our DPA.

Request a signed DPA: legal@paperapi.de.

Roles: Processor vs. Controller

You (the Customer): Data Controller

You determine the purposes and means of processing personal data. You decide what HTML content to send and what data appears in generated PDFs.

PaperAPI: Data Processor

We process personal data solely on your behalf and according to your instructions (via API calls). We do not use your data for any other purpose.

This means you remain in control of the data. We simply provide the infrastructure to convert HTML to PDF according to your specifications.

Subprocessors

We engage a limited number of subprocessors to provide our services. All subprocessors are carefully vetted and bound by appropriate data protection agreements.

Current subprocessors:

  • Stripe: Payment processing (EU data residency enabled)
  • Hetzner Cloud: Infrastructure (Frankfurt, Germany – EU)

For the complete and up-to-date list, see our Subprocessors page.

Data Subject Rights

As a data processor, we support you in fulfilling data subject rights requests under GDPR:

  • Right to access: We can provide logs and metadata for specific API keys
  • Right to erasure: PDFs can be deleted on demand, or you can use no-store mode
  • Right to rectification: You control input data; we process as instructed
  • Right to data portability: Generated PDFs are in a standard format

If you receive a data subject rights request related to PDFs generated via PaperAPI, contact privacy@paperapi.de for assistance.

Security Measures

PaperAPI implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption at rest and in transit (TLS 1.2+, AES-256)
  • Access controls and API key authentication
  • Network isolation and SSRF protection
  • Regular security updates and monitoring

See our Security page for complete details.

Data Breach Notification

In the unlikely event of a personal data breach affecting your data, we will notify you without undue delay and within 72 hours of becoming aware of the breach, as required by GDPR Article 33.

Notifications will include:

  • Nature of the breach
  • Categories and approximate number of data subjects affected
  • Likely consequences
  • Measures taken or proposed to address the breach

GDPR Questions or DPA Request

For GDPR-related inquiries or to request a signed DPA, contact legal@paperapi.de.