Last updated: May 28, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PaperStack Infrastructure ("PaperStack", "we", "us", "data processor") and the customer ("you", "data controller") for the provision of the PaperStack API service.
This DPA reflects the parties' agreement with respect to the Processing of Personal Data by PaperStack on behalf of the Customer in connection with the Service, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK Data Protection Act 2018.
The Customer is the Data Controller of Personal Data submitted to the PaperStack API. PaperStack is the Data Processor acting on documented instructions from the Customer. The Customer retains full control over the Personal Data and is responsible for compliance with GDPR Article 5 (Principles relating to processing of personal data).
PaperStack processes Personal Data solely for the purpose of providing the API service, including authentication (email addresses for API keys), billing (payment information via Razorpay), and technical support communications.
| Category | Details |
|---|---|
| Personal Data Processed | Email address, name, billing information (processed by Razorpay), API usage metadata |
| Categories of Data Subjects | API users, customers, and their end-users |
| Processing Purpose | API authentication, service delivery, billing, support, usage monitoring |
| Processing Duration | Duration of the agreement plus 90 days retention for audit purposes unless deletion is requested earlier |
As the Data Controller, the Customer is responsible for responding to Data Subject requests under GDPR Articles 15–22. PaperStack will assist the Customer by:
Data subjects may contact PaperStack directly at support@paperstack.qzz.io. We will forward the request to the Customer within 7 days.
The Customer authorizes PaperStack to engage the following Sub-processors:
PaperStack will notify the Customer 30 days in advance of any new Sub-processor engagement.
PaperStack implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
PaperStack will notify the Customer without undue delay (within 48 hours) upon becoming aware of a Personal Data breach affecting Customer data. Notification will include:
Upon termination of the Service or upon the Customer's request, PaperStack will delete all Personal Data within 90 days, except where retention is required by applicable law. Customers may request immediate deletion via the dashboard settings page or by emailing support@paperstack.qzz.io.
This DPA shall be governed by and construed in accordance with the laws of India, except where GDPR or UK DPA jurisdiction takes precedence by law.
For DPA-related inquiries, data deletion requests, or data protection concerns:
Email: support@paperstack.qzz.io
PaperStack Infrastructure
India