Skip to content

Data Processing Agreement

Last updated: May 28, 2026

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between PaperStack Infrastructure ("PaperStack", "we", "us", "data processor") and the customer ("you", "data controller") for the provision of the PaperStack API service.

This DPA reflects the parties' agreement with respect to the Processing of Personal Data by PaperStack on behalf of the Customer in connection with the Service, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR") and the UK Data Protection Act 2018.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person as defined under GDPR Article 4(1).
  • "Processing" means any operation performed on Personal Data as defined under GDPR Article 4(2).
  • "Data Controller" means the Customer who determines the purposes and means of Processing Personal Data.
  • "Data Processor" means PaperStack which Processes Personal Data on behalf of the Data Controller.
  • "Sub-processor" means any third party engaged by PaperStack to Process Personal Data.

3. Scope and Roles

The Customer is the Data Controller of Personal Data submitted to the PaperStack API. PaperStack is the Data Processor acting on documented instructions from the Customer. The Customer retains full control over the Personal Data and is responsible for compliance with GDPR Article 5 (Principles relating to processing of personal data).

PaperStack processes Personal Data solely for the purpose of providing the API service, including authentication (email addresses for API keys), billing (payment information via Razorpay), and technical support communications.

4. Data Processing Details

CategoryDetails
Personal Data ProcessedEmail address, name, billing information (processed by Razorpay), API usage metadata
Categories of Data SubjectsAPI users, customers, and their end-users
Processing PurposeAPI authentication, service delivery, billing, support, usage monitoring
Processing DurationDuration of the agreement plus 90 days retention for audit purposes unless deletion is requested earlier

5. Data Subject Rights

As the Data Controller, the Customer is responsible for responding to Data Subject requests under GDPR Articles 15–22. PaperStack will assist the Customer by:

  • Providing access to Personal Data stored in the customer's account.
  • Deleting Personal Data upon the Customer's request (subject to retention requirements).
  • Rectifying inaccurate Personal Data.
  • Restricting Processing of Personal Data where applicable.

Data subjects may contact PaperStack directly at support@paperstack.qzz.io. We will forward the request to the Customer within 7 days.

6. Sub-processors

The Customer authorizes PaperStack to engage the following Sub-processors:

  • Appwrite — Database, authentication, and file storage (EU/Central India regions).
  • Cloudflare — CDN, DDoS protection, edge functions (global edge network).
  • Razorpay — Payment processing (PCI DSS compliant).
  • Vercel — Application hosting (US/EU regions).
  • Resend — Email delivery (US regions).

PaperStack will notify the Customer 30 days in advance of any new Sub-processor engagement.

7. Security Measures

PaperStack implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • API authentication via HMAC-signed webhook payloads and API key verification.
  • Access control with least-privilege principle for infrastructure access.
  • Regular security audits and penetration testing.
  • Incident response procedures with 24-hour notification to affected customers.

8. Data Breach Notification

PaperStack will notify the Customer without undue delay (within 48 hours) upon becoming aware of a Personal Data breach affecting Customer data. Notification will include:

  • Nature of the breach.
  • Categories and approximate number of Data Subjects and records concerned.
  • Likely consequences and mitigation measures taken or proposed.
  • Contact details for the Data Protection Officer or relevant point of contact.

9. Data Deletion

Upon termination of the Service or upon the Customer's request, PaperStack will delete all Personal Data within 90 days, except where retention is required by applicable law. Customers may request immediate deletion via the dashboard settings page or by emailing support@paperstack.qzz.io.

10. Governing Law

This DPA shall be governed by and construed in accordance with the laws of India, except where GDPR or UK DPA jurisdiction takes precedence by law.

11. Contact

For DPA-related inquiries, data deletion requests, or data protection concerns:

Email: support@paperstack.qzz.io

PaperStack Infrastructure

India