Data Processing Addendum
Processor terms for business customers
This Data Processing Addendum (DPA) outlines Papereg's commitments when processing personal data on behalf of customers. This document is provided for transparency and is subject to legal review before formal execution. Please contact us if you need a signed DPA for your procurement process.
1. Scope & Application
This DPA applies when Papereg processes personal data on behalf of the Customer ("Data Controller") as part of providing the Papereg platform services. It supplements any existing service agreement between the parties.
Papereg acts as a Data Processor with respect to workspace form submissions, file uploads, and any personal data contained therein. Papereg acts as a Data Controller for user account data necessary to operate the service.
2. Processing Instructions
Papereg processes personal data only in accordance with the Customer's documented instructions, which include:
- Collecting and storing form submissions as configured by the Customer
- Processing uploaded documents through AI extraction when initiated by authorized workspace users
- Syncing submission data to connected third-party apps as configured by the Customer
- Sending email notifications and webhook events as configured by the Customer
- Generating reports from submission data as requested by authorized workspace users
3. Categories of Data
Data Subjects
- Customer's employees and workspace members
- Individuals who submit forms (public or workspace)
- Individuals whose data appears in uploaded documents
Categories of Personal Data
The specific categories depend on how the Customer configures their forms. Common examples include:
- Contact information (name, email, phone, address)
- Employment information (job title, department, employee ID)
- Health and safety information (when used in healthcare or incident forms)
- Financial information (when used in expense or billing forms)
- File attachments (which may contain any type of personal data)
4. Security Measures
Papereg implements the following technical and organizational measures to protect personal data:
| Measure | Implementation |
|---|---|
| Data isolation | Schema-based multi-tenancy with PostgreSQL schema per workspace |
| Encryption in transit | HTTPS with HSTS; database SSL |
| Encryption at rest | AES-GCM encryption for sensitive integration secrets |
| Authentication | bcrypt password hashing; SHA-256 token hashing; role-based access control |
| Access control | Configurable workspace permissions; field-level role restrictions; form-scoped authorization |
| Audit logging | Logged access to submissions, exports, API calls, and reports |
| Input validation | Server-side field allowlisting; HTML sanitization; SSRF prevention |
| Rate limiting | Per-workspace API limits; per-IP public form limits |
For a complete description of security controls, see our Security page.
5. Subprocessors
Papereg uses the following subprocessors for the delivery of its services:
| Subprocessor | Purpose | Location |
|---|---|---|
| Anthropic | AI document analysis | United States |
| Amazon Web Services (S3) | File storage | United States |
| Resend | Email delivery | United States |
Papereg will notify the Customer before adding or replacing a subprocessor, providing the Customer an opportunity to object.
6. Data Subject Rights
Papereg will assist the Customer in fulfilling data subject requests (access, rectification, erasure, portability) to the extent technically feasible. The Customer can:
- Export submission data via CSV, Excel, or API
- Delete individual submissions through the registry interface or API
- Delete entire workspaces, which removes all associated data
For requests that cannot be fulfilled through the platform, contact us at privacy@papereg.com.
7. Incident Notification
In the event of a personal data breach, Papereg will notify the Customer without undue delay after becoming aware of the breach. The notification will include:
- Description of the nature of the breach
- Categories and approximate number of data subjects affected
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Honest disclosure
Formal incident notification timelines (e.g., 72 hours as required by GDPR) are not yet contractually committed. We are working toward establishing formal SLAs.
8. Data Deletion on Termination
Upon termination of the service agreement, at the Customer's choice:
- Export: Customer can export all data via CSV, Excel, or the API before termination
- Deletion: Deleting a workspace removes the entire tenant schema and all associated data from the database
- File attachments stored in S3 are deleted when the workspace is removed
9. Audit & Information Rights
Papereg will make available to the Customer the information necessary to demonstrate compliance with data processing obligations. This includes:
- This DPA and the Security page as current documentation of measures in place
- The Security Questionnaire as a summary of our security posture
- Audit logs accessible through the platform and compliance reports
On-site audits are not available at this time. For additional information requests, contact us at privacy@papereg.com.
Need a Signed DPA?
If your organization requires a formally executed DPA, please contact us. We can provide a signable version of this document tailored to your requirements.
Security questions?
If you have questions about our security practices or need additional information for your procurement process, we're here to help.
Contact Us