Data Processing Agreement (DPA) Reference
Effective Date: May 10, 2026
Document Version: May 2026
Legally Binding Original Language: English
This Data Processing Agreement Reference (the "DPA Reference") is incorporated into and forms an integral part of the Master Service Agreement ("MSA") between PaperOffice and Customer. Capitalized terms not defined herein shall have the meanings set forth in the MSA.
This document describes how PaperOffice provides Customer with the Data Processing Agreement required under Article 28 of the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and equivalent obligations under the Spanish LOPDGDD and other applicable data protection laws.
1. Purpose and Scope
1.1 Article 28 GDPR
Where PaperOffice processes personal data on behalf of Customer in connection with the Services, the relationship between Customer (as Controller) and PaperOffice (as Processor) must be governed by a written agreement that meets the requirements of Article 28(3) GDPR. This DPA Reference describes how that agreement is provided.
1.2 Self-Service Compliance Package Generator
PaperOffice provides a self-service Compliance Package generator within the Services. The Compliance Package generator produces a complete, customer-specific document containing:
(a) Cover Sheet — Customer-specific commercial and contact information used to populate the Agreement;
(b) Data Processing Agreement (DPA) — A complete agreement under Article 28 GDPR addressing the requirements of Article 28(3) including subject matter, duration, nature and purpose, type of personal data, categories of data subjects, obligations of the Processor, and the rights of the Controller;
(c) Technical and Organizational Measures (TOM) — Documentation of the technical and organizational measures implemented by PaperOffice in accordance with Article 32 GDPR;
(d) Sub-Processor List — The current list of sub-processors engaged by PaperOffice for the Services.
1.3 Multi-Language Support
The Compliance Package may be generated in any of thirty-five (35) supported languages. The English-language version is the legally binding version. Translations into other languages are provided as convenience translations only and are not legally binding. In the event of any discrepancy, the English version prevails.
2. How to Generate the Compliance Package
2.1 Access
The Compliance Package generator is accessible to Account Owners and authorized administrators within the Account interface, typically under the "Compliance" or "Legal" section.
2.2 Generation Process
The generation process consists of:
(a) Customer Information — Customer provides or confirms its commercial and contact information (legal name, address, VAT identification number, primary contact, data protection contact);
(b) Language Selection — Customer selects the desired language (with English as the legally binding version);
(c) Generation — The system generates a customer-specific Compliance Package as a multi-page PDF document;
(d) Download or Acceptance — Customer downloads the document for review and may indicate acceptance through the in-platform mechanism.
2.3 Acceptance and Effectiveness
The Compliance Package, once accepted by Customer through the in-platform mechanism (or by countersignature where offered), becomes a binding agreement between the Parties effective on the date of acceptance and remains in effect for the duration of the Subscription Term. Acceptance through the in-platform mechanism has the same legal effect as a written signature.
2.4 Updates and Re-Generation
Customer may re-generate the Compliance Package at any time, for example to:
(a) Reflect updated Customer information;
(b) Reflect updated sub-processor information;
(c) Generate a copy in a different language;
(d) Refresh the document in case of internal review cycles.
3. Incorporation into the Agreement
3.1 Reference Incorporation
The Compliance Package, once generated and accepted by Customer, is hereby incorporated into and forms an integral part of the Agreement under Section 13.2 of the MSA. This incorporation operates by reference and does not require a separate countersignature, except where applicable law requires a written form not satisfied by electronic acceptance.
3.2 Status as DPA
The "Data Processing Agreement" section of the generated Compliance Package constitutes the Article 28 GDPR DPA between the Parties.
3.3 Status as TOM
The "Technical and Organizational Measures" section of the generated Compliance Package constitutes PaperOffice's Article 32 GDPR documentation of technical and organizational measures.
3.4 Status as Sub-Processor List
The "Sub-Processor List" section of the generated Compliance Package constitutes the authoritative current list of sub-processors engaged by PaperOffice, as referenced in the Sub-Processor List Template document.
4. Order of Precedence
4.1 Conflict between MSA and DPA
In the event of conflict between this MSA (or any other Agreement Document) and the DPA contained in the Compliance Package with respect to the processing of personal data:
(a) The DPA shall prevail with respect to matters of personal data processing;
(b) The MSA and other Agreement Documents shall prevail with respect to all other matters.
4.2 Conflict between Customer-Specific Order and DPA
Where Customer's Order Form contains specific data protection terms, the Order Form shall prevail over the standard DPA generated through the Compliance Package generator, except where the Order Form is silent on a matter addressed in the DPA, in which case the DPA applies.
5. Joint Controllership and Independent Controller Scenarios
5.1 Default Role Allocation
Under the standard Services, the Parties' roles are typically as follows:
(a) PaperOffice as Processor — For Customer Data uploaded by Customer to the Services and processed on Customer's instructions, PaperOffice acts as Processor and Customer acts as Controller;
(b) PaperOffice as Independent Controller — For account, billing, and authentication data processed by PaperOffice for its own purposes (managing the contractual relationship, billing, fraud prevention, security), PaperOffice acts as an independent Controller and processes such data in accordance with its Privacy Policy.
5.2 No Joint Controllership by Default
PaperOffice and Customer are not joint controllers under Article 26 GDPR by default. Where a specific feature or use case may give rise to joint controllership, the Parties shall agree separately on the allocation of responsibilities.
6. Customer's Responsibility as Controller
6.1 Lawful Basis
Customer is responsible for ensuring a valid legal basis under Article 6 GDPR (and, for special-category data, Article 9 GDPR) for any personal data uploaded to or processed through the Services.
6.2 Data Subject Notices and Consent
Customer is responsible for providing all required notices to data subjects (typically in Customer's privacy policy or equivalent) and for obtaining any required consents.
6.3 Data Subject Rights
Customer is responsible for handling data subject rights requests (access, rectification, erasure, restriction, portability, objection) directed to Customer. PaperOffice will provide reasonable assistance to Customer in handling such requests, as further detailed in the DPA.
6.4 Records of Processing
Customer is responsible for maintaining records of processing activities as required under Article 30 GDPR.
6.5 Data Protection Impact Assessments
Customer is responsible for conducting Data Protection Impact Assessments where required under Article 35 GDPR. PaperOffice will provide reasonable assistance with information about the Services to support Customer's assessments.
7. Standard Contractual Clauses
7.1 SCCs Included
Where personal data is transferred outside the European Economic Area to PaperOffice or its sub-processors, the relevant European Commission Standard Contractual Clauses (Decision (EU) 2021/914 of 4 June 2021, "SCCs") are deemed incorporated into the Compliance Package, with the appropriate module(s) determined by the role allocation of the relevant transfer.
7.2 Module Selection
The applicable SCC modules are determined by the data flow:
(a) Module Two (Controller-to-Processor) — Where Customer (as Controller) transfers personal data to PaperOffice (as Processor) outside the EEA;
(b) Module Three (Processor-to-Sub-Processor) — Where PaperOffice (as Processor) transfers personal data to a sub-processor outside the EEA;
(c) Other Modules — Where a different role allocation applies, the appropriate module is incorporated.
7.3 Annexes to SCCs
The annexes to the SCCs (description of transfer, technical and organizational measures, list of sub-processors) are populated based on the Compliance Package and the customer-specific information provided.
7.4 Transfer Impact Assessment
PaperOffice maintains a transfer impact assessment for transfers requiring SCCs, available to Customer upon reasonable request and subject to confidentiality.
8. UK GDPR and Other Jurisdictions
8.1 UK GDPR
Where Customer is established in the United Kingdom or processes personal data of UK data subjects, the DPA generated through the Compliance Package generator is supplemented by the UK Information Commissioner's International Data Transfer Agreement (IDTA) or the UK Addendum to the EU SCCs, as applicable.
8.2 Swiss Federal Act on Data Protection
Where Customer is established in Switzerland or processes personal data of Swiss data subjects, the DPA is supplemented by appropriate adjustments to comply with the Swiss Federal Act on Data Protection (FADP) as revised.
8.3 Other Jurisdictions
For data subjects in other jurisdictions (such as those covered by the California Consumer Privacy Act, Brazil's LGPD, and similar laws), Customer is responsible for assessing applicability and the Parties shall cooperate to address any specific requirements.
9. Data Breach Notification
9.1 PaperOffice's Obligation
PaperOffice will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer's personal data, in accordance with Article 33(2) GDPR and as further detailed in the DPA.
9.2 Notification Channel
Notification will be sent to the data protection or privacy contact registered for the Account, with backup notification to the Account Owner. Customer is responsible for keeping these contacts current.
9.3 Information Provided
Notification will include the information required under Article 33(3) GDPR to the extent then known, supplemented as additional information becomes available during the investigation.
10. Audit Rights
10.1 Audit Frequency and Scope
Customer's audit rights are detailed in the DPA. As a general matter, Customer's audit rights are exercised in a manner that:
(a) Does not unduly disrupt PaperOffice's operations;
(b) Respects the confidentiality of PaperOffice's other customers' data and PaperOffice's confidential information;
(c) Reasonably relies on third-party audits, certifications (such as ISO 27001, SOC 2), and assurance reports where available.
10.2 Costs
Costs of routine audits are borne by Customer. Costs arising from audits triggered by a confirmed breach by PaperOffice are borne by PaperOffice.
11. Term and Termination
11.1 Duration
The DPA remains in effect for the duration of the Subscription Term plus the period during which PaperOffice processes personal data on Customer's behalf in connection with termination obligations (including data return or deletion).
11.2 Post-Termination Data Handling
Upon termination of the Subscription, PaperOffice will, at Customer's choice (made within thirty (30) days of termination), either return Customer Data to Customer or delete Customer Data, subject to applicable legal retention obligations, as further detailed in Section 7.5 of the MSA and the DPA.
12. Updates
12.1 DPA Updates
PaperOffice may update the standard DPA template from time to time to reflect changes in law, regulatory guidance, or operational practice. Material updates are subject to the modification provisions in Section 11 of the MSA.
12.2 TOM Updates
PaperOffice continuously improves its technical and organizational measures. Updates to the TOM are reflected in the Compliance Package generator and may take effect immediately, subject to the requirement that the level of protection is maintained or improved.
12.3 Sub-Processor Updates
Sub-processor updates are governed by the Sub-Processor List Template and the DPA.
13. Contact
For questions regarding the DPA, the Compliance Package generator, or data protection matters generally, contact:
PaperOffice Enterprise Operations, S.L.U.
Privacy / Data Protection: privacy@paperoffice.ai
Legal: legal@paperoffice.ai
To generate the Compliance Package, log in to the Services and navigate to the Compliance section of the Account interface.
14. Order of Precedence
In the event of conflict between this DPA Reference and:
(a) the customer-specific Compliance Package generated through the in-platform tool, the Compliance Package (in particular the DPA section therein) shall prevail for matters of personal data processing;
(b) the MSA, the DPA prevails for matters of personal data processing while the MSA prevails for all other matters;
(c) any other Agreement Document, the order set forth in Section 1.2 of the MSA applies.
Last updated: May 10, 2026
© 2002–2026 PaperOffice Enterprise Operations S.L.U. All rights reserved.