Sub-Processor List
Effective Date: May 10, 2026 Document Version: May 2026 Legally Binding Original Language: English
This Sub-Processor List is incorporated into and forms an integral part of the Master Service Agreement ("MSA") and the Data Processing Agreement ("DPA") between PaperOffice and Customer. Capitalized terms not defined herein shall have the meanings set forth in the MSA or the DPA.
This document lists the sub-processors engaged by PaperOffice to provide the Services. The list is maintained as part of the in-platform Compliance Package generator and is updated as PaperOffice's sub-processor relationships change.
1. Purpose
1.1 Article 28 GDPR Compliance
This Sub-Processor List supports PaperOffice's transparency obligations under Article 28(2) and Article 28(4) of the EU General Data Protection Regulation (GDPR — Regulation (EU) 2016/679) and equivalent obligations under the Spanish LOPDGDD and other applicable data protection laws.
1.2 Authoritative Source
The authoritative, current Sub-Processor List for Customer's specific use of the Services is the version generated through the in-platform Compliance Package generator (see Section 13.2 of the MSA and the DPA Reference document). The Compliance Package is generated on demand, includes a customer-specific cover sheet, and reflects the sub-processors actually engaged at the time of generation.
This document serves as a template and reference for the structure and content of the Sub-Processor List. The actual list applicable to Customer is the generated Compliance Package version.
2. Categories of Sub-Processors
PaperOffice engages sub-processors in the following functional categories. Specific sub-processors within each category are identified in the generated Compliance Package.
2.1 Infrastructure and Hosting
Sub-processors providing physical or virtualized infrastructure for the operation of the Services, including data center facilities, network connectivity, server hardware operation, cloud compute resources (where used), and similar.
Typical Information per Sub-Processor:
- Legal name and registered address
- Service description
- Data processed (categories of personal data, where applicable)
- Geographic location of processing (region/country)
- Transfer mechanism (where outside EEA)
- Certifications or assurance (e.g., ISO 27001, SOC 2)
2.2 Storage and Backup
Sub-processors providing storage, archival, and backup services for Customer Data and operational data.
2.3 AI Model and Inference Providers
Sub-processors providing third-party AI models, inference endpoints, or related AI infrastructure where used as part of the Services. Where PaperOffice operates AI inference on its own infrastructure, this category may be limited or absent for the relevant AI Tier.
2.4 Payment Processing
Sub-processors processing payments on behalf of PaperOffice, including credit card processing, SEPA direct debit, invoicing platforms, and tax compliance.
Typical Sub-Processors in This Category:
- Stripe (or comparable payment processors)
- Payment-method-specific aggregators
- Tax compliance platforms
2.5 Communication and Notification
Sub-processors providing communication infrastructure, including transactional email delivery, SMS/text messaging, and push notification delivery.
2.6 Customer Support Tooling
Sub-processors providing tooling used by PaperOffice support staff, including ticket management, knowledge management, video conferencing, and similar.
2.7 Security and Monitoring
Sub-processors providing security monitoring, threat detection, vulnerability scanning, log aggregation, and observability services.
2.8 Identity and Authentication
Sub-processors providing identity-related services, including identity verification, authentication, and federated single sign-on.
2.9 Analytics and Telemetry
Sub-processors providing aggregate analytics on Service usage, performance, and reliability. Personal-data exposure to such sub-processors is minimized through aggregation and pseudonymization.
2.10 Professional Services
Where applicable, sub-processors providing professional services such as legal advisors, auditors, and similar, with limited and incidental access to personal data only as necessary for their professional services.
3. Information Provided per Sub-Processor
For each sub-processor listed in the generated Compliance Package, PaperOffice provides the following information where applicable:
(a) Sub-Processor Name — Legal entity name;
(b) Address — Registered or principal place of business address;
(c) Service Description — A description of the service performed for PaperOffice;
(d) Data Categories — The categories of personal data processed by the sub-processor (where applicable);
(e) Data Subject Categories — The categories of data subjects whose personal data is processed (where applicable);
(f) Geographic Location of Processing — Country or region where the sub-processor processes data;
(g) Transfer Mechanism — Where processing occurs outside the European Economic Area (EEA), the legal mechanism for data transfer (Adequacy Decision, Standard Contractual Clauses, Binding Corporate Rules, or other approved mechanism);
(h) Sub-Processor Contact — Privacy or data protection contact at the sub-processor (where publicly available).
4. Notification of Changes
4.1 Right to Engage New Sub-Processors
PaperOffice has Customer's general authorization to engage new sub-processors and to replace existing sub-processors, subject to the notification and objection rights set forth in this Section 4 and the DPA.
4.2 Notification Method
PaperOffice will provide notification of new sub-processors or material changes to existing sub-processor relationships through one or more of the following channels:
(a) In-Product Notification — Notification within the Account interface;
(b) Email Notification — Notification to the Account Owner's registered email and to any privacy or data protection contact registered for the Account;
(c) Updated Compliance Package — Updated Sub-Processor List available through the Compliance Package generator;
(d) Public Page — Updates posted on a publicly accessible sub-processor information page where maintained.
4.3 Advance Notice Period
Where reasonably possible, PaperOffice will provide at least thirty (30) days' advance notice before engaging a new sub-processor that will have access to Customer Data containing personal data. Shorter notice may apply where:
(a) The change is required to address a security, integrity, or compliance issue;
(b) The change is required to maintain Service continuity (e.g., emergency replacement of a failed sub-processor);
(c) The change does not materially affect the protection of personal data;
(d) Applicable law requires shorter notice or precludes advance notice.
4.4 Customer's Right to Object
Customer has the right to object to the engagement of a new sub-processor on reasonable grounds related to data protection. Customer's objection must be:
(a) Submitted to privacy@paperoffice.ai within the applicable notice period;
(b) Specific in identifying the sub-processor objected to;
(c) Reasoned with respect to data protection concerns (general dissatisfaction or commercial preference is not a reasonable ground).
4.5 Resolution of Objections
Upon receipt of a reasoned objection, the Parties shall discuss the objection in good faith. Possible outcomes include:
(a) PaperOffice provides additional information addressing the concern;
(b) PaperOffice agrees to apply additional safeguards;
(c) PaperOffice maintains the engagement, in which case Customer may terminate the affected Subscription effective at the end of the then-current billing cycle by written notice within thirty (30) days, with no refund of pre-paid Fees except where required by mandatory law;
(d) PaperOffice agrees not to use the objected-to sub-processor for Customer's specific account, where technically and commercially feasible.
4.6 Continued Operation During Objection Process
During the objection period and any good-faith resolution discussions, PaperOffice may continue to engage the sub-processor for Service continuity purposes, subject to appropriate safeguards.
5. PaperOffice's Liability for Sub-Processors
5.1 Liability Standard
PaperOffice remains liable to Customer for the acts and omissions of its sub-processors with respect to the processing of personal data, in accordance with Article 28(4) GDPR and as further detailed in the DPA, subject to the limitations of liability set forth in Section 10 of the MSA.
5.2 Sub-Processor Obligations
PaperOffice imposes contractual obligations on its sub-processors equivalent to those imposed on PaperOffice under the DPA, in accordance with Article 28(4) GDPR. Such obligations include:
(a) Processing personal data only on documented instructions;
(b) Confidentiality;
(c) Implementation of appropriate technical and organizational measures;
(d) Sub-processor engagement only with prior authorization;
(e) Cooperation with data subject rights requests and supervisory authority inquiries;
(f) Assistance with breach notification, data protection impact assessments, and prior consultations;
(g) Deletion or return of personal data at the end of the engagement;
(h) Audit rights.
6. International Data Transfers
6.1 Primary Processing in the EEA
PaperOffice's primary production processing occurs within the European Economic Area (EEA).
6.2 Transfers Outside the EEA
Where personal data is transferred to sub-processors outside the EEA, PaperOffice ensures an adequate level of protection through one of the legally recognized transfer mechanisms:
(a) Adequacy Decision — Where the European Commission has determined the destination country offers adequate protection;
(b) Standard Contractual Clauses (SCCs) — Where the relevant SCCs (including the EU Commission's 2021 module-based SCCs) are executed with the sub-processor;
(c) Binding Corporate Rules — Where the sub-processor has approved Binding Corporate Rules in place;
(d) Other Approved Mechanism — Where another mechanism approved under Chapter V of the GDPR applies.
6.3 Supplementary Measures
Where required by the Schrems II decision (CJEU C-311/18) or subsequent jurisprudence, PaperOffice implements supplementary measures (such as encryption, pseudonymization, contractual additions) to ensure an adequate level of protection.
6.4 Transfer Impact Assessments
For transfers requiring Standard Contractual Clauses, PaperOffice conducts transfer impact assessments and documents the conclusions, available to Customer upon reasonable request and subject to confidentiality.
7. Sub-Processor Audits
7.1 Audit Rights
PaperOffice maintains the right to audit its sub-processors with respect to data protection compliance, either directly, through an independent third-party auditor, or by reliance on recognized industry-standard certifications (such as ISO 27001, SOC 2 Type II, or equivalent).
7.2 Customer's Right to Information
Customer may request information regarding sub-processor audits, certifications, or compliance assurances by writing to privacy@paperoffice.ai. PaperOffice will respond with publicly available information promptly and with confidential information subject to appropriate confidentiality undertakings.
7.3 No Direct Audit by Customer
Customer does not have a direct right to audit sub-processors, except to the extent required by applicable mandatory law and as further detailed in the DPA.
8. Updates to This Document
8.1 Update Authority
PaperOffice may update this Sub-Processor List from time to time to reflect changes in sub-processor relationships, in accordance with the procedures in Section 4.
8.2 Effective Date of Updates
Updates take effect on the date specified in the notification, subject to Customer's objection rights under Section 4.4.
8.3 Historical Versions
PaperOffice retains historical versions of this Sub-Processor List as part of its compliance documentation, available upon reasonable request.
9. Order of Precedence
In the event of conflict between this Sub-Processor List and: (a) the customer-specific Compliance Package generated through the in-platform tool, the generated Compliance Package shall prevail for matters of factual sub-processor identification; (b) the DPA, the DPA shall prevail for matters of data protection legal interpretation; (c) the MSA, the MSA shall prevail for matters of general legal interpretation.
10. Contact
For questions regarding sub-processors, transfers, or data protection compliance, contact:
PaperOffice Enterprise Operations, S.L.U. Privacy: privacy@paperoffice.ai Legal: legal@paperoffice.ai
For the current Sub-Processor List applicable to Customer, generate the Compliance Package through the in-platform tool (see DPA Reference document).
Last updated: May 10, 2026
© 2002–2026 PaperOffice Enterprise Operations S.L.U. All rights reserved.