Data Processor Agreement

    This Data Processor Agreement (“Agreement”) is made between:

    The Customer (Data Controller) 
    Any individual or entity using the services of Paperdrop Limited, referred to as the “Customer” or “Data Controller.”

    The Supplier (Data Processor) 
    Name: Paperdrop Limited 
    Address: Allia Future Business Centre, London Road, Peterborough PE2 8AN 
    Contact: hello@paperdrop.com

    Effective Date
    The date on which the Customer begins using the services provided by Paperdrop Limited, or the date of mutual agreement between the parties.

    Contract Number/Reference
    The reference number or agreement name is as provided in the primary service contract or subscription agreement between Paperdrop Limited and the Customer.

    1. Introduction

    1.1. This Agreement governs the processing of personal data by the Supplier on behalf of the Customer, ensuring compliance with the General Data Protection Regulation (GDPR) (EU 2016/679) and the Data Protection Act 2018, where applicable. 
    1.2. The terms of this Agreement apply to the processing of personal data in connection with the Supplier’s provision of services to the Customer under the [insert main service agreement name, e.g., "SaaS Subscription Agreement"]. 

    2. Definitions

    For the purpose of this Agreement, the following terms shall have the meanings given below: 

    • Data Protection Laws: GDPR and any other applicable data protection or privacy laws. 
    • Personal Data: Any information relating to an identified or identifiable natural person. 
    • Processing: Any operation performed on personal data, including collection, storage, alteration, retrieval, and deletion. 
    • Subprocessor: Any third party engaged by the Supplier to process personal data. 
    • Data Subject: The individual whose personal data is being processed. 
    • Supervisory Authority: The Information Commissioner’s Office (ICO) in the UK or any other relevant data protection authority. 

    3. Subject Matter of the Processing

    3.1. The Supplier processes personal data solely for the purpose of providing the SaaS services as described in the main agreement between the Parties. 

    4. Duration of Processing

    4.1. The processing of personal data shall continue for the duration of the contract between the Parties unless terminated earlier as per the terms of this Agreement or the main service agreement. 

    5. Type of Data and Categories of Data Subjects

    5.1. Types of Personal Data: This may include, but is not limited to: 

    • Names 
    • Email addresses 
    • IP addresses 
    • Other user-related identifiers and metadata 

    5.2. Categories of Data Subjects: 

    • Customers 
    • End users of the SaaS services 
    • Employees of the Customer or its affiliates 

    6. Data Processor Obligations

    6.1. The Supplier agrees to: 

    • Only process personal data in accordance with the documented instructions of the Customer, unless required to do so by law. 
    • Implement appropriate technical and organisational measures to ensure the security of personal data. 
    • Ensure that personnel authorised to process personal data are bound by confidentiality obligations. 
    • Assist the Customer in fulfilling its obligations regarding data subjects’ rights, such as access, rectification, and deletion requests. 
    • Notify the Customer without undue delay in the event of a personal data breach. 
    • Provide the Customer with necessary information to demonstrate compliance with the obligations under this Agreement. 

    7. Data Controller Obligations

    7.1. The Customer is responsible for: 

    • Ensuring that it has a lawful basis for processing the personal data provided to the Supplier. 
    • Providing clear instructions to the Supplier regarding the processing of personal data. 
    • Responding to data subjects’ rights requests and ensuring compliance with data protection laws. 

    8. Subprocessing

    8.1. The Supplier may engage subprocessors in accordance with this Agreement. 
    8.2. The Supplier will ensure that any subprocessor engaged complies with the obligations equivalent to those set out in this Agreement. 
    8.3. The Supplier shall inform the Customer of any intended changes concerning the addition or replacement of subprocessors, giving the Customer the opportunity to object to such changes. 

    9. Transfers of Data

    9.1. The Supplier shall not transfer personal data outside the European Economic Area (EEA) or the UK without the Customer’s prior written consent unless such transfer is permitted under the Data Protection Laws. 
    9.2. If data is transferred outside the EEA or the UK, appropriate safeguards will be in place as required by GDPR, such as Standard Contractual Clauses (SCCs) or equivalent mechanisms. 

    10. Security Measures

    10.1. The Supplier shall implement appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access, including: 

    • Encryption of personal data where appropriate. 
    • Regular security audits and risk assessments. 
    • Measures to ensure the ongoing confidentiality, integrity, and availability of personal data. 
    • Regular data backups and disaster recovery procedures. 

    11. Personal Data Breach

    11.1. In the event of a personal data breach, the Supplier shall notify the Customer without undue delay and assist the Customer in meeting its obligations under Articles 33 and 34 of the GDPR. 
    11.2. The notification must include the nature of the breach, the categories and approximate number of data subjects affected, the categories and approximate number of personal data records affected, and any measures taken or proposed to address the breach. 

    12. Data Subject Rights

    12.1. The Supplier shall promptly notify the Customer if it receives any request from a data subject relating to their personal data. 
    12.2. The Supplier shall assist the Customer in responding to such requests, where possible, in accordance with the Customer’s instructions. 

    13. Termination

    13.1. Upon termination of the main service agreement, the Supplier shall, at the choice of the Customer, either delete or return all personal data processed on behalf of the Customer, unless required by law to retain such data. 

    14. Indemnification

    14.1. The Supplier shall indemnify and hold the Customer harmless from any claims, damages, or losses arising out of the Supplier’s breach of this Agreement or the Data Protection Laws. 

    15. Governing Law and Jurisdiction

    15.1. This Agreement shall be governed by the laws of England and Wales. 
    15.2. Any disputes arising from this Agreement shall be resolved in the courts of England and Wales.