Data Processing Agreement
Last Updated: 14 March 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between PDF Ghost ("Processor") and you ("Controller") and governs the processing of personal data by PDF Ghost on your behalf, in accordance with Article 28 of the General Data Protection Regulation (GDPR).
By using PDF Ghost and uploading documents that contain personal data, you enter into this DPA.
1. Definitions
- Personal Data: Any information relating to an identified or identifiable natural person contained within documents uploaded to PDF Ghost.
- Processing: Any operation performed on Personal Data, including storage, fingerprinting, retrieval, and deletion.
- Sub-Processor: A third party engaged by the Processor to process Personal Data on behalf of the Controller.
2. Scope and Purpose of Processing
2.1 Subject Matter
The Processor processes Personal Data solely for the purpose of providing the PDF fingerprinting and leak detection services described in the Terms of Service.
2.2 Duration
Processing continues for the duration of your use of the Service plus any applicable retention period as described in the Terms of Service and Privacy Policy.
2.3 Nature of Processing
- Receiving and storing uploaded PDF documents
- Generating uniquely fingerprinted copies of documents
- Storing fingerprinted artifacts for leak detection purposes
- Deleting documents and artifacts in accordance with the retention schedule
2.4 Types of Personal Data
Any personal data contained within PDF documents uploaded by the Controller, which may include but is not limited to: names, addresses, identification numbers, financial data, or any other personal data the Controller includes in uploaded documents.
2.5 Categories of Data Subjects
Recipients of fingerprinted documents and any individuals whose personal data is contained within uploaded documents, as determined by the Controller.
3. Controller Obligations
The Controller shall:
- Ensure it has a lawful basis under GDPR for the processing of Personal Data through the Service
- Ensure it has provided appropriate notice to data subjects regarding the processing
- Ensure all documents uploaded contain only Personal Data that the Controller is authorized to process
- Comply with all applicable data protection laws
4. Processor Obligations
4.1 Processing Instructions
The Processor shall process Personal Data only on documented instructions from the Controller, which are defined by the Controller's use of the Service features. The Processor shall inform the Controller if it believes an instruction violates GDPR.
4.2 Confidentiality
The Processor ensures that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3 Security Measures
The Processor implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of data in transit (TLS/SSL)
- Encryption of data at rest
- Access controls and authentication mechanisms
- Regular security assessments
- Automated deletion of data according to the retention schedule
4.4 Sub-Processing
The Processor uses the following categories of Sub-Processors:
- Payment processing: For subscription and purchase transactions (Merchant of Record)
- Cloud infrastructure: For compute, storage, and data processing
- Email services: For transactional email delivery
- Analytics: Privacy-focused, anonymized usage analytics
- Authentication providers: OAuth identity providers (Google, GitHub)
The Processor shall inform the Controller of any intended changes to Sub-Processors and give the Controller the opportunity to object to such changes. The current sub-processor list is maintained in our Privacy Policy.
4.5 Data Subject Rights
The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under GDPR (access, rectification, erasure, restriction, portability, objection) by providing appropriate technical and organizational measures, insofar as this is possible.
4.6 Breach Notification
The Processor shall notify the Controller without undue delay, and in any case within 48 hours, after becoming aware of a personal data breach affecting Personal Data processed on behalf of the Controller.
4.7 Data Protection Impact Assessment
The Processor shall assist the Controller with data protection impact assessments and prior consultations with supervisory authorities, where required, by providing relevant information about the processing.
4.8 Deletion and Return
Upon termination of the Service or upon the Controller's request, the Processor shall delete all Personal Data processed on behalf of the Controller, unless applicable law requires retention. Deletion follows the retention schedule defined in the Terms of Service:
- Source PDF documents are deleted after fingerprinting processing completes
- Fingerprinted artifacts are deleted after the plan-specific retention period expires
- Draft jobs are automatically deleted after the plan-specific draft retention period
5. Audits
The Controller has the right to conduct audits (or appoint an independent auditor) to verify the Processor's compliance with this DPA. Audits shall be conducted with reasonable prior notice (at least 30 days), during normal business hours, and shall not unreasonably interfere with the Processor's operations. The Controller shall bear the costs of any audit.
6. International Transfers
Where Personal Data is transferred outside the European Economic Area, the Processor ensures appropriate safeguards are in place, including:
- Transfers to countries with an EU adequacy decision
- EU Standard Contractual Clauses (SCCs) where no adequacy decision exists
- EU-US Data Privacy Framework certification for applicable US-based sub-processors
7. Liability
Each party's liability under this DPA is subject to the limitations and exclusions of liability set out in the Terms of Service, to the maximum extent permitted by applicable law.
8. Term and Termination
This DPA is effective for the duration of the Controller's use of the Service. It terminates automatically when the Service agreement ends. Obligations regarding deletion of Personal Data survive termination.
9. Governing Law
This DPA is governed by the laws of the Republic of Austria, without regard to conflict of law provisions. For consumer contracts, mandatory consumer protection laws of the consumer's country of residence apply.
To request a signed copy of this DPA or if you have questions, contact us at [email protected].