Data Processing Agreement
Last updated: June 30, 2026
This Data Processing Agreement (the “DPA”) forms part of, and is governed by, the Terms of Service between you (“Customer”) and Paprhq Inc., a corporation organized under the laws of the State of Florida, United States (“Papr”). It applies where Papr processes Personal Data on Customer’s behalf in connection with the Service and reflects the parties’ obligations under applicable data protection law, including the EU General Data Protection Regulation (“GDPR”) and the UK GDPR.
1. Roles of the parties
For Personal Data that Customer submits to the Service about its clients and contacts, Customer is the controller and Papr is the processor. Papr processes such Personal Data only on Customer’s documented instructions — which include the Terms, this DPA, and Customer’s use of the Service — unless required to act otherwise by law.
2. Nature of the processing
- Subject matter & purpose: providing the invoicing Service — creating, sending, and managing invoices, reminders, payments records, and related communications.
- Duration: for as long as Customer uses the Service, plus any limited retention described in the Privacy Policy.
- Categories of data subjects: Customer’s clients, contacts, and team members.
- Types of Personal Data: names, email addresses, postal and billing addresses, phone numbers, tax/VAT identifiers, and invoice and payment details that Customer chooses to enter.
Customer must not submit special categories of Personal Data (e.g. health or biometric data) to the Service. The Service is not designed to process such data.
3. Confidentiality & security
Papr ensures that personnel authorized to process Personal Data are bound by confidentiality obligations, and maintains appropriate technical and organizational measures to protect Personal Data as required by Article 32 GDPR. A description of those measures is on our Security page.
4. Sub-processors
Customer grants Papr general authorization to engage the sub-processors below to help provide the Service. Papr imposes data protection terms on each sub-processor no less protective than this DPA, and remains responsible for their performance. Some sub-processors are engaged only when Customer enables the relevant feature (for example, SMS) or consents (for example, analytics).
| Sub-processor | Purpose | Location |
|---|---|---|
| Hostinger | Application hosting & database | EU / regional |
| Resend | Transactional email delivery | United States |
| Twilio | SMS reminders (when enabled) | United States |
| Amazon Web Services | File & backup storage (when enabled) | United States |
| Product analytics (with consent) | United States | |
| Meta | Advertising measurement (with consent) | United States |
| Anthropic | AI-assisted features (when used) | United States |
Papr will give Customer reasonable notice of any intended addition or replacement of a sub-processor. To receive change notifications, contact support@paprhq.com.
5. International transfers
Where processing involves transferring Personal Data out of the EEA or the UK to a country without an adequacy decision, the transfer is made under appropriate safeguards — the European Commission’s Standard Contractual Clauses (and the UK International Data Transfer Addendum where applicable), or another lawful transfer mechanism such as the EU-US Data Privacy Framework.
6. Data subject requests
Taking into account the nature of the processing, Papr will assist Customer with appropriate technical and organizational measures, insofar as possible, to respond to requests from data subjects exercising their rights. The Service also lets Customer access, export, correct, and delete the Personal Data it holds.
7. Personal data breach
Papr will notify Customer without undue delay after becoming aware of a Personal Data breach affecting Customer’s Personal Data, and will provide reasonable information to help Customer meet its own notification obligations.
8. Return & deletion
On termination of the Service, Papr will, at Customer’s choice, delete or return Customer’s Personal Data, and delete existing copies unless retention is required by law. Customer can export its data from the Service at any time before termination.
9. Audits
Papr will make available information reasonably necessary to demonstrate compliance with this DPA and will allow for and contribute to audits, including inspections, conducted by Customer or an auditor it mandates, subject to reasonable confidentiality and security conditions.
10. General
Except as modified here, the Terms remain in full force, and each party’s liability under this DPA is subject to the limitations in the Terms. If there is a conflict between this DPA and the Terms regarding the processing of Personal Data, this DPA controls.
Questions about this DPA, or to request a countersigned copy, contact support@paprhq.com. Paprhq Inc. is a corporation organized under the laws of the State of Florida, United States.