This is the current standard PDFCrowd Data Processing Agreement template. To complete and accept it for your account, sign in and review the agreement from your account settings.

PDFCrowd Data Processing Agreement

This Data Processing Agreement ("DPA") forms part of the agreement for the PDFCrowd service operated by Pdfcrowd s.r.o. ("Pdfcrowd", "we", "us", or "our"). It applies when Pdfcrowd processes Customer Personal Data as a processor on behalf of the customer identified below ("Customer" or "Controller").

1. Parties

Controller
[Customer legal name]
[Customer registered address], [Customer city], [Customer postal code], [Customer country]
Contact: [Customer contact name], [Customer contact email]

Processor
Pdfcrowd s.r.o.
Registered office: Kostelní náměstí 506/1, 288 02 Nymburk, Czech Republic
Company ID: 107 86 546
Registered in the Commercial Register kept by the Municipal Court in Prague, Section C, File No. 348410
Contact: PDFCrowd Support, support@pdfcrowd.com

2. Definitions

"GDPR" means Regulation (EU) 2016/679. "UK GDPR" means the United Kingdom General Data Protection Regulation as defined in the Data Protection Act 2018. "Data Protection Laws" means the GDPR and, where applicable, the UK GDPR and the Data Protection Act 2018. Terms such as "personal data", "processing", "controller", "processor", "subprocessor", "personal data breach", and "data subject" have the meanings given in the applicable Data Protection Laws.

"Customer Personal Data" means personal data that Customer submits to the PDFCrowd service for processing by Pdfcrowd as processor.

This DPA does not apply to personal data that Pdfcrowd processes as a controller, which is described in the PDFCrowd Privacy Policy.

3. Customer Instructions

  1. Customer instructs Pdfcrowd to process Customer Personal Data as necessary to provide, operate, secure, and support the PDFCrowd service as described in this DPA, the Terms of Service, and Annex 1.
  2. Customer's documented instructions include Customer's use and configuration of the PDFCrowd service, including API requests, uploaded files, submitted HTML, converted URLs, conversion settings, account settings, support requests, and other written instructions accepted by Pdfcrowd.
  3. Pdfcrowd will not process Customer Personal Data for other purposes unless required by EU, UK, or Member State law applicable to Pdfcrowd. If such law requires processing, Pdfcrowd will inform Customer before processing unless that law prohibits notice on important public-interest grounds.
  4. If Pdfcrowd believes that a Customer instruction violates applicable Data Protection Laws, Pdfcrowd will inform Customer. Pdfcrowd may suspend the affected instruction until Customer confirms, amends, or withdraws it.
  5. Customer is responsible for having a lawful basis and all required notices and permissions for Customer Personal Data submitted to the PDFCrowd service.

4. Processing Details

The subject matter, duration, nature, purpose, personal data types, and data subject categories are described in Annex 1.

5. Security and Confidentiality

  1. Pdfcrowd will implement appropriate technical and organisational measures under Data Protection Laws, including GDPR and UK GDPR Article 32 where applicable, taking into account the nature of the processing and the risks to data subjects. Current measures are described in Annex 2.
  2. Pdfcrowd will ensure that persons authorised to process Customer Personal Data are bound by confidentiality obligations.

6. Subprocessors

  1. Customer gives Pdfcrowd general authorisation to engage subprocessors for the PDFCrowd service.
  2. Current subprocessors are listed at https://pdfcrowd.com/subprocessors/.
  3. Pdfcrowd will notify Customer before adding or replacing a subprocessor and will give Customer an opportunity to object.
  4. Pdfcrowd will impose data protection obligations on each subprocessor that are no less protective than the obligations in this DPA, as applicable to the subprocessor's processing.
  5. Pdfcrowd remains responsible to Customer for the performance of its subprocessors' data protection obligations.

7. International Transfers

Pdfcrowd s.r.o. is established in the European Union. For UK customers, transfers to Pdfcrowd in the EEA are covered by UK adequacy regulations for the EEA. Where Pdfcrowd transfers Customer Personal Data to a subprocessor outside the EEA, or outside the UK where UK GDPR applies, Pdfcrowd will use a valid transfer mechanism under GDPR Chapter V or UK GDPR international transfer rules, such as an adequacy decision or UK adequacy regulations, the EU-US Data Privacy Framework or the UK Extension to the EU-US Data Privacy Framework where applicable, EU Standard Contractual Clauses, the UK International Data Transfer Agreement, or the UK Addendum to the EU Standard Contractual Clauses.

8. Assistance

  1. Taking into account the nature of the processing, Pdfcrowd will reasonably assist Customer with data subject requests relating to Customer Personal Data.
  2. Pdfcrowd will reasonably assist Customer with security, breach notification, data protection impact assessment, and prior consultation obligations under Data Protection Laws, including GDPR and UK GDPR Articles 32 to 36 where applicable, to the extent related to Pdfcrowd's processing of Customer Personal Data.

9. Personal Data Breach

Pdfcrowd will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Personal Data. Pdfcrowd will provide information reasonably available to Pdfcrowd to help Customer meet its breach notification obligations.

10. Deletion and Return

Pdfcrowd does not retain copies of uploaded files, submitted HTML, or generated output files after they are no longer needed to perform the conversion and make the result available. These files and submitted HTML are deleted from active processing systems within 30 minutes after the conversion and any output availability period are complete. Pdfcrowd does not create backup copies of uploaded files, submitted HTML, or generated output files.

Converted URLs may be kept in Customer's conversion log according to Customer's account retention setting. The default retention period is 14 days, and Customer can set URL retention to no storage.

On termination of the services, or on Customer's written request, Pdfcrowd will delete or return Customer Personal Data unless applicable law requires continued storage.

11. Information and Audit

Pdfcrowd will make available information reasonably necessary to demonstrate compliance with this DPA. If that information is not sufficient, Customer may request an audit on reasonable prior notice, no more than once per year unless required by a supervisory authority or following a personal data breach affecting Customer Personal Data. Audits must not compromise the security, confidentiality, or availability of PDFCrowd or other customers' data.

12. Term

This DPA remains in effect while Pdfcrowd processes Customer Personal Data on behalf of Customer.

Annex 1: Processing Details

Subject matter Providing the PDFCrowd document conversion service.
Duration For the term of the customer's use of the service and any period needed to perform the conversion, make the output available, support customers, secure the service, prevent abuse, or meet legal obligations. Uploaded files, submitted HTML, and generated output files are deleted from active processing systems within 30 minutes after the conversion and any output availability period are complete. Pdfcrowd does not create backup copies of uploaded files, submitted HTML, or generated output files. Converted URLs may be kept in Customer's conversion log according to Customer's account retention setting; the default is 14 days and Customer can set URL retention to no storage.
Nature and purpose Receiving source documents, URLs, files, HTML, API requests, and related metadata; converting documents; returning output; operating, securing, and supporting the service.
Data subjects Individuals whose personal data is included in Customer content or related service metadata, as determined by Customer.
Personal data Customer content submitted for conversion and related metadata. The content may include any personal data Customer chooses to submit.
Special categories Not intended. Customer must not submit special-category personal data unless Customer has a lawful basis and the submission is necessary for Customer's use of the service.

Annex 2: Technical and Organisational Measures

  • Encrypted transport for service access using HTTPS/TLS.
  • Access controls limiting production access to authorised personnel.
  • Authentication and role-based administrative access where applicable.
  • Logging and monitoring for service operation, security, and abuse prevention.
  • Logical separation of customer accounts and service data.
  • Service infrastructure backups and recovery procedures for continuity.
  • Subprocessor due diligence and written data protection terms.
  • Incident response procedures for suspected personal data breaches.

Annex 3: Subprocessors

The current subprocessor list is available at https://pdfcrowd.com/subprocessors/.