Data Processing Agreement (DPA)
Final DPA available at API launch — preview text below for review.
1. Parties
This Data Processing Agreement is entered into between pdf.xhub.io (operating entity disclosed in the legal notice) as the data processor, and the customer organization (the “Controller”) registered for the service via the workspace owner’s account.
2. Roles
pdf.xhub.io acts as Auftragsverarbeiter (data processor) under Article 28 GDPR. The Controller determines the purposes and means of processing personal data submitted to the service. The processor processes personal data only on documented instructions of the Controller.
3. Subject Matter
Subject matter of processing is the generation of PDF documents on behalf of the Controller. This includes accepting templates and input data via the API, rendering documents, returning the resulting PDF, and storing logs and usage records as required for billing, security, and abuse-prevention purposes.
4. Sub-Processors
The Controller authorizes the engagement of the following sub-processors. Any new sub-processor will be announced with at least 30 days’ notice; the Controller may object during the notice window.
| Sub-processor | Purpose | Region | DPA |
|---|---|---|---|
| Hetzner Online GmbH | Hosting (Compute, DB, Object Storage) | Germany | Signed |
| Cloudflare Inc. | CDN + WAF + DDoS | EU PoPs primary; global anycast | Signed (SCC) |
| Stripe Payments Europe | Billing + Tax | Ireland | Signed |
| Sentry GmbH | Error monitoring | Germany | Signed |
| Grafana Labs | Logs / Metrics / Traces | EU Cloud | Signed |
| Resend Inc. (EU) | Transactional email | EU region | Signed |
| HashiCorp Vault (self-hosted) | Secrets management | Hetzner FRA | n/a (self-hosted) |
| Scaleway SAS | Secondary EU region | France | Signed (Phase 2) |
5. Data Subject Rights
The processor assists the Controller in fulfilling data subject rights under Articles 15–22 GDPR (access, rectification, erasure, restriction, portability, objection). Self-service tooling in the Console covers the most common requests; remaining requests are handled within 30 days via dpo@pdf.xhub.io.
6. Security Measures
TLS 1.3 in transit; AES-256 at rest (LUKS disk-level, pgcrypto column-level for PII, SSE-S3 for object storage). API keys are stored as SHA-256 hashes; revocation propagates within 60 seconds. Render workers run sandboxed (gVisor + Chromium built-in sandbox) with network egress restricted to an SSRF-blocking outbound proxy. Production access requires MFA and is reviewed quarterly.
7. Notification of Breaches
The processor will notify the Controller without undue delay after becoming aware of a personal data breach, and in any event such that the Controller can satisfy its 72-hour notification obligation under Article 33 GDPR. The notification will include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and the measures taken or proposed.
The final DPA will be available at API launch. Until then, contact dpo@pdf.xhub.io to request the draft.