How to use this page
This page is the public version of the gPdf Data Processing Addendum. The signed counterpart that becomes part of your contract is identical in substance and is delivered as a PDF on request.
To execute a DPA, use our contact form and provide your organisation's legal name and signing contact. You will receive a counter-signed copy by email, typically within one business day.
Roles
For the purposes of GDPR (and the UK GDPR, LGPD, PIPEDA and equivalent regimes):
- Customer is the controller of personal data submitted to the gPdf API.
- gPdf is the processor, acting only on documented instructions from the Customer.
The Customer remains responsible for the lawfulness of the personal data they submit (including obtaining any consents required from data subjects).
What gPdf does as processor
gPdf processes Customer-submitted personal data for one purpose only: to render the requested PDF and return it. Specifically:
- We receive the DocumentRequest JSON over TLS.
- We render the PDF inside a Cloudflare Workers V8 isolate.
- We return the PDF in the HTTP response.
- We release the in-memory buffers when the response stream completes.
We do not retain, log, sample, train on, or onward-transfer the personal data in DocumentRequest payloads. Operational logs (HTTP status + duration) are retained for 30 days and contain no request bodies.
International transfers
When personal data leaves the EEA / UK / Switzerland for processing in a third country, the parties rely on:
- The European Commission Standard Contractual Clauses (Module 2: Controller → Processor) approved under EU Decision 2021/914.
- The UK International Data Transfer Addendum to those SCCs where the UK GDPR applies.
- Equivalent mechanisms approved by the relevant supervisory authority where neither of the above applies.
The Customer can request a fully-executed SCC pack via our contact form.
Approved sub-processors
| Sub-processor | Service | Region |
|---|---|---|
| Cloudflare, Inc. | Edge runtime + DNS + DDoS protection | Global edge |
| Stripe, Inc. | Payment processing (no PDF content reaches Stripe) | US, EU |
| (Transactional email provider — disclosed under NDA on contract) | Account + billing emails | EU |
We notify the Customer via email at least 30 days before adding or replacing a sub-processor. The Customer can object by replying to that email; we will then either drop the proposed sub-processor or work in good faith on a substitute.
Security measures
The technical and organisational measures gPdf takes are described in the security policy. The headlines:
- TLS 1.3 in transit.
- No document persistence (the gPdf rendering pipeline does not write submitted content to durable storage).
- Cloudflare Workers V8 isolate sandboxing.
- Hashed-storage API keys with rotation supported.
- Operational logs scoped to metadata only.
Personal-data breach notification
Where required by Article 33, gPdf notifies the affected Customer within 72 hours of becoming aware of a personal-data breach. The notification includes:
- The nature of the breach.
- The categories and approximate volume of personal data and data subjects affected.
- The likely consequences.
- The measures taken or proposed.
Audit rights
The Customer can request, no more than once per 12 months, evidence of compliance with this DPA. We respond with the most recent SOC 2 Type II report (post-Q3 2026), penetration-test summary, and any other certifications then in scope. On-site audits require ≥ 30 days’ written notice and reasonable scope.
End of engagement
When the contract ends, gPdf:
- Stops processing personal data on the Customer’s behalf at termination.
- Deletes operational metadata for the account within 30 days, retaining only billing records required by tax law.
- Provides written confirmation of deletion on request.
Because gPdf does not store submitted document content, there is nothing to “return” — the data has already left our systems on a per-request basis.
Conflicts
If anything in this DPA conflicts with the Customer’s main subscription agreement, this DPA prevails for matters governed by GDPR. For all other matters, the main subscription agreement prevails.