Data processing agreement

How we handle personal data on your behalf, the security measures we apply, and the subprocessors we use. For a countersigned copy, contact privacy@paperclip.inc.

Last updated 31 May 2026. This is the data processing agreement that governs Paperclip.inc’s processing of personal data on your behalf.

This Data Processing Agreement (“DPA”) forms part of the agreement between Paperclip.inc OÜ (registry code 17517227, Sepapaja tn 6, 15551 Tallinn, Harju Maakond, Estonia) (“Paperclip”, “Processor”) and the customer identified in the order or account (“Customer”, “Controller”) for the Paperclip hosted service (the “Service”). It governs Paperclip’s processing of personal data on the Customer’s behalf and takes effect on the date the underlying agreement (the “Agreement”) is entered into.

Where the Customer’s content includes personal data that the Customer controls, Paperclip is the processor and the Customer is the controller. For Paperclip’s own account, billing, and telemetry data, Paperclip is a controller and that processing is governed by the Paperclip privacy policy, not this DPA.

1. Definitions

Terms such as “controller”, “processor”, “personal data”, “processing”, “data subject”, “personal data breach”, and “supervisory authority” have the meanings given in the GDPR (Regulation (EU) 2016/679). “Applicable Data Protection Law” means the GDPR, the UK GDPR, and, to the extent it applies to the Customer’s use of the Service, the California Consumer Privacy Act as amended (“CCPA”). “Customer Personal Data” means personal data that Paperclip processes on the Customer’s behalf under the Agreement. “Subprocessor” means any processor engaged by Paperclip to process Customer Personal Data.

2. Roles and scope of processing

2.1 Paperclip processes Customer Personal Data only as a processor on the Customer’s behalf, and only for the purposes set out in Annex I.

2.2 The subject matter, duration, nature and purpose of the processing, the types of personal data, and the categories of data subjects are described in Annex I.

2.3 Each party complies with its obligations under Applicable Data Protection Law. The Customer is responsible for the lawfulness of the personal data it provides and of its processing instructions.

3. Processing on documented instructions

3.1 Paperclip processes Customer Personal Data only on the Customer’s documented instructions, including as to transfers, unless required by EU or member-state law to do otherwise; in that case Paperclip informs the Customer of that legal requirement before processing, unless the law prohibits it.

3.2 The Agreement, this DPA, and the Customer’s use and configuration of the Service (including model-provider settings) are the Customer’s complete and documented instructions. Additional instructions outside the Service require written agreement.

3.3 Paperclip informs the Customer if, in its opinion, an instruction infringes Applicable Data Protection Law.

3.4 No training on Customer Personal Data. Paperclip does not use Customer Personal Data to train, fine-tune, or improve machine-learning models, and does not use it for any purpose other than providing and securing the Service, except on the Customer’s documented instruction.

4. Confidentiality

Paperclip ensures that persons authorised to process Customer Personal Data are bound by an appropriate duty of confidentiality.

5. Security

5.1 Paperclip implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking account of Article 32 GDPR. Those measures are described in Annex II.

5.2 Paperclip may update its security measures provided the updates do not materially reduce the overall level of protection.

6. Subprocessors

6.1 The Customer gives general authorisation for Paperclip to engage Subprocessors. The Subprocessors in use as of the effective date are listed in Annex III.

6.2 Before adding or replacing a Subprocessor, Paperclip gives the Customer reasonable prior notice (for example, by updating the published list or by email). The Customer may object on reasonable data-protection grounds within 15 days. If the parties cannot resolve the objection, the Customer may terminate the affected part of the Service.

6.3 Paperclip imposes data-protection obligations on each Subprocessor that are no less protective than those in this DPA, including the no-training commitment in clause 3.4 to the extent the Subprocessor processes content, and remains liable for its Subprocessors’ performance.

7. Assistance to the Customer

7.1 Taking account of the nature of the processing, Paperclip assists the Customer by appropriate technical and organisational measures, insofar as possible, in responding to requests from data subjects exercising their rights. The Service also lets the Customer export, correct, and delete data directly.

7.2 Paperclip assists the Customer in ensuring compliance with its obligations under Articles 32 to 36 GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of the processing and the information available to Paperclip.

8. Personal data breach

8.1 Paperclip notifies the Customer without undue delay, and in any event within 72 hours, after becoming aware of a personal data breach affecting Customer Personal Data.

8.2 The notice includes, to the extent known, the nature of the breach, the likely consequences, and the measures taken or proposed. Paperclip provides further information as it becomes available.

9. Deletion or return

On termination of the Service, Paperclip deletes Customer Personal Data within 30 days, and certifies deletion on request, unless EU or member-state law requires storage. Backups are purged on the cycle described in the privacy policy. The Customer can export its data before termination.

10. Audits

10.1 Paperclip makes available the information necessary to demonstrate compliance with Article 28 GDPR, in the form of current security documentation and a completed security questionnaire.

10.2 Where that information is not sufficient, the Customer (or an independent auditor it mandates, who is not a Paperclip competitor and is bound by confidentiality) may audit Paperclip’s processing, at the Customer’s cost, no more than once per year, on at least 30 days’ notice, during business hours, and without disrupting Paperclip’s operations.

11. International transfers

11.1 Customer Personal Data is hosted in the European Union. Paperclip does not transfer Customer Personal Data outside the European Economic Area except where covered by an appropriate safeguard under Chapter V GDPR, such as an adequacy decision or the European Commission’s standard contractual clauses.

11.2 Where the standard contractual clauses apply to a transfer made through the Service, they are incorporated into this DPA by reference, with Paperclip as data exporter or importer as the configuration requires, and Annex I and Annex II completing the relevant SCC annexes.

12. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Agreement. Nothing in this DPA limits liability that cannot be limited under Applicable Data Protection Law.

13. CCPA terms

To the extent the CCPA applies, Paperclip acts as a “service provider” and processes Customer Personal Data only to provide the Service. Paperclip does not sell or share that data, and does not retain, use, or disclose it for any purpose other than performing the Service or as permitted by the CCPA.

14. General

14.1 If there is a conflict between this DPA and the Agreement on the processing of personal data, this DPA prevails.

14.2 This DPA is governed by the law and jurisdiction stated in the Agreement, except where Applicable Data Protection Law requires otherwise.


Annex I: Details of processing

  • Subject matter: Paperclip’s provision of the hosted AI agent and orchestration Service.
  • Duration: For the term of the Agreement, plus the deletion period in clause 9.
  • Nature and purpose: Hosting, running, and orchestrating Customer-configured AI agents, including routing prompts and required context to the Customer-configured model provider, and providing related account, telemetry, and support functions.
  • Types of personal data: Determined by the Customer. May include account and contact details of the Customer’s users, and any personal data the Customer or its users include in issues, routines, skills, prompts, approvals, and the context provided to agents. The Customer controls what it submits and should avoid submitting special-category data unless agreed in writing.
  • Categories of data subjects: Determined by the Customer. May include the Customer’s personnel, end users, and any individuals referenced in content the Customer submits.

Annex II: Technical and organisational measures

  • Access control: Role-based access with least privilege. The production control plane is not exposed to the public internet and is restricted by network allowlisting. Application secrets are held in a dedicated secrets manager and are not committed to source control. Multi-factor authentication is enforced on all staff accounts.
  • Encryption: In transit, TLS 1.2 and above throughout, with HSTS on the public site. At rest, the database is encrypted with AES-256, and backup storage (Cubbit) is encrypted and fragmented across EU nodes.
  • Network and infrastructure security: Hosted on Hetzner Cloud in the EU (Nuremberg). Single-tenant, hardened Kubernetes cluster with network isolation, and the database reachable only from inside the cluster.
  • Logging and monitoring: The platform is continuously monitored, with centralised log aggregation (30-day retention), metrics, and dashboards covering system health and capacity.
  • Backups and recovery: Continuous WAL archiving plus daily scheduled base backups of the production database to EU object storage (Cubbit, Italy), with 30-day retention. Restorability is verified by restore drills that recover the database into an isolated environment and confirm a healthy state.
  • Data minimisation: Only the prompt and required context are sent to model providers; no billing or unrelated organisation data.
  • Model-provider controls: Paperclip routes inference through Tensorix (Ireland), an EU-incorporated inference provider that processes the request inside the EU/EEA with zero data retention, or to a self-hosted endpoint the Customer controls. Paperclip routes Customer Personal Data only to model endpoints in the EU/EEA (or to a self-hosted endpoint the Customer designates); it does not route Customer Personal Data to model endpoints hosted outside the EU/EEA.
  • Vulnerability and patch management, secure development: Infrastructure managed as code, with all changes landing through pull request and CI. Automated dependency and container-image vulnerability scanning runs on every change, and Paperclip conducts periodic third-party penetration testing.
  • Personnel: Personnel authorised to process Customer Personal Data are bound by confidentiality obligations and follow Paperclip’s documented internal security practices.
  • Incident response: Documented breach-response process aligned to the 72-hour notice in clause 8.

Annex III: Subprocessors

Subprocessor | Purpose | Location / safeguard
--- | --- | ---
Hetzner | Cloud hosting and managed database | Germany; EU-incorporated company, EU-hosted (no transfer outside the EEA)
Cubbit | Object storage and backups | Italy; EU-incorporated company, data stored across the EU (no transfer outside the EEA)
Tensorix | EU-sovereign model gateway for inference | Ireland; EU-incorporated company, inference on EU infrastructure with zero data retention (no transfer outside the EEA)
mailbox.org | Transactional and support email | Germany; EU-incorporated company, EU-hosted (no transfer outside the EEA)
Plausible | Cookieless website analytics | Estonia; EU-incorporated company, EU-hosted. No cookies, no personal data, no transfer outside the EEA
Mouseflow | Heatmaps and session recordings (consent-gated) | Denmark; EU-incorporated company, EU-hosted. No transfer outside the EEA

Note: Vatly (Netherlands) acts as merchant of record and is an independent controller for the payment and tax data it handles, so it is not a Subprocessor under this DPA. It is addressed in the Terms and the Privacy Policy.