This Smallpdf Data Processing Agreement [https://smallpdf.com/dpa] (“DPA”) reflects our mutual agreement with respect to the Processing of Personal Data by us on behalf of you in connection with the Smallpdf Team Plan and Smallpdf Business Plan under the Smallpdf Terms of Service between you and us.
This DPA is supplemental to, and forms an integral part of, the Term of Services and is effective upon your acceptance of the Terms of Services. In case of any conflict or inconsistency with the Terms of Services, this DPA will take precedence over the Terms of Services to the extent of such conflict or inconsistency.
We may update the DPA from time to time. If you have an active Smallpdf Team or Smallpdf Business subscription, we will let you know when we do via email or via in-app notification.
The term of this DPA will follow the term or our agreement under the Terms of Services. Terms not otherwise defined in this DPA will have the meaning as set forth in the Terms of Services
This Data Processing Agreement as updated from time to time by Processor (as defined below) is concluded between
[Customer] (hereinafter „Controller“)
Smallpdf AG, a company incorporated under the laws of Switzerland, with its registered offices at Steinstrasse 21, 8003 Zürich, Switzerland (hereinafter „Processor“)
(together also referred to as the “Parties” and each also referred to as a “Party“)
1.1. “Controller”, “Processor”, “Personal Data”, “process/processing, “data subject”, “technical and organizational measures”, “supervisory authority” and “processing on behalf of a Controller” shall be interpreted in accordance with the General Data Protection Regulation (EU) 2016/ 679 (“GDPR”).
1.2. Processor processes Personal Data on behalf of Controller for the provision of PDF document editing, compressing, conversion and electronic signature services according to Art. 4 (2), 28 GDPR solely based on this Data Processing Agreement (“DPA”).
1.3. Beginning and duration of the processing depends on the duration of the Controller’s use of Processor’s services mentioned under 1.2.
2.1. The purpose of the processing activity is for Processor to provide Controller with PDF document editing, compressing, conversion and electronic signature services (the “Services”).
2.2. Within the scope of this DPA, the following categories of Personal Data will be processed:
Content of the uploaded documents
Data of signatories for the electronic signature services, including email address, time and date of signature, electronic signatures, document status
2.3. Within the scope of this DPA, the following categories of Data Subjects may be subjected to processing, depending on the content of the uploaded documents:
Business partners of Controller
Other individuals whose personal data is contained in the uploaded documents
3.1. Processor shall process Personal Data in accordance with Controller’s instructions. The instructions included in this DPA and the instructions given by Controller when using the parametrization possibilities within the Services shall be deemed the respective instructions for the purposes of this DPA. Additional instructions may only be issued where mutually agreed between the Parties in writing or in a documented electronic form (e.g. via e-mail or via customer support).
3.2. Changes of the subject-matter of the processing or of procedures shall be coordinated between Controller and Processor and established in writing or in a documented electronic form.
3.3. It is within the sole responsibility of Controller to assess the legitimacy of the processing. This includes the handling of data subjects’ rights requests.
4.1. Processor processes Personal Data solely within the scope of this DPA and on instructions of the Controller, unless required otherwise so by European Union or member state law to which Processor is subject. In such a case, Processor shall inform Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
4.2. Processor ensures that persons authorized to process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
4.3. Processor shall use reasonable efforts to support Controller in fulfilling the rights of data subjects according to Art. 12 to 22 GDPR by Controller and in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR taking into account the nature of processing and the information available to the Processor. Where Processor has to assist Controller to meet Controller’s legal obligations as stated in section 4.3, Controller shall reimburse Processor any reasonable additional costs associated with the provision of such assistance.
5.1. On request of the Controller, Processor shall provide the Controller with information necessary to demonstrate compliance with Processor’s obligations, including of the implementation of technical and organizational measures.
5.2. The Processor shall provide Controller with appropriate means of information, such as carrying out a self-audit and providing the Controller with respective information, or providing attestations, certifications, reports or extracts thereof from independent bodies (e.g. external auditors) or other suitable certifications.
5.3. If Controller has reasonable doubts regarding the documents provided by Processor under 5.2 and provides Processor with an explanation of such doubts, Controller or an independent renowned third party auditor instructed by Controller can verify compliance of the Processor under 5.1, including through an on-site inspection.
5.4. Such on-site audit shall be announced by Controller to Processor at least two weeks in advance. It shall be performed during usual business and operating hours, taking into account Processor’s business interests. Processor is entitled to make such inspection condition to the conclusion of a market-standard non-disclosure agreement.
5.5. Controller shall immediately inform Processor if errors or irregularities are detected throughout the examination.
5.6. Controller shall remunerate any additional costs incurred by Processor due to such audit under 5.3 to 5.5.
6.1. Processor shall immediately inform Controller if, in its opinion, an instruction infringes the GDPR or other European Union or member state data protection provisions.
6.2. Processor shall provide adequate support to Controller regarding Controller’s obligations according to Art. 33 and 34 GDPR.
6.3. Controller shall reimburse Processor any reasonable additional costs associated with the provision of assistance according to section 6.2.
7.1. Processor shall be entitled to use sub-Processor for fulfilling its contractual obligations. Upon request, Processor shall provide a list of sub-Processor involved in data processing under this DPA.
7.2. Processor shall inform Controller without undue delay upon the assignment of a new sub-processor, thereby giving Controller the opportunity to object to such changes based on important reasons within 14 days of the notification by Processor. In this case, Processor may terminate the affected parts of the services without penalty by providing written notice of termination.
7.3. Processor shall ensure by entering into agreement with sub-Processor to impose at least substantially equivalent obligations on sub-Processor which Processor has assumed under this DPA.
7.4. Processor shall remain liable to Controller for its sub-processors’ obligations.
If personal data is transferred to a third country outside the European Union/Economic Area by Processor, Processor shall ensure that the requirements of Art. 44 et seq. GDPR are met.
9.1. Processor takes appropriate technical and organizational measures according to Art. 32 GDPR, in order to ensure a level of protection adequate to the risk. Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Art. 32 GDPR.
9.2. Processor shall implement the technical and organizational measures according to Art. 32 GDPR listed in Annex 1.
After the termination of data processing under this DPA, Processor shall, upon Controller’s written notice, delete or return the personal data, insofar as retention is not required by applicable laws.
If this DPA contradicts other agreements concluded between the Parties, the provisions of this DPA shall take precedence.
Processor has implemented the following technical und organizational measures, which may be adapted from time to time based on technological progress:
Confidentiality (Art. 32 (1) b GDPR)
Physical access control:
The data centers we use are secured through physical barrier controls at relevant access points, electronic access control validation or validation by human security personnel, ID badge requirements, need-based access privilege limitations and electronic intrusion detection systems. Appropriate video surveillance is in place and all relevant access points are maintained in a secure (locked) state. All physical access to the data centers is logged.
Our business premises are protected with key control measures, including additional keys being required for critical information.
Electronic access control:
The data centers we use are protected through access controls and policies for the network, including firewalls (or equivalent) and authentication controls. User access to the data centers is logged.
For access to our IT systems, personal user accounts with user names and passwords are set up for authorized personnel. We have a password policy with minimum standard requirements for password length and composition.
We have a two-factor authentication policy for critical services and key users.
Access to our IT systems is granted following a need to know & least privilege approach.
We have a company policy that allows using only laptops with encrypted disk storage, and it is not allowed to connect external hard drives (e.g. USB, SD card) to the company laptops.
Unauthorized external access to our critical systems is prevented by VPN and two-factor authentication.
Access to our critical systems is logged.
We use different environments for staging and production.
Integrity (Art. 32 (1) b GDPR)
Access to our data centers is logged. The log data is protected against unauthorized access.
Our staging environment is accessible only using a VPN connection.
Every employee that needs to connect via VPN has their own credentials to use the VPN.
All our environments (both staging and productions) use HTTPS to secure transport data.
Uploaded files by our users are generally deleted from our infrastructure within one hour or two weeks, depending on whether or not the service is accessed via a user account, unless the user chooses to save or reopen them, which triggers further retention in line with our deletion concept.
Internally, we document who receives or changes critical data through log files.
We encrypt data in transit.
Availability and Resilience, including ability to restore the availability (Art. 32 (1) b, c GDPR)
For the data centers we use, we have a backup strategy in place and create regular backups to restore data in case of emergency. The data centers also have an electronic intrusion prevention system.
We use firewalls (or similar technologies) and anti-virus protection.
We conduct security & data protection trainings for our employees.
We have an emergency recovery plan.
Process for regularly testing, assessing and evaluation the effectiveness of the technical and organizational measures (Art. 32 (1) d GDPR
We have a standard Data Processing Agreement.
We have privacy policies for the affected data subjects.
We are ISO 27001-certified.
We have a process to fulfill data subject rights’ requests.
We conduct data protection impact assessments, to the extent necessary.
We have a GDPR training concept.
We have a data protection officer.
We have a GDPR representative in the UK and EU.
Incident Response Management:
We have a well-defined, internal process to handle security incidents.
Data protection by design and by default:
We delete user files in line with user choices and our data retention scheme (see above, under Integrity).
We have a process to fulfil data subject rights’ requests.
We limit data access of our personnel following a need to know & least privilege approach.
Order control: No data processing within the meaning of Art. 28 GDPR without corresponding instructions from the Controller (pre-evaluation and selection of providers, order management)
We sign Data Processing Agreements with each supplier who has access to personal data.
We have a process to choose suitable providers in line with privacy requirements.
We document contract conclusion.
We regularly audit the compliance of our suppliers with access to personal data.