Data Processing Agreement
Last updated: 27 June 2026
This Data Processing Agreement ("DPA") forms part of the contract between you (the "Controller") and blaumedia GmbH (the "Processor") and governs the processing of personal data that you upload to or generate in PaperHero, where you act as controller under Art. 28 GDPR. It applies automatically when you use PaperHero to process personal data of third parties.
1. Subject matter and roles
The Processor processes personal data on behalf of the Controller solely to provide the PaperHero service. The Controller remains responsible for the lawfulness of the processing and for the content it uploads.
2. Duration
This DPA applies for as long as the Processor processes personal data on behalf of the Controller, i.e. for the term of the underlying contract.
3. Nature of processing, types of data and data subjects
- Nature and purpose: storage, text recognition (OCR), indexing for search, AI-assisted analysis, sharing and related document-management operations.
- Types of personal data: any personal data contained in the documents, files, metadata and AI inputs that the Controller uploads or generates (which may include names, contact details, contract and financial data and other content).
- Categories of data subjects: as determined by the Controller's content — typically the Controller, its family members, customers, contractual partners or other individuals referenced in the documents.
4. Obligations of the Processor
- Process personal data only on the documented instructions of the Controller (which include the use of the Service's features); inform the Controller if an instruction infringes data-protection law.
- Ensure that persons authorized to process the data are bound to confidentiality.
- Implement the appropriate technical and organizational measures set out in section 7.
- Assist the Controller, taking into account the nature of processing, in responding to data-subject requests and in meeting its obligations under Art. 32–36 GDPR.
- At the Controller's choice, delete or return the personal data after the end of the provision of services, unless storage is required by law.
- Make available the information necessary to demonstrate compliance and allow for and contribute to audits.
- Notify the Controller without undue delay of a personal data breach affecting the Controller's data.
5. Sub-processors
The Controller grants general authorization for the engagement of sub-processors. The Processor currently engages the sub-processors listed in its Privacy Policy (in particular Hetzner for hosting, and Requesty.ai together with OpenAI, Anthropic, Google and Mistral for AI processing via EU-located endpoints).
The Processor will inform the Controller of any intended changes concerning the addition or replacement of sub-processors and will give the Controller the opportunity to object on reasonable data-protection grounds. If the Controller objects, the Processor may terminate the affected service or contract.
The Processor imposes data-protection obligations on its sub-processors that are equivalent to those in this DPA.
6. Data-subject rights and assistance
The Processor supports the Controller, as far as possible and with appropriate technical and organizational measures, in fulfilling data-subject requests. PaperHero provides self-service export and deletion functions for this purpose.
7. Technical and organizational measures
- End-to-end encryption of documents; encryption keys protected by the user's password; optional device-only key storage.
- Encryption in transit (TLS) and password hashing with scrypt.
- Logical isolation of each customer's data in a separate database and storage area (multi-tenancy separation).
- Access controls, role-based permissions and optional two-factor authentication.
- Hosting within the EU (Germany) on access-controlled infrastructure, with backups and logging.
- Documented processes for incident response and deletion.
8. International transfers
Processing under this DPA takes place within the EU. The Processor does not transfer the Controller's document data to third countries; AI processing is performed via EU-located endpoints.
9. Liability and order of precedence
Liability is governed by the underlying contract and the GDPR. In the event of conflict between this DPA and the Terms of Use regarding data protection, this DPA prevails.
10. Deletion and return
Upon termination, the Processor deletes the Controller's personal data in accordance with its Privacy Policy (access disabled immediately, erasure within 30 days), unless a legal retention obligation applies.
Contact
To request a counter-signed copy of this DPA or for data-protection questions:
blaumedia GmbH
Friedrich-Ebert-Hof 6
22763 Hamburg
Germany