Data Processing Agreement

This ConvertiblePDF Data Processing Agreement ("DPA") reflects our mutual agreement regarding the processing of personal data by us on your behalf in connection with ConvertiblePDF plans under the ConvertiblePDF Terms of Service between you and us.
This DPA is supplemental to, and forms an integral part of, the Terms of Service and is effective upon your acceptance of the Terms of Service. In the event of any conflict or inconsistency with the Terms of Service, this DPA shall take precedence over the Terms of Service to the extent of such conflict or inconsistency.
We may update the DPA from time to time. If you have an active subscription, we will let you know when we do via email or in-app notification.
The term of this DPA will follow the term or our agreement under the Terms of Service. Terms not otherwise defined in this DPA shall have the meaning set forth in the Terms of Service.
This DPA, as updated from time to time by the Procurer (as defined below), is entered into between
[Client] (hereinafter "Controller")
and
ConvertiblePDF (hereinafter referred to as "Processor")
(together also referred to as the "Parties" and each also referred to as a "Party")

1. General Provisions

1.1. "Controller", "Processor", "Personal Data", "process/processing", "data subject", "technical and organisational measures", "supervisory authority" and "processing on behalf of a Controller" shall be interpreted in accordance with the General Data Protection Regulation (EU) 2016/ 679 ("GDPR").
1.2. The Data Processor processes Personal Data on behalf of the Controller for the provision of services for editing, compressing, converting and electronically signing PDF documents pursuant to Art. 4 (2), 28 GDPR exclusively on the basis of this Data Processing Agreement ("DPA").
1.3. The commencement and duration of the processing shall depend on the duration of the Controller's use of the DPA services referred to in Section 1.2.

2. Specifics of the processing of personal data

2.1. The purpose of the processing activity is for the Procurer to provide the Controller with the services of editing, compressing, converting and electronically signing PDF documents (the "Services").
2.2. In the context of this DPA, the following categories of Personal Data will be processed:
Content of the uploaded documents
Data of the signatories of the e-signature services, including e-mail address, time and date of signature, electronic signatures, status of the document
2.3. In the context of this DPA, the following categories of Data Subjects may be processed, depending on the content of the uploaded documents:
Customers
Employees
Suppliers
Other persons whose personal data are contained in the documents uploaded.

3. Rights and obligations of the controller; instructions

3.1. The Controller shall process Personal Data in accordance with the Controller's instructions. The instructions included in this DPA and the instructions given by the Controller when using the parameterisation possibilities within the Services shall be considered the respective instructions for the purposes of this DPA. Further instructions may only be given if agreed between the parties in writing or in documented electronic form (e.g. by e-mail or via customer support).
3.2. Changes in the subject matter of processing or procedures must be coordinated between the controller and the processor and agreed upon in writing or in documented electronic form.
3.3. It is the sole responsibility of the Controller to assess the lawfulness of the processing. This includes the handling of requests for data subjects' rights.

4. Obligations of the Processor

4.1. The Processor shall process personal data only within the scope of this DPA and on the instructions of the Controller, unless otherwise required by the law of the European Union or the Member State to which the Processor is subject. In such a case, the Processor will inform the Controller of such legal requirement prior to processing, unless such law prohibits such information for important reasons of public interest.
4.2. The Processor shall ensure that persons authorised to process personal data have committed themselves to confidentiality or are subject to an appropriate statutory duty of confidentiality.
4.3. The Processor shall make reasonable efforts to support the Controller in fulfilling the rights of data subjects under Art. 12-22 GDPR by the Controller and in ensuring compliance with the obligations under Articles 32-36 GDPR, taking into account the nature of the processing and the information available to the Processor. If the Processor needs to assist the Controller to comply with the Controller's legal obligations as set out in section 4.3, the Controller shall reimburse the Processor for any reasonable additional costs associated with providing such assistance.

5. Processor's Notification Obligations

5.1. The Processor shall notify the Controller immediately if, in its opinion, an instruction is in breach of the GDPR or other EU or Member State data protection provisions.
5.2. The Processor shall provide appropriate support to the Controller regarding the Controller's obligations under Articles 33 and 34 GDPR.
5.3. The Controller shall reimburse the Data Processor for any reasonable additional costs associated with the provision of support pursuant to section 5.2.

6. Technical and organisational measures in accordance with Article 32 GDPR

6.1. The Processor shall take appropriate technical and organisational measures in accordance with Article 32 GDPR to ensure a level of protection appropriate to the risk. The Processor shall assist the Controller in ensuring compliance with the obligations under Art. 32 GDPR.
6.2. The Processor shall implement the technical and organisational measures pursuant to Art 32 GDPR.

7. Obligations of the Processor after cessation of processing

After the termination of data processing under this DPA, the Procurer shall, upon written notice from the Controller, erase or return the personal data to the extent that retention is not required by applicable law.