Data Processing Agreement

Last updated: Version 2.0 — Effective 2026-06-02

ℹ️ Available only in English. This is the legally binding version.

This Data Processing Agreement (the "DPA") forms an integral part of the Terms of Service concluded between the Customer ("Controller") and the operator of this Pluma instance ("Processor", "we"), whose full legal identification is set out in the Impressum. It reflects the parties' agreement with regard to the processing of Personal Data on behalf of the Controller and is concluded pursuant to Article 28 (3) of Regulation (EU) 2016/679 ("GDPR").

1. Subject matter and scope

This DPA governs the processing by the Processor of Personal Data on behalf of the Controller in connection with the provision of the Service. In the event of any conflict between this DPA and the Terms of Service with regard to the processing of Personal Data, this DPA shall prevail.

2. Definitions

Terms used in this DPA shall have the meanings ascribed to them in Article 4 GDPR. "Service" has the meaning given to it in the Terms of Service. "Sub-processor" means any third party engaged by the Processor to process Personal Data on its behalf in connection with the Service.

3. Roles of the parties

With respect to Personal Data processed under this DPA, the Customer is the Controller and Pluma is the Processor within the meaning of Articles 4 (7) and 4 (8) GDPR. Each party shall comply with its respective obligations under applicable data protection law.

4. Duration and termination

This DPA enters into force on acceptance of the Terms of Service and remains in effect for so long as the Processor processes Personal Data on behalf of the Controller. The obligations of confidentiality (section 8) survive termination for so long as required by their nature.

5. Description of the processing

The subject matter, duration, nature, purpose, types of Personal Data, and categories of data subjects are described in Annex I.

6. Controller instructions and warranties

The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country or an international organisation, unless required to do so by Union or Member State law to which the Processor is subject. In such a case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.

The Controller's documented instructions are set out in this DPA, in the Terms of Service, and in the Customer's configuration of the Service (including its choice of features, regions, and sub-processor categories). Additional or modified instructions issued by the Controller must be given in text form to the address designated in section 16.

If the Processor considers that an instruction infringes applicable data protection law, it shall inform the Controller without undue delay (Article 28 (3) sentence 3 GDPR).

The Controller warrants that it has, and shall maintain for the duration of the processing, a valid legal basis under Article 6 GDPR (and, where applicable, Article 9 GDPR) for the processing of Personal Data through the Service and that it has complied with its information obligations vis-à-vis data subjects (Articles 13 and 14 GDPR).

7. Obligations of the Processor

In accordance with Article 28 (3) GDPR the Processor shall:

  1. process Personal Data only on documented instructions from the Controller in accordance with section 6;
  2. ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality (section 8);
  3. take all measures required pursuant to Article 32 GDPR (section 9);
  4. respect the conditions referred to in Article 28 (2) and (4) GDPR for engaging another processor (section 10);
  5. taking into account the nature of the processing, assist the Controller by appropriate technical and organisational measures, insofar as this is possible, for the fulfilment of the Controller's obligation to respond to requests for exercising the data subject's rights laid down in Chapter III GDPR (section 11);
  6. assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR, taking into account the nature of processing and the information available to the Processor (sections 9 and 12);
  7. at the choice of the Controller, delete or return all Personal Data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless Union or Member State law requires storage of the Personal Data (section 16);
  8. make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller (section 14).

8. Confidentiality

The Processor shall ensure that any person authorised to process Personal Data under this DPA is bound by an obligation of confidentiality of equivalent scope, whether by contract or statute, that extends beyond the end of their engagement.

9. Technical and organisational measures

The Processor shall implement and maintain the technical and organisational measures set out in Annex II to ensure a level of security appropriate to the risk (Article 32 GDPR). The Processor may modify those measures from time to time, provided that the level of protection is not materially reduced.

10. Sub-processors

The Controller grants the Processor general written authorisation to engage Sub-processors for the purposes of providing the Service (Article 28 (2) sentence 2 GDPR). The Sub-processors engaged at the effective date of this DPA are listed in Annex III.

The Processor shall inform the Controller of any intended change concerning the addition or replacement of Sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes on reasonable data-protection grounds. Where the Controller objects within the notice period and the Processor is unable to provide an acceptable alternative, either party may terminate the affected portion of the Service for cause.

The Processor shall impose on every Sub-processor, by way of a written contract, the same data-protection obligations as are set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organisational measures so that the processing meets the requirements of the GDPR. Where a Sub-processor fails to fulfil its data-protection obligations, the Processor remains fully liable to the Controller for the performance of that Sub-processor's obligations.

11. Assistance with data subject rights

Taking into account the nature of the processing and the information available to it, the Processor shall assist the Controller by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Controller's obligation to respond to requests by data subjects for the exercise of their rights under Articles 15 to 22 GDPR.

Where the Processor receives such a request directly from a data subject, it shall not respond to that request other than to refer the data subject to the Controller, and shall promptly notify the Controller. The Controller is responsible for responding to data subject requests; the Processor's assistance is provided to the extent reasonably necessary and at the Controller's expense, save where mandatory law provides otherwise.

12. Personal data breaches

The Processor shall notify the Controller without undue delay, and in any event within 48 hours, of becoming aware of a personal data breach (Article 4 (12) GDPR) affecting Personal Data processed under this DPA. The notification shall describe the nature of the breach, the likely consequences, the measures taken or proposed to address the breach, and, where applicable, measures to mitigate its possible adverse effects, to the extent such information is then available. Information missing at the time of the initial notification shall be provided as and when it becomes available.

The Processor shall further assist the Controller, taking into account the nature of processing and the information available to it, in complying with the Controller's obligations under Articles 33 and 34 GDPR.

13. International transfers

All processing under this DPA takes place within the European Economic Area. Where Personal Data must exceptionally be transferred to a country outside the EEA — for example, in connection with provider support — the Processor shall ensure that the transfer is governed by an appropriate transfer mechanism under Chapter V GDPR, in particular by Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914) or an applicable adequacy decision of the European Commission.

14. Audit rights

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or by another auditor mandated by the Controller and bound by appropriate confidentiality obligations.

The Controller shall give the Processor reasonable advance notice of any intended audit (not less than 30 days, except in cases of urgency such as a confirmed personal data breach) and shall conduct such audits in a manner that does not unreasonably interfere with the Processor's normal business operations. Audits shall be limited to one per calendar year, save where mandatory law or a confirmed material breach requires further audits. The Controller bears the costs of any audit it commissions, save where the audit reveals a material breach of the Processor's obligations, in which case the Processor bears the reasonable costs of the audit.

The Processor may satisfy the audit obligations set out in this section by providing the Controller with relevant third-party certifications, audit reports, or other comparable evidence (for example, ISO 27001 statements of applicability) where such evidence reasonably demonstrates the requested compliance.

15. Liability

The liability of the parties under this DPA is governed by Article 82 GDPR and by the limitations of liability set out in the Terms of Service, save where mandatory law provides otherwise.

16. Final provisions and contact

The Processor's data protection contact for matters arising under this DPA is [email protected]. A counter-signed paper original of this DPA may be requested via the same address.

On termination of the contract, the Processor shall delete or return all Personal Data processed under this DPA at the Controller's choice and shall delete existing copies within 30 days, save where Union or Member State law requires continued storage. The Controller may, within that 30-day window, export Customer Data through the Service in a structured, commonly used, machine-readable format.

Should any provision of this DPA be or become invalid in whole or in part, the validity of the remaining provisions shall not be affected. The parties shall replace any invalid provision with a valid provision that comes closest to the economic purpose of the invalid provision.

This DPA is governed by the laws of the Federal Republic of Germany, to the exclusion of the United Nations Convention on Contracts for the International Sale of Goods. The exclusive venue for disputes arising from or in connection with this DPA is the registered seat of the Processor, save where mandatory law provides otherwise.

Annex I — Description of processing

Subject matter
The processing of Personal Data necessary to provide the Service to the Controller.
Duration
For so long as the Controller's account is active and for any post-termination period required by section 16 of this DPA or by mandatory law.
Nature and purpose
Storage, transmission, indexing, and transformation of Personal Data embedded by the Controller into PDF templates, inputs, and rendered documents, for the purpose of providing the Service in accordance with the Terms of Service.
Categories of data subjects
The Controller's employees, contractors, users, customers, and any other natural persons whose Personal Data the Controller chooses to process through the Service.
Types of Personal Data
Identification data (name, salutation, language preference), contact details (email, postal address, telephone), authentication data (hashed passwords, OAuth identifiers, API keys), workspace and membership metadata, invoice metadata (billing address, VAT identification number), audit logs of administrative actions, and any further Personal Data embedded by the Controller into template inputs. The Controller shall not transmit special categories of Personal Data (Article 9 GDPR) through the Service unless expressly agreed.

Annex II — Technical and organisational measures

The Processor implements and maintains the following technical and organisational measures (Article 32 GDPR). The measures described represent the standard configuration; specific measures may be enhanced or substituted with measures of equivalent or better effect.

  • Pseudonymisation and encryption. Encryption in transit using TLS 1.2 or higher. Encryption of secrets at rest using AES-256-GCM with per-purpose keys. Passwords hashed with bcrypt at a cost factor of 12. API keys stored as SHA-256 hashes; revocation is the sole mechanism for invalidation (raw keys cannot be recovered).
  • Confidentiality. Role-based access control on the principle of least privilege. Multi-factor authentication mandatory for operator administrative access. Tenant data partitioned at the database layer using PostgreSQL row-level security policies, preventing cross-tenant reads at the storage layer.
  • Integrity. Append-only audit logs of administrative actions. Code changes subject to version-controlled review prior to deployment. Automatic dependency vulnerability scanning on every release.
  • Availability and resilience. Daily encrypted backups of the application database with 30-day retention; backups stored on object storage segregated from the application data set. Documented restore procedures tested on a regular basis.
  • Process for regularly testing and evaluating the effectiveness of measures (Article 32 (1) (d) GDPR). Annual review of these measures. Annual third-party penetration testing for Enterprise environments.
  • Personnel and contractors. Confidentiality undertakings obtained from all persons authorised to access Personal Data, extending beyond the end of their engagement. Data-protection training provided on onboarding and periodically thereafter.
  • Incident management. Documented procedures for identification, containment, eradication, and recovery from security incidents, including notification procedures consistent with section 12 of this DPA.

Annex III — Sub-processors

The Processor engages the following Sub-processors at the effective date of this DPA. The current list, as updated from time to time, is also published in the Privacy Policy and is accessible on request from the address designated in section 16.

Sub-processor | Processing | Location
Hetzner Online GmbH | Hosting infrastructure: compute, PostgreSQL, object storage. | Federal Republic of Germany (EU)
Stripe Payments Europe, Ltd. | Payment processing, invoicing, collection of billing address and VAT identification number. | Ireland (EU)