Data Processing Addendum
Version 1.0 — 2026-04-17
This DPA forms part of our Terms when you process personal data through SnapPDF on behalf of your own users. Business and Enterprise customers can countersign an executed copy by emailing dpa@snappdf.au.
1. Definitions
Terms not defined here follow GDPR art. 4 / AU Privacy Act definitions. "Customer" is you. "Processor" is us.
2. Roles
You are the Data Controller. We are the Processor. We act only on your documented instructions (the API calls you make).
3. Confidentiality
Our staff with data access are bound by confidentiality obligations that survive employment.
4. Security measures
- TLS 1.3 in transit, AES-256 at rest for async artifacts.
- API keys stored as bcrypt hashes, never in plaintext.
- Webhook payloads signed with HMAC-SHA256.
- Quarterly penetration tests; findings tracked to closure.
- Least-privilege access controls; MFA required for all staff.
- 90-day log retention for security monitoring.
5. Sub-processors
Current list: Vercel, Supabase, Stripe, AWS, Resend. New sub-processors get 30 days' notice; you can object in writing. See Privacy Policy for locations.
6. International transfers
Transfers rely on Standard Contractual Clauses (EU) and Australian APPs. Data residency: US, EU, or AU region pinned to your account on Business+.
7. Data subject rights
We'll assist you in responding to data subject access / erasure / portability requests within 10 business days of your notice.
8. Audits
Once per year (and in response to a documented incident), you can audit our SOC 2 reports, policies, and compensating controls. On-site audits require 30 days' notice.
9. Incident response
We'll notify you within 72 hours of becoming aware of a personal-data breach that affects you. Notifications include the nature of the breach, the affected data categories, the likely consequences, and our response.
10. Deletion on termination
On termination, we delete or return all your personal data within 30 days, unless retention is required by law.