1. Definitions
Controller means you (the customer). Processor means Paperloom.io (AiGenixs Labs). Personal Data means any data as defined under GDPR Article 4.
2. Scope and purpose
Paperloom.io processes personal data solely to provide the extraction service as described in the Terms of Service. We will not process personal data for any other purpose without your explicit instruction.
3. Processor obligations
- Process personal data only on documented instructions from the Controller
- Ensure personnel authorised to process data are bound by confidentiality
- Implement appropriate technical and organisational security measures
- Assist the Controller in responding to data subject rights requests
- Delete or return all personal data at the end of the service relationship
4. Sub-processors
Paperloom.io uses the following sub-processors to deliver the service:
- Microsoft Azure — cloud infrastructure, blob storage, OCR, AI extraction (EU region)
- Supabase — authentication and structured data storage (EU region)
- MongoDB Atlas — document workflow state (EU region)
We will notify you at least 30 days before adding new sub-processors that process personal data.
5. International transfers
All processing occurs within the European Economic Area. No personal data is transferred outside the EEA without appropriate safeguards under GDPR Chapter V.
6. Data subject rights
We will assist you in fulfilling data subject requests (access, erasure, portability, restriction) within 72 hours of notification.
7. Audits
Upon written request with 30 days' notice, we will provide documentation or allow an audit to verify compliance with this DPA. Audit costs are borne by the Controller.
8. Signing this DPA
To execute a signed DPA for enterprise contracts, email legal@paperloom.io with your company name and designated Data Protection Officer contact.