
Data Processing Agreement (DPA)

This Data Processing Agreement ("DPA") forms part of the agreement between PDFBolt (the "Processor") and the Customer (the "Controller") for the provision of PDFBolt services (the "Services") as described in the PDFBolt Terms of Service.


1. Definitions

For the purposes of this DPA:

  • "Agreement" means the PDFBolt Terms of Service or the main agreement between the parties governing the provision of the Services.

  • "Controller" means the entity that determines the purposes and means of processing Customer Personal Data, as identified in the Agreement.

  • "Customer Personal Data" means the subset of Personal Data that PDFBolt processes on behalf of the Controller as a processor under this DPA.

  • "Data Protection Laws" means all applicable laws and regulations relating to privacy and data protection, including where applicable the General Data Protection Regulation (EU) 2016/679 ("GDPR"), the California Consumer Privacy Act ("CCPA"), and successor or implementing legislation.

  • "Data Subject" means an identified or identifiable natural person whose Personal Data is processed.

  • "Personal Data" means any information relating to an identified or identifiable natural person.

  • "Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Customer Personal Data.

  • "Processing" has the meaning given in applicable Data Protection Laws and includes any operation performed on Customer Personal Data.

  • "Processor" means Michał Szymanowski PDFBolt, a business entity registered in Poland (VAT EU: PL8121921097), with its address at Przedpole 9/73, 02-241 Warsaw, Poland.

  • "Sensitive Personal Data" means special categories of Personal Data under the GDPR, sensitive personal information under California privacy laws, or equivalent sensitive data under applicable Data Protection Laws.

  • "Services" means the PDF generation services provided through the PDFBolt API and Dashboard, including conversion of HTML content, URLs, and template-based documents, generated PDF delivery, default temporary PDF storage, request logging, Dashboard template functionality, and optional AI template features.

  • "Subprocessor" means any third party engaged by the Processor to process Customer Personal Data on behalf of the Controller.

2. Scope and Application

2.1 Relationship of the Parties

With respect to Customer Personal Data processed under this DPA, the Controller acts as the data controller and PDFBolt acts as the data processor under applicable Data Protection Laws.

2.2 Scope of This DPA

This DPA applies to Customer Personal Data that PDFBolt processes on behalf of the Controller as a processor when providing the PDF generation API, Dashboard template functionality, generated PDF delivery, default temporary PDF storage, request logging, and optional AI template features used by the Controller.

PDFBolt processes account data, limited billing metadata, website and analytics data, support communications, security data, and service operations data as a controller, as described in the Privacy Policy, unless the parties expressly agree otherwise or the Controller provides Customer Personal Data to PDFBolt for support in relation to the Services.

2.3 DPA Precedence

This DPA supplements and forms an integral part of the Agreement. In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Personal Data.

3. Details of Processing

3.1 Subject Matter and Duration

The subject matter and duration of the processing are determined by the Agreement and the Controller's use of the Services for the term of the Agreement.

3.2 Nature and Purpose of Processing

PDFBolt processes Customer Personal Data for the following purposes:

  • Generating PDF documents from HTML content, URLs, templates, template data, and related request parameters.
  • Delivering generated PDFs to the Controller through the selected conversion flow.
  • Providing default temporary PDF storage for sync and async conversions.
  • Processing API requests and maintaining request logs for troubleshooting, security, usage analysis, and service operation.
  • Providing Dashboard template functionality, including saved templates, sample data, template settings, drafts, and versions.
  • Providing optional AI template features when used by the Controller.
  • Providing support where the Controller submits Customer Personal Data for troubleshooting or assistance.
  • Securing, maintaining, and improving the Services.

3.3 Categories of Data Subjects

Customer Personal Data processed under this DPA may relate to:

  • End users of services provided by the Controller.
  • Customers, clients, employees, contractors, or representatives of the Controller.
  • Authorized users of the Controller's PDFBolt workspace.
  • Any other individuals whose Personal Data is included in content submitted to the Services by or on behalf of the Controller.

3.4 Types of Customer Personal Data

Customer Personal Data may include personal data contained in content submitted for PDF generation, including HTML, URLs, fetched webpage content, template data, request parameters, generated PDFs, saved templates, sample data, template settings, optional AI prompts and outputs, optional reference files, and support materials submitted by the Controller.

PDFBolt does not determine which types of Customer Personal Data are submitted to the Services. The Controller is responsible for determining whether its use of the Services is lawful and appropriate for the data it submits.

4. Controller Obligations

The Controller warrants and undertakes that:

4.1 Lawful Basis

The Controller has established a lawful basis for processing Customer Personal Data where required under applicable Data Protection Laws and has obtained all necessary notices, consents, permissions, and authorizations required for such processing.

4.2 Instructions to Processor

All instructions provided to PDFBolt regarding the processing of Customer Personal Data shall be documented and shall comply with applicable Data Protection Laws. The Agreement, this DPA, and the Controller's use and configuration of the Services constitute documented instructions to PDFBolt.

4.3 Data Minimization

The Controller shall submit to the Services only Customer Personal Data that is necessary for the Controller's legitimate purposes. The Controller shall not submit Sensitive Personal Data unless it is necessary, legally authorized, and appropriate for the Controller's use of the Services.

4.4 Transparency

The Controller shall provide appropriate notices to Data Subjects regarding the processing of their Personal Data, including, where required, disclosure of PDFBolt's involvement as a processor and the general location of processing.

4.5 Compliance Responsibility

The Controller is responsible for determining whether its use of the Services is lawful, for providing required notices to Data Subjects, for establishing a lawful basis for processing, and for ensuring that its instructions to PDFBolt comply with Data Protection Laws. PDFBolt remains responsible for its obligations as Processor under this DPA and applicable Data Protection Laws.

4.6 Accuracy of Data

The Controller is responsible for ensuring that Customer Personal Data provided to PDFBolt is accurate, complete, and up to date where required for the Controller's use of the Services.

5. Processor Obligations

5.1 Compliance with Instructions

PDFBolt shall process Customer Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. PDFBolt shall inform the Controller if it believes an instruction violates applicable Data Protection Laws, unless prohibited by law.

5.2 Confidentiality

PDFBolt shall ensure that persons authorized to process Customer Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.3 Security Measures

PDFBolt implements and maintains appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized access, accidental loss, and unlawful processing, taking into account the nature of the Services and the risks of processing. These measures may include:

  • HTTPS/TLS for API, Dashboard, PDF retrieval, webhooks, and storage uploads.
  • Provider-managed encryption at rest where supported by infrastructure and storage providers.
  • Access controls and least-privilege access for production systems.
  • Authentication and API key controls.
  • Request parameter redaction controls.
  • Default temporary PDF storage expiration for sync and async conversions.
  • Logging and monitoring for service reliability and security.
  • Backups and restoration procedures where applicable.
  • Incident response and breach notification procedures.
  • Subprocessor due diligence and contractual data protection obligations.

5.4 Customer Content and Request Logs

Customer content submitted for PDF generation is processed to provide the requested conversion. PDFBolt retains API request logs for troubleshooting, security, usage analysis, and service operation. The html and templateData fields are always redacted from stored request logs after processing is complete. The Controller can configure additional request fields for redaction in its privacy settings.

5.5 Data Subject Rights

PDFBolt shall, to the extent legally permitted and taking into account the nature of the processing, assist the Controller by implementing appropriate technical and organizational measures to help the Controller respond to requests from Data Subjects exercising their rights under Data Protection Laws.

5.6 Personal Data Breach Notification

Upon becoming aware of a Personal Data Breach affecting Customer Personal Data processed under this DPA, PDFBolt will notify the Controller without undue delay and, where feasible, within 72 hours. PDFBolt will provide information reasonably available to help the Controller meet its breach notification obligations.

PDFBolt will take reasonable measures to investigate, contain, and mitigate the breach where it is within PDFBolt's control.

5.7 Data Retention and Deletion

PDFs stored in PDFBolt's default temporary storage for sync and async conversions expire after 24 hours. PDFs returned through the direct endpoint are returned in the API response instead of being stored by PDFBolt for later retrieval. PDFs uploaded to the Controller's custom S3-compatible bucket are retained according to the Controller's bucket settings.

Request logs are retained only as reasonably necessary for troubleshooting, security, usage analysis, and service operation, subject to the redaction controls described in this DPA.

6. Location of Processing and International Transfers

PDFBolt's PDF generation infrastructure and default temporary PDF storage are hosted in the European Union. Core conversion infrastructure uses Hetzner infrastructure in Germany (Nuremberg and Falkenstein). Default temporary PDF storage uses a Cloudflare R2 bucket configured with EU jurisdiction.

Some Subprocessors used for authentication, security, support, error monitoring, and optional AI features may process Customer Personal Data outside the EEA. Where required, PDFBolt relies on Standard Contractual Clauses, adequacy decisions, or other appropriate transfer safeguards.

7. Subprocessors

7.1 Authorized Subprocessors

The Controller grants PDFBolt general authorization to engage the following Subprocessors for Customer Personal Data processed under this DPA:

| Subprocessor | Service / purpose | Location / transfer notes |
| --- | --- | --- |
| Hetzner Online GmbH | Hosting and conversion infrastructure | Germany (Nuremberg and Falkenstein) |
| Cloudflare, Inc. / Cloudflare R2 | Default temporary object storage and infrastructure support | European Union (R2 EU jurisdiction bucket); appropriate safeguards where required |
| Google / Firebase | Authentication for Dashboard/API access and related security where applicable | May process outside the EEA with appropriate safeguards where required |
| Google / reCAPTCHA | Abuse prevention and security checks where used in flows covered by this DPA | May process outside the EEA with appropriate safeguards where required |
| Sentry (Functional Software, Inc. d/b/a Sentry) | Error monitoring and technical troubleshooting | May process outside the EEA with appropriate safeguards where required |
| Crisp IM SAS | Support communications involving Customer Personal Data | EU/EEA; may process outside the EEA with appropriate safeguards where required |
| Anthropic PBC / applicable Anthropic contracting entity | Optional AI template generation | May process outside the EEA with appropriate safeguards where required |
| OpenAI Ireland Ltd / OpenAI OpCo, LLC, as applicable | Safety and abuse prevention for optional AI features | May process outside the EEA with appropriate safeguards where required |
| Pexels / Canva Germany GmbH | Optional stock image search for AI template features | EU/EEA; may process outside the EEA with appropriate safeguards where required |

7.2 Subprocessor Obligations

PDFBolt shall enter into written agreements with Subprocessors that impose data protection obligations designed to protect Customer Personal Data in a manner consistent with this DPA. PDFBolt remains responsible to the Controller for the performance of its Subprocessors' obligations with respect to Customer Personal Data.

7.3 Subprocessor Changes

PDFBolt will maintain an up-to-date list of Subprocessors in this DPA or on PDFBolt's website. PDFBolt will provide reasonable notice of any intended addition or replacement of a Subprocessor, for example by updating the Subprocessor list or by email where the change is material.

The Controller may object to a Subprocessor change on reasonable data protection grounds by contacting PDFBolt during the notice period. If the parties cannot resolve the objection, the Controller may stop using the affected Services. Where a change is required for security, service continuity, or legal compliance, PDFBolt may make the change sooner and provide notice as soon as reasonably practicable.

8. Audit Rights

PDFBolt will make available information reasonably necessary to demonstrate compliance with this DPA and Article 28 GDPR. Audits must be conducted on reasonable prior notice, during normal business hours, subject to confidentiality, and in a manner that does not unreasonably disrupt the Services or compromise the security or confidentiality of PDFBolt or other customers.

PDFBolt may satisfy audit requests by providing relevant documentation, security summaries, policies, or written responses, where appropriate.

9. DPIA and Prior Consultation

Upon the Controller's written request, PDFBolt shall provide reasonable cooperation and assistance, taking into account the nature of the processing and the information available to PDFBolt, to help the Controller comply with obligations concerning Data Protection Impact Assessments and prior consultation with supervisory authorities where required by applicable Data Protection Laws.

10. Records and Cooperation

10.1 Processing Records

PDFBolt shall maintain records of processing activities carried out on behalf of the Controller as required by applicable Data Protection Laws.

10.2 Cooperation with Authorities

PDFBolt shall cooperate with supervisory authorities in the performance of their tasks relating to this DPA where required by applicable Data Protection Laws.

11. Term and Termination

11.1 Duration

This DPA takes effect on the date of the Agreement and continues for the duration of the Agreement and any renewal periods.

11.2 Survival

The provisions of this DPA that by their nature should survive termination shall survive, including obligations relating to confidentiality, deletion or return of Customer Personal Data, audit support, and liability.

11.3 Effect of Termination

Upon termination or expiry of the Agreement, PDFBolt will, at the Controller's choice and taking into account the nature of the Services, delete or return Customer Personal Data processed under this DPA, unless applicable law requires continued retention.

PDFBolt may retain copies in backups or logs for a limited period where deletion is technically impracticable, provided the data remains protected and is not used for any other purpose until deleted in accordance with PDFBolt's retention practices.

12. General Provisions

12.1 Amendments

PDFBolt may amend this DPA as necessary to comply with changes in Data Protection Laws or the Services, provided that such amendments do not materially reduce the level of protection for Customer Personal Data. PDFBolt shall provide reasonable notice of material amendments.

12.2 Severability

If any provision of this DPA is held to be invalid or unenforceable, the remaining provisions shall remain in full force and effect. The parties shall negotiate in good faith to replace any invalid provision with a valid provision that achieves the original intent.

12.3 Conflict

In the event of any conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Customer Personal Data.

12.4 Governing Law

This DPA shall be governed by and construed in accordance with the laws governing the Agreement.

12.5 Notices

All notices under this DPA shall be delivered to the addresses specified in the Agreement or as otherwise notified by either party. Notices regarding privacy or data protection matters may also be sent to contact@pdfbolt.com.

12.6 California Privacy Laws

Where California privacy laws apply, PDFBolt acts as a service provider or contractor for Customer Personal Information processed under this DPA. For this section, Customer Personal Information means Customer Personal Data that is personal information under applicable California privacy laws. PDFBolt will not sell or share Customer Personal Information, retain, use, or disclose it outside the business purposes of providing, securing, supporting, and improving the Services, or combine it with personal information from other sources except as permitted by applicable law.

13. Contact Information

For questions or concerns regarding this DPA or data protection matters, contact PDFBolt at contact@pdfbolt.com.

PDFBolt
Michał Szymanowski PDFBolt
VAT EU: PL8121921097
Address: Przedpole 9/73, 02-241 Warsaw, Poland


By using the Services to process Customer Personal Data, the Controller acknowledges and agrees that this DPA applies to that processing and confirms that it has authority to bind its organization.



Last updated: May 7, 2026