Data Processing Addendum
Version 1.0 · Last updated: May 1, 2026
This Data Processing Addendum (the "DPA") is entered into between PaperNudge (the "Processor"), a software service operated at papernudge.com, and the customer firm executing this DPA in connection with its use of the PaperNudge service (the "Controller" or "Customer"). It forms part of and is incorporated by reference into the Terms of Service (the "Master Agreement"). In the event of any conflict between this DPA and the Master Agreement on the subject of personal data processing, this DPA controls.
1. Definitions
Personal Data means any information relating to an identified or identifiable natural person that is processed by Processor on behalf of Controller, including client names, email addresses, telephone numbers, and the contents of documents uploaded by clients (W-2s, 1099 forms, bank statements, prior-year tax returns, government identification, and similar tax-related documents).
Sub-processor means any third party engaged by Processor to process Personal Data on behalf of Controller, as listed in Schedule B below.
Applicable Data Protection Laws means the Gramm-Leach-Bliley Act and FTC Safeguards Rule (16 C.F.R. Part 314), the California Consumer Privacy Act as amended by the CPRA, the EU GDPR (where applicable), Internal Revenue Code §7216 (where applicable), and any other US state or federal privacy law of the State in which the Controller is located.
2. Roles and Scope
Controller determines the purposes and means of Processing Personal Data and is the "controller," "business," or equivalent under Applicable Data Protection Laws. Processor processes Personal Data on Controller's behalf as a "processor," "service provider," or equivalent.
Processor will Process Personal Data only (a) to provide the Service in accordance with the Master Agreement, (b) on documented instructions from Controller (including the configuration of the Service through Controller's account), and (c) as necessary to comply with applicable law, in which case Processor will inform Controller of that legal requirement before Processing unless prohibited by law.
Processor will not (a) sell or share Personal Data within the meaning of the CCPA, (b) retain, use, or disclose Personal Data outside of the direct business relationship between Controller and Processor, (c) combine Personal Data received from Controller with Personal Data Processor receives from any other source (except as specifically permitted by CCPA Regulations), or (d) use Personal Data to train, improve, or fine-tune any artificial intelligence or machine learning model owned or operated by Processor or any Sub-processor.
3. Sub-processors
Controller authorizes Processor to engage the Sub-processors listed in Schedule B below to Process Personal Data. Processor will impose data protection obligations on each Sub-processor that are no less protective than those in this DPA and remains liable to Controller for the acts and omissions of its Sub-processors.
The AI Sub-processor (currently Anthropic, PBC) is engaged solely to classify uploaded documents into category labels (W-2, 1099 variants, bank statement, etc.). Personal Data sent to the AI Sub-processor is transmitted over TLS-encrypted connections, is not retained by the AI Sub-processor beyond the brief processing window, and is not used by the AI Sub-processor to train its models, in accordance with the AI Sub-processor's published commercial API terms.
Processor will provide Controller with at least 30 days' prior written notice before adding or replacing any Sub-processor. Controller may object on reasonable, documented data protection grounds within 14 days; if the parties cannot resolve the objection in good faith, Controller may terminate the affected processing without penalty.
4. Security Measures
Processor maintains a written information security program designed to protect the confidentiality, integrity, and availability of Personal Data in accordance with the GLBA Safeguards Rule. Personal Data is encrypted at rest in object storage (AES-256) and in transit (TLS 1.2 or higher). Database tables enforce row-level security so that one Customer's data cannot be read by another Customer. Public-facing client upload links use unguessable UUID v4 tokens with default 90-day expiry. The object storage bucket holding uploaded documents is private; downloads occur via short-lived signed URLs.
5. Security Incident Notification
Upon becoming aware of a Security Incident, Processor will notify Controller without undue delay and in no event later than 72 hours after Processor's confirmation of the incident. Notification will include the nature of the incident, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and measures taken or proposed to address it. Processor will reasonably cooperate with Controller's investigation.
6. Data Subject Rights
Processor will, taking into account the nature of the Processing, provide reasonable assistance to Controller to fulfill its obligations to respond to Data Subject requests under Applicable Data Protection Laws (access, correction, deletion, portability, restriction, objection). If Processor receives a request directly from a Data Subject, Processor will forward the request to Controller without undue delay and will not respond to the Data Subject except to confirm receipt.
7. Data Deletion and Return on Termination
Upon termination of the Master Agreement or upon Controller's written request, Processor will, at Controller's choice, return all Personal Data to Controller or delete it and certify deletion in writing. When Controller initiates account deletion through the Service interface, Processor will cancel the Stripe subscription, delete all documents from object storage, delete all database records via cascading deletion, delete the authentication user, and confirm completion.
8. Audit Rights
Processor will make available to Controller information reasonably necessary to demonstrate compliance with this DPA, including third-party audit reports of its hosting and processing infrastructure (e.g., SOC 2 Type II reports of Vercel and Supabase). Controller may, no more than once per twelve-month period and upon at least thirty days' prior written notice, conduct a reasonable audit, subject to mutually agreed confidentiality, security, and scheduling protections.
9. International Transfers
Processor and its Sub-processors process Personal Data primarily in the United States. Where Personal Data is transferred outside the European Economic Area, the United Kingdom, or any other jurisdiction with cross-border restrictions, the parties will rely on an applicable adequacy decision, the Standard Contractual Clauses (Module 2: Controller-to-Processor) approved by the European Commission, or another lawful transfer mechanism.
10. CCPA-Specific Terms
For Personal Data subject to the CCPA, Processor is a "service provider" as defined in CCPA §1798.140(ag). Processor will not sell or share Personal Data, retain or use Personal Data for any purpose other than the specific business purposes described in this DPA, retain or disclose Personal Data outside the direct business relationship between the parties, or combine Personal Data with personal information from other sources except as permitted by CCPA Regulations. Processor certifies that it understands and will comply with these restrictions.
11. GLBA-Specific Terms
For Personal Data subject to GLBA, Controller is a "financial institution" within the meaning of 16 C.F.R. §314.2(h), and Personal Data includes "customer information" within the meaning of 16 C.F.R. §314.2(d). Processor will implement and maintain the safeguards described in Section 4, which Processor represents are appropriate to the size and complexity of its operations and the nature of its activities, in accordance with 16 C.F.R. §314.4.
12. IRC §7216 — Tax Return Preparer Disclosures
Where Controller is a tax return preparer within the meaning of IRC §7216, Controller acknowledges that (a) certain "tax return information" may be processed through the Service, (b) Treasury Regulation §301.7216-3 imposes specific written-consent requirements on Controller before such tax return information may be disclosed to Processor and the AI Sub-processor for purposes other than tax return preparation, and (c) it is the Controller's responsibility, not Processor's, to obtain compliant §7216 consents from each Data Subject before uploading that Data Subject's tax return information to the Service. Processor may provide a templated consent form as a courtesy but makes no representation that the templated form satisfies the regulation as applied to Controller's specific circumstances.
13. Liability
This DPA is subject to and incorporates the limitations of liability set forth in the Master Agreement.
14. Term and Termination
This DPA is effective as of the date Controller accepts it (typically at signup) and continues for the term of the Master Agreement. Termination of the Master Agreement automatically terminates this DPA, except for those provisions that by their nature should survive termination (including Sections 5, 7, 8, and 13).
15. Modifications and Re-acceptance
Processor may unilaterally update Schedule B (Sub-processors) and Schedule C (Security Measures) by following the notice procedures in Section 3. For other material modifications to this DPA, Processor will notify Controller and request re-acceptance. Continued use of the Service after notification constitutes acceptance of the updated DPA, subject to Controller's right to terminate without penalty if it does not agree to the changes.
Schedule A — Description of Processing
- Subject matter: SaaS to automate document collection from Controller's clients, including AI-assisted document classification.
- Duration: The duration of the Master Agreement, plus any post-termination retention period.
- Nature and purpose: Receive uploaded documents from Controller's clients via a secure portal; classify each document into category labels using the AI Sub-processor; match each document to Controller's checklist; send transactional follow-up emails on Controller's behalf; display documents and metadata to Controller through a web dashboard.
- Data Subjects: Controller's principals and employees; Controller's clients (typically individual taxpayers and small business owners) and their representatives.
- Categories of Personal Data: Names, email addresses, optional telephone numbers, document filenames, and the contents of uploaded tax-related documents (which may include Social Security numbers, taxpayer identification numbers, financial account numbers, employer identification numbers, wage and income figures, and similar information).
Schedule B — Authorized Sub-processors
As of the version date of this DPA:
| Sub-processor | Purpose | Location |
|---|---|---|
| Anthropic, PBC | Document classification via the Claude API | United States |
| Supabase, Inc. | Database, object storage, authentication | United States |
| Vercel, Inc. | Application hosting, serverless functions | United States |
| Stripe, Inc. | Payment processing (billing data only; does not receive Data Subject documents) | United States |
| Resend | Outbound transactional email (does not receive uploaded documents) | United States |
If Processor adds, replaces, or removes any Sub-processor, this Schedule will be updated and Controller will be notified in accordance with Section 3.
Schedule C — Technical and Organizational Security Measures
Processor maintains, and will not materially diminish during the term of the Master Agreement, the following security measures:
- Encryption: AES-256 at rest, TLS 1.2+ in transit, bcrypt-hashed authentication passwords.
- Access controls: Database row-level security per Customer; UUID v4 upload tokens with expiry; signed-URL document downloads; cron endpoints require shared-secret authorization.
- Operational security: Rate limits on classification and signed-URL endpoints; file type and size validation at client and server; sanitized filenames; parameterized SQL queries; HMAC-verified webhooks.
- Audit logging: Administrative events and webhook idempotency keys logged for at least 90 days.
- Backup: Continuous database backups via the Sub-processor; object storage redundancy via the underlying provider.
- Personnel: Production access restricted to authorized personnel under written confidentiality obligations.
- Incident response: Documented detect-contain-eradicate-recover-review process; Customer notification per Section 5.
- Vendor management: Sub-processors selected based on security posture, compliance certifications, and contractual data-protection commitments; reviewed at least annually.
Acceptance
By signing up for and using the PaperNudge Service, the Controller (the customer firm) accepts and agrees to be bound by this DPA. Acceptance is recorded electronically with the version number, timestamp, IP address, and browser User-Agent at the time of signup, and is available to the Controller upon request.
Contact
For questions about this DPA, sub-processor changes, or to request a signed counterpart, contact us at hello@papernudge.com.