Data Processing Addendum
Last updated July 3, 2026 · Hiltos LLC
This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Hiltos LLC (“Processor,” “we”) and a customer (“Controller,” “you”) and applies where we process personal data on your behalf in providing PaperReady. Where terms like “personal data,” “processing,” “controller,” and “processor” are used, they have the meaning given in the GDPR.
1. Scope and roles
You are the controller and we are the processor of the personal data you provide or make available through the Service (“Customer Personal Data”). Because PaperReady is local-first, the contents of labels printed through the ordinary local path stay on your machines and are not processed by us; this DPA principally covers (a) account and workspace data and (b) any personal data contained in payloads you send through the metered cloud API.
2. Processing instructions
We process Customer Personal Data only to provide and support the Service, in accordance with your documented instructions (including these Terms), and as required by law. We will tell you if we believe an instruction violates applicable data-protection law.
3. Confidentiality
We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.
4. Security
We implement appropriate technical and organizational measures to protect Customer Personal Data, described in Annex II. For cloud-API payloads, this includes transient handling — the payload is held only to deliver the print job and is deleted once the job settles.
5. Subprocessors
You authorize us to engage the subprocessors listed at our subprocessors page to process Customer Personal Data. We impose data-protection obligations on each subprocessor no less protective than this DPA and remain responsible for their performance. We will give notice of new subprocessors and provide a mechanism to object on reasonable data-protection grounds.
6. Data-subject requests
Taking into account the nature of the processing, we will assist you by appropriate measures, insofar as possible, to respond to requests from data subjects exercising their rights. If we receive such a request directly, we will refer the individual to you unless legally required to respond.
7. Personal-data breaches
We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and will provide information reasonably available to help you meet your notification obligations.
8. Deletion and return
On termination of the Service, we will delete or return Customer Personal Data in our systems within a commercially reasonable period, except metadata we are permitted or required to retain, and cloud-API payloads (which are already deleted on settlement).
9. Audits
We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits, subject to reasonable confidentiality and security limits (including our providing third-party reports where available in lieu of on-site audits).
10. International transfers
Where we transfer Customer Personal Data across borders in a way that requires a transfer mechanism, we rely on an appropriate mechanism such as the Standard Contractual Clauses, which are incorporated by reference where applicable.
11. Liability
Each party’s liability under this DPA is subject to the limitations of liability in the Terms of Service.
Annex I — Details of processing
- Subject matter: provision of the PaperReady label-printing Service.
- Duration: for the term of the Service.
- Nature and purpose: authentication, account and device management, and (for the cloud API) transient transmission of print payloads to a target workstation.
- Categories of data subjects: your authorized users; and, for cloud-API payloads, the individuals whose details you include on labels (e.g., recipients).
- Categories of personal data: email addresses and account identifiers; and, for cloud-API payloads, whatever personal data you choose to include on a label (e.g., name and postal address).
Annex II — Security measures
Encryption in transit (TLS); loopback TLS for local communication; hashed, single-use sign-in tokens and signed session cookies; least-privilege access controls; encrypted, access-controlled databases; regular backups; transient handling and prompt deletion of cloud-API payloads; and pseudonymous, cookieless website analytics.
Contact
To request a signed copy of this DPA or with questions, contact privacy@paperready.studio.
More policies: Terms of Service · Privacy Policy · Cookie Policy · Print Bridge License · Acceptable Use Policy · Subprocessors · Developer API Terms