Home / Legal / Data Processing Addendum
Legal

Data Processing Addendum

Last updated July 3, 2026 · Hiltos LLC

This Data Processing Addendum (“DPA”) forms part of the Terms of Service between Hiltos LLC (“Processor,” “we”) and a customer (“Controller,” “you”) and applies where we process personal data on your behalf in providing PaperReady. Where terms like “personal data,” “processing,” “controller,” and “processor” are used, they have the meaning given in the GDPR.

1. Scope and roles

You are the controller and we are the processor of the personal data you provide or make available through the Service (“Customer Personal Data”). Because PaperReady is local-first, the contents of labels printed through the ordinary local path stay on your machines and are not processed by us; this DPA principally covers (a) account and workspace data and (b) any personal data contained in payloads you send through the metered cloud API.

2. Processing instructions

We process Customer Personal Data only to provide and support the Service, in accordance with your documented instructions (including these Terms), and as required by law. We will tell you if we believe an instruction violates applicable data-protection law.

3. Confidentiality

We ensure that personnel authorized to process Customer Personal Data are bound by appropriate confidentiality obligations.

4. Security

We implement appropriate technical and organizational measures to protect Customer Personal Data, described in Annex II. For cloud-API payloads, this includes transient handling — the payload is held only to deliver the print job and is deleted once the job settles.

5. Subprocessors

You authorize us to engage the subprocessors listed at our subprocessors page to process Customer Personal Data. We impose data-protection obligations on each subprocessor no less protective than this DPA and remain responsible for their performance. We will give notice of new subprocessors and provide a mechanism to object on reasonable data-protection grounds.

6. Data-subject requests

Taking into account the nature of the processing, we will assist you by appropriate measures, insofar as possible, to respond to requests from data subjects exercising their rights. If we receive such a request directly, we will refer the individual to you unless legally required to respond.

7. Personal-data breaches

We will notify you without undue delay after becoming aware of a personal-data breach affecting Customer Personal Data, and will provide information reasonably available to help you meet your notification obligations.

8. Deletion and return

On termination of the Service, we will delete or return Customer Personal Data in our systems within a commercially reasonable period, except metadata we are permitted or required to retain, and cloud-API payloads (which are already deleted on settlement).

9. Audits

We will make available information reasonably necessary to demonstrate compliance with this DPA and allow for audits, subject to reasonable confidentiality and security limits (including our providing third-party reports where available in lieu of on-site audits).

10. International transfers

Where we transfer Customer Personal Data across borders in a way that requires a transfer mechanism, we rely on an appropriate mechanism such as the Standard Contractual Clauses, which are incorporated by reference where applicable.

11. Liability

Each party’s liability under this DPA is subject to the limitations of liability in the Terms of Service.

Annex I — Details of processing

Annex II — Security measures

Encryption in transit (TLS); loopback TLS for local communication; hashed, single-use sign-in tokens and signed session cookies; least-privilege access controls; encrypted, access-controlled databases; regular backups; transient handling and prompt deletion of cloud-API payloads; and pseudonymous, cookieless website analytics.

Contact

To request a signed copy of this DPA or with questions, contact privacy@paperready.studio.


More policies: Terms of Service · Privacy Policy · Cookie Policy · Print Bridge License · Acceptable Use Policy · Subprocessors · Developer API Terms