Data Processing Agreement (DPA)

Last Updated: December 17, 2025

Note to Business Customers: This Agreement applies automatically to any Business User utilizing the PostService.io API to process personal data of third parties (e.g., sending invoices to your clients). You are the "Controller" and we are the "Processor".

This Data Processing Agreement ("DPA") is entered into between PostService HQ (Varna, Bulgaria), hereinafter referred to as the "Processor", and the Business User of the PostService.io API, hereinafter referred to as the "Controller".

1. Definitions

  • "GDPR" means Regulation (EU) 2016/679 (General Data Protection Regulation).
  • "Personal Data" means any information relating to an identified or identifiable natural person (e.g., names and addresses on envelopes).
  • "Services" means the printing, enveloping, and dispatching services provided by the Processor via API or Web App.

2. Scope and Purpose of Processing

The Processor will process Personal Data solely for the purpose of providing the Services defined in the Terms of Service. This includes:

  • Receiving PDF files or text content via API.
  • Printing content onto physical paper.
  • Printing recipient addresses onto envelopes.
  • Handing over sealed envelopes to postal carriers.

Duration: Processing is transient. Personal Data (Content) is stored only until the physical dispatch is confirmed, up to a maximum of 24 hours.

3. Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure the security of the data, including:

  • Encryption: All data in transit is encrypted via TLS 1.2/1.3 (HTTPS).
  • Access Control: Print nodes are secured via VPN and restricted to authorized personnel only.
  • Data Minimization: Automated scripts permanently delete (shred) digital files from print servers 24 hours after processing.
  • Physical Security: Sub-processors operate in secure facilities with restricted physical access.

4. Sub-Processors

The Controller authorizes the Processor to engage specific Sub-processors to fulfill the printing and mailing tasks. Current Sub-processors include:

Role Location Function
Print Node BG Varna, Bulgaria (EU) Eco Saver Printing
Print Node UK London, UK (Non-EU) Express Local UK
Print Node FI Helsinki, Finland (EU) Express Local Nordics
Print Node TR Istanbul, Turkey (Non-EU) Express Local Turkey
Cloud Provider EU Region (Google Cloud) API Hosting & Storage

5. Data Breach Notification

In the event of a Personal Data Breach (e.g., unauthorized access to the API or physical loss of mail before dispatch), the Processor shall notify the Controller without undue delay, and in any event within 48 hours of becoming aware of the breach.

6. Audit Rights

Upon reasonable request and typically no more than once per year, the Controller may audit the Processor’s compliance with this DPA. Such audits shall be conducted at the Controller’s expense and subject to strict confidentiality obligations.

7. International Transfers

For data transferred to Sub-processors outside the EEA (UK, Turkey), the Processor relies on standard contractual clauses (SCCs) or the specific derogations under Article 49 GDPR (performance of a contract), as the transfer is necessary to deliver the mail to the requested destination.

To sign a hard copy of this DPA, please contact legal@postservice.io.