Data Processing Agreement (DPA)

Last updated: 2026-06-27

This Data Processing Agreement (“DPA”) describes how PATEON Network Technology Inc. (“PATEON”, “we”) processes personal data on a customer’s behalf under EU General Data Protection Regulation (GDPR) Article 28 and equivalent laws. It is a grounded draft pending review by counsel and is not legal advice.

When this DPA applies. It applies only where PATEON acts as a processor of your personal data — that is, for any hosted or managed NextPDF service in which we process data you control.

When it does not. NextPDF Core, Connect, Pro, and Enterprise are self-hosted software that runs on your infrastructure. For self-hosted use, you are the sole controller, PATEON does not process your end-users’ personal data, and this DPA is not engaged. Browsing this marketing Site is covered by the Privacy Policy, not by a controller–processor relationship.

1. Roles and scope

For an in-scope hosted service, you (the customer) are the controller (or processor for your own customers) and PATEON is the processor (or sub-processor). PATEON processes personal data only to provide the agreed service and only on your documented instructions, including as set out in the order and this DPA.

2. Subject-matter and details of processing

  • Subject-matter: provision of the contracted hosted NextPDF service.
  • Duration: the term of the service agreement, plus the deletion window in §8.
  • Nature and purpose: document generation, conversion, signing, validation, and related processing performed by the service at your instruction.
  • Categories of data: the personal data contained in the documents and inputs you submit, plus service operational metadata (account, authentication, and log data).
  • Categories of data subjects: your users and the individuals referenced in your documents.

PATEON does not determine the purposes of processing your content and does not use your content for its own purposes, including model training.

3. Processor obligations

PATEON shall: (a) process personal data only on your documented instructions; (b) ensure persons authorized to process it are bound by confidentiality; (c) implement appropriate technical and organizational measures under GDPR Article 32 (see §4); (d) respect the sub-processor conditions in §5; (e) assist you, taking account of the nature of processing, with data-subject requests and with your obligations under Articles 32–36; (f) at your choice, delete or return personal data as in §8; and (g) make available information necessary to demonstrate compliance and allow for audits under §7.

4. Security

PATEON operates an information-security management system that is independently certified to ISO/IEC 27001:2022 (certificate QCC/B86F/1224), and maintains technical and organizational measures appropriate to the risk, including encryption in transit, access control on a need-to-know basis, logging, and resilience and recovery practices. We will notify you without undue delay after becoming aware of a personal-data breach affecting your data and provide the information you need to meet your own notification duties.

5. Sub-processors

You provide general authorization for PATEON to engage sub-processors to deliver the service. Each sub-processor is bound by data-protection obligations no less protective than this DPA. We maintain a current list of sub-processors and will give prior notice of any intended addition or replacement, giving you a reasonable opportunity to object on reasonable data-protection grounds.

Sub-processor | Role | Region
Cloudflare, Inc. | Hosting, CDN, security, edge delivery | United States / global edge
Resend | Transactional email delivery | United States

(The marketing Site additionally uses GitHub for source hosting and CI build. Sub-processors for any specific hosted product are listed in that product’s order documentation.)

6. International transfers

Where providing the service involves transferring personal data outside the EU/EEA, UK, or your jurisdiction, such transfers rely on an appropriate safeguard — the EU Standard Contractual Clauses (2021), Modules 2 and 3, and/or the EU–US Data Privacy Framework where applicable — supported by a transfer-impact assessment. The SCCs are incorporated by reference for in-scope transfers.

7. Audits

PATEON will make available the information necessary to demonstrate compliance with Article 28 and allow for and contribute to audits, including inspections, conducted by you or a mandated auditor bound by confidentiality, on reasonable prior notice, no more than once per year (or following a substantiated incident), and limited to what is necessary to verify compliance.

8. Return and deletion

On termination of the in-scope service, PATEON will, at your choice, delete or return the personal data and delete existing copies within a defined window, unless retention is required by law.

9. Liability and precedence

Liability under this DPA is subject to the limitations in the applicable service agreement and the NextPDF Commercial License. In case of conflict on data-protection matters, this DPA prevails over the service agreement to the extent of the conflict.

10. Governing law

This DPA is governed by the laws of Taiwan (R.O.C.), with the Taipei District Court (臺灣臺北地方法院) as the forum, without prejudice to mandatory data-protection rights and supervisory-authority competence under applicable law.

Contact

Data-protection contact: [email protected]. To request an executed DPA for an in-scope hosted service, contact [email protected].