
Data Processing Agreement

For API customers processing personal data under GDPR and equivalent regulations

Effective date: April 27, 2026 — Version 1.0

This Data Processing Agreement (“DPA”) governs the processing of personal data by TMI Iurii Rogulia as a processor on behalf of customers who use the HTPBE API to analyze PDF documents (“Controller”). It supplements the Terms and Conditions available at htpbe.tech/legal and takes effect when the Controller submits the first API request after this DPA has been published.

This DPA applies to API customers only. Users of the free web interface at htpbe.tech are data subjects under the Privacy Policy; the controller–processor relationship described here does not apply to them.

Enterprise customers who require a countersigned DPA or custom contractual terms may contact [email protected].

1. Definitions

“Controller”
The API customer (legal entity or individual) that determines the purposes and means of processing personal data and submits PDF documents or URLs to the Service for analysis.
“Processor”
TMI Iurii Rogulia, VAT ID FI29845875, Vanhanpellonaktu 5, 53850 Lappeenranta, Finland, operating as HTPBE.
“Personal Data”
Any information relating to an identified or identifiable natural person that may be present in the PDF documents submitted for analysis or extracted from those documents as metadata (e.g., author name, email address embedded in document properties).
“Service”
The PDF authenticity checking API provided at api.htpbe.tech/v1.
“Subprocessor”
Any third party engaged by the Processor to carry out processing activities on behalf of the Controller. The current list is maintained at htpbe.tech/legal/subprocessors.

2. Subject Matter and Nature of Processing

The Processor provides automated structural analysis of PDF documents to detect potential post-creation modifications or tampering. Processing is limited to the following activities:

  • Fetching or receiving the PDF document for in-memory analysis
  • Extracting structural metadata: information dictionary fields (author, creator, producer, creation date, modification date, title), cross-reference table structure, object counts, digital signature presence, and related structural indicators
  • Computing an authenticity verdict (INTACT / MODIFIED / INCONCLUSIVE)
  • Persisting the extracted metadata fields and verdict linked to the API key

Two processing modes

Mode A — URL-based (standard API mode)

The Controller provides an HTTPS URL to a PDF file hosted on their own infrastructure. The Processor fetches the file over HTTPS directly into server memory, performs analysis, and immediately discards the binary content. No PDF file content is written to any storage system or transmitted to any subprocessor. Only the extracted metadata fields and the verdict are stored persistently. Cloudflare R2 is not engaged in this mode.

Mode B — Browser upload via Web UI

Applies when an end user uploads a file using the HTPBE web interface (htpbe.tech). The file is transmitted directly from the browser to Cloudflare R2 via a presigned PUT URL, after which the Processor’s server downloads it for in-memory analysis. The file is automatically deleted from R2 within 7 days of upload; in practice deletion typically occurs within 24 hours. Cloudflare R2 is engaged as a subprocessor exclusively in this mode.

In both modes, the textual and visual content of the PDF document — its text, images, and any personal or confidential information contained therein — is never read, stored, or transmitted by the Processor or any subprocessor.

Categories of personal data: Metadata fields embedded in PDF documents may contain personal data, including but not limited to: author name, email address (if embedded in document properties), title.

Categories of data subjects: Natural persons who created, modified, or are identified within the PDF documents submitted for analysis.

Purpose of processing: Detection of post-creation modifications and authenticity verification of PDF documents as instructed by the Controller.

Duration: For the term of the Controller’s active subscription or API access. Upon termination, personal data is deleted in accordance with Section 9 below.

3. Controller Obligations

The Controller warrants and undertakes that:

  • It has a valid legal basis under GDPR Article 6 (and Article 9 where applicable) for submitting personal data to the Processor for analysis.
  • It has provided adequate notice to data subjects regarding the use of the Service, or has obtained the necessary consents.
  • It will provide instructions to the Processor in writing (including via API usage in accordance with the documentation). The Processor will act only on the Controller’s documented instructions.
  • It is responsible for assessing whether the Service is suitable for its intended use case and for any decisions made on the basis of the analysis results.

4. Processor Obligations

The Processor shall:

  • Process personal data only on the documented instructions of the Controller and for no other purpose.
  • Ensure that persons authorized to process personal data are bound by appropriate confidentiality obligations.
  • Implement the technical and organizational security measures described in Section 7.
  • Engage subprocessors only in accordance with Section 5 and impose equivalent data protection obligations on them.
  • Assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligations to respond to data subject requests under Chapter III of the GDPR.
  • Notify the Controller without undue delay (and in any event within 72 hours of becoming aware) of a personal data breach affecting data processed under this DPA.
  • Provide the Controller with all information necessary to demonstrate compliance with this DPA and, upon request, contribute to and facilitate audits in accordance with Section 8.
  • Delete or return all personal data at the end of the service relationship, in accordance with Section 9.

5. Subprocessors

The Controller grants general written authorization for the Processor to engage the subprocessors listed at htpbe.tech/legal/subprocessors. That page specifies for each subprocessor: the data processed, the storage region, and which processing mode(s) it applies to.

The Processor will notify the Controller of any intended addition or replacement of subprocessors at least 10 days in advance by updating the subprocessors page and emailing the address associated with the Controller’s account. The Controller may object to a new subprocessor within 10 days of notification by contacting [email protected]. If the Processor cannot accommodate the objection, the Controller may terminate the Agreement by written notice and will receive a pro-rata refund for the unused portion of the current billing period.

The Processor imposes equivalent data protection obligations on all subprocessors via contractual terms (including standard contractual clauses where required for international transfers). The Processor remains liable to the Controller for the performance of subprocessors’ obligations.

6. International Data Transfers

Some subprocessors are located in the United States. Where personal data originating in the European Economic Area (EEA) is transferred to the United States, the Processor ensures that appropriate safeguards are in place, including:

  • Standard Contractual Clauses (Module 3 — Processor to Subprocessor) adopted by the European Commission under GDPR Article 46(2)(c), or
  • An adequacy decision by the European Commission covering the destination country or the specific recipient, or
  • The EU–U.S. Data Privacy Framework (DPF) certification of the subprocessor, where applicable.

The same safeguards apply to transfers to any other third country. The subprocessors page identifies the storage region for each subprocessor to allow the Controller to assess transfer risks.

7. Security Measures

The Processor implements the following technical and organizational measures (Article 32 GDPR):

  • Encryption in transit: All data transfers between the Controller’s systems and the Service, and between the Service and subprocessors, are encrypted using TLS 1.2 or higher.
  • Encryption at rest: Data stored in the database (Turso) is encrypted at rest by the subprocessor.
  • Access control: Personal data is accessible only to personnel and systems that require it for service operation. API keys are stored as SHA-256 hashes; plaintext keys are never stored.
  • Minimal retention: PDF file content is processed in-memory and never written to persistent storage (API mode). In Web UI mode, file content in R2 is deleted within 7 days. Only structural metadata and verdicts are stored persistently.
  • Monitoring and logging: Structured logs are maintained via Axiom. Logs do not contain PDF content; they contain request identifiers, HTTP status codes, and error traces.
  • Incident response: The Processor maintains an internal incident response procedure. The Controller will be notified of any breach affecting their data within 72 hours of discovery.

8. Audit Rights

The Processor shall provide the Controller with all information reasonably necessary to demonstrate compliance with this DPA, including this page, the subprocessors page, and the Privacy Policy.

The Controller may request an audit or inspection by written notice to [email protected]. Audits are conducted at the Controller’s expense, require at least 30 days’ notice, may not occur more than once per calendar year, must not disrupt the Processor’s operations, and are subject to a reasonable confidentiality agreement. The Processor may satisfy audit requests by providing relevant certifications or third-party audit reports where available.

9. Deletion and Return of Data

Upon termination of the Controller’s account or upon written request, the Processor will:

  • Delete all analysis results and associated metadata from the database within 90 days of the termination date.
  • Ensure that subprocessors delete copies of the data within the same timeframe.
  • Provide a written confirmation of deletion upon request.

Retention for legal obligations: Billing records are retained for 6 years as required by Finnish accounting law (Kirjanpitolaki 1336/1997), regardless of account termination. These records do not contain PDF content or document metadata.

PDF files (Web UI mode): File content in Cloudflare R2 is automatically deleted within 7 days of upload, independently of account status. No special request is needed for file deletion.

10. Data Subject Rights

The Controller is responsible for handling data subject requests (access, rectification, erasure, portability, restriction, objection) in respect of personal data processed under this DPA.

If a data subject submits a request directly to the Processor, the Processor will promptly forward the request to the Controller (where the Controller’s identity can be established) and may not respond to the data subject on the Controller’s behalf without written authorization. The Processor will provide reasonable technical assistance to the Controller in fulfilling such requests, including by deleting specific check records from the database upon the Controller’s instruction.

11. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms and Conditions. The Processor’s total aggregate liability to the Controller under this DPA shall not exceed the total fees paid by the Controller to the Processor during the 12 months preceding the event giving rise to the claim.

Nothing in this DPA limits either party’s liability for fraud, willful misconduct, or any liability that cannot be excluded by applicable law.

12. Governing Law

This DPA is governed by the laws of Finland. Any disputes shall be resolved in accordance with the dispute resolution mechanism set out in the Terms and Conditions. Where applicable, the DPA shall be interpreted in a manner consistent with the GDPR and any guidance issued by the European Data Protection Board.

13. Changes to this DPA

The Processor may update this DPA to reflect changes in applicable law, regulatory guidance, or subprocessor arrangements. Material changes will be communicated by email at least 14 days before they take effect. Continued use of the Service after the effective date of a revised DPA constitutes acceptance of the revised terms. If you do not accept a material change, you may terminate the Agreement by written notice before the effective date and receive a pro-rata refund for the unused portion of the current billing period.

14. Contact

For all DPA-related inquiries, data subject forwarding requests, breach notifications, or requests for countersigned agreements, contact:
TMI Iurii Rogulia
Vanhanpellonaktu 5, 53850 Lappeenranta, Finland
[email protected]