Pricing Sign in Sign up

Data Processing Agreement (DPA)

Last updated: 25. 11. 2025

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer" or "Controller") and Performance4 s.r.o. ("Processor") governing the use of the P4PDF by Performance4 s.r.o. service.

1. Subject Matter and Duration

The Processor shall process personal data on behalf of the Controller for the purpose of providing the Service as described in the main agreement and this DPA. The processing shall continue for the duration of the main agreement, unless otherwise agreed.

2. Nature and Purpose of Processing

The Service enables the Controller to upload and process documents (PDFs, attachments) for the purposes of electronic signing, timestamping and related operations. Personal data may appear within such documents and related metadata.

3. Types of Personal Data and Categories of Data Subjects

The types of personal data processed may include:

  • Names, email addresses and other identifiers;
  • Contact information and billing data;
  • Any personal data contained in documents uploaded by the Controller.

Data subjects may include:

  • Controller’s employees and representatives;
  • Customers, suppliers and other business contacts of the Controller;
  • Any other individuals whose data is contained within the documents.

4. Instructions of the Controller

The Processor shall process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by law. The Controller’s use of the Service (configuration, API calls, uploads) constitutes such instructions.

5. Confidentiality

The Processor shall ensure that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

6. Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • encryption in transit;
  • access controls and authentication;
  • segregation of environments;
  • logging and monitoring;
  • regular updates and security patches.

7. Sub-processors

The Controller hereby authorizes the Processor to engage sub-processors for hosting, payment processing, timestamping and related services. The current list of sub-processors includes (without limitation):

  • Stripe – payment processing;
  • freetsa.org – timestamp authority (TSA) in case API is used without TSA custom specification.

The Processor shall impose data protection obligations on sub-processors that are no less protective than those in this DPA.

8. Data Subject Rights

Taking into account the nature of the processing, the Processor shall assist the Controller, by appropriate technical and organizational measures, in fulfilling its obligation to respond to requests for exercising data subjects’ rights (access, rectification, erasure, restriction, portability, objection).

9. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach affecting data processed on behalf of the Controller.

10. Deletion or Return of Data

Upon termination of the main agreement, the Processor shall delete or return all personal data processed on behalf of the Controller, unless EU or Member State law requires storage of the data.

11. Audits

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this DPA and shall allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, not more than once per year, unless otherwise required by a competent authority.