Data Processing Agreement
This Data Processing Agreement ("DPA") describes how PDFPipe processes data on your behalf when you use our API service.
Last updated: February 22, 2026
1. Roles
You (the customer) are the Data Controller. You determine what PDF documents are sent to PDFPipe and how the converted output is used.
PDFPipe acts as a Data Processor. We process PDF content solely to perform the conversion you request and do not use your data for any other purpose.
2. Data Processed
When you make an API request, PDFPipe processes the following data:
- PDF URL — the URL you provide pointing to the PDF document.
- PDF content — the file fetched from that URL, temporarily held during conversion.
- Request metadata — request ID, output format, processing type, timestamp, and your account/user identifiers.
- API key prefix — used for authentication. The full key is never stored.
PDFPipe does not access, index, or analyse the semantic content of your PDFs beyond what is required to perform the requested conversion.
3. Purpose of Processing
Data is processed exclusively to fulfil your API conversion requests. This includes:
- Fetching the PDF from the provided URL (via direct HTTP or headless browser for attachment PDFs).
- Converting the PDF content into the requested output format.
- Temporarily storing the output in S3 and providing a presigned download URL.
- Recording usage metrics (request count, format, success/failure) for billing and rate limiting.
4. Data Retention
PDFPipe follows an ephemeral storage model. Converted output is not retained long-term.
- Primary cleanup: An asynchronous process deletes the S3 object as soon as the conversion response is delivered.
- Backstop cleanup: An S3 lifecycle policy automatically deletes all stored objects after 48 hours.
- Request metadata (request ID, status, timestamps) is retained in DynamoDB for usage tracking and billing purposes.
- Usage records are retained for the duration of your account for billing reconciliation.
The raw PDF content from the source URL is never persisted — it exists only in Lambda memory during processing.
5. Sub-processors
PDFPipe uses the following third-party sub-processors:
| Provider | Purpose | Data Accessed |
|---|---|---|
| Amazon Web Services (AWS) | Compute, storage, queuing, database | All processing data (encrypted at rest and in transit) |
| Stripe | Payment processing and billing | Account email, subscription tier, usage counts (no PDF content) |
We will notify you of any changes to sub-processors with reasonable advance notice.
6. Data Location
All data processing occurs within AWS EU (London) — eu-west-2. PDF content, converted output, metadata, and queue messages all reside in this region. The web application is served globally via CloudFront CDN, but the origin and all data storage remain in eu-west-2.
Stripe processes billing data in accordance with its own data processing policies.
7. Security Measures
PDFPipe implements technical and organisational measures to protect your data. For a detailed breakdown, see our Security page.
Key measures include:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- API keys stored as bcrypt hashes with optional IP allowlisting per key
- Ephemeral file storage with automatic deletion
- SSRF prevention blocking private IP ranges
- IAM least-privilege access controls
- Input validation on all API requests
- Structured audit logging
8. Data Subject Rights
You retain full control over the data you send to PDFPipe. To exercise data subject rights:
- Access & portability: Your usage data and account details are available in the dashboard.
- Deletion: You can delete your account at any time from Account Settings. This removes all associated metadata and usage records.
- PDF content: As noted above, PDF content is ephemeral and automatically deleted within 48 hours at most.
For additional data requests, contact privacy@pdfpipe.dev.
9. Breach Notification
In the event of a personal data breach, PDFPipe will:
- Notify affected customers without undue delay and no later than 72 hours after becoming aware of the breach.
- Provide details of the nature of the breach, the data affected, and the measures taken to address it.
- Cooperate with your own breach notification obligations under applicable data protection law.
10. Term & Termination
This DPA applies for the duration of your use of PDFPipe services. Upon termination of your account:
- All converted output files are already deleted (ephemeral model).
- Account metadata and usage records are deleted upon account deletion.
- Billing records may be retained as required by applicable law.
Questions?
If you have questions about this DPA or need a signed copy for your records, contact us at privacy@pdfpipe.dev.