PDFMonkey GDPR Compliance and Data Processing Agreement (DPA)

Last updated March 23, 2026

PDFMonkey aligns its data handling practices with GDPR requirements. This page covers the company’s compliance posture, the available legal agreements, and the key privacy commitments built into the platform.

Compliance posture

PDFMonkey does not hold a formal compliance certification (such as SOC 2 or ISO 27001). As a small, focused company, pursuing these certifications is not currently feasible. Instead, PDFMonkey implements concrete security measures that protect your data at every stage: encryption in transit and at rest, EU-only hosting, strict access controls, and configurable data retention.

No certification does not mean no security

The absence of a certification badge does not reflect the absence of security practices. PDFMonkey’s technical and organizational measures are documented in the Security Measures page and formalized in the DPA below.

GDPR data roles

When you use PDFMonkey, the GDPR roles are defined as follows:

| Role | Party | Responsibility |
|---|---|---|
| Data Controller | You (the User) | You determine what personal data is sent to PDFMonkey and for what purpose. |
| Data Processor | PDFMonkey | PDFMonkey processes your data exclusively to generate the Documents you request, following your instructions. |

PDFMonkey processes your data only for the purpose of providing the service. It is never analyzed, shared with partners, sold, or used for any other purpose.

If you are yourself a Processor acting on behalf of a Controller (for example, generating documents for your own clients), PDFMonkey provides a separate Data SubProcessing Agreement (DsPA) that formalizes the Controller-Processor-SubProcessor chain.

Data Processing Agreement (DPA)

PDFMonkey provides two standard agreements covering data processing obligations under GDPR:

| Document | Use case | Link |
|---|---|---|
| Data Processing Agreement (DPA) | You are the Controller; PDFMonkey is your Processor | Download DPA (PDF) |
| Data SubProcessing Agreement (DsPA) | You are a Processor; PDFMonkey is a SubProcessor acting on your Controller’s behalf | Download DsPA (PDF) |

Both agreements are dated March 1, 2023 and cover:

  • Definitions aligned with GDPR terminology
  • Data processing obligations and instructions
  • Security measures and confidentiality
  • Audit rights (once per year, 30 days’ notice)
  • Breach notification procedures
  • International data transfer safeguards
  • Approved sub-processor list
  • Data deletion on termination

Need a custom agreement?

If your organization requires PDFMonkey to review and sign a custom data privacy agreement, contact us. DPA-related inquiries can also be sent directly to tinymonkey@pdfmonkey.io.

Key GDPR commitments

The following commitments are formalized in the DPA and reflected in PDFMonkey’s technical implementation:

EU-only data hosting

All infrastructure runs on AWS in the EU (Paris) region. Your data does not leave the EEA unless a sub-processor requires it, in which case the transfer is protected by GDPR-compliant safeguards (adequacy decisions or standard contractual clauses). See Security Measures: European hosting for details.

Purpose limitation

PDFMonkey processes your data exclusively to generate the Documents you request. It is never analyzed by PDFMonkey or any external service, never shared with third parties, and never used for profiling or analytics.

Data minimization and retention

You control how long your data is stored. Each Template has a configurable TTL (Time To Live) that automatically deletes Documents after the retention period expires. You can also delete Documents manually at any time. See Data Storage and Retention for the full picture of what is stored and when it is removed.

Breach notification

If PDFMonkey becomes aware of a personal data breach affecting your data, it notifies you without undue delay. The notification includes the nature and scope of the breach, a point of contact, likely consequences, and remediation measures taken or proposed.

Data deletion on termination

When you delete your account, PDFMonkey ceases all processing and permanently destroys all your data, including Templates, Documents, generated files, and dynamic data.

Approved sub-processors

PDFMonkey uses a limited set of sub-processors. The DPA requires PDFMonkey to notify you in writing before adding or replacing a sub-processor, giving you time to object.

| Sub-processor | Purpose |
|---|---|
| Amazon Web Services | Hosting and storage |
| Heroku | Hosting |
| SendGrid | Email delivery |
| Dropbox | Invoice storage |
| Svix | Webhook delivery |
| Zapier | Integration platform |
| Rollbar | Error logging |
| Sentry | Error logging |
| Cloudflare | DNS and network services |

For full contact details and compliance links for each sub-processor, see Section 5 of the DPA or DsPA.

Frequently asked questions

Does PDFMonkey have SOC 2 or ISO 27001 certification?

No. PDFMonkey is a small company and does not currently hold formal compliance certifications. The Security Measures page describes the technical and organizational measures in place.

Can I audit PDFMonkey?

Yes. The DPA grants you the right to audit PDFMonkey’s data processing practices once per year, during business hours, with at least 30 days’ written notice. Audit costs are borne by you unless the audit reveals non-compliance on PDFMonkey’s part.

What happens to my data if I cancel my subscription?

When you delete your account, PDFMonkey permanently deletes all your Workspaces, Templates, Documents, and generated files. See Account Deletion for the full process.

Is my data transferred outside the EU?

PDFMonkey commits to processing data within the EEA. If a sub-processor requires a transfer outside the EEA, GDPR-compliant safeguards (adequacy decisions or standard contractual clauses) are in place.

Is PDFMonkey GDPR compliant?

PDFMonkey follows GDPR principles: data is processed exclusively within the EU (AWS Paris region), encrypted in transit and at rest, never shared with third parties, and deleted when no longer needed. PDFMonkey acts as a data Processor on your behalf.

Does PDFMonkey provide a Data Processing Agreement (DPA)?

Yes. PDFMonkey provides a standard DPA and a Data SubProcessing Agreement (DsPA), both available for download. If your organization requires a custom data privacy agreement, you can contact PDFMonkey to arrange review and signing.

Where is PDFMonkey data hosted?

All PDFMonkey infrastructure is hosted on Amazon Web Services (AWS) in the EU (Paris) region. This includes application servers, the database, and S3 storage. Data is processed exclusively within the EEA.

What sub-processors does PDFMonkey use?

PDFMonkey uses a limited set of sub-processors: AWS (hosting and storage), Heroku (hosting), SendGrid (email), Dropbox (invoice storage), Svix and Zapier (integrations), Rollbar and Sentry (error logging), and Cloudflare (DNS). The full list is detailed in the DPA.