DPA.

PaidProof is operated by a Polish individual under działalność nierejestrowa. The DPA names the individual, address, and contact channel.

For data submitted by you about your clients (names, billing addresses, contract bodies, signatures, IP logs, email content), you remain the controller and PaidProof is the processor. The DPA limits PaidProof to processing that data only as needed to provide the service.

The DPA lists the sub-processors PaidProof relies on (Supabase, Vercel, Resend, Lemon Squeezy, Cloudflare, PostHog, Sentry). Adding a new sub-processor triggers a 30-day notice email; you may object and terminate without penalty.

The current list with regions is on Privacy.

• —AES-256-GCM column encryption on contract bodies, signature blobs, dispute-kit notes, and inbound email content.
• —Application-layer key held outside the database, separate trust domain.
• —Disk-level encryption at rest (AES-256).
• —Row-level security in Postgres, per-tenant isolation.
• —Append-only forensic audit log on row deletes (24h retention).
• —Database trigger blocking edits and deletes on signed contract rows.
• —One-button data export (zip of CSVs) and account deletion in Settings.

Detail and threat model on Security.

The primary database lives in the EU (Ireland). Some sub-processors operate in the US (Lemon Squeezy, Reddit Ads). Where applicable, transfers rely on Standard Contractual Clauses (Module Two — Controller to Processor) or the EU-US Data Privacy Framework where the processor is certified.

Most are self-serve in Settings. For anything the UI doesn’t cover, mail support@paidproof.app — the same channel that handles GDPR Art. 15–22 requests. Resolved within 72 hours.

Mail support@paidproof.app. Reply includes the DPA as a signed PDF and a DocuSign-style click-to-sign link if you’d like a counter-signed copy on file.