Data Processing Agreement
Last updated: 24 April 2026 · Version 1.1 · UK GDPR Article 28
How this DPA is accepted: By registering for a PreprintAgent company account and ticking the DPA consent checkbox, the Client agrees to this DPA on behalf of their organisation. This DPA forms part of the PreprintAgent Terms of Service and is incorporated by reference into them.
1. Parties
Data Controller ("Controller" / "Client"): The company or individual that registers for and uses the PreprintAgent Service.
Data Processor ("Processor"): Creative4 Ltd, Company No. 10129403, 36 Orchard Road, Lutterworth, LE17 4DA, United Kingdom.
2. Background
The Processor operates PreprintAgent, a prepress automation platform. In providing the Service, the Processor processes personal data on behalf of the Controller. This DPA sets out the terms under which such processing takes place, in full compliance with Article 28 of the UK General Data Protection Regulation (UK GDPR) and the Data Protection Act 2018.
3. Subject Matter and Duration
Subject matter: Automated prepress processing of print files uploaded by the Client, including preflight validation, bleed processing, and panel imposition, together with account and job management.
Duration: This DPA applies for the duration of the Client's use of the Service and for any period thereafter during which the Processor retains personal data as required by applicable law or the Terms of Service.
4. Nature and Purpose of Processing
Processing is performed solely to deliver the Service: receiving, storing, processing, and returning print files; sending job status notifications; managing the Client's company account and user accounts; and providing customer support. Processing will not be carried out for any other purpose without the Controller's documented instruction.
5. Types of Personal Data Processed
The personal data processed under this DPA may include:
- Contact details of Client personnel (name, email address)
- Login credentials (email address; passwords stored as irreversible cryptographic hashes only)
- Metadata embedded in uploaded print files (which may incidentally include names or identifiers)
- Communication records (support enquiries)
- Technical data (IP addresses, browser/device identifiers)
- Consent records (timestamps of ToS, DPA, and marketing consent with IP addresses)
Prohibition on special category data: The Controller must not upload files containing special category personal data (as defined in UK GDPR Article 9) — including health information, biometric data, racial or ethnic origin, religious beliefs, or sexual orientation — without a separate written agreement with the Processor. The Processor is not equipped to handle such data under this DPA.
6. Data Subjects
Employees, contractors, and other individuals associated with the Client's organisation who use or are referenced in connection with the Service.
7. Processor Obligations
The Processor shall:
- Instructions: Process personal data only on documented instructions from the Controller (i.e. as required to deliver the Service), unless required to do so by UK law; in that case the Processor shall inform the Controller before processing, unless the law prohibits this
- Confidentiality: Ensure that all personnel authorised to process personal data are subject to a binding obligation of confidentiality
- Security: Implement and maintain the technical and organisational security measures described in Schedule 1
- Sub-processors: Only engage sub-processors in accordance with Clause 8 of this DPA
- Data subject rights: Assist the Controller in fulfilling its obligations to respond to data subject rights requests under UK GDPR Articles 15–22, to the extent reasonably possible given the nature of the processing
- Controller obligations: Taking into account the nature of the processing and the information available, assist the Controller in ensuring compliance with its obligations under UK GDPR Articles 32–36 (security, breach notification, data protection impact assessments, and prior consultation with the ICO)
- Deletion or return: At the Controller's written request, delete or return all personal data to the Controller at the end of the Service, and delete existing copies unless UK law requires retention; confirm completion in writing within 30 days
- Demonstration of compliance: Make available to the Controller all information necessary to demonstrate compliance with Article 28 UK GDPR, and allow for and contribute to audits and inspections as set out in Clause 9 below
- Unlawful instructions: Notify the Controller without undue delay if, in its reasonable opinion, any instruction from the Controller infringes UK GDPR or other applicable data protection law
8. Sub-Processors
The Controller grants general authorisation for the Processor to engage the sub-processors listed below and any replacements or additions notified in accordance with this Clause.
| Sub-processor | Purpose | Location | Safeguard |
|---|---|---|---|
| Hetzner Online GmbH | Cloud server infrastructure and file storage | Germany (EU) | UK–EU adequacy |
| Brevo (Sendinblue SAS) | Transactional email delivery and marketing email management | France (EU) | UK–EU adequacy |
| Stripe Inc. | Payment processing and billing | USA | UK IDTA / SCCs |
| Cloudflare Inc. | DNS, CDN, security, email routing | USA | UK IDTA / SCCs |
| GitHub Inc. (Microsoft Corporation) | Source code hosting and automated deployment (CI/CD pipeline) | USA | UK IDTA / SCCs |
Changes to sub-processors: The Processor will give the Controller at least 14 days' written notice before engaging a new sub-processor or replacing an existing one (by email to the registered account address). The Controller may object to the change within that period by written notice to [email protected], specifying the grounds for objection. If the Processor proceeds with the change despite a valid objection, the Controller may terminate the Service without penalty by written notice within 30 days of the Processor confirming the change. Sub-processors are bound by data protection obligations equivalent to those in this DPA.
9. Audit Rights
In accordance with UK GDPR Article 28(3)(h), the Processor shall allow for, and contribute to, audits and inspections conducted by the Controller or a third-party auditor mandated by the Controller. The following conditions apply:
- The Controller must give at least 30 days' prior written notice of any audit request, specifying the scope and proposed auditor
- Audits shall be conducted during normal business hours, no more than once per calendar year (unless required by a regulatory authority), and in a manner that minimises disruption to the Processor's operations
- Any third-party auditor appointed by the Controller must enter into a confidentiality agreement with the Processor before audit commencement
- The Controller shall bear the costs of any such audit unless the audit reveals material non-compliance by the Processor with this DPA, in which case the Processor shall bear reasonable audit costs
- The Processor may, at its discretion, satisfy the audit right by providing the Controller with up-to-date third-party security certifications (e.g. ISO 27001) or a written compliance report in lieu of a full on-site audit
10. International Transfers
Where personal data is transferred outside the UK, the Processor shall ensure that an appropriate transfer mechanism is in place (UK adequacy regulations, UK IDTA, or equivalent SCCs) before the transfer takes place. Details of applicable transfer mechanisms for each sub-processor are set out in Clause 8 and are available in full on request.
11. Personal Data Breach
The Processor shall notify the Controller without undue delay — and in any event within 72 hours where feasible — upon becoming aware of a personal data breach affecting data processed under this DPA. Notifications shall be delivered to the registered account email address and shall include:
- The nature of the breach, including categories and approximate numbers of data subjects and records affected
- The name and contact details of the Processor's data protection contact
- Likely consequences of the breach
- Measures taken or proposed to address the breach and mitigate its effects
Where full information is not immediately available, initial notification may be made in stages as information becomes available.
12. Governing Law
This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes shall be subject to the exclusive jurisdiction of the courts of England and Wales.
Schedule 1 — Technical and Organisational Security Measures
The Processor implements and maintains the following technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access:
Access Control
- Access to production systems requires strong authentication; administrative access is restricted to authorised personnel only
- Role-based access controls limit access to personal data to those with a documented business need
- Principle of least privilege applied to all system access
Data Encryption
- All data in transit encrypted using TLS 1.2 or higher (HTTPS enforced on all endpoints)
- Passwords stored using bcrypt hashing with appropriate cost factor; never stored in plaintext
- Authentication tokens are signed JWTs with expiry; not stored server-side
Infrastructure Security
- Servers hosted on Hetzner (Germany) with firewall rules restricting inbound access to authorised sources only
- Rate limiting applied to all public API endpoints to prevent abuse and brute-force attacks
- Regular OS and dependency security updates applied on a timely basis
- HTTPS enforced via Cloudflare with HSTS headers
Application Security
- Input validation and sanitisation applied to all user inputs
- Path traversal protections on all file upload and download endpoints
- XSS protections applied to all rendered output
- SQL injection protections via parameterised queries
- CSRF protections on all state-changing requests
Data Minimisation and Retention
- Uploaded print files are stored only as long as necessary for job completion and deleted after 90 days
- System logs retained for 12 months for security monitoring
- Only the minimum personal data required for each processing purpose is collected
Operational Controls
- Regular automated database backups with retention controls
- Incident response procedure in place; data breach notification process documented
- Deployment pipeline secured via GitHub Actions with restricted access credentials
Schedule 2 — Processing Details
| Field | Details |
|---|---|
| Subject matter | Prepress processing of print-ready files and associated company account management |
| Duration | Duration of the Service agreement plus applicable legal retention periods |
| Nature of processing | Collection, storage, automated processing (preflight, bleed, imposition), transmission, deletion |
| Purpose | Delivery of the PreprintAgent prepress automation service |
| Type of personal data | Contact details, credentials (hashed passwords), file metadata, technical identifiers, consent records |
| Categories of data subjects | Client company employees and contractors using or referenced in connection with the Service |
| Special category data | None — prohibited under this DPA without separate agreement |
Creative4 Ltd — Data Processor
Company No. 10129403 · Registered in England and Wales
36 Orchard Road, Lutterworth, LE17 4DA, UK
[email protected]