Data Processing Agreement (DPA)
Last updated: April 24, 2026
This Data Processing Agreement ("DPA") supplements the Enveloppe Terms in accordance with article 28 of the GDPR when Enveloppe acts as processor on behalf of the User ("Controller").
1. Scope and duration
The DPA applies for the entire duration of the User's subscription and ends upon effective account termination.
2. Nature and purpose of processing
- Nature: temporary storage, transmission, and retrieval of files.
- Purpose: enable the User's clients to submit documents.
- Data categories: those chosen by the User and Droppers; Enveloppe does not restrict content by default.
- Data subjects: clients or any third party using a drop page.
3. Enveloppe's obligations
- Process data only on the User's documented instructions (Terms and page configuration constitute the initial instruction).
- Ensure confidentiality through binding clauses with personnel.
- Implement appropriate technical and organizational measures (encryption in transit and at rest, logging, RBAC).
- Notify the User of any security incident within 72 hours of becoming aware of it.
- Assist the User with data subject rights requests.
- Delete or return data at the end of the DPA, at the User's option.
4. Authorized sub-processors
- Hyperfluid / CaaStor — application hosting and object storage, EU.
- Stripe — payments (billing only, no uploaded files).
- Resend — notification email delivery.
Enveloppe will notify the User of any sub-processor change with 30 days' notice, giving the User the right to object.
5. International transfers
Primary hosting is European. If a sub-processor processes data outside the EU, transfers are covered by the European Commission's Standard Contractual Clauses.
6. Security measures
- TLS 1.2+ encryption in transit.
- Encryption at rest via provider object storage.
- Strong authentication for pro access (Keycloak, SSO).
- Logical tenant isolation.
- Daily encrypted backups, periodically tested.
- Administrative access auditing.
7. Return and deletion
At the end of the DPA, the User may export their data (metadata and download links) for 30 days. After that window, Enveloppe proceeds with final deletion, including backups within their rotation cycle (90 days max).