Papermark is GDPR-compliant across its virtual data room, document sharing, and analytics workflows. We operate as a data processor (in GDPR terms) for customers handling EU resident data, offer a signed Data Processing Agreement (DPA), maintain a public sub-processor list, and support EU data residency for deployments requiring it. For the full security and compliance posture (encryption, hosting regions, certifications), see the Papermark security page.
This guide covers exactly how we meet each GDPR requirement and what it means for customers running EU-regulated workflows on Papermark.
The General Data Protection Regulation (GDPR) is a comprehensive data protection law from the European Union that regulates how organizations collect, process, store, and protect personal data of EU residents. It applies to any organization handling EU resident data regardless of the organization's location. Non-compliance can result in fines up to 4% of global revenue or €20 million, whichever is higher.
GDPR is built on seven principles: lawful processing, purpose limitation, data minimization, accuracy, storage limitation, integrity and confidentiality, and accountability. For a VDR processing confidential business documents containing personal data of employees, investors, or counterparties, GDPR compliance is not optional.
Virtual data rooms routinely process personal data as part of M&A, fundraising, and audit workflows: employee records during HR diligence, investor contact data, customer contract signatories, LP investor PII. Four reasons make GDPR compliance essential for VDR selection.
Global reach. GDPR applies to any organization processing EU resident data, regardless of the organization's own location. A US company raising from European LPs must use a GDPR-compliant VDR.
Legal exposure. Non-compliance fines scale with global revenue: up to 4% or €20M, whichever is higher. Using a non-compliant VDR creates liability for the customer, not just the vendor.
Vendor due diligence. EU customers increasingly require GDPR documentation (DPA, sub-processor list, data residency) as part of vendor onboarding. A non-GDPR-compliant VDR fails that screening.
Data subject trust. EU regulators and courts increasingly scrutinize cross-border transfers, especially to US cloud providers post-Schrems II. A VDR with documented GDPR posture reduces that risk.
Papermark operates as a data processor for customers who are the data controllers of the information they upload. We process personal data on customer instructions as defined in our DPA.
Papermark processes personal data on four lawful bases, as applicable:
Data subjects (the people whose data is processed) can exercise the following rights through their account or through a formal request:
Papermark's technical controls supporting GDPR compliance:
Three items make up the procurement-level GDPR documentation that EU buyers typically request during vendor assessments.
A DPA is the legal contract between a data controller (customer) and a data processor (Papermark) that sets out the terms of processing, data subject rights, security obligations, and breach notification procedures under GDPR Article 28. Papermark provides a standard DPA available for review and signature, and supports customer-specific amendments for enterprise contracts.
Papermark maintains a public sub-processor list identifying every third party that processes customer data as part of service delivery (infrastructure providers, email delivery, analytics). For each sub-processor, the list documents the service provided, the data processed, and the jurisdiction of operation. Customers are notified in advance of any material sub-processor changes.
For customers requiring data to remain inside the EU (cross-border transfer restrictions post-Schrems II, regulated industries, sovereign data requirements), Papermark supports:
| GDPR article | Requirement | How Papermark implements |
|---|---|---|
| Art. 5 | Principles of processing | Lawful basis documented, purpose-specified, minimized data collection |
| Art. 6 | Lawful basis | Contract, legitimate interest, consent, legal obligation as applicable |
| Art. 12-14 | Transparency and information | Privacy policy, cookie notice, account-level processing records |
| Art. 15-22 | Data subject rights | In-product controls and formal request workflow |
| Art. 25 | Privacy by design | Privacy reviewed as part of product development |
| Art. 28 | Processor obligations | Signed DPA, documented processing activities |
| Art. 30 | Records of processing | Internal ROPA maintained |
| Art. 32 | Security of processing | AES-256, TLS 1.3, MFA, audit log, SOC 2 Type II |
| Art. 33-34 | Breach notification | 72-hour notification, documented incident response |
| Art. 35 | DPIA | Conducted for high-risk processing activities |
| Art. 44-50 | Cross-border transfers | EU residency options, SCCs for international transfers |
For EU-based customers. Papermark meets local data protection requirements, supports your compliance obligations, and provides the DPA and sub-processor documentation your legal team needs for vendor assessments.
For international customers processing EU data. Papermark's GDPR posture lets you run M&A, fundraising, and due diligence workflows involving EU residents without creating additional compliance risk.
For due diligence workflows. Legal and financial professionals can run cross-border diligence knowing the platform meets GDPR requirements for personal data processing.
For fundraising activities. Startups raising from European LPs can demonstrate GDPR compliance through their choice of VDR, which is increasingly a procurement requirement for institutional European LPs.
Page-by-page document analytics give controllers the audit trail Article 30 requires:
For the full list of certifications, hosting regions, encryption standards, and the public DPA and sub-processor list, visit the Papermark security page.
| Feature | Papermark |
|---|---|
| GDPR-compliant | ✔️ |
| DPA available | ✔️ |
| Public sub-processor list | ✔️ |
| EU data residency | ✔️ (enterprise, self-hosted) |
| SOC 2 Type II | ✔️ |
| ISO 27001 | Via self-hosted deployment |
| HIPAA | Via self-hosted + BAA (enterprise) |
| Encryption at rest | AES-256 |
| Encryption in transit | TLS 1.3 |
| MFA | ✔️ |
| Audit logging | Append-only, exportable |
| 72-hour breach notification | ✔️ |
| Self-hosted option | ✔️ (AGPL open-source) |
Papermark SOC 2 Type II compliance explained: the five Trust Services Criteria, audit scope, and what it means for M&A, fundraising, and regulated VDR workflows.
Virtual data room pricing in 2026 explained. Compare per-page, per-user, storage, and flat-rate models across Papermark, Datasite, iDeals, Intralinks, and 30+ providers.
Step-by-step guide to building a Notion data room in 2026 and sharing it securely with a custom domain, password protection, page-by-page analytics, and link expiration using Papermark.
