Legal

Data Processing Agreement

This DPA forms part of the Terms of Service between FolioDoc ("Processor") and the Customer ("Controller").

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person (GDPR Art. 4(1)).
  • "Processing" means any operation performed on Personal Data, whether automated or not (GDPR Art. 4(2)).
  • "Data Subject" means the natural person whose Personal Data is processed.
  • "Sub-processor" means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
  • "Supervisory Authority" means an independent public authority responsible for monitoring the application of GDPR (Art. 4(21)).

2. Scope and purpose of processing

The Processor processes Personal Data solely on behalf of the Controller for the purpose of:

  • Collecting documents and information from the Controller's clients (recipients)
  • Sending email notifications and reminders to recipients
  • Storing uploaded files securely until retention period expires or Controller deletes them

3. Types of personal data processed

Recipient names, email addresses, phone numbers (optional), uploaded documents, and free-text responses as directed by the Controller.

4. Data subject categories

Clients, customers, or contacts of the Controller who are requested to submit documents.

5. Obligations of the Processor

The Processor shall:

  • Process Personal Data only on documented instructions from the Controller, unless required by applicable law
  • Ensure that all personnel authorized to process Personal Data are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures in accordance with GDPR Art. 32
  • Not engage sub-processors without the Controller's prior consent; notify the Controller at least 30 days before adding or replacing a sub-processor
  • Assist the Controller in responding to data subject requests within 10 business days
  • Notify the Controller of personal data breaches without undue delay after becoming aware, aiming within 72 hours
  • Assist the Controller with data protection impact assessments (DPIAs) where required
  • Delete or return all Personal Data upon termination of the service agreement, at the Controller's choice
  • Make available to the Controller all information necessary to demonstrate compliance with this DPA

6. Sub-processors

The Controller grants general authorization for the sub-processors listed below. The Processor will notify the Controller at least 30 days before adding or replacing a sub-processor. The Controller may object within 14 days.

Sub-processorPurposeData processedLocation
Hetzner Online GmbHApplication hosting, database, file storageAll personal dataEU (Germany)
Mailgun (Sinch Email)Transactional email deliveryRecipient names, email addressesEU
Sentry (Functional Software Inc.)Error monitoring and alertingError metadata only (PII scrubbed)USA
Stripe, Inc.Subscription billing and payment processingWorkspace owner email, name, plan selectionUSA (EU data via Stripe EU infrastructure)
Google LLC (Google Analytics 4)Website analytics (marketing pages only)Anonymized IP, page views, device type (consent-based)USA

7. Data retention and deletion

The Processor retains data for the duration specified in the retention policy (default: 90 days after request completion). The Controller may delete data at any time via the platform. Upon account deletion, all data is permanently erased including uploaded files.

8. Technical and organizational measures (TOMs)

The Processor implements the following technical and organizational measures in accordance with GDPR Art. 32:

Access controls:

  • Role-based access control with owner, admin, and reviewer roles per workspace
  • JWT authentication with 15-minute access tokens, refresh rotation, and blacklisting on logout
  • Optional TOTP-based two-factor authentication (2FA) via authenticator apps
  • Login attempt throttling per email+IP combination to prevent brute force
  • Optional access-code verification for recipient portal with lockout after repeated failures
  • Admin access restricted to whitelisted IPs in production

Transport security:

  • All connections encrypted via HTTPS/TLS 1.2+ with modern cipher suites (ECDHE, AES-GCM/CHACHA20) and HSTS preloading
  • Browser security headers: strict CSP (no unsafe-eval), X-Content-Type-Options, X-Frame-Options (DENY), Permissions-Policy, Referrer-Policy (no-referrer)
  • Magic link tokens protected from referrer leakage via strict Referrer-Policy

Data protection:

  • Magic link tokens stored as SHA-256 hashes only — raw tokens never persisted
  • Passwords hashed with PBKDF2, minimum 10 characters required, and length-limited to prevent algorithmic complexity attacks
  • File upload validation (5-layer: size, content-type, extension, magic-byte, per-recipient quotas)
  • Automatic data retention enforcement with configurable purge periods
  • Secure deletion workflows with retry mechanisms for failed file removals
  • Encryption at rest via Hetzner encrypted volumes

Integrity and availability:

  • SHA-256 file integrity checksums stored on upload with periodic verification
  • Backup and recovery procedures documented with defined RPO/RTO targets
  • CSV formula injection prevention in all data exports
  • Container hardening with network segmentation, dropped capabilities, and least-privilege processes

Security monitoring:

  • Login event audit logging (IP address, result, timestamp)
  • Document submission and data deletion events logged with timestamps
  • Immutable deletion audit trail for GDPR traceability
  • Audit logs available via dashboard and exportable as CSV
  • Background task health monitoring with alerting
  • Error monitoring with PII scrubbing (no request bodies, tokens, or credentials transmitted)

Uploaded files are automatically scanned for viruses using ClamAV. No scanning solution is 100% effective; Controllers should still verify downloaded files.

9. Data residency and international transfers

Personal Data is currently processed and stored within the EU (Hetzner, Germany). Certain sub-processors (Stripe, Sentry, Google Analytics) may process limited data in the USA under Standard Contractual Clauses (SCCs) as approved by the European Commission and the EU-U.S. Data Privacy Framework.

10. Term and termination

  • This DPA is effective for the duration of the service agreement between the Processor and the Controller.
  • Upon termination, the Controller may export data for 30 days, after which all data is deleted per the retention policy.
  • Deletion includes all files, responses, recipient data, and notification history.

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service.

12. Governing law

This DPA is governed by the laws of the Federal Republic of Germany.