Data Processing Agreement (DPA)

Last updated: 24 April 2026

This DPA forms part of the Terms for business use of FileGPT.dev where Customer acts as controller and FileGPT acts as processor under Article 28 GDPR.

1. Parties and role allocation

  • Customer: controller (or processor acting on behalf of a controller, with required authority).
  • FileGPT.dev operator: processor for Customer Personal Data processed through the Service.

2. Subject matter and duration

Processing covers document storage, indexing, retrieval, and AI inference needed to provide private document-intelligence functionality. This DPA applies for the duration of the Service subscription and survives as long as we process Customer Personal Data on Customer’s behalf.

3. Nature and purpose of processing

  • Store uploaded files and related metadata.
  • Extract text, split into chunks, and create embeddings for retrieval.
  • Process user prompts and retrieved snippets for AI-generated responses.
  • Store chat/session history and operational usage records.
  • Operate security, integrity, and abuse-prevention controls.

4. Categories of data and data subjects

Categories may include account identifiers, uploaded document contents, prompts, chat messages, and technical metadata. Data subjects may include Customer users, employees, contractors, and other persons whose data is included in uploaded materials.

5. Processor obligations

FileGPT will:

  • process Customer Personal Data only on documented instructions from Customer;
  • ensure personnel with access are subject to confidentiality obligations;
  • implement technical and organizational security measures appropriate to risk;
  • assist Customer with data subject requests where technically feasible;
  • assist with DPIA or consultation requests where required and feasible; and
  • notify Customer of personal data breaches without undue delay.

6. Customer obligations

  • Provide lawful instructions and legal basis for processing.
  • Ensure uploaded data is lawfully collected and shared.
  • Configure Service usage in line with Customer’s compliance requirements.
  • Handle data subject rights requests directed to Customer as controller.

7. Subprocessors

Customer grants a general authorization for subprocessors used to operate the Service. Current subprocessor categories include cloud hosting/runtime, database/auth/storage, AI model/embedding providers, and rate-limiting infrastructure.

Material subprocessor changes will be reflected in the legal/security documentation. Customer may raise reasonable objections for data protection reasons via info@filegpt.dev.

8. International transfers

Where subprocessors process data outside the EEA, transfer mechanisms such as Standard Contractual Clauses and supplementary measures are used where legally required.

9. Security measures (Annex II summary)

  • Authenticated API access and account-based authorization checks.
  • Document storage in private buckets and scoped signed URL access.
  • Input validation, request rate limiting, and abuse safeguards.
  • Logical tenant separation via user-scoped access patterns and policy controls.
  • Encryption in transit via TLS and encryption at rest through infrastructure providers.
  • Operational monitoring, logging, and incident response handling.

A technical overview with known limitations is published on the Security page.

10. Personal data breach notifications

If we become aware of a confirmed personal data breach affecting Customer Personal Data, we will notify Customer without undue delay and provide available information reasonably required for Customer’s own notification obligations.

11. Audit and information rights

Customer may request information reasonably necessary to demonstrate compliance with this DPA. Audits are limited to reasonable frequency, scope, confidentiality protections, and security safeguards.

12. Return or deletion at termination

Upon account closure or documented instruction, Customer data is deleted according to the Service deletion workflows and retention constraints. Some records may be retained where legally required.

13. Priority and conflict

If this DPA conflicts with other service terms regarding data protection, this DPA prevails for processing of personal data. This DPA may be replaced by a signed negotiated agreement for enterprise customers.

14. Contact and signed copies

For enterprise procurement, signed DPA requests, or compliance questionnaires, contact info@filegpt.dev.