Fillenza
DATA PROCESSING AGREEMENT
Last updated:
This Data Processing Agreement governs how Fillenza processes personal data on behalf of its customers. See our Privacy Notice and Terms of Service for additional details.
TABLE OF CONTENTS
- DEFINITIONS
- SCOPE AND PURPOSE OF PROCESSING
- TYPES OF PERSONAL DATA PROCESSED
- CATEGORIES OF DATA SUBJECTS
- PROCESSOR OBLIGATIONS
- CONTROLLER OBLIGATIONS
- TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
- SUB-PROCESSORS
- AUDIT RIGHTS
- DATA DELETION AND RETURN
- DATA BREACH NOTIFICATION
- INTERNATIONAL DATA TRANSFERS
- GOVERNING LAW AND JURISDICTION
- LIMITATION OF LIABILITY
- AMENDMENTS
- CONTACT
1. DEFINITIONS
For the purposes of this Data Processing Agreement, the following definitions apply:
- "Controller" means the Customer who integrates the Fillenza widget into their website and determines the purposes and means of processing Personal Data.
- "Processor" means CSHARPAD DOO, doing business as Fillenza, which processes Personal Data on behalf of the Controller.
- "Data Subject" means the End User — an individual whose Personal Data is processed through the Fillenza widget on the Controller's website.
- "Personal Data" means any information relating to an identified or identifiable natural person that is submitted through the Fillenza widget, Portal, or API.
- "Sub-processor" means a third party engaged by Fillenza to process Personal Data on behalf of the Controller.
- "Services" means the Fillenza widget, API, and Portal as described in the Terms of Service.
- "DPA" means this Data Processing Agreement.
2. SCOPE AND PURPOSE OF PROCESSING
Fillenza acts as a Processor and processes Personal Data solely on behalf of and under the documented instructions of the Controller.
The purpose of processing is AI-powered form filling: transforming unstructured input (free text, documents, images) submitted by Data Subjects into structured form data for completion of web forms on the Controller's website.
The duration of processing corresponds to the duration of the Controller's use of the Services. Processing ceases upon termination of the Controller's account, subject to the data deletion provisions in Section 10.
Ephemeral Processing. The nature of widget data processing is automated and ephemeral. Data submitted through the Fillenza widget is processed in memory only and is immediately deleted after the form-filling operation is complete. No widget data is written to disk or persisted in any database.
3. TYPES OF PERSONAL DATA PROCESSED
| Data Category | Examples | Retention |
|---|---|---|
| Widget form data | Free text, documents (PDF, DOCX), images | NOT STORED — processed in memory, immediately deleted |
| Portal account data | Email address, password hash | Until account deletion request |
| Billing profile data | Company name, VAT number, billing address | As required by applicable tax/accounting laws |
| Operational metadata | Usage counts, performance metrics, audit logs | 90 days (audit logs), then automatically deleted |
4. CATEGORIES OF DATA SUBJECTS
- End Users: Individuals who interact with the Fillenza widget on the Controller's website.
- Controller Personnel: Individuals who access the Fillenza Portal for account management.
5. PROCESSOR OBLIGATIONS
Fillenza, as the Processor, shall:
- Process Personal Data only on documented instructions from the Controller, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
- Ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
- Implement appropriate technical and organizational security measures as described in Section 7.
- Not engage another processor without prior written authorization of the Controller, as described in Section 8.
- Assist the Controller in responding to Data Subject requests exercising their rights under GDPR Articles 15-22 (access, rectification, erasure, restriction, portability, objection).
- Assist the Controller in ensuring compliance with GDPR Articles 32-36 (security of processing, breach notification, data protection impact assessments, prior consultation).
- Delete or return all Personal Data upon termination of the Services, as described in Section 10.
- Make available all information necessary to demonstrate compliance with this DPA and GDPR Article 28, and allow for and contribute to audits as described in Section 9.
6. CONTROLLER OBLIGATIONS
The Controller shall:
- Ensure a lawful basis for processing Personal Data under GDPR (e.g., consent, legitimate interest, contractual necessity).
- Provide clear and transparent privacy notices to Data Subjects regarding the use of the Fillenza widget and the processing of their data.
- Obtain Data Subject consent where required by applicable law.
- Provide documented instructions to Fillenza regarding the processing of Personal Data.
- Promptly notify Fillenza of any Data Subject requests that require Fillenza's assistance.
7. TECHNICAL AND ORGANIZATIONAL MEASURES (TOMs)
Fillenza implements the following technical and organizational measures to ensure the security of Personal Data processing:
- Transport encryption: TLS 1.2+ on all communications.
- Application-level E2E encryption: RSA-OAEP-256 (key exchange) + AES-256-GCM (payload).
- Unique keys per request: Every fill request uses a unique, one-time symmetric key — no key reuse.
- Immediate key destruction: Session keys permanently destroyed after single use.
- FRT tokens: Short-lived (max 5 minutes), single-use JWT with replay protection.
- Domain-bound API keys: Live keys restricted to authorized origins.
- Data isolation: Database-level user-scoped query filtering on all queries.
- No persistent storage: Widget data processed in memory only, never written to disk.
- No AI training: User data never used for model training or fine-tuning.
- Rate limiting: Per-IP request throttling.
- Audit logging: PII-free operational logging (90-day retention).
For a detailed description of our encryption architecture and security measures, see our Privacy Notice — Section 3.
8. SUB-PROCESSORS
Fillenza uses the following Sub-processors to deliver the Services:
| Sub-processor | Role | Data Shared | Location | Purpose | DPA |
|---|---|---|---|---|---|
| Microsoft Azure | Processor | Infrastructure data; ephemeral form data (AI fallback) | EU (West Europe) | Hosting, AI fallback processing | Microsoft DPA |
| Paddle (Paddle.com Market Ltd) | Controller (MoR) | Email, company name, VAT, billing address | UK/EU | Payment processing, invoicing, tax compliance | Paddle DPA |
| Loopia | Processor | Email addresses | Sweden (EU) | Transactional email delivery | Loopia Terms (Appendix A) |
Fillenza shall remain fully liable for the performance of its Sub-processors' obligations under this DPA.
Fillenza shall notify the Controller at least 30 days before adding or replacing a Sub-processor. The Controller may object to a new Sub-processor within 14 days of notification. If the objection is not resolved within a reasonable timeframe, the Controller may terminate the agreement in accordance with the Terms of Service.
9. AUDIT RIGHTS
The Controller may request an audit once per calendar year to verify Fillenza's compliance with this DPA and GDPR Article 28.
- Audit requests must be submitted in writing to support@fillenza.com with at least 30 days' advance notice.
- Fillenza shall make available all information necessary to demonstrate compliance with this DPA and GDPR Article 28.
- Audits may be conducted by the Controller or an independent third-party auditor, subject to confidentiality obligations.
- Fillenza shall cooperate with audits during normal business hours and in a manner that minimizes disruption to operations.
- Fillenza may provide compliance documentation (security reports, certifications) in lieu of on-site audits where appropriate.
10. DATA DELETION AND RETURN
- Widget data: Automatically and immediately deleted after processing — widget data is never stored.
- Upon termination of the Services: Fillenza shall delete all Controller Personal Data within 30 days, except where retention is required by applicable law.
- Upon request: Fillenza shall provide the Controller with a copy of their Portal account data in a structured, commonly used, and machine-readable format (such as JSON or CSV) before deletion.
- Billing data: Permanently deleted from Fillenza's systems upon account deletion. Paddle (Merchant of Record) retains invoice and transaction records per its own retention policy and applicable tax regulations.
- Audit log references: User references set to NULL and actor names anonymized ("Deleted User") upon account deletion. Logs are retained for up to 90 days but are no longer attributable to the Controller.
Account deletion timeline: When a data subject requests account deletion through the Portal, a 28-day grace period applies (14 days self-service cancellation + 14 days admin-assisted reversal). After this period, all Controller Personal Data is permanently deleted from Fillenza's systems, except as noted below.
Cancellation during grace period: If you cancel the deletion during the grace period, your account is restored to active status. However, any subscriptions that were paused during the deletion process must be manually reactivated by you through the Portal. Subscription billing will not resume until you explicitly reactivate each subscription.
Paddle (Merchant of Record): As an independent data controller, Paddle retains invoice, transaction, and customer billing records per its own retention policy and applicable tax/accounting regulations. Fillenza cannot compel Paddle to delete these records, nor is it legally required to — Paddle's retention serves a legitimate legal basis (tax compliance).
11. DATA BREACH NOTIFICATION
Fillenza shall notify the Controller without undue delay, and in any event within 24 hours, after becoming aware of a Personal Data breach. This ensures the Controller has sufficient time to meet the 72-hour supervisory authority notification deadline under GDPR Article 33.
Notification shall include:
- The nature of the Personal Data breach.
- The categories and approximate number of Data Subjects affected.
- The likely consequences of the breach.
- The measures taken or proposed to mitigate the breach and its adverse effects.
Fillenza shall cooperate with the Controller and provide all necessary information to fulfill the Controller's obligations under GDPR Articles 33 and 34 (notification to the supervisory authority and communication to the data subject).
Failure to meet the 24-hour notification timeline shall not constitute a material breach of this DPA where Fillenza has acted in good faith and without undue delay in investigating and reporting the breach.
12. INTERNATIONAL DATA TRANSFERS
| Infrastructure | Location | Data Type | Safeguards |
|---|---|---|---|
| Azure (hosting + database) | EU (West Europe) | Account, billing, metadata | Microsoft DPA + SCCs |
| Azure OpenAI (fallback) | EU (West Europe) | Ephemeral form data | Microsoft DPA, no storage configured |
| On-Premise LLM Server | Serbia | Ephemeral form data (in-memory only) | Application-level E2E encryption, no data at rest |
| Paddle | UK/EU | Billing data | Paddle DPA + UK adequacy decision |
| Loopia (SMTP) | Sweden (EU) | Email addresses | Within EU |
Note on Serbia: Serbia's data protection law (Zakon o zaštiti podataka o ličnosti, Official Gazette RS No. 87/2018) is modeled on GDPR and provides comparable protection. Widget data processed in Serbia is ephemeral (in-memory only, never stored) and protected by application-level end-to-end encryption. Standard Contractual Clauses (EU 2021/914, Module 3 — Processor to Processor) are available upon request for Controllers requiring formal transfer safeguards.
13. GOVERNING LAW AND JURISDICTION
This DPA is governed by the laws of the Republic of Serbia.
For disputes arising out of or in connection with this DPA, the courts of Subotica, Republic of Serbia shall have exclusive jurisdiction.
Where GDPR applies to the processing of Personal Data under this DPA, the provisions of this DPA shall be interpreted in accordance with GDPR.
14. LIMITATION OF LIABILITY
Fillenza's aggregate liability under this DPA shall not exceed the total fees paid by the Controller to Fillenza during the 12 months preceding the claim. This limitation applies to all claims arising under this DPA collectively.
IN NO EVENT SHALL EITHER PARTY BE LIABLE FOR ANY INDIRECT, INCIDENTAL, SPECIAL, CONSEQUENTIAL, OR PUNITIVE DAMAGES ARISING OUT OF OR RELATED TO THIS DPA, INCLUDING BUT NOT LIMITED TO LOSS OF PROFITS, LOSS OF DATA, BUSINESS INTERRUPTION, OR LOSS OF GOODWILL, EVEN IF THE PARTY HAS BEEN ADVISED OF THE POSSIBILITY OF SUCH DAMAGES.
Nothing in this Section shall limit or exclude liability for damages that cannot be limited or excluded under applicable law, including mandatory provisions of GDPR.
15. AMENDMENTS
Material changes to the data protection obligations under this DPA require mutual agreement between Fillenza and the Controller. Fillenza may update non-material provisions with at least 30 days' notice.
All changes will be communicated via email to the Controller's registered email address. Continued use of the Services after non-material amendments take effect constitutes acceptance of the updated DPA.
16. CONTACT
If you have questions about this Data Processing Agreement, please contact us at:
CSHARPAD DOO (doing business as Fillenza)
Ludaski sor 74
Supljak 24418
Serbia
support@fillenza.com