FileFlow Legal

Data Processing Agreement

Last Updated: January 2026

1. Parties and Definitions

1.1 Parties

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: The merchant using FileFlow (you)
  • Data Processor: Vellir Technologies operating FileFlow (us)

1.2 Definitions

  • Personal Data: Any information relating to an identified or identifiable natural person
  • Processing: Any operation performed on Personal Data, such as collection, storage, use, or deletion
  • Data Subject: The individual to whom Personal Data relates (e.g., your customers)
  • GDPR: General Data Protection Regulation (EU) 2016/679

2. Scope of Processing

2.1 Subject Matter

Processing of Personal Data necessary to provide digital product delivery services to merchants and their customers.

2.2 Duration

Processing will continue for the duration of the merchant's subscription and for the retention periods specified in our Data Retention Policy.

2.3 Nature and Purpose of Processing

  • Storage and delivery of digital products
  • Email delivery of download links to customers
  • Download tracking and analytics
  • Customer access control management
  • License key generation and distribution

2.4 Types of Personal Data

  • Customer email addresses
  • Customer names
  • Order information
  • Download activity (IP addresses, user agents, timestamps)

2.5 Categories of Data Subjects

  • Customers who purchase digital products from merchants
  • Merchants who use the FileFlow service

3. Merchant Responsibilities (Data Controller)

As the Data Controller, you (the merchant) are responsible for:

  • Ensuring you have a lawful basis for processing Personal Data
  • Providing appropriate privacy notices to your customers
  • Obtaining necessary consents for data processing
  • Ensuring the accuracy of Personal Data provided to FileFlow
  • Complying with data subject rights requests (access, deletion, etc.)
  • Notifying us promptly of any data protection concerns

4. Our Responsibilities (Data Processor)

As the Data Processor, we commit to:

  • Process Personal Data only on your documented instructions
  • Ensure confidentiality of persons authorized to process Personal Data
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to data subject rights requests
  • Notify you of any Personal Data breaches without undue delay
  • Delete or return Personal Data upon termination of services
  • Make available information necessary to demonstrate GDPR compliance

5. Sub-Processors

We engage the following sub-processors to assist in providing our services:

Sub-ProcessorService ProvidedLocation
Cloudflare R2Cloud file storageGlobal (multiple regions)
ResendEmail delivery serviceUnited States
PostgreSQL Hosting ProviderDatabase infrastructureSan Francisco, USA
Shopify Inc.E-commerce platform and APICanada, United States

We will notify you of any changes to sub-processors with reasonable advance notice. You have the right to object to the use of a new sub-processor.

6. Security Measures

We implement the following technical and organizational measures to protect Personal Data:

6.1 Technical Measures

  • Encryption at rest (AES-256 for stored data)
  • Encryption in transit (TLS 1.2+ for all data transmission)
  • Encrypted backups with secure key management
  • Access control and authentication mechanisms
  • Regular security patches and updates
  • Intrusion detection and prevention systems

6.2 Organizational Measures

  • Role-based access control (principle of least privilege)
  • Employee confidentiality agreements
  • Security awareness training for staff
  • Incident response procedures
  • Regular security audits and assessments
  • Separate development, testing, and production environments

7. Data Subject Rights

We will assist you in fulfilling your obligations to respond to requests from data subjects exercising their rights under GDPR:

  • Right of Access: Provide data subjects with access to their Personal Data
  • Right to Rectification: Correct inaccurate Personal Data
  • Right to Erasure: Delete Personal Data when no longer necessary
  • Right to Restriction: Restrict processing under certain circumstances
  • Right to Data Portability: Provide Personal Data in a structured, machine-readable format
  • Right to Object: Object to certain types of processing

We will respond to your requests for assistance within 7 business days, allowing you sufficient time to meet the 30-day GDPR response deadline.

8. Data Breach Notification

In the event of a Personal Data breach, we will:

  • Notify you without undue delay and within 72 hours of becoming aware of the breach
  • Provide details of the nature of the breach, categories and approximate number of affected data subjects
  • Describe the likely consequences of the breach and measures taken or proposed to address it
  • Cooperate with you to notify supervisory authorities and affected data subjects as required by GDPR

9. Audit Rights

You have the right to audit our compliance with this DPA and GDPR requirements:

  • We will provide you with information and documentation demonstrating compliance upon request
  • We will allow for and contribute to audits and inspections conducted by you or an authorized auditor
  • Audit requests must be made with reasonable advance notice and scheduled at mutually convenient times
  • Audits will be conducted in a manner that does not unreasonably interfere with our operations

10. International Data Transfers

If Personal Data is transferred outside the European Economic Area (EEA), we ensure appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where data is transferred to countries with adequate data protection
  • Additional security measures to protect data during international transfers

11. Term and Termination

11.1 Duration

This DPA remains in effect for the duration of the Terms of Service and any processing of Personal Data on your behalf.

11.2 Effect of Termination

Upon termination of services, we will:

  • Delete all Personal Data unless required by law to retain it
  • Provide confirmation of deletion upon request
  • Complete deletion within the timeframes specified in our Data Retention Policy

12. Liability and Indemnification

Each party's liability under this DPA shall be subject to the limitations and exclusions set forth in the Terms of Service.

We will indemnify you against claims arising from our breach of this DPA, except where caused by your instructions or your breach of GDPR.

13. Amendments

We may amend this DPA to reflect changes in data protection laws or our data processing practices. Material changes will be communicated with 30 days' advance notice.

14. Contact Information

For questions or concerns about data processing or to exercise your rights under this DPA, please contact:

Company: Vellir Technologies

Address: 104 William St, Five Dock, NSW, Australia

Email: vellir.tech@gmail.com