Data Processing Agreement
Effective date: 24 March 2026
This Data Processing Agreement (“DPA”) forms part of the agreement between you (“Customer”, “Controller”) and Techlyft Pty Ltd (“FileSafety”, “Processor”) for the use of the FileSafety content security API and related services (the “Service”).
This DPA applies where FileSafety processes personal data on behalf of the Customer in connection with the Service and such processing is subject to the General Data Protection Regulation (EU) 2016/679 (“GDPR”), the UK GDPR, or other applicable data protection laws.
1. Definitions
- “Personal Data” — any information relating to an identified or identifiable natural person, as defined in the GDPR.
- “Controller” — the Customer, who determines the purposes and means of processing personal data by using the Service.
- “Processor” — FileSafety (Techlyft Pty Ltd), which processes personal data on behalf of the Controller.
- “Sub-processor” — a third party engaged by the Processor to process personal data on behalf of the Controller.
- “Data Subject” — an identifiable natural person whose personal data is processed.
- “Processing” — any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
- “Security Incident” — a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, personal data.
2. Scope and Purpose
2.1 Roles
The Customer acts as the Controller and FileSafety acts as the Processor with respect to personal data processed through the Service.
2.2 Processing Details
| Detail | Description |
|---|---|
| Nature of processing | Automated file scanning for malware detection and content analysis |
| Purpose | To provide the file scanning service as described in the Terms of Service |
| Categories of personal data | Files uploaded for scanning, file metadata (name, size, hash, MIME type), scan results, IP addresses |
| Categories of data subjects | Customer’s end users whose files are submitted for scanning |
| Duration | Files are processed and deleted immediately. Service relationship lasts for the term of the Customer’s use, plus the retention periods described below. |
2.3 Processing Instructions
FileSafety will process personal data only in accordance with the Customer’s documented instructions, which are defined by:
- The Service’s Terms of Service and Privacy Policy
- The Customer’s configuration of the Service (API calls, settings)
- Any additional written instructions agreed between the parties
If FileSafety believes an instruction infringes the GDPR or applicable data protection law, it will promptly notify the Customer.
3. Obligations of the Processor
3.1 Processing Limitations
FileSafety will:
- Process personal data only on documented instructions from the Customer, unless required by applicable law (in which case FileSafety will notify the Customer before processing, unless legally prohibited)
- Not process personal data for any purpose other than providing the Service
3.2 Confidentiality
FileSafety will ensure that all personnel authorised to process personal data are bound by obligations of confidentiality.
3.3 Security Measures
FileSafety implements and maintains the following technical and organisational measures:
Technical Measures:
- Encryption at rest using AES-256 for all stored data
- Encryption in transit using TLS 1.2 or higher for all connections
- Immediate deletion of uploaded files after scanning completes (24-hour lifecycle policy as failsafe)
- Network isolation via VPC with private subnets for scanning workloads
- API key authentication for all service access
- Hashed storage of API keys for request authentication and hashed passwords via Cognito
Organisational Measures:
- Strict access controls with least-privilege IAM policies
- Regular security reviews of infrastructure and code
- Incident response procedures
- Employee confidentiality obligations
3.4 Sub-processor Management
FileSafety will:
- Not engage a new sub-processor without providing the Customer with prior notice and an opportunity to object (see Section 4)
- Enter into written agreements with each sub-processor imposing data protection obligations no less protective than those in this DPA
- Remain liable for the acts and omissions of its sub-processors
3.5 Data Subject Rights
FileSafety will assist the Customer in fulfilling its obligations to respond to data subject requests (access, deletion, portability, rectification, restriction, objection) by:
- Providing tools and APIs that allow the Customer to access or delete data
- Responding to Customer requests for assistance within 10 business days
- Not responding directly to data subjects unless instructed by the Customer
3.6 Breach Notification
In the event of a Security Incident involving personal data:
- FileSafety will notify the Customer without undue delay and no later than 72 hours after becoming aware of the incident
- The notification will include: the nature of the incident, categories and approximate number of data subjects affected, likely consequences, and measures taken or proposed to address it
- FileSafety will cooperate with the Customer and take reasonable steps to mitigate the effects of the incident
3.7 Deletion on Termination
Upon termination of the Service agreement, a 30-day grace period applies during which the Customer may reactivate their account. After the grace period, FileSafety will:
- Delete all personal data processed on behalf of the Customer in accordance with the retention schedule (files deleted immediately after scanning, scan metadata within 30 days, account data after the grace period)
- Provide confirmation of deletion upon request
- Retain data only where required by applicable law, in which case FileSafety will inform the Customer of the legal requirement and limit processing to what is required by law
4. Sub-processors
4.1 Current Sub-processors
The following sub-processors are authorised by the Customer as of the effective date of this DPA:
| Sub-processor | Purpose | Data Processed | Location |
|---|---|---|---|
| Amazon Web Services (AWS) | Cloud infrastructure, file scanning, authentication, storage, database | All service data | Australia (ap-southeast-2) |
| Stripe | Payment processing, subscription management | Billing data, customer email | United States / European Union |
| Cloudflare | DNS, CDN, DDoS protection, documentation hosting | IP addresses, request metadata | Global edge network |
4.2 Changes to Sub-processors
FileSafety will:
- Maintain an up-to-date list of sub-processors in this DPA and at docs.filesafety.dev/legal/dpa
- Notify the Customer by email at least 30 days before engaging a new sub-processor
- Provide the Customer an opportunity to object to the new sub-processor on reasonable data protection grounds
- If the Customer objects and no resolution is reached within 30 days, the Customer may terminate the Service agreement without penalty
5. International Data Transfers
5.1 Primary Processing Location
Personal data is primarily processed in Australia (AWS ap-southeast-2).
5.2 Transfer Safeguards
Where personal data is transferred to a sub-processor located outside the European Economic Area (EEA) or a country without an adequate level of data protection:
- FileSafety ensures that Standard Contractual Clauses (SCCs) approved by the European Commission are in place
- Additional safeguards are implemented where required by applicable law (such as encryption and access controls)
5.3 Transfer Impact Assessment
FileSafety has assessed the laws and practices of the countries where sub-processors operate and determined that, together with the supplementary measures described in this DPA, they provide an adequate level of protection for personal data.
6. Audit Rights
6.1 Information and Reports
FileSafety will:
- Make available to the Customer all information necessary to demonstrate compliance with this DPA, including consent version tracking records
- Provide an annual summary audit report or independent security assessment (such as SOC 2 Type II, when available) upon request
6.2 On-site Audits
The Customer may conduct or commission an audit of FileSafety’s processing activities, subject to:
- At least 30 days’ written notice
- Reasonable scope and duration
- Confidentiality obligations regarding any information disclosed during the audit
- A maximum of one audit per 12-month period (unless required by a data protection authority)
6.3 Costs
Each party bears its own costs related to audits, unless the audit reveals material non-compliance by FileSafety.
7. Duration and Termination
7.1 Duration
This DPA remains in effect for the duration of the Customer’s use of the Service. The obligations in this DPA survive termination to the extent FileSafety continues to process personal data (for example, during the retention period).
7.2 Termination
This DPA terminates automatically when the Service agreement between the parties terminates and all personal data has been deleted or returned in accordance with Section 3.7.
8. Liability
The liability of each party under this DPA is subject to the limitations of liability set out in the Terms of Service.
9. Conflict
In the event of a conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters.
10. Contact
For questions about this DPA or to exercise any rights under it:
Techlyft Pty Ltd
Email: [email protected]
Website: filesafety.dev