Data Processing Agreement (DPA)
Last updated: February 17, 2026
1. Introduction
This Data Processing Agreement ("DPA") forms part of the Agreement between FileChute ("Processor") and the customer ("Controller") for the processing of personal data in connection with the FileChute service.
This DPA is designed to ensure compliance with applicable data protection laws, including the EU General Data Protection Regulation (GDPR), UK GDPR, and other relevant privacy legislation.
2. Definitions
- Personal Data means any information relating to an identified or identifiable natural person processed through the Service.
- Processing means any operation performed on Personal Data, including collection, storage, retrieval, and deletion.
- Sub-processor means a third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Scope of Processing
FileChute processes Personal Data solely for the purpose of providing the file collection service, including:
- Storing uploaded files on behalf of the Controller
- Sending email notifications and reminders to recipients
- Maintaining audit logs of file request activity
- Generating analytics and reports for the Controller
4. Data Security Measures
FileChute implements appropriate technical and organizational measures to protect Personal Data, including:
- Encryption in transit (TLS 1.2+) and at rest (AES-256)
- Row-level security (RLS) for strict tenant isolation
- Signed URL access patterns — files are never publicly accessible
- Two-factor authentication (TOTP) for account security
- Rate limiting on all public endpoints
- Regular security monitoring and incident response procedures
5. Sub-processors
FileChute uses the following sub-processors to deliver the service:
| Provider | Purpose | Location |
|---|---|---|
| Supabase | Database, authentication, file storage | US / EU (configurable) |
| Vercel | Application hosting and edge network | Global |
| Resend | Transactional email delivery | US |
| Stripe | Payment processing | US |
The Controller will be notified of any changes to sub-processors with at least 30 days' notice.
6. Data Subject Rights
FileChute will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability) through available product features including data export and account deletion capabilities.
7. Data Retention and Deletion
Personal Data is retained for the duration of the service agreement. Upon termination or request, FileChute will delete all Personal Data within 30 days, subject to any legal retention obligations.
8. Breach Notification
In the event of a Personal Data breach, FileChute will notify the Controller without undue delay and no later than 72 hours after becoming aware of the breach, providing all available details about the nature and scope of the incident.
9. Contact
To request a signed copy of this DPA or for data protection inquiries, contact us at privacy@filechute.com.