Data Processing Agreement

Last updated: June 30, 2026

This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", the data controller) and Cyrus Group Kft.("Filly AI", the data processor) for use of the Filly AI service (the "Service"). It governs the processing of personal data Customer submits to the Service, in accordance with Regulation (EU) 2016/679 ("GDPR"). Where Customer requires a countersigned copy, contact support@getfilly.app.

1. Roles

Customer is the controller and Filly AI is the processor of the personal data Customer uploads or enters into the Service ("Customer Data"). For account and billing data, Filly AI acts as an independent controller as described in our Privacy Policy.

2. Subject matter, duration, nature and purpose

Filly AI processes Customer Data to provide the Service — extracting fields from documents, auto-filling forms, generating documents, enabling sharing and e-signatures, and related support — for the duration of the agreement.

3. Categories of data and data subjects

Data subjects: Customer's clients, signatories, and other individuals whose details Customer includes. Data: names, contact details, addresses, dates of birth, document contents, and identifiers Customer chooses to provide (e.g. tax/ID numbers). Customer must not submit special-category data (Art. 9 GDPR) without a valid lawful basis.

4. Processor obligations

  • Process Customer Data only on Customer's documented instructions (including via use of the Service), unless required by law.
  • Ensure persons authorized to process the data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures (Art. 32) — encryption in transit and at rest, account-level isolation via row-level security, and server-only access to privileged credentials.
  • Assist Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting obligations under Articles 32–36.
  • Make available information necessary to demonstrate compliance and allow for reasonable audits.

5. Sub-processors

Customer provides general authorization for Filly AI to engage the sub-processors listed on our security page and Privacy Policy (currently Supabase, Vercel, Anthropic, Stripe, Resend, and Sentry), each bound by data-protection terms consistent with this DPA. We will give notice of intended changes and Customer may object on reasonable data-protection grounds.

6. Personal data breach

Filly AI will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and provide information reasonably required for Customer to meet its notification obligations.

7. Deletion and return

On termination, or on Customer's request, Filly AI will delete or return Customer Data and delete existing copies, save where storage is required by law. Customer can delete its data at any time in-app, including a full account deletion that erases all associated data.

8. International transfers

Where Customer Data is transferred outside the EEA (e.g. to US-based sub-processors), such transfers are made under appropriate safeguards, including the European Commission's Standard Contractual Clauses, which are incorporated by reference.

9. General

In case of conflict between this DPA and the main agreement regarding processing of Customer Data, this DPA prevails. This DPA is a standard template; for a negotiated or signed version, contact support@getfilly.app.

We use optional analytics and advertising-measurement cookies to understand product usage and see which ads bring people to Filly. You can accept them, or continue with essential-only. Privacy policy.