Data Processing Agreement
Last updated: June 30, 2026
This Data Processing Agreement ("DPA") forms part of the agreement between you ("Customer", the data controller) and Cyrus Group Kft.("Filly AI", the data processor) for use of the Filly AI service (the "Service"). It governs the processing of personal data Customer submits to the Service, in accordance with Regulation (EU) 2016/679 ("GDPR"). Where Customer requires a countersigned copy, contact support@getfilly.app.
1. Roles
Customer is the controller and Filly AI is the processor of the personal data Customer uploads or enters into the Service ("Customer Data"). For account and billing data, Filly AI acts as an independent controller as described in our Privacy Policy.
2. Subject matter, duration, nature and purpose
Filly AI processes Customer Data to provide the Service — extracting fields from documents, auto-filling forms, generating documents, enabling sharing and e-signatures, and related support — for the duration of the agreement.
3. Categories of data and data subjects
Data subjects: Customer's clients, signatories, and other individuals whose details Customer includes. Data: names, contact details, addresses, dates of birth, document contents, and identifiers Customer chooses to provide (e.g. tax/ID numbers). Customer must not submit special-category data (Art. 9 GDPR) without a valid lawful basis.
4. Processor obligations
- Process Customer Data only on Customer's documented instructions (including via use of the Service), unless required by law.
- Ensure persons authorized to process the data are bound by confidentiality.
- Implement appropriate technical and organizational security measures (Art. 32) — encryption in transit and at rest, account-level isolation via row-level security, and server-only access to privileged credentials.
- Assist Customer, taking into account the nature of processing, in responding to data-subject requests and in meeting obligations under Articles 32–36.
- Make available information necessary to demonstrate compliance and allow for reasonable audits.
5. Sub-processors
Customer provides general authorization for Filly AI to engage the sub-processors listed on our security page and Privacy Policy (currently Supabase, Vercel, Anthropic, Stripe, Resend, and Sentry), each bound by data-protection terms consistent with this DPA. We will give notice of intended changes and Customer may object on reasonable data-protection grounds.
6. Personal data breach
Filly AI will notify Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and provide information reasonably required for Customer to meet its notification obligations.
7. Deletion and return
On termination, or on Customer's request, Filly AI will delete or return Customer Data and delete existing copies, save where storage is required by law. Customer can delete its data at any time in-app, including a full account deletion that erases all associated data.
8. International transfers
Where Customer Data is transferred outside the EEA (e.g. to US-based sub-processors), such transfers are made under appropriate safeguards, including the European Commission's Standard Contractual Clauses, which are incorporated by reference.
9. General
In case of conflict between this DPA and the main agreement regarding processing of Customer Data, this DPA prevails. This DPA is a standard template; for a negotiated or signed version, contact support@getfilly.app.