This Data Processing Agreement (“DPA”) is entered into between:
The Customer: The legal entity subscribing to AIO Fileflow Team or Business plans (the “Controller”).
The Provider: Rawyal, a company incorporated in India, with its registered office in Jaipur, Rajasthan (the “Processor”).
1.1. This DPA is supplemental to the AIO Fileflow Terms of Service. In the event of a conflict, this DPA shall take precedence regarding the processing of Personal Data.
1.2. Definitions such as “Personal Data,” “Processing,” and “Data Subject” shall be interpreted in accordance with the EU GDPR and the Indian Digital Personal Data Protection (DPDP) Act.
2.1. Purpose: The Processor shall process Personal Data solely to provide PDF editing, conversion, compression, and electronic signature services (the “Services”).
Content of uploaded documents (User Files).
Signatory metadata (emails, IP addresses, timestamps, and digital signatures).
Customers, employees, suppliers, and business partners of the Controller whose data is contained within uploaded files.
3.1. Instructions: The Processor shall process data only on documented instructions from the Controller.
3.2. Confidentiality: The Processor ensures that all personnel authorized to process Personal Data are committed to strict confidentiality.
3.3. Security: The Processor shall implement the Technical and Organizational Measures (TOMs) outlined in Annex 1.
3.4. Data Subject Rights: The Processor will provide reasonable assistance to the Controller in responding to requests from individuals exercising their rights (access, erasure, or correction).
4.1. The Controller grants a general authorization to the Processor to engage sub-processors (e.g., AWS for hosting, Stripe for payments).
4.2. Notification: The Processor shall notify the Controller of any changes to sub-processors. The Controller has 14 days to object based on reasonable data protection grounds.
4.3. Liability: The Processor remains fully liable for the performance of the sub-processor’s data protection obligations.
5.1. The Processor shall provide the Controller with all information necessary to demonstrate compliance.
5.2. If the Controller has reasonable doubts, they may conduct an audit or appoint an independent auditor. Such audits must be scheduled 14 days in advance and performed during normal business hours.
6.1. Upon termination of the Services, the Processor shall delete all Personal Data and existing copies, unless local law (such as Indian tax or signature laws) requires further retention.
AIO Fileflow has implemented the following measures to ensure data integrity and confidentiality:
Physical: Our data centers (AWS/Hetzner) use biometric barriers, 24/7 video surveillance, and electronic intrusion detection.
Electronic: We enforce a Strong Password Policy and Two-Factor Authentication (2FA) for all internal access to critical systems.
Principle of Least Privilege: Employees only have access to the data strictly necessary for their specific role.
In Transit: All data moving between the user and our servers is encrypted using TLS (HTTPS).
At Rest: Critical system data is stored with encrypted disk storage.
Automatic Purge: User Files are purged from our processing servers within 1–2 hours by default, ensuring data does not linger.
Backups: Regular encrypted backups are maintained to restore service in the event of a system failure.
Incident Response: We maintain an internal Security Incident Response Plan to identify and mitigate potential threats immediately.
DPO: We have a designated Data Protection Officer overseeing our privacy framework.
Impact Assessments: We conduct internal privacy assessments for any new high-risk AI or data processing features.