Data Processing Agreement
Last updated: March 6, 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between DIZZUS GmbH ("Processor", "we") and the customer ("Controller", "you") using ConvertFly.io ("Service"). This DPA governs the processing of personal data by the Processor on behalf of the Controller in compliance with the Swiss Federal Act on Data Protection (nFADP/nLPD) and, where applicable, the EU General Data Protection Regulation (GDPR).
1. Definitions
- Personal Data: Any data relating to an identified or identifiable natural person, as defined by Art. 5 nFADP and Art. 4(1) GDPR.
- Processing: Any operation performed on personal data (collection, storage, use, transfer, deletion).
- Sub-processor: A third party engaged by the Processor to process personal data on behalf of the Controller.
2. Scope & Purpose
The Processor processes personal data solely for the purpose of providing the file conversion Service as described in the Terms of Service. Processing includes:
- Receiving and temporarily storing files uploaded by the Controller or their end users;
- Converting files between formats using automated processing engines;
- Temporarily storing conversion outputs for download;
- Maintaining conversion logs (metadata only, no file content).
3. Types of Personal Data
Files submitted for conversion may contain personal data. The categories depend on the Controller's use case and may include:
- Names, contact details, identification numbers;
- Financial data in spreadsheets or documents;
- Images containing faces or personal information;
- Any other personal data contained in uploaded files.
The Processor does not access, read, or analyze the content of files — processing is fully automated.
4. Obligations of the Processor
The Processor shall:
- Process personal data only on documented instructions from the Controller (i.e., performing the requested conversion);
- Ensure that persons authorized to process personal data are bound by confidentiality;
- Implement appropriate technical and organizational security measures (see Section 7);
- Engage sub-processors only with the Controller's authorization (see Section 6);
- Assist the Controller in responding to data subject requests;
- Delete all personal data upon termination of the Service, unless retention is required by law;
- Make available all information necessary to demonstrate compliance and allow for audits.
5. Obligations of the Controller
The Controller shall:
- Ensure it has a lawful basis for processing personal data through the Service;
- Provide any necessary notices to data subjects about the use of the Service;
- Ensure that files submitted do not contain special category data (Art. 9 GDPR) unless appropriate safeguards are in place.
6. Sub-processors
The Controller provides general authorization for the Processor to engage the following sub-processors. The Processor will notify the Controller of any changes to sub-processors at least 30 days in advance.
| Sub-processor | Purpose | Location |
|---|---|---|
| Amazon Web Services | File storage (S3, eu-central-1) | EU (Frankfurt) |
| Vercel | Application hosting & API | USA |
| Railway | Database hosting | USA |
| Cloudflare | CDN & secure tunnel | Global |
| Clerk | Authentication | USA |
| Stripe | Payment processing | USA |
For transfers outside Switzerland/EEA, the Processor ensures appropriate safeguards are in place (Standard Contractual Clauses or adequacy decisions).
7. Security Measures
The Processor implements the following technical and organizational measures:
- Encryption in transit: All communications use TLS 1.2+;
- Encryption at rest: Files stored with S3 Server-Side Encryption (SSE-S3);
- Access control: API key authentication, Clerk session management, role-based access;
- Worker security: HMAC-SHA256 signed requests between API and conversion workers;
- Data minimization: Import files deleted immediately after conversion; output files deleted after 24 hours;
- Monitoring: Error tracking via Sentry; automated health checks;
- Network security: Cloudflare Tunnel for worker isolation; Vercel edge network with DDoS protection.
8. Data Breach Notification
The Processor shall notify the Controller without undue delay (and in any event within 72 hours) after becoming aware of a personal data breach. The notification shall include the nature of the breach, categories and approximate number of data subjects affected, likely consequences, and measures taken to address the breach.
9. Data Subject Requests
The Processor shall promptly assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, objection). Given the automated and temporary nature of file processing, most data subject requests are satisfied automatically by the 24-hour file deletion policy.
10. Audits
The Controller may audit the Processor's compliance with this DPA. Audits shall be conducted with reasonable notice (at least 30 days) and during normal business hours. The Processor may charge reasonable fees for audit support beyond standard documentation.
11. Duration & Termination
This DPA is effective for the duration of the Service agreement. Upon termination, the Processor shall delete all personal data within 30 days, unless retention is required by Swiss or EU law. The Processor will provide written confirmation of deletion upon request.
12. Governing Law
This DPA is governed by the laws of Switzerland. The courts of Zug, Switzerland, shall have exclusive jurisdiction, unless mandatory law provides otherwise.
13. Contact
For DPA-related inquiries:
DIZZUS GmbH
Zug, Switzerland
Email: dpa@convertfly.io