Data Processing Agreement.

Provided by Funerals & Tech Limited. This agreement applies where you use Fyldit in a business or organisational capacity and we process personal data on your behalf.

This Data Processing Agreement applies where you use Fyldit in a business or organisational capacity and we process personal data on your behalf. It forms part of the agreement between you and Funerals & Tech Limited and should be read alongside our Terms & Conditions, Privacy Policy, Security Overview, Cookie Policy and Pricing & Refund Policy at fyldit.com/legal.

1. Introduction

This Data Processing Agreement (“DPA”) forms part of the agreement between Funerals & Tech Limited (“Processor”, “we”, “us”) and the user of Fyldit (“Controller”, “you”) for the processing of personal data in connection with the service.

It applies only where you use Fyldit in a business or organisational capacity and we process personal data on your behalf. For consumer use, our Privacy Policy applies instead.

2. Definitions

TermMeaning
Personal DataAny information relating to an identified or identifiable natural person.
ProcessingAny operation performed on personal data (collection, storage, retrieval, erasure, and so on).
Sub-processorA third party engaged by us to process personal data on your behalf.
Data SubjectAn individual whose personal data is processed.
Applicable Data Protection LawAll applicable laws relating to personal data, including UAE Federal Decree-Law No. 45 of 2021 (PDPL), the DIFC Data Protection Law, GDPR and UK GDPR.

3. Scope and Purpose of Processing

We process personal data solely to provide Fyldit as described in our Terms and Conditions, covering:

  • Account management — registration, authentication and profile data.
  • Vault storage — encrypted file storage and retrieval.
  • Communications — transactional emails such as password resets, reminders and notifications.
  • Billing — payment processing and subscription management.
  • Security — audit logging, fraud detection and access control.
  • Feature delivery — sharing, Vault Recovery, Unlock on Death and Unlock on Incapacity.

4. Our Obligations as Processor

We will:

  • Process personal data only on your documented instructions and as necessary to provide Fyldit.
  • Ensure that persons authorised to process personal data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational measures to protect personal data (see our Security Overview).
  • Engage sub-processors only with prior notification and subject to equivalent data-protection obligations.
  • Assist you in responding to data-subject rights requests.
  • Assist you with data-protection impact assessments and prior consultations with supervisory authorities, where required.
  • Delete or return all personal data on termination, at your choice, unless retention is required by law.
  • Make available the information necessary to demonstrate compliance and allow for audits.

5. Your Obligations as Controller

You will:

  • Ensure you have a lawful basis for the processing of personal data.
  • Provide us with clear instructions regarding the processing.
  • Ensure that data subjects are informed about the processing in accordance with applicable law.
  • Notify us promptly of any data-subject rights requests that require our assistance.

6. Sub-processors

We use the following sub-processors. Further detail on their role and security is set out in our Security Overview.

Sub-processorServiceData processedLocation
Amazon Web ServicesCloud infrastructure — file storage, database, email deliveryEncrypted vault data, account data, email deliverySweden (customer data). India and USA used for testing/UAT only — no customer data.
StripePayment processingEmail, billing details, subscription dataUSA / EU (with SCCs)
GoogleOAuth authentication (optional)Email, Google account ID, OAuth tokensUSA / EU (with SCCs)
MicrosoftClarity analytics (with consent)Anonymised session data, device infoPer Microsoft’s terms

We will notify you of any intended changes to the list of sub-processors and give you the opportunity to object. If you have a reasonable objection, we will work with you to find an alternative or you may terminate the affected part of the service.

7. Security Measures

We protect personal data using a zero-knowledge encryption model and a layered set of technical and organisational controls. In summary, vault content is encrypted on the user’s device before upload, encryption keys are never sent to our servers, data is encrypted both in transit and at rest, access to live systems is restricted to authorised personnel, security-relevant actions are audit-logged, and we operate incident response procedures.

A plain-English summary of our security — encryption, authentication, hosting, audit logging and certifications — is set out in our Security Overview at fyldit.com/legal. We do not repeat it here to keep this DPA concise.

8. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and in any case within 72 hours of becoming aware, with details of the breach, its likely consequences and the measures taken or proposed. We will cooperate with you and provide the information needed for any notification to supervisory authorities or data subjects.

9. International Transfers

Your encrypted data is hosted with Amazon Web Services exclusively in Sweden. We also operate testing and User Acceptance Testing (UAT) environments in India and the United States respectively, but these never hold customer data or documents. Funerals & Tech Limited, which operates Fyldit, remains incorporated in and operated from the Dubai International Financial Centre (DIFC) in the United Arab Emirates.

Because personal data may be processed in more than one country, we apply appropriate transfer safeguards, which may include Standard Contractual Clauses (SCCs), the UK International Data Transfer Agreement or Addendum, DIFC Standard Contractual Clauses, and equivalent safeguards recognised under applicable data-protection law.

10. Data Subject Rights

We assist you with requests from data subjects to exercise their rights of access, rectification, erasure, restriction, portability and objection.

Because vault content is zero-knowledge encrypted, we cannot provide readable copies of encrypted data. Data subjects can export their own data directly through Fyldit.

11. Term and Termination

This DPA remains in effect for the duration of our processing of personal data on your behalf. On termination, you may download your data within 30 days. After that period we will delete personal data unless retention is required by law. Certain records, such as invoices and security logs, may be retained as described in our Privacy Policy.

12. Governing Law

This DPA is governed by the laws of the United Arab Emirates, without prejudice to mandatory data-protection laws that may apply in your jurisdiction.

13. Contact

Query typeContact
Privacy and data protectionprivacy@fyldit.com
Legal and compliancelegal@fyldit.com