01 Background & scope
This Data Processing Agreement (the "DPA") forms part of the Terms of Service between you (the "Customer") and File.Business, Inc. (the "Processor") and applies whenever File.Business processes Customer Personal Data on behalf of Customer. It is intended to satisfy the requirements of Article 28 of the EU GDPR, the UK-GDPR, the Swiss FADP, the CCPA/CPRA service provider provisions, and equivalent laws.
Customers on Growth and Enterprise plans accept this DPA automatically. Starter customers may execute the DPA on request.
02 Definitions
Capitalized terms have the meanings given in the GDPR or, where the GDPR is not applicable, in the corresponding local law. "Customer Personal Data" means Personal Data processed by File.Business on Customer's behalf. "Subprocessor" means any third party engaged by File.Business to process Customer Personal Data.
03 Roles & responsibilities
Customer is the Controller. File.Business is the Processor. Each party will comply with its respective obligations under Applicable Data Protection Law.
04 Processing details
Subject matter: provision of the Services as described in the Terms.
Duration: for as long as Customer has an active account, plus the retention period set in the Privacy Policy.
Nature and purpose: to perform the Services, including formation, compliance, communications, HR, finance, and storage.
Types of data: identifiers, customer records, professional/employment data, financial data, electronic communications, and (where Customer provides) sensitive data.
Categories of data subjects: Customer's employees, contractors, vendors, customers, and end-users.
05 Processor obligations
File.Business will:
- Process Customer Personal Data only on documented instructions from Customer, including with regard to transfers to a third country
- Ensure that personnel authorized to process the data have committed to confidentiality
- Take all measures required by Article 32 GDPR (security; see Security Policy)
- Respect Subprocessor conditions (Section 7)
- Assist Customer with data-subject rights requests
- Assist Customer with security incident notification, DPIA, and prior consultation obligations
- Delete or return Customer Personal Data on termination, subject to legal retention requirements
- Make available to Customer all information necessary to demonstrate compliance and allow for audits
06 Security incidents
File.Business will notify Customer without undue delay (and in any event within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Personal Data. Notification includes the nature of the breach, categories and approximate number of affected data subjects and records, likely consequences, and measures taken or proposed.
07 Subprocessors
Customer authorizes File.Business to engage the Subprocessors listed at subprocessors.html. File.Business will:
- Impose contractual data-protection obligations on each Subprocessor that are no less protective than this DPA
- Remain liable for the acts and omissions of Subprocessors
- Provide at least 30 days' notice of new Subprocessors via the Subprocessor page
- Allow Customer to object to a new Subprocessor in writing within 30 days; the parties will work in good faith to find a resolution, failing which Customer may terminate the affected Services and receive a pro-rata refund
08 International transfers
For transfers from the EEA, UK, or Switzerland to countries that do not provide an adequate level of protection, the parties enter into and incorporate by reference the European Commission Standard Contractual Clauses (Module 2: Controller-to-Processor) with the following selections: Clause 7 (docking) optional; Clause 11(a) optional; Clause 17 governing law: Republic of Ireland; Clause 18 forum: courts of Ireland. The UK International Data Transfer Addendum and the Swiss FADP equivalents apply mutatis mutandis to UK and Swiss transfers.
09 Audit
Customer has the right to audit File.Business's compliance with this DPA at its own expense, no more than once per year (unless required by a regulator). Audits will be conducted under reasonable notice, during business hours, and subject to confidentiality. File.Business may satisfy the audit obligation by providing its current SOC 2 Type II report, ISO 27001 certificate, or equivalent.
10 Return & deletion
At Customer's choice, on termination File.Business will delete or return all Customer Personal Data and delete existing copies, except as required by law. Deletion will be completed within 30 days unless a longer period applies under law.
11 Liability
The liability provisions of the Terms of Service apply to this DPA. Nothing in this DPA limits any liability that cannot be limited under Applicable Data Protection Law.
Contact our legal team
Questions about this policy go to legal@file.business. Privacy or data requests go to privacy@file.business. Postal mail: File.Business, Inc., 101 N Monroe St, Suite 800, Tallahassee, FL 32301, USA.