Home
Legal

Data Processing Agreement

This DPA governs how Folio processes personal data on your behalf as a data processor, in accordance with GDPR and applicable data protection law.

1. Definitions

"Controller" means you — the accounting firm or professional who uses Folio to collect, manage, and store client data.

"Processor" means Folio — the platform that processes personal data on behalf of the Controller.

"Personal Data" means any information relating to an identified or identifiable natural person, including client names, email addresses, phone numbers, and the contents of uploaded documents.

"Sub-processor" means a third-party service provider engaged by Folio to process Personal Data on behalf of the Controller.

"Data Subject" means the individual to whom the Personal Data relates — typically your clients.

"Processing" means any operation performed on Personal Data, including collection, storage, retrieval, transmission, and deletion.

2. Scope and purpose of processing

This DPA applies to all Personal Data that Folio processes on your behalf when you use the Service. The purpose of processing is to provide the Folio platform — including client portal delivery, document collection, automated reminders, e-signatures, messaging, and invoicing.

The categories of Personal Data processed include:

  • Client identity data: names, email addresses, phone numbers.
  • Document data: files uploaded by clients through magic link portals.
  • Communication data: messages exchanged through the portal messaging feature.
  • Transaction data: invoice amounts, payment status (if invoicing is used).

3. Obligations of the Controller

As the Controller, you are responsible for:

  • Ensuring you have a lawful basis for collecting and processing your clients' Personal Data.
  • Informing your clients that their data will be processed through Folio.
  • Responding to data subject access requests from your clients, with our assistance as described below.
  • Ensuring the accuracy and relevance of Personal Data entered into the Service.

4. Obligations of the Processor

As the Processor, Folio shall:

  • Process Personal Data only on your documented instructions, unless required by law.
  • Ensure that persons authorised to process Personal Data are bound by confidentiality obligations.
  • Implement appropriate technical and organisational security measures (see Section 6).
  • Assist you in fulfilling your obligations to respond to data subject requests.
  • Delete or return all Personal Data upon termination of the agreement, at your election.
  • Make available all information necessary to demonstrate compliance and allow audits.

5. Sub-processors

Folio uses the following sub-processors to deliver the Service:

  • Cloudflare, Inc. — Infrastructure, content delivery, Workers compute, R2 object storage, D1 database. Data may be processed in EU, US, and other regions.
  • Polar — Subscription billing and payment processing for your Folio account.
  • Stripe, Inc. — Client payment processing (only if you enable the invoicing feature and connect your Stripe account).

We will notify you by email at least 14 days before engaging any new sub-processor. If you object to a new sub-processor, you may terminate the affected portion of the Service without penalty.

6. Security measures

Folio implements the following technical and organisational measures to protect Personal Data:

  • Encryption at rest: All stored data, including uploaded documents in Cloudflare R2, is encrypted at rest using AES-256.
  • Encryption in transit: All data transmitted between clients, your browser, and our infrastructure is encrypted using TLS 1.2 or higher.
  • Access control: Role-based access within workspaces (owner, admin, member). Client portal access is authenticated via time-limited magic links.
  • Infrastructure isolation: Each workspace's data is logically isolated at the application and database level.
  • Audit logging: Key actions (login, document access, permission changes) are logged with timestamps and user identifiers.
  • Vulnerability management: Regular dependency updates and security reviews of application code.

7. Data breach notification

In the event of a Personal Data breach, Folio shall:

  • Notify you without undue delay and in any event within 72 hours of becoming aware of the breach.
  • Provide the nature of the breach, the categories and approximate number of Data Subjects affected, the likely consequences, and the measures taken or proposed to address the breach.
  • Cooperate with you and provide such information as you reasonably require to fulfil your own breach notification obligations under GDPR Article 33.

8. Data subject rights

Folio will assist you in responding to requests from Data Subjects exercising their rights under GDPR, including the right of access, rectification, erasure, restriction of processing, data portability, and objection.

If Folio receives a request directly from a Data Subject, we will promptly redirect them to you (the Controller) unless legally required to respond directly.

9. International data transfers

Where Personal Data is transferred outside the European Economic Area, Folio ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs): We rely on the European Commission's Standard Contractual Clauses for transfers to sub-processors in third countries.
  • Adequacy decisions: Where applicable, transfers are made to countries that have received an adequacy decision from the European Commission.

Cloudflare, our primary infrastructure provider, maintains Data Processing Addenda incorporating SCCs for all applicable data flows.

10. Audit rights

You have the right to audit Folio's compliance with this DPA. Audits may be conducted:

  • By written request, no more than once per calendar year under normal circumstances.
  • At your expense, during normal business hours, with reasonable advance notice.
  • Through review of documentation, certifications, and third-party audit reports that Folio makes available.

Folio will cooperate with reasonable audit requests and provide access to relevant documentation and personnel.

11. Term and termination

This DPA takes effect when you first use the Service and remains in force for the duration of your use. Upon termination of your Folio subscription:

  • We will retain your data for 30 days to allow account recovery or data export.
  • After the 30-day retention period, all Personal Data will be permanently deleted from our systems and sub-processors, except where retention is required by applicable law.
  • We will provide written confirmation of deletion upon request.

12. Contact

For questions about this DPA or to exercise any rights described herein, contact us at privacy@getfolio.pages.dev.

FAQ

Common questions

Is Folio a data controller or a data processor?

Folio acts as a data processor when handling client data you enter into the platform. You (the accounting firm) are the data controller. Folio is the data controller only for your own account data (name, email, billing).

Where does Folio store my clients' data?

Client data and uploaded documents are stored on Cloudflare's global infrastructure, including R2 object storage and D1 databases. All data is encrypted at rest and in transit. Transfers outside the EEA are covered by Standard Contractual Clauses.

Does Folio use sub-processors?

Yes. Folio uses Cloudflare (infrastructure and storage), Polar (subscription billing), and Stripe (client payment processing, only if you enable invoicing). We maintain a current list of sub-processors and notify you before adding new ones.

How does Folio handle data breach notifications?

We notify affected customers within 72 hours of confirming a personal data breach, consistent with GDPR Article 33 requirements. Our notification includes the nature of the breach, likely consequences, and measures taken.

Can I request deletion of all my data?

Yes. You can request complete data deletion at any time by contacting privacy@getfolio.pages.dev. We will delete all account data, client records, and uploaded documents within 30 days, except where retention is required by law.