Data Processing Agreement

Effective date: 2026-06-02

This Data Processing Agreement (“DPA”) forms part of the Terms of Service (the “Agreement”) between you and your organisation (“Customer”, the controller) and PK Digital (“Firepipe”, “we”, “us”, the processor) and reflects the parties' agreement on the processing of Customer Personal Data in connection with the Firepipe SFTP/FTPS gateway and dashboard (the “Service”). It is designed to meet the requirements of Article 28 of the UK GDPR and the EU GDPR. Where this DPA conflicts with the Agreement on the subject of data protection, this DPA prevails. A counter-signed copy is available on request to [email protected].

1. Definitions

“Data Protection Laws” means the UK GDPR, the EU GDPR (Regulation 2016/679), and the Data Protection Act 2018, as applicable. “Controller”, “Processor”, “Data Subject”, “Personal Data”, “Processing”, “Sub-processor”, and “Personal Data Breach” have the meanings given in those laws. “Customer Personal Data” means Personal Data we Process on the Customer's behalf under the Agreement, as described in Annex I.

2. Roles & scope

For Customer Personal Data, the Customer is the Controller and Firepipe is the Processor. Firepipe Processes Customer Personal Data only to provide the Service and only on the Customer's documented instructions — which comprise the Agreement, this DPA, the configuration the Customer sets in the dashboard, and the Customer's use of the Service — unless required by law (in which case we will inform the Customer first, where legally permitted).

Your file contents are out of scope of this DPA. Firepipe is a bring-your-own-bucket service: the files transferred through the Service remain in the Customer's own storage bucket, under the Customer's control, and are streamed — not stored — by the Service. We do not copy, retain, or take ownership of file contents. This DPA governs the operational Personal Data described in Annex I (e.g. SFTP usernames, access logs, the metadata index), not the contents of the Customer's objects.

Firepipe is an independent Controller for the limited Personal Data it Processes for its own purposes (account administration, billing, security, and product analytics); that Processing is described in our Privacy Policy, not this DPA.

3. Firepipe's obligations as processor

Firepipe shall:

  1. Instructions. Process Customer Personal Data only on the Customer's documented instructions, including with regard to international transfers, unless required by law; and inform the Customer if, in our opinion, an instruction infringes Data Protection Laws.
  2. Confidentiality. Ensure that persons authorised to Process Customer Personal Data are bound by confidentiality obligations and access it only as needed to provide the Service (least-privilege).
  3. Security. Implement and maintain the technical and organisational measures in Annex III, appropriate to the risk, as required by Article 32.
  4. Sub-processors. The Customer gives general authorisation for the Sub-processors listed in Annex II. We impose data-protection obligations on each Sub-processor no less protective than this DPA and remain liable for their performance. We will give the Customer at least 30 days' notice (by email or in the dashboard) before adding or replacing a Sub-processor, during which the Customer may object on reasonable data-protection grounds; if the parties cannot resolve the objection, the Customer may terminate the affected Service.
  5. Data-subject requests. Taking into account the nature of the Processing, assist the Customer by appropriate technical and organisational measures, insofar as possible, to respond to requests from Data Subjects exercising their rights.
  6. Breach notification. Notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Personal Data, with the information the Customer reasonably needs to meet its own obligations under Articles 33–34, and assist the Customer in responding.
  7. DPIAs. Provide reasonable assistance with data-protection impact assessments and prior consultations under Articles 35–36, taking into account the nature of the Processing and the information available to us.
  8. Deletion or return. On termination of the Service, and at the Customer's choice, delete or return Customer Personal Data we hold, and delete existing copies, within a reasonable period unless law requires retention. (Your file contents are unaffected — they never leave your bucket.) Account deletion cascades to delete the Customer's tenant data, and our identity provider's user record is deleted via a dedicated deletion routine.
  9. Audits. Make available the information reasonably necessary to demonstrate compliance with Article 28, and allow for and contribute to audits, including inspections, conducted by the Customer or a mandated auditor — on reasonable prior notice, no more than once per year (save where required by a supervisory authority or following a breach), subject to confidentiality and without compromising the security of other customers.

4. International transfers

The control plane (account data, configuration, logs, the metadata index) is hosted in the EU/UK. Where Processing by a Sub-processor involves a transfer of Personal Data outside the UK/EEA, that transfer is made under an appropriate safeguard — the UK International Data Transfer Agreement/Addendum or the EU Standard Contractual Clauses, as applicable — which are incorporated by reference. The Customer chooses the region of its own storage bucket.

5. Liability

Each party's liability under this DPA is subject to the limitations and exclusions of liability in the Agreement.

6. Term

This DPA takes effect when the Customer accepts the Agreement and continues until Firepipe has ceased all Processing of Customer Personal Data in accordance with section 3(8).

Annex I — Details of the processing

  • Subject matter & duration: Processing of Customer Personal Data for the purpose of providing the Service, for the duration of the Customer's account.
  • Nature & purpose: authenticating SFTP/FTPS connections, enforcing per-user access and quotas, brokering byte transfers between SFTP clients and the Customer's bucket, maintaining an optional metadata index for fast listings, metering usage, and keeping an audit trail.
  • Categories of Data Subjects: the Customer's authorised users and the end-users / counterparties who hold SFTP credentials the Customer issues (these are typically machine/service accounts, but may identify individuals).
  • Categories of Personal Data: SFTP usernames and authentication material (hashed passwords, SSH public keys); access-control configuration (path prefixes, IP allow/deny lists); audit and access logs (usernames, source IP addresses, object paths, byte counts, timestamps, operation type and outcome); the metadata index (file names, paths, sizes, timestamps — which may incidentally contain Personal Data in file names); and the Customer's bucket credentials, stored encrypted. Not included: the contents of the Customer's files (these remain in the Customer's bucket).
  • Special category data: none is intended to be Processed; the Customer must not configure usernames, paths, or file names so as to reveal special-category data.

Annex II — Authorised sub-processors

Sub-processor | Purpose | Location
Amazon Web Services | Gateway compute (S3 fleet), key management (KMS), cross-account access (STS) | EU/UK regions; Customer-selected for storage
Microsoft Azure | Gateway compute for connections to Azure Blob Storage buckets | EU (North Europe)
Google Cloud Platform | Gateway compute for connections to Google Cloud Storage buckets | EU (europe-west1)
Supabase | Authentication and control-plane database hosting | EU
Stripe | Billing and subscription management | EU/US (SCCs)
Google | Sign-in (OAuth) and, with consent, website analytics | EU/US (SCCs)
Customer's cloud storage provider | The Customer's own bucket (AWS S3, S3-compatible, Azure Blob, or Google Cloud Storage) that the Customer connects | Customer-controlled

Annex III — Technical & organisational measures

  • Encryption in transit: SFTP over SSH (SHA-2+ key exchange, AEAD ciphers); HTTPS for the dashboard and API.
  • Encryption at rest: the Customer's stored bucket credentials are sealed with AES-256-GCM envelope encryption under a KMS-managed key, decryptable only by the gateway (the control API holds no decrypt permission). SFTP passwords are stored as argon2id hashes.
  • Access control & tenant isolation: row-level security with per-request tenant scoping on the control database; the gateway resolves storage only for the authenticated tenant; per-user home-directory path jails; assumed-role sessions scoped to the single connected bucket; optional per-credential IP allow/deny rules.
  • Authentication: password (argon2id) or SSH public key for SFTP; the dashboard supports multi-factor authentication; an adaptive brute-force defender blocks abusive source IPs.
  • Credential lifecycle: live sessions are re-evaluated and terminated on credential revocation, downgrade, or tenant suspension; credential changes are picked up promptly; credential decryption is audit-logged.
  • Monitoring & logging: an audit log of connection and file operations and of console actions; alerting to the Customer on access-denied conditions and authentication anomalies.
  • Resilience: graceful connection draining on deploys; least-privilege service roles; segregation of the control plane and the data plane.
  • Deletion: account deletion cascades across the Customer's tenant data and the identity provider's user record.