Data Processing Agreement

Last updated: March 10, 2026

1. Scope & Purpose

This Data Processing Agreement ("DPA") supplements the Terms of Service between you ("Data Controller") and Streamline Group s.r.o. ("Data Processor"), operating the Festich platform.

This DPA governs the processing of personal data that you submit to Festich for document parsing services, in compliance with the General Data Protection Regulation (EU) 2016/679 ("GDPR").

2. Definitions

Terms used in this DPA have the meanings given to them in the GDPR. "Processing" refers to any operation performed on personal data, including extraction, structuring, and transmission of document contents via the Festich API.

3. Data Processing Details

  • Subject matter: Document parsing and data extraction via API.
  • Duration: For the term of your Service agreement.
  • Nature: Automated processing — OCR, text extraction, table detection.
  • Categories of data: Any personal data contained within uploaded documents.
  • Data subjects: Individuals whose personal data appears in processed documents.

4. Processor Obligations

As Data Processor, we shall:

  • Process personal data only on your documented instructions.
  • Ensure that persons authorized to process data are bound by confidentiality.
  • Implement appropriate technical and organizational security measures.
  • Not engage sub-processors without your prior written consent.
  • Assist you in responding to data subject rights requests.
  • Delete or return all personal data at the end of the service, at your choice.
  • Make available all information necessary to demonstrate compliance.

5. Security Measures

We implement the following security measures:

  • TLS 1.3 encryption for all data in transit.
  • AES-256 encryption for data at rest.
  • Ephemeral document processing — files are not persisted after extraction.
  • Access controls and audit logging for all infrastructure.
  • Regular security assessments and vulnerability scanning.
  • EU-based data processing infrastructure.

6. Sub-processors

We currently use the following sub-processors:

  • Hetzner Online GmbH — Infrastructure hosting (Germany).
  • Convex, Inc. — Database and backend services (EU West).
  • Stripe, Inc. — Payment processing (EU/US, Privacy Shield).
  • Vercel, Inc. — Frontend hosting and CDN.

We will notify you of any intended changes to sub-processors and give you the opportunity to object.

7. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay and no later than 48 hours after becoming aware of the breach. The notification will include the nature of the breach, categories and approximate number of data subjects affected, and measures taken to address the breach.

8. International Transfers

We process data primarily within the European Economic Area. Where transfers outside the EEA are necessary (e.g., for sub-processors), we ensure appropriate safeguards are in place, including Standard Contractual Clauses approved by the European Commission.

9. Contact

For DPA-related inquiries, contact privacy@festich.dev.

Streamline Group s.r.o.
Prague, Czech Republic