Data Processing Agreement

Last updated: January 2026

This Data Processing Agreement ("DPA") forms part of the Terms of Service between ConvertAllFile.com ("Processor") and the user ("Controller"). This agreement ensures compliance with data protection laws including GDPR, CCPA, and other applicable regulations.

1. Definitions

Controller:

The natural or legal person, public authority, agency, or other body which, alone or jointly with others, determines the purposes and means of the processing of personal data.

Processor:

ConvertAllFile.com, the entity that processes personal data on behalf of the Controller.

Personal Data:

Any information relating to an identified or identifiable natural person, including but not limited to names, email addresses, IP addresses, and usage data.

Processing:

Any operation or set of operations which is performed on personal data, whether or not by automated means, such as collection, recording, organization, structuring, storage, adaptation, or alteration.

2. Scope and Purpose of Processing

The Processor shall process Personal Data only for the following purposes:

Providing file conversion services as requested by the Controller
Maintaining and improving the quality of our services
Ensuring security and preventing fraud
Complying with legal obligations and regulatory requirements
Communicating with users regarding their use of the Service

The Processor shall not process Personal Data for any other purposes without the prior written consent of the Controller.

3. Categories of Data Subjects

The Personal Data processed under this Agreement concerns the following categories of data subjects:

End-users of the Service who upload files for conversion
Individuals who contact our support team
Website visitors and users who interact with our platform
Subscribers to our newsletters and communications

4. Types of Personal Data Processed

The Processor may process the following categories of Personal Data:

Technical Data

• IP addresses
• Browser type and version
• Operating system
• Device identifiers
• Session cookies

Contact Data

• Email addresses
• Names (if provided)
• Support inquiry content
• Communication preferences

Usage Data

• Pages visited
• Time spent on site
• Conversion history
• Feature usage patterns

File Metadata

• File names
• File sizes
• File formats
• Upload timestamps

5. Processor Obligations

5.1 Confidentiality

The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

5.2 Security Measures

The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

Encryption of data in transit (TLS 1.3)
Secure server infrastructure with restricted access
Regular security assessments and penetration testing
Access controls and authentication mechanisms
Regular staff training on data protection

5.3 Data Minimization

The Processor shall only process Personal Data that is necessary for the specific purposes outlined in this Agreement. Uploaded files are automatically deleted within 1 hour or immediately after conversion.

5.4 Subprocessors

The Processor may engage subprocessors to assist in providing the Service. A current list of subprocessors is available upon request. The Processor shall ensure that any subprocessor is bound by data protection obligations that are at least as protective as those in this Agreement.

6. Data Subject Rights

The Processor shall assist the Controller in responding to requests from data subjects exercising their rights under applicable data protection laws, including:

Right to access Personal Data
Right to rectification of inaccurate data
Right to erasure ("right to be forgotten")
Right to restriction of processing
Right to data portability
Right to object to processing
Rights related to automated decision-making and profiling

7. International Data Transfers

The Processor may transfer Personal Data to countries outside the European Economic Area (EEA) only when appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) approved by the European Commission, or when the recipient country has been deemed to provide an adequate level of protection by the European Commission.

8. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a Personal Data breach. Such notification shall include details about the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken or proposed to address the breach.

9. Data Retention and Deletion

The Processor shall retain Personal Data only for as long as necessary to fulfill the purposes outlined in this Agreement:

Uploaded files: Automatically deleted within 1 hour or immediately after conversion
Session data: Deleted upon session completion or expiration
Usage logs: Retained for up to 90 days for security and analytical purposes
Account data: Retained until account deletion request

Upon termination of services or upon request, the Processor shall delete or return all Personal Data to the Controller and delete existing copies unless storage is required by applicable law.

10. Audit and Compliance

The Processor shall make available to the Controller all information necessary to demonstrate compliance with this Agreement and applicable data protection laws. The Controller may conduct audits or inspections to verify compliance, provided that reasonable notice is given and the audit does not disrupt the Processor's operations.

11. Compliance Certifications

GDPR Compliant

Full compliance with EU data protection regulations

CCPA Ready

California Consumer Privacy Act compliance

SOC 2 Type II

Security and availability controls certified

12. Term and Termination

This Agreement shall remain in effect as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of services, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless Union or Member State law requires storage of the Personal Data.

13. Governing Law

This Agreement shall be governed by and construed in accordance with the laws of the State of California, United States, without giving effect to any choice or conflict of law provision or rule. Any legal suit, action, or proceeding arising out of or related to this Agreement shall be instituted exclusively in the federal or state courts located in San Francisco County, California.

14. Contact Information

For any questions regarding this Data Processing Agreement or to exercise your data protection rights, please contact our Data Protection Officer:

ConvertAllFile.com - Data Protection Officer

Email: dpo@convertallfile.com

Address: 123 Tech Street, Suite 456, San Francisco, CA 94102

Response Time: Within 48 hours

Need a Signed DPA?

If you require a signed Data Processing Agreement for your organization's compliance needs, our legal team can provide a customized agreement.

Conversion studio

Preparing your workspace

Aligning formats, queueing files, and warming up the premium conversion stack.