Last updated: April 2026 | Version 1.0
This Data Processing Agreement ("DPA") forms part of the agreement between Creator Business OS Ltd and the Customer (as defined below). It governs the processing of personal data by Creator Business OS Ltd on behalf of the Customer in connection with the Filssi platform and services. This DPA is incorporated by reference into the Terms and Conditions. By using the Service, the Customer agrees to the terms of this DPA.
This Data Processing Agreement is entered into between:
| Role | Party | Details |
|---|---|---|
| Data Processor | Creator Business OS Ltd ("Processor", "we", "us") | A company registered in England and Wales under company number 17168418, with registered office at 18 Bordesley Road, Morden, London, SM4 5LR, United Kingdom. Operator of the Filssi platform. |
| Data Controller | The Customer ("Controller", "you") | The organisation or individual who has accepted the Filssi Terms and Conditions and uses the Service to process personal data of their own clients, customers, or employees. |
In this DPA, the following terms have the meanings set out below:
Creator Business OS Ltd will process Personal Data on behalf of the Customer only to the extent necessary to provide the Service in accordance with the Terms and Conditions and this DPA.
The processing is carried out for the purpose of providing the Filssi platform, which includes but is not limited to: accounting and financial management, payroll processing, invoicing and billing, CRM and client management, content scheduling, expense management, and AI-assisted features. Processing is performed only as instructed by the Customer through their use of the Service.
Depending on how the Customer uses the Service, Personal Data processed under this DPA may include:
Data Subjects may include the Customer's employees, contractors, clients, customers, vendors, and other third parties whose data the Customer enters into the Service.
Processing of Personal Data under this DPA continues for the duration of the Customer's subscription to the Service, and thereafter in accordance with Section 11 (Data Deletion and Export) and applicable legal retention obligations.
The Customer, as Data Controller, is responsible for:
Creator Business OS Ltd, as Data Processor, shall:
Process Personal Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by applicable law. Where required to process Personal Data by law, Creator Business OS Ltd shall inform the Customer before processing, unless prohibited by law.
Ensure that personnel authorised to process Personal Data are subject to appropriate confidentiality obligations. See Section 5 for further detail.
Implement appropriate technical and organisational measures to protect Personal Data against Security Incidents, in accordance with Article 32 of the UK GDPR. See Section 6 for further detail.
Engage Sub-Processors only in accordance with Section 7, ensuring equivalent data protection obligations are imposed on them by contract.
Assist the Customer in fulfilling their obligations to respond to Data Subject rights requests, taking into account the nature of the processing and the information available to Creator Business OS Ltd.
Assist the Customer in ensuring compliance with obligations under Articles 32–36 of the UK GDPR (security, breach notification, data protection impact assessments, and prior consultation), taking into account the nature of processing and information available to Creator Business OS Ltd.
Not use Personal Data processed under this DPA for any purpose other than performing the Service and fulfilling obligations under this DPA and the Terms. Personal Data is not sold, rented, or transferred to any third party for their own commercial purposes.
Creator Business OS Ltd ensures that all personnel with access to Personal Data processed under this DPA are subject to appropriate confidentiality obligations — whether by contract, statutory duty, or equivalent binding commitment. Access to Personal Data is limited to those personnel who require it to perform the Service.
These confidentiality obligations survive the termination of any individual's relationship with Creator Business OS Ltd and the termination of the Service.
Creator Business OS Ltd will not disclose any Personal Data to third parties except as permitted or required under this DPA, the Terms, or Applicable Data Protection Law.
Creator Business OS Ltd implements appropriate technical and organisational security measures designed to protect Personal Data against accidental or unlawful destruction, loss, alteration, unauthorised disclosure, or access. These measures include, but are not limited to:
No security measures can guarantee absolute protection. Creator Business OS Ltd cannot guarantee that Personal Data will never be compromised, but commits to implementing measures appropriate to the risks presented by the processing and the nature of the data.
Creator Business OS Ltd reviews and updates its security measures periodically, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of processing, as well as the risk of varying likelihood and severity to the rights and freedoms of Data Subjects.
The Customer grants Creator Business OS Ltd general written authorisation to engage the following Sub-Processors in connection with the delivery of the Service. Each Sub-Processor is subject to data processing obligations equivalent to those in this DPA.
| Sub-Processor | Purpose | Location |
|---|---|---|
| Neon (PostgreSQL) | Cloud database hosting. Stores all Customer and operational data. Data encrypted at rest and in transit. | United States (adequacy measures applied) |
| Stripe | Subscription payment processing and billing management. PCI DSS Level 1 certified. | United States (Standard Contractual Clauses) |
| Resend | Transactional email delivery (account notifications, invoices, billing, security alerts). | United States (Standard Contractual Clauses) |
| OCR.space | Optical character recognition for document scanning (receipts, invoices). Documents processed in real time; not permanently retained by this sub-processor. | United States |
| Mailgun | Inbound email processing for AP Email Capture feature. Email content passed through processing pipeline and discarded by Mailgun after processing. | United States (Standard Contractual Clauses) |
| OpenAI / AI model provider | Powers the AI Specialists feature (AI assistant, content generation, reporting insights, and automation suggestions). Data is processed only as required to provide AI functionality. Customer data is not used to train public AI models under our integration agreement. | United States (Standard Contractual Clauses) |
| Replit | Infrastructure and hosting platform. Acts as the infrastructure provider through which AI integrations are accessed. | United States (Standard Contractual Clauses) |
Creator Business OS Ltd may update or replace Sub-Processors from time to time as the Service evolves. Where such changes are material to the processing of Personal Data, Creator Business OS Ltd will provide the Customer with advance notice of the change (via email or in-platform notification) to allow the Customer a reasonable opportunity to object. Where the Customer objects and the objection cannot be resolved, the Customer may terminate the Service in accordance with the Terms.
An up-to-date list of Sub-Processors is available upon request to support@filssi.com.
Some of the Sub-Processors listed in Section 7 are located in countries outside the United Kingdom ("third countries"). Creator Business OS Ltd ensures that all transfers of Personal Data to third countries are made in accordance with Applicable Data Protection Law, using one or more of the following appropriate safeguards:
Creator Business OS Ltd will provide the Customer with information about the transfer mechanisms in place for specific Sub-Processors upon request.
In the event of a Security Incident affecting Personal Data processed under this DPA, Creator Business OS Ltd will notify the Customer (as Data Controller) without undue delay upon becoming aware of the Security Incident — and in any event within 72 hours where feasible. Notification will be made to the primary account email address on record.
The Security Incident notification will include, to the extent known at the time:
Where it is not possible to provide all information at the same time, the information may be provided in phases without undue further delay.
As Data Controller, the Customer is responsible for determining whether the Security Incident must be reported to the Information Commissioner's Office (ICO) and whether affected Data Subjects must be notified. Creator Business OS Ltd will provide reasonable assistance to the Customer in complying with these obligations.
In the event of a personal data breach affecting Creator Business OS Ltd's own processing as Data Controller (for example, a breach of account information or usage data), Creator Business OS Ltd will notify the ICO in accordance with Article 33 of the UK GDPR, and affected individuals in accordance with Article 34 where required.
Creator Business OS Ltd will provide reasonable assistance to the Customer in fulfilling the Customer's obligations to respond to requests from Data Subjects exercising their rights under Applicable Data Protection Law, including:
Taking into account the nature of processing, Creator Business OS Ltd will assist the Customer by implementing appropriate technical and organisational measures, insofar as possible, to enable the Customer to fulfil its obligations to respond to such requests.
Creator Business OS Ltd will promptly notify the Customer if it receives a request from a Data Subject that appears to relate to Personal Data processed on the Customer's behalf. Creator Business OS Ltd will not respond to such requests independently without the Customer's prior written authorisation, unless required to do so by applicable law.
During the term of the Customer's subscription, the Customer may export their data at any time using the export and reporting features available within the Service. Creator Business OS Ltd will provide reasonable assistance with data export requests upon request to support@filssi.com.
Upon termination or expiry of the Customer's subscription, Creator Business OS Ltd will delete or anonymise Personal Data processed under this DPA within a reasonable period, subject to any retention obligations under applicable law. The Customer may request confirmation of deletion.
Notwithstanding Section 11.2, certain Personal Data may be retained beyond the subscription period where Creator Business OS Ltd or the Customer is subject to a legal obligation to retain such data — for example, financial records retained for HMRC compliance purposes under UK tax legislation. In such cases, retained data will be processed only to the extent required by the applicable legal obligation, and will be deleted or anonymised when the retention period expires.
Retention periods may also be extended where required for dispute resolution, fraud prevention, regulatory enforcement, or legitimate business record-keeping purposes.
Creator Business OS Ltd will make available to the Customer all information reasonably necessary to demonstrate compliance with the obligations in this DPA and Applicable Data Protection Law.
The Customer may request written information from Creator Business OS Ltd regarding its data processing practices and security measures. Creator Business OS Ltd will respond to such requests within a reasonable time and at no cost for standard compliance enquiries.
Where the Customer has reasonable grounds to believe that Creator Business OS Ltd is not complying with this DPA, the Customer may request an audit of Creator Business OS Ltd's data processing activities. Such audits shall be conducted: (a) with reasonable prior written notice; (b) during normal business hours; (c) at the Customer's cost; (d) in a manner that does not unreasonably disrupt Creator Business OS Ltd's operations; and (e) no more than once per 12-month period, unless there are reasonable grounds to believe a Security Incident has occurred.
Creator Business OS Ltd will cooperate with requests from the ICO or other competent data protection authority in accordance with Applicable Data Protection Law, and will inform the Customer of any such requests where permitted by law.
This DPA is governed by and construed in accordance with the laws of England and Wales. Any disputes arising under or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of England and Wales.
This DPA shall be interpreted in a manner consistent with Applicable Data Protection Law. Where there is any conflict between this DPA and Applicable Data Protection Law, the requirements of Applicable Data Protection Law shall prevail.
This DPA is incorporated by reference into, and forms part of, the Filssi Terms and Conditions. By accepting the Terms and Conditions, the Customer agrees to this DPA. In the event of any conflict between this DPA and the Terms and Conditions with respect to the processing of Personal Data, this DPA shall prevail.
This DPA applies to all processing of Personal Data by Creator Business OS Ltd on behalf of the Customer in connection with the Service, including any processing performed by Sub-Processors.
Creator Business OS Ltd reserves the right to update this DPA from time to time to reflect changes in law, technology, or the Service. Material changes will be communicated to Customers in accordance with the notice provisions in the Terms and Conditions. Continued use of the Service following the effective date of an updated DPA constitutes the Customer's acceptance of the updated terms.
This DPA is intended to satisfy the requirements of Article 28 of the UK GDPR for a binding agreement between a Data Controller and Data Processor. For any questions regarding this DPA, please contact us at support@filssi.com.