DDossierCFOby Focus Digital
ITENSign inSign up

Public legal

Data Processing Addendum

DPA summary for controlled DossierCFO access.

Data Processing Addendum

Last updated: 9 June 2026. Effective date: 9 June 2026.

This page is a DPA summary for controlled DossierCFO access. A signed customer DPA, order form, or services agreement controls if it conflicts with this public summary.

Parties and roles

The customer determines the purposes and instructions for workspace documents and business content. Focus Digital S.r.l. provides DossierCFO and may act as processor or subprocessor for that customer workspace data.

Focus Digital remains controller for its own account, security, access enablement, service-administration, support, legal, and operational records.

Processing scope

| Item                     | Scope                                                                                                                                                                                             |
| ------------------------ | ------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------------- |
| Subject matter           | Preparing source-backed financial dossier drafts for professional review.                                                                                                                         |
| Customer data categories | Uploaded accounting documents, evidence-link uploads, extracted text, normalized facts, KPI values, review notes, report/export metadata, audit events, and support metadata.                     |
| Data subjects            | Customer contacts, company representatives, advisors, evidence-link contributors, employees, suppliers, shareholders, counterparties, and other persons appearing in uploaded business documents. |
| Duration                 | Active account or signed customer term plus documented deletion grace period, backup cycles, legal hold, security exceptions, and mandatory retention.                                            |
| Instructions             | Process only to provide, secure, support, maintain, and improve DossierCFO inside the documented product boundary.                                                                                |
| Location                 | Production provider locations and transfer mechanisms are documented through the subprocessor register and customer records.                                                                      |

Confidentiality and security

Focus Digital limits access to authorised personnel and service providers who need access to operate, secure, support, or maintain DossierCFO. DossierCFO separates authenticated upload, scan state, OCR, redacted AI text analysis, deterministic formulas, evidence state, and export readiness.

Support must use sanitized IDs and error categories rather than raw document content in unapproved channels.

Subprocessors

Production subprocessors are listed in the Subprocessors register. Manual AI access enablement remains the control point. Do not approve customer AI/OCR access until the active provider route and contract/DPA record are confirmed.

Focus Digital will require subprocessors to protect customer data with obligations appropriate to their role and the processing they perform.

International transfers

Where subprocessors or providers process data outside the EEA, Focus Digital uses appropriate GDPR transfer safeguards such as adequacy decisions, EU-US Data Privacy Framework certification where applicable, Standard Contractual Clauses, supplementary measures, or another valid transfer basis.

Assistance

Focus Digital will provide reasonable assistance, considering the nature of processing and available information, for data subject requests, security incidents, deletion/export requests, and customer compliance requests.

If a request concerns data for which Focus Digital acts as processor, Focus Digital may direct the requester to the customer controller unless law requires otherwise.

Deletion and return

Account deletion uses a 30-day grace period. Account export includes profile, case, document, analysis, upload, and audit metadata, but does not embed raw file binaries, raw OCR text, raw extracted document text, source-span raw text, or provider prompts.

Deletion from app tables is subject to backup cycles, legal hold, security exceptions, and mandatory retention. Signed customer terms may define additional return/deletion assistance.

Incidents

Suspected personal-data incidents must be escalated through the security contact path, contained, assessed, and communicated according to the operator runbook, applicable law, and any signed customer notice terms.

Audits and records

Focus Digital maintains operational records for subprocessors, provider route changes, security controls, deletion/export behavior, and AI/OCR enablement decisions. Customer audit or diligence requests are handled through signed customer terms or the Focus Digital support/legal contact.