Data Processing Agreement (DPA)

If you upload documents containing personal data, this DPA governs how Fencia processes it as a processor on your behalf. You can read it here, print it to PDF, or request a signed copy.

Entity details pending

Before using this DPA in production, fill in the registered company name, address and tax details of the entity behind Fencia wherever [LEGAL ENTITY] appears. Until then, this document serves as a reference template.

1. Parties and subject matter

This Data Processing Agreement ("DPA") is entered into between the customer ("Controller") and [LEGAL ENTITY], operator of Fencia ("Processor"). It governs the processing of personal data the Controller provides when using the Fencia service, pursuant to Art. 28 GDPR (Regulation (EU) 2016/679).

2. Subject, duration and nature of processing

The Processor will process personal data solely to provide the compliance-analysis service (document scanning, findings generation, storage of results and optional monitoring). Processing lasts for the duration of the contractual relationship and the configured retention period.

3. Categories of data and data subjects

The personal data processed depends on the content the Controller uploads. It may include data of employees, customers or third parties referenced in policies, contracts and technical documentation. The Controller determines which documents are uploaded and therefore which categories of data are processed.

4. Processor obligations

The Processor will: (a) process data only on the Controller's documented instructions; (b) ensure confidentiality of authorized personnel; (c) apply the technical and organizational measures described in the Security Center (TLS 1.3 and AES-256 encryption, RLS, access control); (d) not use the data to train AI models; (e) assist the Controller in handling data-subject rights; (f) notify the Controller without undue delay of any personal data breach.

5. Subprocessors

The Controller authorizes the use of the subprocessors listed in the Security Center (Supabase, Vercel, Google Gemini API, Stripe, Vercel Analytics). The Processor maintains processing agreements with all of them and will inform the Controller of any intended changes, giving the Controller the opportunity to object.

6. International transfers

Where a subprocessor processes data outside the European Economic Area, the transfer relies on the EU Commission's Standard Contractual Clauses (SCCs), plus any applicable supplementary technical measures.

7. Security

The Processor applies Art. 32 GDPR measures: encryption in transit and at rest, per-user data isolation (RLS), environment separation, two-factor authentication and audit logging. Details are at /security.

8. Deletion and return of data

On termination of the service, the Processor will delete or return personal data at the Controller's choice, unless legally required to retain it. The Controller can delete individual analyses at any time from the dashboard.

9. Audit

The Processor will make available the information necessary to demonstrate compliance with this DPA and allow for reasonable audits, including security questionnaires, with reasonable notice.

10. Governing law

This DPA is governed by Spanish and European Union law, consistent with Fencia's Terms of Service.