# Data Processing Agreement (DPA)

**Date**: [Date]

**Between**:

- **Data Controller**: [Customer Company Name]
- **Data Processor**: Soatdev IT Consulting SRL, Belgium (BE1014.369.580)

---

## 1. Scope and Purpose

This Data Processing Agreement ("DPA") governs the processing of personal data by EncryptInvoice (a product of Soatdev IT Consulting SRL) on behalf of the Customer in accordance with the EU General Data Protection Regulation (GDPR) and other applicable data protection laws.

**Effective Date**: Date of Customer's subscription to EncryptInvoice

**Term**: Duration of subscription + applicable retention period

---

## 2. Data Processing Details

### 2.1 Subject Matter
Processing of personal data necessary to provide EncryptInvoice's e-invoicing, customer management, and payment processing services.

### 2.2 Duration
This DPA remains in effect for the duration of the Customer's subscription plus any applicable statutory retention period (typically 7-10 years for financial records).

### 2.3 Nature and Purpose
- Creation, storage, transmission, and archival of invoices and quotes
- Processing payments and subscription billing
- Providing PEPPOL and other e-invoicing network connectivity
- Maintaining audit logs and security monitoring

### 2.4 Categories of Personal Data
- **Contact Information**: Names, email addresses, phone numbers, postal addresses
- **Business Information**: Company names, VAT/tax numbers, business addresses
- **Financial Information**: Invoice amounts, payment records, bank account details (tokenized)
- **Technical Data**: IP addresses, browser information, access logs

### 2.5 Categories of Data Subjects
- Customer's employees and authorized users
- Customer's clients and vendors
- Payment card holders (tokenized data only)

---

## 3. Processor Obligations (GDPR Art. 28)

EncryptInvoice (Soatdev IT Consulting SRL) as Data Processor shall:

### 3.1 Processing Instructions
- Process personal data only on documented instructions from the Customer
- Inform the Customer if instructions violate GDPR or other data protection laws
- Not process data for any purpose other than providing the Service

### 3.2 Confidentiality
- Ensure that all personnel authorized to process personal data are bound by confidentiality obligations
- Limit access to personal data to personnel who require it to perform their duties

### 3.3 Security Measures (GDPR Art. 32)
Implement appropriate technical and organizational measures including:
- **Encryption**: AES-256 encryption at rest, TLS 1.3 in transit
- **Access Control**: Role-based access control, two-factor authentication
- **Audit Logging**: Comprehensive activity tracking for security monitoring
- **Infrastructure Security**: EU-based hosting, regular security audits
- **Backup & Recovery**: Automated daily backups with encryption
- **Incident Response**: 24-hour breach notification procedure

### 3.4 Data Subject Requests
Assist the Customer in responding to data subject requests including:
- **Right of Access**: Provide data export functionality
- **Right to Erasure**: Implement data deletion with 30-day grace period
- **Right to Portability**: Export data in JSON, CSV, PDF, UBL XML formats
- **Right to Rectification**: Allow data correction through user interface
- **Other Rights**: Support restriction, objection, and withdrawal of consent

Response time: Within 30 days as required by GDPR

### 3.5 Data Breach Notification
- Notify Customer of any personal data breach within **24 hours** of becoming aware
- Provide detailed information: nature of breach, affected data, likely consequences, mitigation measures
- Cooperate with Customer in breach investigation and remediation

### 3.6 Data Deletion or Return
Upon termination or expiration of services:
- **Free/Pro Plans**: 30-day export window before permanent deletion
- **Business/Enterprise Plans**: 90-day export window before permanent deletion
- **Statutory Retention**: Customer-facing data anonymized but financial records retained as required by law
- Provide certification of deletion upon Customer request

---

## 4. Subprocessors

EncryptInvoice uses the following subprocessors to provide its services:

### 4.1 Payment Processing
- **Stripe Inc. (USA)**: Payment processing
- **Protection**: Standard Contractual Clauses (SCC) under GDPR Art. 46
- **Privacy Policy**: https://stripe.com/privacy

### 4.2 Cloud Infrastructure
- **Amazon Web Services (EU)**: Cloud hosting in EU datacenters
- **Protection**: EU-based, GDPR-compliant, AWS Data Processing Addendum
- **Privacy Policy**: https://aws.amazon.com/privacy

### 4.3 E-Invoicing Networks
- **Storecove BV (Netherlands, EU)**: PEPPOL e-invoicing access point
- **Protection**: EU-based, GDPR-compliant processor
- **Privacy Policy**: https://www.storecove.com/privacy

### 4.4 Additional Payment Processors (As Enabled)
- Additional payment processors may be added depending on the Customer's plan and payment preferences
- All such processors are covered by Standard Contractual Clauses (SCC) or EU adequacy decisions
- A current list is available upon request from legal@encryptinvoice.com

### 4.5 Subprocessor Changes
- EncryptInvoice will inform Customer of any changes to subprocessors via email (30-day notice)
- Customer may object to new subprocessors within 30 days
- If objection is valid and cannot be resolved, Customer may terminate without penalty

---

## 5. Data Transfers Outside the EEA

### 5.1 Primary Data Location
All Customer data is stored in EU datacenters by default.

### 5.2 Non-EU Transfers
Data may be transferred outside the European Economic Area (EEA) only to:
- Subprocessors covered by Standard Contractual Clauses (SCC)
- Countries with EU adequacy decisions
- Processors with appropriate GDPR Art. 46 safeguards

### 5.3 Safeguards
- Standard Contractual Clauses as approved by the European Commission
- Additional security measures: encryption, access controls, audit logs
- Regular compliance audits

---

## 6. Data Protection Impact Assessment & Prior Consultation

EncryptInvoice will assist the Customer in conducting Data Protection Impact Assessments (DPIAs) when required under GDPR Art. 35, and will cooperate with prior consultation with supervisory authorities when necessary.

---

## 7. Security Audits & Compliance

### 7.1 Customer Audit Rights
- Customer may audit EncryptInvoice's compliance with this DPA
- Audits subject to reasonable notice (30 days), confidentiality obligations, and scheduling
- EncryptInvoice will provide audit reports and compliance certifications upon request

### 7.2 Third-Party Certifications
- **SOC 2 Type II**: In progress (expected Q3 2026)
- **ISO 27001**: Planned (Q4 2026)
- Regular third-party penetration testing and vulnerability assessments

---

## 8. Limitation of Liability

### 8.1 Liability Cap
EncryptInvoice's total liability under this DPA shall not exceed the amount paid by Customer in the 12 months preceding the claim.

### 8.2 Exclusions
EncryptInvoice is not liable for:
- Breaches caused by Customer's instructions or misuse
- Unauthorized access resulting from Customer's failure to secure credentials
- Force majeure events beyond reasonable control

### 8.3 Indemnification
EncryptInvoice will indemnify Customer for direct damages resulting from EncryptInvoice's breach of this DPA, subject to the liability cap.

---

## 9. Term and Termination

### 9.1 Term
This DPA is effective from the date of Customer's first use of EncryptInvoice and continues for the duration of the subscription.

### 9.2 Termination
- Automatic termination upon subscription cancellation or expiration
- Customer may terminate for cause if EncryptInvoice materially breaches this DPA and fails to remedy within 30 days
- EncryptInvoice obligations regarding data deletion/return survive termination

---

## 10. Governing Law and Jurisdiction

This DPA shall be governed by the laws of Belgium. Any disputes arising from this DPA shall be subject to the exclusive jurisdiction of the courts of Belgium.

---

## 11. Contact Information

**EncryptInvoice (Soatdev IT Consulting SRL)**
- **Address**: Leopold de Waelplaats 28, 2000, Antwerpen, Belgium
- **VAT**: BE1014.369.580
- **Email**: legal@encryptinvoice.com
- **Data Protection Officer**: dpo@encryptinvoice.com

**Customer**
- **Company Name**: [To be completed]
- **Address**: [To be completed]
- **Email**: [To be completed]
- **DPO (if applicable)**: [To be completed]

---

## Signatures

By signing below, both parties agree to the terms of this Data Processing Agreement.

**Customer**

Signature: ________________________________

Name: ____________________________________

Title: ____________________________________

Date: ____________________________________

**EncryptInvoice (Soatdev IT Consulting SRL)**

Signature: ________________________________

Name: ____________________________________

Title: ____________________________________

Date: ____________________________________

---

*This DPA template is provided for Enterprise customers. Once completed and signed by both parties, please email to: legal@encryptinvoice.com*

