Skip to content
Invoice Master Logo
Sign up
Main content

Data Processing Agreement (DPA)

Agreement last updated: June 26, 2026

This data processing agreement explains how Invoice Master processes customer, invoice, contact, and payment-related personal data on behalf of customers who use the service.

It covers processor obligations, GDPR Article 32 security measures, subprocessors such as Stripe when payment processing is enabled, data-subject support, breach notice, international transfers, and deletion terms.

1. Parties

Controller (Customer): Any individual or entity registering for the Invoice Master service.

Processor: Enrique Moreno Tent (sole proprietor), Trachauerstraße 5, 01139 Dresden, Germany — support@invoicemaster.org.

2. Subject and duration

Processor hosts and processes Customer personal data to provide the service. This DPA lasts for the term of the subscription.

3. Purpose of processing

  • Store and display invoices, quotes, contacts, and related records.
  • Send transactional email.
  • Process payments through Stripe when enabled by Customer.

4. Data types and data subjects

Names, emails, business identifiers, billing details, invoice line items, payment references. Data subjects include Customer’s staff, clients, and suppliers. No special‑category data is intended.

5. Processor obligations

  • Process only on documented instructions from Customer.
  • Keep data confidential and ensure authorized personnel are bound by confidentiality.
  • Apply the security measures in Section 6.
  • Assist Customer with data‑subject requests and DPIAs where reasonable.
  • Delete or return personal data at the end of the engagement per Section 10.
  • Make information available to demonstrate compliance with this DPA.

6. Security measures (Art. 32 GDPR)

  • TLS encryption in transit and encryption at rest within hosting infrastructure.
  • Role‑based access control and multi‑factor authentication for administrators.
  • Change management and access logging.

7. Subprocessors

  • Supabase (EU) — database, storage, auth.
  • Stripe (EU/US) — payments.
  • SendGrid / Twilio (US) — transactional email.

These subprocessors are covered by this DPA when they process personal data needed to provide the Invoice Master service. Website-only analytics, support, and currency-detection tools are documented in the Privacy Policy.

Processor will notify Customer at least fourteen (14) days before adding a new subprocessor.

8. Data‑subject rights

Processor provides tools and support so Customer can fulfil access, rectification, erasure, and portability requests.

9. Personal‑data breach

Processor notifies Customer without undue delay and within 72 hours after becoming aware of a personal‑data breach.

10. Deletion and return

On account deletion or at the end of the service, Processor deletes active Customer personal data from the application after Customer confirms deletion. Limited copies may remain in provider backups, security logs, billing records, transactional email systems, or subprocessors until retention periods expire or retention is legally required.

11. Compliance information

Upon written request (no more than once per year) Processor will provide current security documentation from hosting and payment providers. On‑site audits are not available.

12. International transfers

Data may be transferred outside the EEA. Where required, Standard Contractual Clauses are used (e.g., for SendGrid in the US).

13. Liability

For ordinary negligence, liability is capped at fees paid by Customer in the twelve (12) months before the incident. No cap applies for intent or gross negligence.

14. Governing law and venue

German law governs. Exclusive venue is Dresden, Germany.

15. Acceptance

Customer accepts this DPA by ticking the DPA checkbox during signup or by executing a contract that references this document.

— Enrique Moreno Tent, Processor (June 26, 2026)