Data Processing Agreement (DPA)

Last updated: October 20, 2025

1. Parties

Controller (Customer): Any individual or entity registering for the Invoice Master service.

Processor: Enrique Moreno Tent (sole proprietor), Trachauerstraße 5, 01139 Dresden, Germany — support@invoicemaster.org.

2. Subject and duration

Processor hosts and processes Customer personal data to provide the service. This DPA lasts for the term of the subscription.

3. Purpose of processing

  • Store and display invoices, quotes, contacts, and related records.
  • Send transactional email.
  • Process payments through Stripe when enabled by Customer.

4. Data types and data subjects

Names, emails, business identifiers, billing details, invoice line items, and payment references. Data subjects include Customer’s staff, clients, and suppliers. No special‑category data is intended.

5. Processor obligations

  • Process only on documented instructions from Customer.
  • Keep data confidential and ensure authorized personnel are bound by confidentiality.
  • Apply the security measures in Section 6.
  • Assist Customer with data‑subject requests and DPIAs where reasonable.
  • Delete or return personal data at the end of the engagement per Section 10.
  • Make information available to demonstrate compliance with this DPA.

6. Security measures (Art. 32 GDPR)

  • TLS encryption in transit and encryption at rest within hosting infrastructure.
  • Role‑based access control and multi‑factor authentication for administrators.
  • Change management and access logging.

7. Sub‑processors

  • Supabase (EU) — database, storage, auth.
  • Stripe (EU/US) — payments.
  • SendGrid / Twilio (US) — transactional email.

Processor will notify Customer at least fourteen (14) days before adding a new sub‑processor.

8. Data‑subject rights

Processor provides tools and support so Customer can fulfil access, rectification, erasure, and portability requests.

9. Personal‑data breach

Processor notifies Customer without undue delay and within 72 hours after becoming aware of a personal‑data breach.

10. Deletion and return

On account deletion or at the end of the service, Processor deletes active personal data immediately after Customer confirms export. No backups are kept after deletion.

11. Compliance information

Upon written request (no more than once per year) Processor will provide current security documentation from hosting and payment providers. On‑site audits are not available.

12. International transfers

Data may be transferred outside the EEA. Where required, Standard Contractual Clauses are used (e.g., for SendGrid in the US).

13. Liability

For ordinary negligence, liability is capped at fees paid by Customer in the twelve (12) months before the incident. No cap applies for intent or gross negligence.

14. Governing law and venue

German law governs. Exclusive venue is Dresden, Germany.

15. Acceptance

Customer accepts this DPA by ticking the DPA checkbox during signup or by executing a contract that references this document.

— Enrique Moreno Tent, Processor (October 20, 2025)