Data-Processing Agreement

Last updated: 5 May 2025

1 · Parties

Controller (Customer): any person or entity that registers for the InvoiceMaster service.
Processor: Enrique Moreno Tent, sole proprietor, Trachauerstrasse 5, 01139 Dresden, Germany – [email protected].

2 · Subject Matter & Duration

Processor hosts invoices and related data for the Controller for the lifetime of the account.

3 · Purpose of Processing

  • Store and display invoices, bills, quotes and contacts
  • Provide backups and restore options
  • Handle payments via Stripe (optional)

4 · Data Types & Subjects

Names, addresses, email addresses, phone numbers, invoice details and payment references of the Controller’s customers, vendors and contacts. No special-category data is intended to be processed.

5 · Processor Obligations

  • Process data only on Controller’s instructions
  • Keep staff bound by confidentiality
  • Apply the security measures in § 6
  • Help Controller meet GDPR duties where feasible
  • Delete or return data after processing ends (§ 10)
  • Provide compliance evidence on request (§ 11)

6 · Security Measures (Art. 32 GDPR)

  • TLS for all traffic
  • AES-256 encryption at rest (Supabase EU)
  • Daily automated backups kept 7 days
  • Soft-delete with 7-day restore window
  • Role-based access, MFA for admin accounts

7 · Sub-processors

  • Supabase EU – DB & file storage
  • Stripe EU – payment processing
  • Hotjar EU/EEA – usage analytics
  • SendGrid US – transactional email (SCCs)

Controller will be notified 14 days before any new sub-processor is added.

8 · Assistance with Data-Subject Rights

Processor will support access, rectification, erasure and portability requests via the Service.

9 · Personal-Data Breach

Processor will notify Controller within 72 hours of awareness.

10 · Deletion & Return

On account closure, Controller may export data; Processor then deletes active data immediately. Backups auto-purge after 7 days.

11 · Compliance Evidence

Processor supplies current Supabase/Stripe security reports on request (max once per year). No on-site audits offered.

12 · International Transfers

Data stays in the EEA; email metadata passes through SendGrid US under Standard Contractual Clauses.

13 · Liability

For ordinary negligence, Processor’s liability is capped at the fees paid by the Controller in the 12 months before the incident. No cap for intent or gross negligence.

14 · Governing Law

German law; venue Dresden.

15 · Acceptance

Controller accepts this Agreement by ticking the DPA checkbox during signup.

— Enrique Moreno Tent, Processor (5 May 2025)