Data Processing Agreement (DPA)

Last Updated: August 17, 2025
Effective Date: August 17, 2025

1. Definitions

For the purposes of this DPA:

"Controller": The user (you) who determines the purposes and means of processing personal data
"Processor": Invoice Collector, which processes personal data on behalf of the Controller
"Personal Data": Any information relating to an identified or identifiable natural person contained in emails or documents
"Processing": Any operation performed on personal data, including collection, organization, storage, and deletion
"Data Subject": The natural person whose personal data is being processed
"Sub-processor": Any third party engaged by Invoice Collector to assist in processing personal data

2. Nature and Purpose of Processing

2.1 Subject Matter

Invoice Collector processes personal data contained in emails and associated documents for the purpose of automated invoice and receipt collection, organization, and storage.

2.2 Categories of Data Subjects

Email senders and recipients
Customers and clients mentioned in invoices
Vendors and service providers
Any individuals referenced in business documents

2.3 Types of Personal Data

Category	Data Types	Processing Purpose
Contact Information	Names, email addresses, phone numbers, addresses	Invoice identification and organization
Financial Information	Payment details, bank information, transaction IDs	Invoice processing and storage
Business Information	Company names, order numbers, purchase details	Document categorization and filing
Communication Data	Email content, metadata, timestamps	Email processing and PDF conversion

3. Controller and Processor Obligations

3.1 Controller Obligations (Your Responsibilities)

As the Controller, you:

Have the lawful basis for processing personal data in your emails
Ensure you have appropriate consent or other legal basis for sharing data with Invoice Collector
Are responsible for responding to data subject requests related to the original data
Must notify Invoice Collector if you become aware of any data protection violations
Agree to only process data in accordance with applicable data protection laws

3.2 Processor Obligations (Our Responsibilities)

As the Processor, Invoice Collector:

Processes personal data only on your documented instructions
Implements appropriate technical and organizational measures to protect data
Maintains confidentiality of personal data
Assists with data subject requests when technically feasible
Notifies you of any data breaches without undue delay
Deletes or returns personal data at the end of the service relationship
Provides information necessary to demonstrate compliance with obligations

4. Technical and Organizational Measures

4.1 Security Measures

Data Protection Measures:

Encryption: All data encrypted in transit (TLS 1.3) and at rest (AES-256)
Access Control: Role-based access with multi-factor authentication
Data Minimization: Process only data necessary for invoice collection
Pseudonymization: Where technically feasible and appropriate
Regular Testing: Security assessments and vulnerability testing
Incident Response: 24/7 monitoring and breach response procedures

4.2 Staff Security

Background checks for staff with data access
Regular data protection and security training
Confidentiality agreements with all personnel
Principle of least privilege for system access

5. Sub-processors

5.1 Authorization

You provide general authorization for Invoice Collector to engage sub-processors, subject to the conditions in this section.

5.2 Current Sub-processors

Sub-processor	Service	Location	Safeguards
Google LLC	Gmail/Drive API, Cloud Infrastructure	United States	Adequacy Decision, Standard Contractual Clauses
[Cloud Provider]	Application Hosting	[Location]	Standard Contractual Clauses
[Analytics Provider]	Usage Analytics	[Location]	Data Processing Agreement

5.3 Sub-processor Requirements

All sub-processors must:

Provide the same level of data protection as required by this DPA
Be bound by written data protection obligations
Process personal data only as instructed by Invoice Collector
Implement appropriate technical and organizational measures

6. Data Subject Rights

6.1 Assistance with Data Subject Requests

Invoice Collector will assist you in fulfilling data subject rights requests, including:

Access: Providing available personal data in our systems
Rectification: Correcting inaccurate data when technically possible
Erasure: Deleting personal data upon valid request
Portability: Providing data in a machine-readable format
Restriction: Limiting processing when required

6.2 Response Timeline

Invoice Collector will respond to assistance requests within 10 business days, providing available information and technical capabilities.

7. Data Breach Notification

7.1 Breach Response

In case of a personal data breach, Invoice Collector will:

Notify you without undue delay, and in any case within 72 hours of becoming aware
Provide available information about the breach, including:
- Nature and categories of data affected
- Approximate number of data subjects and records
- Likely consequences of the breach
- Measures taken or proposed to address the breach
Provide reasonable assistance with breach notification obligations
Cooperate with any investigations or remediation efforts

8. Data Transfers

8.1 International Transfers

Personal data may be transferred to third countries or international organizations. All transfers will be protected by appropriate safeguards:

European Commission adequacy decisions
Standard Contractual Clauses (SCCs)
Binding Corporate Rules where applicable
Other legally recognized transfer mechanisms

9. Data Retention and Deletion

9.1 Retention Period

Email Processing: Data processed temporarily and not permanently stored unless converted to PDF
System Logs: Retained for 90 days for security and operational purposes
Account Data: Retained while the service relationship exists

9.2 Data Deletion

Upon termination of service or your request:

Personal data will be deleted within 30 days
Backups will be securely deleted according to our backup retention schedule
Certification of deletion can be provided upon request

10. Audits and Compliance

10.1 Audit Rights

You have the right to:

Request information about our data protection compliance
Conduct audits or inspections (with reasonable notice and scope)
Engage qualified third-party auditors
Receive copies of relevant compliance certifications

10.2 Compliance Documentation

Invoice Collector maintains:

Records of processing activities
Security assessment reports
Staff training records
Sub-processor due diligence documentation

11. Liability and Indemnification

11.1 Limitation of Liability

Each party's liability for data protection violations is limited as set forth in the main service agreement, except where such limitations are prohibited by applicable law.

11.2 Indemnification

Invoice Collector will indemnify you against claims arising from our violation of this DPA, subject to:

Prompt notification of the claim
Reasonable cooperation in defense
Our sole control of the defense and settlement

12. Term and Termination

12.1 Duration

This DPA remains in effect for the duration of the service agreement and any processing activities thereafter.

12.2 Termination Effects

Upon termination:

Processing will cease within 30 days
Personal data will be deleted or returned as instructed
Relevant obligations will survive termination as required by law

13. Governing Law and Jurisdiction

This DPA is governed by the same law as the main service agreement. For EU data subjects, the DPA is also subject to applicable EU data protection law.

14. Amendment

This DPA may be amended only by written agreement, except for updates required by changes in applicable data protection law, which may be implemented with appropriate notice.

15. Contact Information

For questions about this DPA or data processing:

Contact: nir.ashkenazi88@gmail.com