
Data processing agreement

The processor agreement that sits underneath your subscription. Aligned with GDPR Art. 28 and PIPEDA. Countersigned versions available on request.

Effective April 1, 2026 · v1.4.2

1. Roles

For all personal data you submit to InvoicePass, you are the controller and InvoicePass is the processor. We process the data only on your documented instructions, which are the Order Form, the Terms of Service, and any written request you send us through your administrator account.

2. Subject-matter and duration

  • Subject: ingestion, deduplication, signing, storage, and forwarding of invoice payloads on behalf of the customer.
  • Duration: the term of the subscription, plus the retention windows stated in our Privacy policy.
  • Nature and purpose: automated processing of business records to enable accurate, deduplicated, signed delivery to a destination of record.

3. Categories of data and data subjects

Category | Examples
Operator account data | Name, work email, role, login timestamps
Vendor and counterparty data | Vendor name, contact email on incoming invoices
Invoice content | PDF text, line items, totals, references, due dates
Operational telemetry | Source IPs, request IDs, dedup hashes

Data subjects: your operators (foremen, dispatchers, accounts payable staff) and the natural persons named on inbound invoices.

4. Sub-processors

You authorize InvoicePass to use the sub-processors listed in our Privacy policy. We provide at least 30 days' notice before adding or replacing a sub-processor. You may object on reasonable grounds; if we cannot accommodate your objection, you may terminate the affected subscription with a pro-rated refund.

5. International transfers

Personal data is hosted in ca-central-1. Encrypted backups replicate to us-east-1. For data originating in the European Economic Area or the UK, we rely on the EU Standard Contractual Clauses (Module Two: controller to processor) and the UK International Data Transfer Addendum, both incorporated by reference into this DPA.

6. Security measures

We implement the technical and organizational measures described on our security page. Highlights:

  • Encryption at rest (AES-256) and in transit (TLS 1.3).
  • Just-in-time, SSO-backed access to production with a hardware-key second factor.
  • Append-only audit log for every administrative action.
  • Annual third-party penetration test and quarterly internal restore drills.
  • Background checks for engineers with production access.

7. Confidentiality

Every InvoicePass employee and contractor with access to personal data is bound by a written confidentiality agreement that survives termination of their engagement.

8. Assistance to the controller

Within the limits of what is technically feasible, we will assist you with:

  • Responding to data subject requests (access, correction, deletion, portability).
  • Carrying out data protection impact assessments and prior consultations with supervisory authorities.
  • Meeting your security, breach-notification, and audit obligations.

Self-serve tools at /data-export cover most requests without manual intervention.

9. Personal data breaches

We will notify you of a confirmed personal data breach affecting your data without undue delay and no later than 72 hours after we become aware of it. The notice will include the nature of the breach, categories and approximate volume affected, likely consequences, and the measures we have taken or propose to take.

10. Audits

Once per twelve-month period (or more often if required by a supervisory authority or following a confirmed breach), you may audit our compliance with this DPA. We will respond to audit requests with our most recent SOC 2 report, penetration test summary, and a written questionnaire response within 20 business days. On-site audits require 30 days' notice and a mutually executed NDA.

11. Return or deletion of data

On termination, you may export your data at any point during the 30 days following your last billing period via /data-export. After that, we hard-delete personal data within 60 days, except where retention is required by law. We confirm deletion in writing on request.

12. Liability

Liability under this DPA is governed by the limitation of liability provision in the Terms of Service. Nothing in this DPA limits either party's liability where applicable law prohibits such a limitation.

13. Conflict

If anything in this DPA conflicts with the Terms of Service in respect of the processing of personal data, this DPA controls.

14. Signatures

A countersigned version of this DPA, on customer letterhead or via electronic signature, is available on request from [email protected].

This document is a plain-language summary written for clarity. It is not legal advice. For questions, write [email protected].
