This Data Processing Agreement is available in English and German. In case of any discrepancy, the German version is legally binding.
Data Processing Agreement (DPA) according to Art. 28 GDPR
Preamble
Between the Invoice-Converter.com Customer (hereinafter referred to as "Controller") and Felix Graeber, CAYA Postbox 652326, 96035 Bamberg, Germany, Email: contact@invoice-converter.com (hereinafter referred to as "Processor"), the following agreement is concluded.
1. Subject Matter, Duration, and Specification of the Data Processing
1.1 Subject Matter of the Order
The subject matter of the order is the performance of the services agreed upon in the Main Agreement, in particular the automated conversion of invoice documents (e.g., PDF, XML) into structured electronic invoice formats (e.g., ZUGFeRD, XRechnung) using artificial intelligence (AI). This includes the extraction, validation, standardization, and conversion of invoice data.
1.2 Duration of the Order
The term of this DPA corresponds to the term of the Main Agreement between the Controller and the Processor. It automatically terminates upon the termination of the Main Agreement.
2. Type and Purpose of Processing, Type of Personal Data, and Categories of Data Subjects
2.1 Type and Purpose of Processing
The purpose of the processing is to enable the functionalities of Invoice-Converter.com described in the Main Agreement, primarily the conversion of invoice documents. The Processor processes personal data exclusively for the purpose of providing the services according to the Main Agreement and the instructions of the Controller.
2.2 Type of Personal Data
Within the scope of using Invoice-Converter.com, the following types of personal data may be processed, insofar as they are contained in the invoice documents uploaded by the Controller or arise during use:
- Master data of invoice issuers and recipients (Name, Company, Address)
- Contact details (Phone number, Email address)
- Bank account details (IBAN, BIC)
- Tax identification numbers (Tax number, VAT ID)
- Invoice details (Invoice number, Date, Amounts, Service descriptions)
- User data of the Controller (Name, Email address for the account)
- Technical metadata (IP address upon upload, Timestamp of processing)
2.3 Categories of Data Subjects
The categories of data subjects affected by the processing include:
- Customers (invoice recipients) of the Controller
- Suppliers (invoice issuers) of the Controller
- Contact persons at customers and suppliers
- Possibly employees of the Controller, if their data is contained in invoices
- Users of the Invoice-Converter.com account at the Controller
3. Technical and Organizational Measures (TOMs)
In accordance with Art. 32 GDPR, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk for the processed personal data. These measures are detailed in Annex 2 of this agreement and include, in particular, measures to ensure the confidentiality, integrity, availability, and resilience of the systems.
4. Rectification, Restriction, and Erasure of Data
The Processor will rectify, erase, or restrict the processing of data processed on behalf of the Controller only upon documented instruction from the Controller. If a data subject contacts the Processor directly, this request will be forwarded to the Controller immediately, at the latest within 24 hours. Upon termination of the Main Agreement, the data will be deleted in accordance with the provisions in Section 11 of this DPA.
5. Obligations of the Processor
The Processor ensures in particular:
- Processing of personal data only on documented instructions from the Controller.
- Ensuring that persons authorized to process the personal data have committed themselves to confidentiality in writing.
- Implementation of and compliance with the TOMs described in Annex 2.
- Assisting the Controller in fulfilling its obligations (e.g., regarding data subject rights, notification of data breaches, data protection impact assessments).
- Enabling and supporting audits by the Controller according to Section 8.
- No unauthorized correction, deletion, or restriction of the processing of data.
- Informing the Controller if, in its opinion, an instruction infringes data protection regulations.
- Obligation to cooperate with the competent supervisory authority to the extent possible and to provide all necessary information to the Controller.
No Data Protection Officer has been appointed at the Processor, as the requirements of Art. 37 GDPR are not met. Contact person: Felix Graeber, contact@invoice-converter.com.
6. Sub-processing Relationships
The Processor is entitled to engage sub-processors to provide the contractual services. The sub-processors currently engaged and approved by the Controller are listed in Annex 1 of this agreement. The Processor shall inform the Controller via email 14 calendar days before engaging a new sub-processor and give the Controller the opportunity to object in writing within this period. Contracts that meet the requirements of Art. 28 GDPR will be concluded with the sub-processors.
7. Rights and Obligations of the Controller
The Controller is solely responsible for assessing the lawfulness of the processing and for safeguarding the rights of the data subjects. The Controller shall issue all orders or instructions in documented form. Oral instructions must be confirmed immediately in writing or text form.
8. Audit Rights of the Controller
The Controller has the right to audit the Processor's compliance with the statutory data protection provisions and the contractual agreements to the necessary extent. The Processor undertakes to provide the Controller with the necessary information upon request and to make available evidence (e.g., regarding TOMs, certifications).
If the remote evidence is objectively insufficient, the Controller may conduct an on-site audit after at least 14 days' notice during usual business hours. The costs of an on-site audit shall be borne by the Controller, unless the audit reveals a significant breach of this agreement or applicable data protection laws by the Processor. The Processor's effort is limited to four (4) working hours.
9. Notification of Breaches
The Processor shall notify the Controller without undue delay of any breach of data protection provisions or the contractual agreements made in connection with the processing of its data. This applies in particular to personal data breaches pursuant to Art. 33 GDPR.
10. Controller's Right of Instruction
The Processor may process data only within the framework of the agreements made and according to the instructions of the Controller. The Processor shall immediately inform the Controller if it believes that an instruction infringes applicable data protection laws.
11. Deletion and Return of Personal Data
Upon termination of the Main Agreement or at any time upon request by the Controller, the Processor shall, at the choice of the Controller, either delete or return all personal data subject to this DPA, unless there is a statutory obligation for the Processor to retain the data. If the Controller does not issue an instruction within 30 days after the end of the contract, all personal data will be deleted by default.
Uploaded source documents are deleted after processing completes. For asynchronous processing, download delivery, validation proofs, and troubleshooting, generated artifacts and limited technical metadata may be cached temporarily for a short period. We do not operate a permanent central archive of customer documents.
12. Liability
The parties shall be liable towards data subjects pursuant to Art. 82 GDPR as joint and several debtors. In the internal relationship, the following applies: Each party shall compensate the other for damages for which it is responsible; the Processor shall indemnify the Controller against claims insofar as these are based on a culpable breach of duty by the Processor.
13. Final Provisions
- Amendments and additions to this DPA must be made in writing.
- Should individual provisions of this DPA be or become invalid, the validity of the remaining provisions shall remain unaffected.
- German law shall apply.
- The parties agree that the conclusion of this agreement also occurs in electronic form by clicking a checkbox and logging the date, time, IP address, and User ID, thereby fulfilling the written form requirement of Art. 28 (9) GDPR.
- The place of jurisdiction, insofar as permissible, is Bamberg.
Version: April 28, 2025
Annex 1: Approved Sub-processors
The Controller agrees to the engagement of the following sub-processors on the condition of a contractual agreement in accordance with Art. 28 (2-4) GDPR:
| No. | Company | Address | Service | Processing Location | Data Access |
|---|---|---|---|---|---|
| 1 | OpenAI Ireland Ltd. / OpenAI, L.L.C. | 6th Floor, South Bank House, Barrow Street, Dublin 4, Ireland / 3180 18th St, San Francisco, CA 94110, USA | Provision of AI API (GPT models) for data extraction | EU/EEA (primary), USA (with SCC) | Content and metadata |
| 2 | Mistral AI | 15 Rue des Halles, 75001 Paris, France | Provision of AI API for data extraction | EU | Content and metadata |
| 3 | Google Ireland Ltd. / Google LLC | Gordon House, Barrow Street, Dublin 4, Ireland / 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Provision of AI API for data extraction | EU/EEA, USA (with SCC) | Content and metadata |
| 4 | Cloudflare, Inc. | 101 Townsend St, San Francisco, CA 94107, USA | Content Delivery Network (CDN), Web Application Firewall (WAF), DDoS Protection | Global (Data processing primarily in EU/EEA, USA with SCC) | Metadata |
| 5 | Stripe Technology Europe, Limited / Stripe, Inc. | The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland / 354 Oyster Point Blvd, South San Francisco, CA 94080, USA | Payment processing for subscriptions | EU/EEA, USA (with SCC) | Metadata |
| 6 | Supabase, Inc. | 970 Terra Bella Ave, Mountain View, CA 94043, USA | Authentication, User Database | Frankfurt (Germany), USA (with SCC for support/admin) | Metadata |
| 7 | PostHog, Inc. | 2261 Market Street #4008, San Francisco, CA 94114, USA | Product analytics, session replay (EU Cloud) | EU (Frankfurt, Germany) | Metadata |
| 8 | Vercel, Inc. | 340 S Lemon Ave #4133, Walnut, CA 91789, USA | Frontend hosting | EU/EEA, USA (with SCC) | Metadata |
| 9 | Koyeb SAS | 15 Rue des Halles, 75001 Paris, France | Hosting of web application and backend infrastructure | EU | Content and metadata |
| 10 | Brevo | 106 boulevard Haussmann, 75008 Paris, France | Transactional and marketing email delivery | EU | Metadata |
Transfers to third countries (e.g., USA) are based on Standard Contractual Clauses (SCC) according to Art. 46 GDPR, supplemented by additional measures where necessary.
Annex 2: Technical and Organizational Measures (TOMs)
1. Confidentiality (Art. 32 para. 1 lit. b GDPR)
- Access Control (Physical): Physical access to servers is controlled by the data center operators of the contracted hosting providers using industry-standard measures (security service, video surveillance, access systems). No direct physical access for Processor personnel.
- Access Control (Logical): Protection of systems against unauthorized use through: Use of firewalls (Cloudflare WAF, system firewalls), encryption of communication (SSL/TLS), strong password policies and multi-factor authentication (MFA) for administrative access, role-based authorization concept with least privilege.
- Access Control (Data): Ensuring that authorized persons can only access the data for which they have access authorization, and that data cannot be read, copied, modified, or removed without authorization during processing, use, and after storage through: Detailed authorization concept, logging of system-level access, encryption of data carriers (where relevant, although no persistent storage of customer data occurs), commitment of employees to confidentiality.
- Separation Control: Logical separation of customer data through multi-tenancy in the application. Strict separation of production, testing, and development systems.
2. Integrity (Art. 32 para. 1 lit. b GDPR)
- Transmission Control: Ensuring that data cannot be read, copied, modified, or removed without authorization during electronic transmission or transport through: Encryption of data transmission (SSL/TLS) for all external connections (user frontend, API calls to sub-processors). Use of secure protocols (HTTPS, SSH).
- Input Control: Traceability of whether and by whom data has been entered, modified, or removed through: Logging of essential processing steps and system events (audit logs). No possibility for the user to directly modify uploaded data after processing starts.
3. Availability and Resilience (Art. 32 para. 1 lit. b GDPR)
- Availability Control: Protection against accidental destruction or loss through: Use of redundant systems at the contracted hosting providers, regular backup of system configuration and application data (but not processed customer documents), monitoring of system availability, DDoS protection by Cloudflare.
- Rapid Recovery (Art. 32 para. 1 lit. c GDPR): Ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident through: Backup and recovery processes for system components, use of Infrastructure-as-Code for rapid environment restoration.
4. Procedures for Regular Testing, Assessment, and Evaluation (Art. 32 para. 1 lit. d GDPR; Art. 25 para. 1 GDPR)
- Regular review of security settings and TOMs.
- Use of tools for vulnerability detection and automated patch management.
- Data protection by design and by default (Privacy by Design/Default): Data minimization (no storage of processed documents beyond the processing operation), purpose limitation.
- Incident Response Management to react to security incidents.
- Order Control: Ensuring processing is bound by instructions through clear processes and documentation.