This Data Processing Agreement is available in English, Italian, and German. In case of any discrepancy, the German version is legally binding.
Between the Invoice-Converter.com Customer (hereinafter referred to as "Controller") and Felix Graeber, CAYA Postbox 652326, 96035 Bamberg, Germany, Email: (hereinafter referred to as "Processor"), the following agreement is concluded.
The subject matter of the order is the performance of the services agreed upon in the Main Agreement, in particular the automated conversion of invoice documents (e.g., PDF, XML) into structured electronic invoice formats (e.g., ZUGFeRD, XRechnung) using artificial intelligence (AI). This includes the extraction, validation, standardization, and conversion of invoice data.
The term of this DPA corresponds to the term of the Main Agreement between the Controller and the Processor. It automatically terminates upon the termination of the Main Agreement.
The purpose of the processing is to enable the functionalities of Invoice-Converter.com described in the Main Agreement, primarily the conversion of invoice documents. The Processor processes personal data exclusively for the purpose of providing the services according to the Main Agreement and the instructions of the Controller.
Within the scope of using Invoice-Converter.com, the following types of personal data may be processed, insofar as they are contained in the invoice documents uploaded by the Controller or arise during use:
The categories of data subjects affected by the processing include:
In accordance with Art. 32 GDPR, the Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk for the processed personal data. These measures are detailed in Annex 2 of this agreement and include, in particular, measures to ensure the confidentiality, integrity, availability, and resilience of the systems.
The Processor will rectify, erase, or restrict the processing of data processed on behalf of the Controller only upon documented instruction from the Controller. If a data subject contacts the Processor directly, this request will be forwarded to the Controller immediately, at the latest within 24 hours. Upon termination of the Main Agreement, the data will be deleted in accordance with the provisions in Section 11 of this DPA.
The Processor ensures in particular:
No Data Protection Officer has been appointed at the Processor, as the requirements of Art. 37 GDPR are not met. Contact person: Felix Graeber, .
The Processor is entitled to engage sub-processors to provide the contractual services. The sub-processors currently engaged and approved by the Controller are listed in Annex 1 of this agreement. The Processor shall inform the Controller 14 calendar days before engaging a new sub-processor via email and give the Controller the opportunity to object in writing within this period. Contracts that meet the requirements of Art. 28 GDPR will be concluded with the sub-processors.
The Controller is solely responsible for assessing the lawfulness of the processing and for safeguarding the rights of the data subjects. The Controller shall issue all orders or instructions in documented form. Oral instructions must be confirmed immediately in writing or text form.
The Controller has the right to audit the Processor's compliance with the statutory data protection provisions and the contractual agreements to the necessary extent. The Processor undertakes to provide the Controller with the necessary information upon request and to make available evidence (e.g., regarding TOMs, certifications).
If the remote evidence is objectively insufficient, the Controller may conduct an on-site audit after at least 14 days' notice during usual business hours. The costs of an on-site audit shall be borne by the Controller, unless the audit reveals a significant breach of this agreement or applicable data protection laws by the Processor. The Processor's effort is limited to four (4) working hours.
The Processor shall notify the Controller without undue delay of any breach of data protection provisions or the contractual agreements made in connection with the processing of its data. This applies in particular to personal data breaches pursuant to Art. 33 GDPR.
The Processor may process data only within the framework of the agreements made and according to the instructions of the Controller. The Processor shall immediately inform the Controller if it believes that an instruction infringes applicable data protection laws.
Upon termination of the Main Agreement or at any time upon request by the Controller, the Processor shall, at the choice of the Controller, either delete or return all personal data subject to this DPA, unless there is a statutory obligation for the Processor to retain the data. If the Controller does not issue an instruction within 30 days after the end of the contract, all personal data will be deleted by default.
Uploaded documents are deleted immediately after processing as part of normal operation and are not stored persistently.
The parties shall be liable towards data subjects pursuant to Art. 82 GDPR as joint and several debtors. In the internal relationship, the following applies: Each party shall compensate the other for damages for which it is responsible; the Processor shall indemnify the Controller against claims insofar as these are based on a culpable breach of duty by the Processor.
Version: April 28, 2025
The Controller agrees to the engagement of the following sub-processors on the condition of a contractual agreement in accordance with Art. 28 (2-4) GDPR:
| No. | Company | Address | Service | Processing Location | Data Access |
|---|---|---|---|---|---|
| 1 | Render, Inc. | 525 Brannan St STE 300, San Francisco, CA 94107, USA | Hosting of the web application and backend infrastructure | Frankfurt (Germany) | Content and metadata |
| 2 | OpenAI Ireland Ltd. / OpenAI, L.L.C. | 6th Floor, South Bank House, Barrow Street, Dublin 4, Ireland / 3180 18th St, San Francisco, CA 94110, USA | Provision of AI API (GPT models) for data extraction | EU/EEA (primary), USA (with SCC) | Content and metadata |
| 3 | Mistral AI | 15 Rue des Halles, 75001 Paris, France | Provision of AI API for data extraction | EU | Content and metadata |
| 4 | Google Ireland Ltd. / Google LLC | Gordon House, Barrow Street, Dublin 4, Ireland / 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Provision of AI API for data extraction | EU/EEA, USA (with SCC) | Content and metadata |
| 5 | Cloudflare, Inc. | 101 Townsend St, San Francisco, CA 94107, USA | Content Delivery Network (CDN), Web Application Firewall (WAF), DDoS Protection | Global (Data processing primarily in EU/EEA, USA with SCC) | Metadata |
| 6 | Stripe Technology Europe, Limited / Stripe, Inc. | The One Building, 1 Grand Canal Street Lower, Dublin 2, Ireland / 354 Oyster Point Blvd, South San Francisco, CA 94080, USA | Payment processing for subscriptions | EU/EEA, USA (with SCC) | Metadata |
| 7 | Supabase, Inc. | 970 Terra Bella Ave, Mountain View, CA 94043, USA | Authentication, User Database | Frankfurt (Germany), USA (with SCC for support/admin) | Metadata |
| 8 | Google Ireland Ltd. / Google LLC | Gordon House, Barrow Street, Dublin 4, Ireland / 1600 Amphitheatre Parkway, Mountain View, CA 94043, USA | Google Tag Manager & Google Analytics (Web analytics, Tag management) | EU/EEA, USA (with SCC) | Metadata |
| 9 | Vercel, Inc. | 340 S Lemon Ave #4133, Walnut, CA 91789, USA | Frontend hosting | EU/EEA, USA (with SCC) | Metadata |
| 10 | Koyeb SAS | 15 Rue des Halles, 75001 Paris, France | Hosting of web application and backend infrastructure | EU | Content and metadata |
Transfers to third countries (e.g., USA) are based on Standard Contractual Clauses (SCC) according to Art. 46 GDPR, supplemented by additional measures where necessary.