
This Data Processing Agreement is available in English and German. In case of any discrepancy, the German version is legally binding.

Data Processing Agreement according to Art. 28 GDPR

Last updated: June 2, 2026

Preamble

This Data Processing Agreement ("DPA") supplements the main agreement between the customer using Invoice Converter as controller ("Controller") and Sine Aspera Ad Astra GmbH i.G., Adalbertstraße 56, 80799 Munich, Germany, represented by Felix Graeber. Commercial register entry pending at Amtsgericht München. The company acts as processor ("Processor").

This DPA applies where the Processor processes personal data on behalf of the Controller in connection with invoice conversion, validation, review, External API usage, support, diagnostics, and related services.

1. Subject Matter, Duration, and Instructions

The subject matter is the automated and assisted conversion of invoices and invoice-like documents into structured electronic invoice formats, including extraction, validation, standardization, artifact generation, strict API issuance, support, and troubleshooting.

The term of this DPA follows the term of the main agreement. The Controller's documented instructions are the main agreement, these Terms, the DPA, order forms, API documentation, and written instructions accepted by the Processor. The Processor will inform the Controller if it believes an instruction infringes data protection law.

2. Processing Details

Purpose: providing invoice conversion, validation, download, External API, billing support, security, troubleshooting, incident handling, and customer support.

Data categories: invoice content, supplier and buyer master data, contact data, tax identifiers, VAT IDs, bank details, invoice numbers, line items, amounts, service descriptions, account user data, tenant IDs, API key IDs and prefixes, idempotency keys, request hashes, correlation IDs, usage and audit events, credit-ledger data, validation proofs, artifact hashes, filenames, support diagnostics, and technical metadata.

Data subjects: Controller users, employees or contractors, invoice issuers, invoice recipients, suppliers, customers, contact persons, and other persons named in invoice content.

Restricted data: the Controller must not upload special-category data, criminal-offence data, payment-card data, identity documents, passwords, secrets, HR records, healthcare records, or unrelated sensitive datasets unless strictly necessary and expressly agreed in writing.

3. Processor Obligations

The Processor processes personal data only on documented instructions, binds personnel to confidentiality, implements appropriate technical and organizational measures, supports the Controller with data-subject requests where reasonably possible, and deletes or returns personal data as described below unless statutory retention applies.

Customer invoice content is not used for model training, reusable datasets, benchmarking, or product analytics unless the Controller gives explicit written permission.

4. Controller Obligations

The Controller is responsible for the lawfulness of uploaded data, data minimization, transparency to affected data subjects, source-data accuracy, review, delivery, archiving, tax/accounting decisions, and ensuring that the Service is not used as the sole process for deadline-critical invoicing obligations.

5. Subprocessing and Transfers

The Controller authorizes the subprocessors listed in Annex 1. The Processor may replace or add subprocessors by giving at least 14 calendar days' notice by email, account notice, changelog, or another reasonable channel. The Controller may object for material data protection reasons. Third-country transfers are protected by Standard Contractual Clauses and additional safeguards where required.

6. Security Measures

  • Transport encryption using HTTPS/TLS for external service communication.
  • Role-based administrative access and least-privilege access controls.
  • Logical tenant separation for account, API, task, billing, and artifact data.
  • Hashed API keys; plaintext live API keys are only shown at creation.
  • Rate limits, request-size limits, abuse controls, and security audit logging.
  • Temporary artifact retention rather than permanent invoice-content archiving.
  • Separate production and non-production environments where operationally applicable.
  • Error filtering and telemetry minimization where technically feasible.
  • Subprocessor selection with contractual safeguards and transfer mechanisms.
  • Incident review and customer notification where required by law.

7. Audits and Evidence

The Processor will provide reasonable remote evidence of compliance, such as this DPA, subprocessor list, TOMs, retention summary, incident process, and written security questionnaire responses. On-site audits, source-code access, infrastructure access, secrets, credentials, logs unrelated to the Controller, or access to other tenants are not included unless separately agreed in writing.

8. Personal Data Breaches

The Processor will notify the Controller without undue delay after confirming a personal data breach affecting Controller personal data and will provide available information required for the Controller's statutory notifications as it becomes available. No hard 12-hour or 24-hour notice deadline, contractual penalty, or service credit applies unless expressly agreed in writing.

9. Deletion, Return, and Retention

The Processor does not operate a permanent central archive of customer invoice documents. Terminal processing tasks are usually available for about 10 minutes after completion or failure. External API idempotency records expire after 24 hours by default. Debug bundles are retained for up to 14 days by default. Event logs follow the deployed retention setting, currently expected to be 30 days unless changed; aggregate logs may be retained up to 365 days by default. Billing and accounting records are retained as required by law.

Upon termination, the Processor will delete or return personal data within a reasonable period unless legal retention, security, fraud-prevention, dispute, backup, or audit integrity requirements justify longer retention.

10. Liability

Mandatory liability toward data subjects under Art. 82 GDPR remains unaffected. As between Controller and Processor, contractual and internal reimbursement claims under or in connection with this DPA are subject to the liability limitations in the main agreement and applicable order form to the extent legally permitted. The Processor does not accept uncapped indemnities, contractual penalties, or liquidated damages unless expressly agreed in a separate signed writing.

11. Final Provisions

German law applies. Changes to this DPA must be documented in text form unless stricter form requirements apply. If individual provisions are invalid, the remaining provisions remain effective. Where legally permissible, the courts at the Processor's registered seat have jurisdiction.

Annex 1: Approved Subprocessors

| No. | Subprocessor | Service | Processing location | Data access |
|---|---|---|---|---|
| 1 | OpenAI Ireland Ltd. / OpenAI, L.L.C. | AI API for invoice extraction and structured-data transformation | EU/EEA and USA with transfer safeguards | Invoice content and metadata where the workflow uses OpenAI models |
| 2 | Mistral AI | AI API for invoice extraction and structured-data transformation | EU/EEA | Invoice content and metadata where the workflow uses Mistral models |
| 3 | Google Ireland Ltd. / Google LLC | OCR and AI processing where Gemini/OCR workflows are enabled | EU/EEA and USA with transfer safeguards | Invoice content and metadata where the workflow uses Google services |
| 4 | Koyeb SAS | Backend hosting and runtime infrastructure | EU/EEA | Invoice content, generated artifacts, and technical metadata |
| 5 | Vercel, Inc. | Frontend hosting, edge delivery, and preview/runtime infrastructure | EU/EEA and USA with transfer safeguards | Request metadata and limited content depending on route |
| 6 | Cloudflare, Inc. | DNS, CDN, WAF, DDoS protection, and network security | Global with transfer safeguards | Request metadata and transient traffic data |
| 7 | Supabase, Inc. | Authentication, database, storage, audit records, and tenant data | EU/EEA hosting with support/admin access safeguards | Account data, tenant metadata, artifacts, logs, and API records |
| 8 | Stripe Technology Europe, Limited / Stripe, Inc. | Payment processing, invoicing, subscription and credit billing | EU/EEA and USA with transfer safeguards | Billing, payment, customer, invoice, and transaction metadata |
| 9 | Brevo | Transactional and permitted marketing email delivery | EU/EEA | Email address, message metadata, language and unsubscribe status |
| 10 | PostHog, Inc. | Consent-based product analytics and session replay | EU/EEA cloud with support safeguards | Product telemetry and metadata, not invoice content by design |
| 11 | Sentry | Error monitoring, performance telemetry, and incident diagnostics | EU/EEA ingestion where configured and USA/support with safeguards | Error metadata, stack traces, paths, correlation IDs, and diagnostics |
