The Data Processing Agreement (the “DPA”) is an integral part of the Terms of Service regarding the Envoice Products. Unless otherwise defined in this DPA, capitalised terms used in DPA will have the same meaning they do in the Terms of Service. By accepting the Terms of Service, the Client is also deemed to have accepted this DPA.
This DPA incorporates the Annex to the European Commission’s implementing decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors (the “SCCs”) available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en.
The following options shall apply in relation to this DPA:
Clauses in the SCCs | Agreed Option |
Clause 1 (a) | Option 1 |
Clause 5 | Shall not apply. |
Clause 7.7 (a) | Option 2: general written authorisation.
The agreed list of sub-processors is provided in Annex IV to the SCCs. Changes are to be notified at least 14 days in advance. |
Clause 8 (c) 4) | Option 1 |
Clause 9.1 (b) | Option 1 |
Clause 9.1 (c) | Option 1 |
Clause 9.2 third paragraph | Option 1 |
ANNEX I to the SCCs – Parties
Processor / Supplier | |
Name: | Envoice OÜ |
Address: | Tartu mnt 2, 10145 Tallinn, Estonia |
Contact person’s name, position and contact details: | Data Protection Officer, dpo@envoice.eu |
Signature and accession date: | Date of acceptance of the Terms of Service by the Client. |
Controller / Client | |
Name | A legal entity whose representative has accepted Evoice’s Terms of Service. |
Address | |
Contact person’s name, position and contact details: | Contact details of the contact person are provided in the Client Account registration form. |
Signature and accession date: | Date of acceptance of the Terms of Service by the Client. |
ANNEX II to the SCCs – Description of Processing
-
Categories of data subjects whose personal data is processed and categories of personal data
Categories of data subjects:
- Employees of the Client
- Users of the Software designated by the Client
- Clients (natural persons) of the Client
- Representatives of the Client’s Clients
- Other individuals whose personal data are included in the documents provided to Envoice by the Client.
- Anyone else who submits documents to Envoice for Client or on Client’s behalf
The types of personal data processed
- Identity Data includes: first name, last name, username or similar identifier, personal identification code, title, date of birth, gender, job title and tax registration numbers.
- Contact Data includes: billing address, email address and telephone numbers.
- Transaction Data includes: details about payments, receipts or invoices; details about payments and other details of products and services purchased from Envoice.
- Technical Data includes: internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access the Envoice Products.
- Profile Data includes: username and password, purchases or orders made, user preferences, feedback and survey responses.
- Usage Data includes: information about usage of the Software and Envoice Products
-
Sensitive data processed (if applicable)
Invoices uploaded to Envoice may potentially include special categories of personal data. The processor will apply all technical and organisational measures set forth in Annex III to safeguard such data.
-
Nature of the processing and purpose(s) for which the personal data is processed on behalf of the controller
Provision of Envoice software and services pursuant to the Subscription Plan.
-
Duration of the processing
During the validity of the service agreement (Terms of Service) between the Client and the Supplier and for up to 60 days after the termination unless agreed with the Client otherwise.
-
Breach Notification
In the event of a data breach affecting personal data processed under this DPA, the Processor (Envoice) shall notify the Controller (Client) without undue delay and, where feasible, within 72 hours after becoming aware of the breach.
The notification shall include at least:
- A description of the nature of the data breach, including the categories and approximate number of data subjects and records concerned.
- The likely consequences of the breach.
- Measures taken or proposed by the Processor to address the breach and mitigate any possible adverse effects.
The Processor will assist the Controller in complying with their obligations under Articles 33 and 34 of the GDPR, including any required communications with data subjects or supervisory authorities.
ANNEX III to the SCCs – Technical and Organisational Measures
The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) of the EU SCC’s are those established and maintained under clause 4 of this Data Processor Agreement and includes without limitation those found at https://envoice.eu/en/information-security/ as amended from time to time.
ANNEX IV to the SCCs – List of Sub-processor(s)
A list of Sub-processors We use can be found below. This list may be amended from time to time:
Name | Category / Feature | Jurisdiction |
Google Cloud EMEA Limited | Cloud infrastructure (IaaS) | EU: (Google Cloud, Europe-West1, Belgium – active location) |
Microsoft Ireland Operations Limited | Cloud infrastructure (IaaS) | EU: (Microsoft Azure EU West) |
Intercom R&D Unlimited Company | Cloud-based customer support services | US: (AWS N. Virginia) |
Mailgun Technologies, Inc | Cloud-based email services | EU: Germany |
HubSpot, Inc | Customer relationship management | EU / US |
Braintree (PayPal (Europe) S.à r.l. et Cie, S.C.A.) | Payment provider | EU |
Messente Communications OÜ | Transactional SMS | EU |
Mixpanel, Inc. | Analytics provider | EU: Germany |
Segment (Twilio Inc.) | Platform instrumentation | US: Oregon |
ProductBoard, Inc. | Product management | US: (AWS) |
Registrite ja Infosüsteemide Keskus | Estonian e-Invoicing | EU: Estonia |
Slack Technologies, Inc. | Instant messaging services | US |
Atlassian Pty Ltd | Issue management | EU: (AWS) |
Calendly, LLC | Meeting scheduling | US |