Data Processing Agreement

Last update: September 24, 2024

The Data Processing Agreement (the “DPA”) is an integral part of the Terms of Service regarding the Envoice Products. Unless otherwise defined in this DPA, capitalised terms used in this DPA will have the same meaning they do in the Terms of Service. By accepting the Terms of Service, the Client is also deemed to have accepted this DPA.

This DPA incorporates the Annex to the European Commission’s implementing decision (EU) 2021/915 of 4 June 2021 on standard contractual clauses between controllers and processors (the “SCCs”) available at: https://eur-lex.europa.eu/legal-content/EN/TXT/?uri=CELEX%3A32021D0915&locale-en.

The following options shall apply in relation to this DPA:

Clauses in the SCCs | Agreed Option
Clause 1 (a) | Option 1
Clause 5 | Shall not apply.
Clause 7.7 (a) | Option 2: general written authorisation. The agreed list of sub-processors is provided in Annex IV to the SCCs. Changes are to be notified at least 14 days in advance.
Clause 8 (c) 4) | Option 1
Clause 9.1 (b) | Option 1
Clause 9.1 (c) | Option 1
Clause 9.2 third paragraph | Option 1

ANNEX I to the SCCs – Parties

Processor / Supplier
Name: Envoice OÜ
Address: Tartu mnt 2, 10145 Tallinn, Estonia
Contact person’s name, position and contact details: Data Protection Officer, dpo@envoice.eu
Signature and accession date: Date of acceptance of the Terms of Service by the Client.

 

Controller / Client
Name: A legal entity whose representative has accepted Envoice’s Terms of Service.
Address
Contact person’s name, position and contact details: Contact details of the contact person are provided in the Client Account registration form.
Signature and accession date: Date of acceptance of the Terms of Service by the Client.

ANNEX II to the SCCs – Description of Processing

  • Categories of data subjects whose personal data is processed and categories of personal data

Categories of data subjects:

  • Employees of the Client
  • Users of the Software designated by the Client
  • Clients (natural persons) of the Client
  • Representatives of the Client’s Clients
  • Other individuals whose personal data are included in the documents provided to Envoice by the Client.
  • Anyone else who submits documents to Envoice for the Client or on the Client’s behalf.

The types of personal data processed

  • Identity Data includes: first name, last name, username or similar identifier, personal identification code, title, date of birth, gender, job title and tax registration numbers.
  • Contact Data includes: billing address, email address and telephone numbers.
  • Transaction Data includes: details about payments, receipts or invoices; details about payments and other details of products and services purchased from Envoice.
  • Technical Data includes: internet protocol (IP) address, login data, browser type and version, time zone setting and location, browser plug-in types and versions, operating system and platform, and other technology on the devices used to access the Envoice Products.
  • Profile Data includes: username and password, purchases or orders made, user preferences, feedback and survey responses.
  • Usage Data includes: information about usage of the Software and Envoice Products.
  • Sensitive data processed (if applicable) 

Invoices uploaded to Envoice may potentially include special categories of personal data. The processor will apply all technical and organisational measures set forth in Annex III to safeguard such data.

  • Nature of the processing and purpose(s) for which the personal data is processed on behalf of the controller

Provision of Envoice software and services pursuant to the Subscription Plan.

  • Duration of the processing

During the validity of the service agreement (Terms of Service) between the Client and the Supplier and for up to 60 days after the termination unless agreed with the Client otherwise.

  • Breach Notification

In the event of a data breach affecting personal data processed under this DPA, the Processor (Envoice) shall notify the Controller (Client) without undue delay and, where feasible, within 72 hours after becoming aware of the breach.

The notification shall include at least:

  • A description of the nature of the data breach, including the categories and approximate number of data subjects and records concerned.
  • The likely consequences of the breach.
  • Measures taken or proposed by the Processor to address the breach and mitigate any possible adverse effects.

The Processor will assist the Controller in complying with their obligations under Articles 33 and 34 of the GDPR, including any required communications with data subjects or supervisory authorities.

ANNEX III to the SCCs – Technical and Organisational Measures

The technical and organisational security measures implemented by the data importer in accordance with Clauses 4(d) and 5(c) of the EU SCCs are those established and maintained under clause 4 of this Data Processor Agreement and include, without limitation, those found at https://envoice.eu/en/information-security/ as amended from time to time.

ANNEX IV to the SCCs – List of Sub-processor(s)

A list of Sub-processors We use can be found below. This list may be amended from time to time:

Name | Category / Feature | Jurisdiction
Google Cloud EMEA Limited | Cloud infrastructure (IaaS) | EU: (Google Cloud, Europe-West1, Belgium – active location)
Microsoft Ireland Operations Limited | Cloud infrastructure (IaaS) | EU: (Microsoft Azure EU West)
Intercom R&D Unlimited Company | Cloud-based customer support services | US: (AWS N. Virginia)
Mailgun Technologies, Inc | Cloud-based email services | EU: Germany
HubSpot, Inc | Customer relationship management | EU / US
Braintree (PayPal (Europe) S.à r.l. et Cie, S.C.A.) | Payment provider | EU
Messente Communications OÜ | Transactional SMS | EU
Mixpanel, Inc. | Analytics provider | EU: Germany
Segment (Twilio Inc.) | Platform instrumentation | US: Oregon
ProductBoard, Inc. | Product management | US: (AWS)
Registrite ja Infosüsteemide Keskus | Estonian e-Invoicing | EU: Estonia
Slack Technologies, Inc. | Instant messaging services | US
Atlassian Pty Ltd | Issue management | EU: (AWS)
Calendly, LLC | Meeting scheduling | US