Data Processing Agreement

Last Updated: July 27, 2025

Effective Date: July 27, 2025

1. Introduction

This Data Processing Agreement ("DPA") forms part of the Terms of Service between you (the "Data Controller") and NovaInvoice (the "Data Processor") and governs the processing of personal data in compliance with the General Data Protection Regulation (GDPR) and other applicable data protection laws.

2. Definitions

For the purposes of this DPA, the following terms have the meanings set out below:

  • "Data Controller": The natural or legal person who determines the purposes and means of processing personal data
  • "Data Processor": The natural or legal person who processes personal data on behalf of the Data Controller
  • "Data Subject": An identified or identifiable natural person
  • "Personal Data": Any information relating to an identified or identifiable natural person
  • "Processing": Any operation performed on personal data
  • "Data Protection Laws": GDPR, CCPA, and other applicable data protection regulations

3. Scope and Applicability

This DPA applies to the processing of personal data by NovaInvoice on behalf of the Data Controller in connection with:

  • Invoice creation and management services
  • Client relationship management
  • Payment processing and financial transactions
  • Email communications and notifications
  • Usage analytics and service improvement

4. Data Controller and Data Processor Responsibilities

4.1 Data Controller Responsibilities

As the Data Controller, you are responsible for:

  • Determining the purposes and means of processing personal data
  • Ensuring you have a lawful basis for processing
  • Obtaining necessary consents from data subjects
  • Providing privacy notices to data subjects
  • Responding to data subject requests
  • Ensuring data accuracy and completeness
  • Implementing appropriate data protection measures

4.2 Data Processor Responsibilities

As the Data Processor, NovaInvoice is responsible for:

  • Processing personal data only on documented instructions from the Data Controller
  • Implementing appropriate technical and organizational measures
  • Assisting with data subject requests
  • Maintaining records of processing activities
  • Notifying the Data Controller of any data breaches
  • Returning or deleting personal data upon termination

5. Categories of Personal Data

The personal data processed under this DPA includes:

Category           | Data Types                                     | Purpose
Identity Data      | Name, email address, phone number              | Account management, communication
Business Data      | Company name, address, tax ID                  | Invoice creation, compliance
Financial Data     | Payment information, transaction records       | Payment processing, billing
Usage Data         | IP address, browser information, activity logs | Service provision, analytics
Communication Data | Email content, timestamps, delivery status     | Service delivery, tracking

6. Categories of Data Subjects

The data subjects whose personal data is processed include:

  • Account Holders: Individuals who create and manage NovaInvoice accounts
  • Invoice Recipients: Clients and customers who receive invoices
  • Authorized Users: Employees or agents acting on behalf of account holders
  • Payment Contacts: Individuals involved in payment processing

7. Processing Activities

NovaInvoice processes personal data for the following purposes:

  • Providing invoice management services
  • Facilitating payment processing through Stripe Connect
  • Sending invoice notifications and reminders
  • Tracking invoice delivery and engagement
  • Providing customer support services
  • Analyzing usage patterns for service improvement
  • Ensuring security and preventing fraud
  • Complying with legal and regulatory requirements

8. International Data Transfers

Personal data may be transferred to and processed in countries outside the European Economic Area (EEA). When such transfers occur, NovaInvoice ensures appropriate safeguards are in place:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions by the European Commission
  • Binding Corporate Rules (where applicable)
  • Other appropriate safeguards as recognized by data protection authorities

9. Technical and Organizational Measures

NovaInvoice implements appropriate technical and organizational measures to protect personal data:

Technical Measures:

  • Encryption of data in transit and at rest
  • Access controls and authentication mechanisms
  • Regular security monitoring and vulnerability assessments
  • Secure data backup and recovery procedures
  • Network security and firewall protection

Organizational Measures:

  • Data protection training for employees
  • Access controls on a need-to-know basis
  • Regular security audits and assessments
  • Incident response procedures
  • Data protection impact assessments

10. Data Subject Rights

NovaInvoice will assist the Data Controller in responding to data subject requests, including:

  • Right of Access: Providing copies of personal data
  • Right to Rectification: Correcting inaccurate data
  • Right to Erasure: Deleting personal data
  • Right to Restriction: Limiting processing activities
  • Right to Data Portability: Exporting data in a structured format
  • Right to Object: Objecting to certain types of processing

11. Data Retention

Personal data will be retained for the following periods:

  • Account Data: For the duration of the account plus 30 days
  • Invoice Data: 7 years for accounting and tax purposes
  • Payment Data: 7 years for financial compliance
  • Usage Logs: 2 years for security and analytics
  • Communication Data: 3 years for customer support

12. Data Breach Notification

In the event of a personal data breach, NovaInvoice will:

  • Notify the Data Controller without undue delay (within 72 hours)
  • Provide details of the breach, including affected data and individuals
  • Describe the likely consequences and mitigation measures
  • Assist in breach notification to supervisory authorities
  • Cooperate in communication with affected data subjects

13. Sub-processors

NovaInvoice may engage sub-processors to assist in providing services. Current sub-processors include:

  • Stripe: Payment processing and financial services
  • Email Service Providers: Email delivery and communication
  • Cloud Infrastructure Providers: Hosting and data storage

We will inform you of any changes to sub-processors and obtain your consent where required.

14. Data Protection Impact Assessment

NovaInvoice will assist the Data Controller in conducting Data Protection Impact Assessments (DPIAs) when required by law, particularly for high-risk processing activities.

15. Audits and Compliance

NovaInvoice will:

  • Maintain records of processing activities
  • Provide information necessary for demonstrating compliance
  • Allow for and contribute to audits by the Data Controller
  • Cooperate with supervisory authorities

16. Termination

Upon termination of this DPA, NovaInvoice will:

  • Return all personal data to the Data Controller or delete all personal data, at the Data Controller's choice
  • Provide certification of deletion when requested
  • Ensure sub-processors comply with the same obligations

17. Liability and Indemnification

Each party shall be liable for damages caused by its own breach of this DPA or applicable data protection laws. The Data Controller shall indemnify NovaInvoice for any claims arising from the Data Controller's breach of its obligations under this DPA.

18. Amendments

This DPA may be amended to reflect changes in data protection laws or our processing activities. We will notify you of any material changes and obtain your consent where required.

19. Contact Information

For questions about this DPA or data protection matters:

Data Protection Officer: [email protected]

Privacy Team: [email protected]

Legal Team: [email protected]

Website: https://novainvoice.com

GDPR Compliance: This Data Processing Agreement ensures compliance with GDPR and other data protection regulations. By using our service, you acknowledge that you have read and understood your responsibilities as a Data Controller.