Data Processing Agreement
This Data Processing Agreement ("DPA") forms part of the CSVInvoice Terms of Service and applies whenever a customer uses CSVInvoice to process documents that contain personal data. By accepting the Terms of Service, the customer also accepts this DPA.
1. Definitions
"Controller" means the customer — the natural or legal person who determines the purposes and means of processing personal data by using the CSVInvoice Service.
"Processor" means CSVInvoice, which processes personal data on behalf of the Controller.
"Personal Data", "Processing", "Data Subject", "Supervisory Authority", and "Sub-processor" have the meanings given in Regulation (EU) 2016/679 (GDPR).
"Service" means the CSVInvoice platform as described in the Terms of Service.
2. Scope and Relationship
This DPA applies where the Controller uploads documents to the Service that contain personal data — for example, invoices that include the names, addresses, or contact details of individuals.
CSVInvoice acts solely as a Processor in this context. The Controller determines the purpose and means of processing; CSVInvoice processes the data only to the extent necessary to deliver the Service.
3. Details of Processing
| Item | Details |
|---|---|
| Subject matter | AI-assisted extraction of structured data from PDF invoice files |
| Duration | For the duration of each processing request; data is not retained after processing |
| Nature of processing | Automated analysis and extraction, performed entirely in memory |
| Purpose | Converting invoice documents into structured CSV or Excel output as instructed by the Controller |
| Types of personal data | Names, addresses, email addresses, phone numbers, and financial data appearing on invoices |
| Categories of data subjects | Contacts, suppliers, customers, and employees whose details appear on invoice documents |
4. Controller Obligations
The Controller represents and warrants that:
- It has a valid legal basis under applicable law to process the personal data contained in documents uploaded to the Service.
- It is authorised to instruct CSVInvoice to process that data on its behalf.
- The personal data provided to CSVInvoice is accurate and its processing complies with applicable data protection law.
5. Processor Obligations
CSVInvoice agrees to:
5.1 Process Only on Instructions
Process personal data only on the documented instructions of the Controller — specifically, to extract and convert invoice data as requested. CSVInvoice will inform the Controller if, in its opinion, an instruction infringes applicable data protection law.
5.2 Confidentiality
Ensure that all personnel authorised to process personal data are bound by appropriate confidentiality obligations.
5.3 Security
Implement and maintain appropriate technical and organisational measures to protect personal data against accidental or unlawful destruction, loss, alteration, or unauthorised disclosure or access. These measures are described on our Security page.
5.4 In-Memory Processing
Invoice files are processed entirely in memory and are never written to disk or stored in any database. Personal data contained in uploaded documents is not retained by CSVInvoice after processing is complete.
5.5 Assistance with Data Subject Rights
Assist the Controller, by appropriate technical and organisational measures, in fulfilling its obligations to respond to requests from data subjects exercising their rights under applicable law (access, rectification, erasure, portability, restriction, objection).
5.6 Assistance with Security and Breach Notification
Assist the Controller in ensuring compliance with its obligations under Articles 32–36 GDPR, including security obligations, breach notification, data protection impact assessments, and prior consultation with supervisory authorities.
5.7 Deletion on Termination
Upon termination of the Service, all personal data processed under this DPA is immediately discarded from memory as part of normal operation. No additional deletion step is required given the in-memory processing model.
5.8 Information and Compliance
Provide the Controller with all information reasonably necessary to demonstrate compliance with the obligations set out in this DPA, upon written request to [email protected].
CSVInvoice does not grant on-site audit rights. Where applicable law requires an audit right that cannot be satisfied by information provision, the parties will agree on a reasonable process in good faith.
6. Sub-processors
The Controller grants CSVInvoice general authorisation to engage sub-processors to assist in providing the Service.
The current list of sub-processors is available on our Subprocessors page.
CSVInvoice will notify the Controller of any intended changes to that list (additions or replacements) with at least 14 days' notice by updating the Subprocessors page and, for material changes, by email. The Controller may object to a new sub-processor within that notice period by contacting [email protected]. If the parties cannot resolve the objection in good faith, the Controller may terminate the Service.
CSVInvoice remains fully liable to the Controller for the performance of sub-processors' obligations under this DPA.
7. International Data Transfers
Personal data processed under this DPA is primarily stored and processed within the European Economic Area on Hetzner infrastructure in Falkenstein, Germany.
Where sub-processors are located outside the EEA (currently Stripe and Cloudflare), CSVInvoice ensures an adequate level of protection through one or more of the following mechanisms:
- The European Commission's Standard Contractual Clauses (SCCs) as adopted by Commission Implementing Decision (EU) 2021/914.
- An adequacy decision by the European Commission for the relevant country.
Details of the transfer mechanisms in place for each sub-processor are available on request at [email protected].
8. Data Breach Notification
In the event of a personal data breach affecting data processed under this DPA, CSVInvoice will notify the Controller without undue delay and, where feasible, within 72 hours of becoming aware of the breach.
Notification will include, to the extent known at the time:
- The nature of the breach and categories of data affected.
- The likely consequences of the breach.
- The measures taken or proposed to address the breach.
The Controller is responsible for assessing whether the breach requires notification to the relevant supervisory authority or to affected data subjects.
9. Data Subject Rights
Where CSVInvoice receives a request directly from a data subject exercising their rights in relation to personal data processed under this DPA, CSVInvoice will promptly forward the request to the Controller. CSVInvoice will not respond to such requests on the Controller's behalf unless instructed to do so.
10. Termination
This DPA terminates automatically upon termination of the Terms of Service. Given that personal data is processed in memory only and not retained after processing, no further deletion action is required on termination.
11. Order of Precedence
In the event of a conflict between this DPA and the Terms of Service with respect to the processing of personal data, this DPA takes precedence.
12. Governing Law
This DPA is governed by the same law as the Terms of Service. Any disputes arising from this DPA will be resolved in accordance with the dispute resolution process set out in the Terms of Service.
13. Contact
For questions about this DPA or to make a written request under Section 5.8, contact us at [email protected].