Data Processing Addendum

Introduction

This Data Processing Addendum ("DPA") forms part of the InvoiceBest Terms of Service and applies where InvoiceBest processes Personal Data on behalf of Customer (the "Controller") in the course of providing the Services.

This DPA is designed to meet the requirements of the EU General Data Protection Regulation (GDPR), the UK GDPR, and other applicable data protection laws.

1. Definitions

• "Controller" means the entity that determines the purposes and means of processing Personal Data (you, the customer).
• "Processor" means InvoiceBest, which processes Personal Data on behalf of the Controller.
• "Personal Data" means any information relating to an identified or identifiable natural person as defined by applicable data protection law.
• "Sub-processor" means any third party engaged by InvoiceBest to process Personal Data.
• "Data Subject" means an identified or identifiable natural person about whom Personal Data is processed.

2. Scope and Subject Matter

Subject matter: Provision of invoicing and business management services.

Duration: The term of the Services agreement.

Nature and purpose: Processing of customer contact information, invoice data, and business records to enable invoice creation, payment tracking, and business management features.

Categories of Personal Data: Names, email addresses, phone numbers, business addresses, payment information, tax IDs, and other business contact details you choose to include in invoices and customer records.

Categories of Data Subjects: Your customers, clients, vendors, and any other individuals whose information you include in the Service.

3. InvoiceBest's Obligations as Processor

InvoiceBest shall:

• Process only on instructions: Process Personal Data only in accordance with your documented instructions (via use of the Service features) and not for any other purpose.
• Confidentiality: Ensure that persons authorized to process Personal Data are bound by confidentiality obligations.
• Security: Implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption, access controls, and monitoring. See Section 9 of the Privacy Policy.
• Sub-processors: Engage Sub-processors only with your prior general authorization and under written contracts imposing substantially the same obligations as this DPA. Current Sub-processors are listed at invoicebest.com/legal/subprocessors.
• Data Subject requests: Assist you in responding to Data Subject requests (access, rectification, deletion, etc.) by providing export tools and account controls.
• Breach notification: Notify you without undue delay upon becoming aware of a Personal Data breach affecting your data.
• Deletion or return: Delete or return all Personal Data upon termination of Services, subject to legal retention requirements and backup cycles (up to 90 days).
• Audits: Make available information necessary to demonstrate compliance and allow for reasonable audits or inspections by you or your appointed auditor.

4. Your Obligations as Controller

You (the Controller) shall:

• Ensure you have a lawful basis for processing the Personal Data you submit to the Service.
• Obtain all necessary consents and provide required privacy notices to your customers and contacts.
• Ensure your use of the Service complies with applicable data protection laws.
• Not instruct InvoiceBest to process Personal Data in a manner that violates applicable law or this DPA.

5. Sub-processors

You authorize InvoiceBest to engage Sub-processors to assist in providing the Services. We will provide 30 days' advance notice of new Sub-processors via email. You may object to a new Sub-processor on reasonable data protection grounds. If we cannot accommodate your objection, you may terminate your subscription.

The current list of Sub-processors is available at invoicebest.com/legal/subprocessors.

6. International Transfers

InvoiceBest may transfer Personal Data to countries outside the EEA/UK. Where required, we rely on:

• The European Commission's Standard Contractual Clauses (SCCs) for data transfers to third countries.
• The UK International Data Transfer Addendum to the SCCs for transfers from the UK.
• Adequacy decisions where available (e.g., for transfers to countries deemed adequate by the European Commission).

Upon request, we will provide you with copies of the Standard Contractual Clauses or other relevant transfer mechanisms.

7. Security Measures

InvoiceBest implements the following security measures:

• Encryption: TLS 1.3 for data in transit; AES-256 encryption at rest.
• Access control: Row-Level Security (RLS), role-based access controls, multi-factor authentication.
• Monitoring: Security monitoring, intrusion detection, automated vulnerability scanning.
• Data isolation: Strict tenant separation to prevent cross-customer data access.
• Backups: Encrypted daily backups with secure storage and retention policies.
• Personnel: Background checks and confidentiality agreements for personnel with access to Personal Data.

8. Data Subject Rights

InvoiceBest provides tools to help you fulfill Data Subject requests:

• Access: Export features allow you to retrieve Personal Data in standard formats (CSV, PDF).
• Rectification: Edit capabilities in the Service allow you to correct inaccurate data.
• Deletion: You can delete customer records and account data from your workspace.
• Portability: Data export tools provide data in portable formats.

For requests InvoiceBest receives directly from your customers, we will redirect them to you unless legally required to respond directly.

9. Data Breach Notification

InvoiceBest will notify you without undue delay (and in any event within 72 hours where feasible) after becoming aware of a Personal Data breach affecting your data. The notification will include:

• The nature of the breach, including categories and approximate numbers of affected Data Subjects and records.
• The likely consequences of the breach.
• Measures taken or proposed to address the breach and mitigate its effects.

10. Deletion and Return of Data

Upon termination of Services, InvoiceBest will:

• Delete all Personal Data within 30 days (up to 90 days for backup deletion cycles), unless legally required to retain certain data.
• Provide you with the opportunity to export your data before deletion using our export tools.
• Certify deletion upon request.

11. Liability and Indemnity

Each party's liability under this DPA is subject to the limitation of liability provisions in the Terms of Service. InvoiceBest is liable only for damages caused by its breach of this DPA to the extent required by applicable data protection law.

12. Term and Termination

This DPA remains in effect for as long as InvoiceBest processes Personal Data on your behalf. The obligations in Sections 3 (security and confidentiality), 9 (breach notification), and 10 (deletion) survive termination.

13. Standard Contractual Clauses

For transfers of Personal Data from the EEA or UK to countries without an adequacy decision, the parties agree to be bound by the EU Standard Contractual Clauses (Module 2: Controller to Processor) and the UK International Data Transfer Addendum, as applicable.

Copies of the SCCs and UK Addendum are available upon request by contacting legal@invoicebest.com.

14. Contact

For questions about this DPA or to request signed copies or additional documentation, contact:

Email: legal@invoicebest.com
Data Protection Officer: privacy@invoicebest.com