Data Processing Agreement
Last updated: January 9, 2026
Overview
This Data Processing Agreement ("DPA") forms part of the agreement between Invoice Navigator B.V. ("Processor") and you ("Controller") for the provision of e-invoicing validation services.
The DPA is available to Growth and Enterprise customers. Contact us to execute a DPA for your organization.
Request a DPA
For Growth and Enterprise customers, we provide a pre-signed DPA that can be countersigned electronically.
Request DPADPA Summary
Subject Matter & Duration
- Subject: Processing of invoice data for validation services
- Duration: Term of the Service Agreement
- Nature: Automated validation, storage, evidence generation
- Purpose: E-invoice compliance validation
Types of Personal Data
- Business contact information (names, emails)
- Invoice data (may contain names, addresses, transaction details)
- Account credentials (hashed)
Categories of Data Subjects
- Customer employees
- Customer's clients (invoice recipients)
- Customer's suppliers (invoice senders)
Key Terms
Sub-Processors
Current list available at /legal/sub-processors. 30-day notice for changes. Controller may object within 14 days.
Data Subject Rights
Processor shall assist Controller with access, rectification, deletion, and portability requests. Response time: 5 business days.
Data Breach Notification
Notification within 24 hours of discovery. Includes: nature, categories affected, likely consequences, measures taken.
Deletion/Return
Upon termination: delete all Personal Data within 30 days. Provide deletion certificate. Return data in standard format on request.
Audits
Controller may request SOC 2 report annually. Remote audit with 30 days notice. On-site audit (Enterprise only) with 60 days notice.
International Transfers
Primary processing: EU (Frankfurt). Sub-processors outside EU: Standard Contractual Clauses apply.
Data Location
| Data Type | Location | Provider |
|---|---|---|
| Database | EU (Frankfurt) | Supabase |
| File Storage | EU (Frankfurt) | AWS S3 eu-central-1 |
| Backups | EU (Frankfurt) | AWS S3 eu-central-1 |
| CDN | EU edge locations | Vercel |
| Email* | US | Resend |
*Transactional emails only, no invoice content
Enterprise Data Residency Options
EU-Only Strict
All processing in EU. No US sub-processors. EU-based email provider.
Germany-Only
All data processing and storage within Germany only.
On-Premises
Self-hosted validation engine. Data never leaves your infrastructure. Enterprise Plus only.
Contact
For DPA requests or questions about data processing:
- Email: legal@invoicenavigator.eu
- Privacy: privacy@invoicenavigator.eu