Data Processing Agreement

Last updated: March 25, 2025

This Data Processing Agreement ("DPA") forms part of the Terms of Use and Privacy Policy (collectively the "Agreement") between:

  1. The Customer: The entity using the Invoice Maker service who acts as a data controller ("Customer", "Controller", "you", or "your"); and
  2. The Service Provider: Appnova EU OÜ, a company registered in Estonia with registry code 17175318 and registered address at Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe/1, 74626, Estonia ("Appnova", "Service Provider", "Processor", "we", "us", or "our").

1. Definitions

The terms "Controller", "Processor", "Data Subject", "Personal Data", "Personal Data Breach", "Processing", "Appropriate Technical and Organizational Measures", and "Supervisory Authority" shall have the meanings given to them in applicable Data Protection Laws, including but not limited to the EU General Data Protection Regulation (GDPR).

"Data Protection Laws" means all laws and regulations applicable to the Processing of Personal Data under the Agreement, including but not limited to the GDPR and any national implementing laws, regulations, and secondary legislation, as amended or updated from time to time.

"Sub-processor" means any Processor engaged by Appnova to process Personal Data on behalf of the Customer.

"Service" refers to the Invoice Maker application and related services provided by Appnova.

2. Subject Matter and Duration

2.1 This DPA applies to the Processing of Personal Data by Appnova on behalf of the Customer in connection with the provision of the Service.

2.2 This DPA will commence on the date you agree to the Terms of Use and Privacy Policy or start using the Service, whichever is earlier, and will continue until the Agreement is terminated.

3. Nature and Purpose of Processing

3.1 Appnova will Process Personal Data only as necessary to provide the Service to the Customer in accordance with the Agreement and this DPA.

3.2 The types of Personal Data processed and the categories of Data Subjects whose Personal Data is processed are set out in Annex 1 to this DPA.

4. Customer's Obligations

4.1 The Customer warrants that:

  1. It has all necessary rights and authority to provide the Personal Data to Appnova for Processing under this DPA;
  2. Its instructions to Appnova regarding the Processing of Personal Data will comply with Data Protection Laws;
  3. It has provided all necessary notices to Data Subjects and obtained all necessary consents to transfer the Personal Data to Appnova and allow Appnova to Process the Personal Data in accordance with this DPA; and
  4. It will not instruct Appnova to Process Personal Data in a manner that would violate Data Protection Laws.

5. Appnova's Obligations

5.1 Appnova will:

  1. Process the Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by EU or Member State law to which Appnova is subject; in such a case, Appnova shall inform the Customer of that legal requirement before Processing, unless that law prohibits such information on important grounds of public interest;
  2. Ensure that persons authorized to Process the Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality;
  3. Implement Appropriate Technical and Organizational Measures to ensure a level of security appropriate to the risk, as set out in Section 6 of this DPA;
  4. Respect the conditions for engaging Sub-processors as set out in Section 7 of this DPA;
  5. Taking into account the nature of the Processing, assist the Customer by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Customer's obligation to respond to requests from Data Subjects exercising their rights under Data Protection Laws;
  6. Assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of Processing and the information available to Appnova;
  7. At the choice of the Customer, delete or return all the Personal Data to the Customer after the end of the provision of services relating to Processing, and delete existing copies unless EU or Member State law requires storage of the Personal Data;
  8. Make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Customer or another auditor mandated by the Customer, subject to the conditions set out in Section 8 of this DPA.

6. Security Measures

6.1 Appnova shall implement and maintain Appropriate Technical and Organizational Measures to protect the Personal Data from Personal Data Breaches and to ensure a level of security appropriate to the risk, including, as appropriate:

  1. The pseudonymization and encryption of Personal Data;
  2. The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services;
  3. The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident;
  4. A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the Processing.

6.2 In assessing the appropriate level of security, Appnova shall take into account the risks presented by the Processing, particularly from accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to Personal Data.

7. Sub-processors

7.1 The Customer provides general authorization for Appnova to engage Sub-processors to Process Personal Data on behalf of the Customer, provided that Appnova:

  1. Maintains an up-to-date list of its Sub-processors on its website or within the Service, including their identities and locations;
  2. Imposes the same data protection obligations on the Sub-processor as are set out in this DPA;
  3. Remains fully liable to the Customer for the performance of the Sub-processor's obligations.

7.2 Appnova shall inform the Customer of any intended changes concerning the addition or replacement of Sub-processors, thereby giving the Customer the opportunity to object to such changes. If the Customer objects to a new Sub-processor, and if Appnova cannot reasonably accommodate the Customer's objection, the Customer may terminate the Agreement.

7.3 Current Sub-processors: As of the date of this DPA, Appnova uses the following categories of Sub-processors for the Processing of Personal Data:

Sub-processor Category | Purpose | Location
Cloud Infrastructure Providers | Hosting of the Service | European Union
Payment Processing Services | Processing of payments | European Union, United States
Customer Support Tools | Customer service and support | European Union
Email Service Providers | Sending of notifications and communications | European Union
Analytics Services | Analysis of Service usage and performance | European Union

8. Audit Rights

8.1 Upon Customer's request, and subject to confidentiality obligations, Appnova shall make available to the Customer information necessary to demonstrate compliance with this DPA.

8.2 No more than once per year, and upon at least thirty (30) days' prior written notice, the Customer may conduct an audit of Appnova's data protection practices relevant to Personal Data processed on behalf of the Customer. Such audit shall:

  1. Be subject to mutual agreement on timing, scope, and duration;
  2. Be conducted at the Customer's expense;
  3. Be restricted to information relevant to the Customer (not other customers);
  4. Be conducted in a manner that does not disrupt Appnova's normal business operations.

8.3 The Customer may use a third-party auditor, provided that the third party executes a confidentiality agreement acceptable to Appnova before the audit.

8.4 Alternatively, Appnova may provide the Customer with certifications, audit reports, or other documentation demonstrating compliance with this DPA and applicable Data Protection Laws, which the Customer may use to assess such compliance.

9. Data Transfers

9.1 Appnova may transfer and Process Personal Data in and to countries outside the European Economic Area (EEA) only if such transfer is necessary for the purposes of carrying out the obligations under the Agreement and:

  1. The transfer is to a country that has been determined by the European Commission to provide an adequate level of protection for Personal Data;
  2. The transfer is subject to appropriate safeguards, such as Standard Contractual Clauses approved by the European Commission; or
  3. Another lawful data transfer mechanism applies under Data Protection Laws.

9.2 If Appnova intends to rely on Standard Contractual Clauses for transfers of Personal Data, the Standard Contractual Clauses shall be deemed incorporated into this DPA by reference.

10. Data Breach Notification

10.1 Appnova shall notify the Customer without undue delay after becoming aware of a Personal Data Breach affecting the Personal Data processed on behalf of the Customer.

10.2 The notification will, at a minimum:

  1. Describe the nature of the Personal Data Breach including, where possible, the categories and approximate number of Data Subjects concerned and the categories and approximate number of Personal Data records concerned;
  2. Communicate the name and contact details of the data protection officer or other contact point where more information can be obtained;
  3. Describe the likely consequences of the Personal Data Breach;
  4. Describe the measures taken or proposed to be taken to address the Personal Data Breach, including, where appropriate, measures to mitigate its possible adverse effects.

10.3 Appnova shall document all Personal Data Breaches, including the facts relating to the breach, its effects, and the remedial action taken.

11. Return or Deletion of Data

11.1 Upon termination of the Agreement or upon Customer's written request, Appnova shall, at the Customer's choice, return all Personal Data to the Customer or delete such data, including any copies, unless EU or Member State law requires storage of the Personal Data.

11.2 The Customer may extract Personal Data from the Service using the export features available within the Service before termination of the Agreement.

11.3 Appnova may retain Personal Data to the extent required by applicable laws, provided that Appnova ensures the confidentiality of such Personal Data and ensures that the Personal Data is only processed as necessary for the purpose(s) specified in the applicable laws requiring its storage.

12. Liability

12.1 Each party shall be liable for any damages caused by its breach of this DPA, subject to the limitations of liability set forth in the Agreement.

12.2 If one party is held liable for a violation of this DPA committed by the other party, the latter will, to the extent to which it is liable, indemnify the first party for any cost, charge, damages, expenses, or loss incurred.

13. Governing Law and Jurisdiction

13.1 This DPA shall be governed by the laws of Estonia, without regard to its conflict of laws principles.

13.2 Any dispute arising out of or in connection with this DPA shall be subject to the exclusive jurisdiction of the courts of Estonia, except where mandatory law applies.

14. Modification and Severability

14.1 Appnova may modify this DPA if necessary to comply with applicable law or regulation, with notice to the Customer.

14.2 If any provision of this DPA is found to be unenforceable, the remainder shall be enforced as fully as possible and the unenforceable provision shall be deemed modified to the limited extent required to permit its enforcement in a manner most closely approximating the intention of the parties as expressed herein.

15. Precedence

In the event of any conflict or inconsistency between the provisions of this DPA and the Agreement, the provisions of this DPA shall prevail with respect to the parties' data protection obligations. In case of doubt, the provisions of this DPA shall be interpreted in a manner that complies with Data Protection Laws.

ANNEX 1: DETAILS OF PROCESSING

A. Subject Matter and Duration of Processing

The subject matter of the Processing is the provision of the Invoice Maker service to the Customer. The duration of the Processing will be for the term of the Agreement between Appnova and the Customer.

B. Nature and Purpose of Processing

Appnova will Process Personal Data as necessary to provide the Service to the Customer in accordance with the Agreement, including:

  • Creating and managing user accounts
  • Creating, storing, and managing invoices
  • Processing payments
  • Providing customer support
  • Sending notifications and communications related to the Service
  • Analyzing usage of the Service to improve functionality
  • Maintaining the blacklist feature and associated data
  • Ensuring the security and availability of the Service

C. Categories of Data Subjects

The Personal Data Processed may relate to the following categories of Data Subjects:

  • Customer's personnel who use the Service (e.g., employees, contractors)
  • Customer's clients and business partners to whom invoices are issued
  • Other individuals whose Personal Data is included in invoices or related documents
  • Individuals or representatives of businesses included in the blacklist feature

D. Types of Personal Data

The Personal Data Processed may include the following types of data:

  • Contact information (e.g., name, email address, phone number, physical address)
  • User account information (e.g., username, password)
  • Business information (e.g., company name, VAT number, registration number)
  • Financial information (e.g., bank account details, payment information)
  • Invoice data (e.g., products/services purchased, prices, payment terms)
  • Blacklist data (information about problematic clients and related notes)
  • Usage data (e.g., IP address, browser information, device information)
  • Communications data (e.g., support requests, correspondence)

By using the Service, the Customer acknowledges that they have read and agree to be bound by this Data Processing Agreement.

For Appnova EU OÜ
Address: Harju maakond, Kuusalu vald, Pudisoo küla, Männimäe/1, 74626, Estonia
Registry Code: 17175318
Contact: info@appnova.io