This Data Processing Agreement (“DPA”) governs the processing of personal data that the user enters, uploads or processes in Facturio in relation to their clients, contractors, contact persons and other third parties.
This DPA forms part of the Facturio Terms of Use and applies where Facturio processes personal data on behalf of the user as a data processor.
1. Parties
User - the person or organisation using Facturio and determining the purposes and means of processing personal data of their clients, contractors, employees, contact persons or other data subjects.
Facturio / Creative Brain OÜ - the provider of the Facturio service:
Creative Brain OÜ
Reg. No.: 14375123
VAT ID: EE102063301
Address: Paepargi tn 47-9, 11417 Tallinn, Estonia
Email: info@facturio.eu
Website: facturio.eu
2. Roles of the parties
For data relating to clients, contractors and contact persons entered into Facturio by the user, the user usually acts as the controller and Facturio acts as the processor.
The user is responsible for the lawfulness of collecting, entering and processing such data in Facturio.
Facturio processes such data only under this DPA, the Terms of Use, the Privacy Policy and the user's documented instructions.
3. Subject matter of processing
Facturio processes personal data to provide the user with service features, including creating and storing invoices, managing clients and contact persons, generating PDF documents, exporting data to CSV, DATEV or other formats, sending documents and reminders by email, maintaining reports, managing paid access, providing technical support, security and service maintenance.
4. Duration of processing
Processing continues for the period during which the user uses Facturio.
After account deletion or termination of service use, Facturio deletes or anonymises personal data in accordance with the Privacy Policy, unless further retention is required by law, for dispute resolution, abuse prevention, security or protection of rights.
5. Nature and purpose of processing
The nature of processing may include collection, recording, storage, organisation, structuring, modification, viewing, use, transfer, export, deletion and other operations necessary to provide Facturio features.
The purpose of processing is to provide the user with a tool for managing invoices, clients, products and services, documents, email sending, reports and related business processes.
6. Categories of personal data
names and company names;
addresses;
email addresses;
contact persons;
tax data;
registration data;
bank details, if entered by the user;
invoice and document data;
products, services, prices, taxes and amounts;
payment statuses;
credit notes, debts and related documents;
email messages, templates and attachments;
technical logs where related to data processing.
7. Categories of data subjects
Facturio users;
the user's clients;
contact persons of the user's clients;
the user's contractors;
recipients of invoices, documents and email messages;
employees, representatives or contractors of the user, if the user enters their data;
other persons whose data the user enters into Facturio.
8. User instructions
Facturio processes data only on the basis of the user's documented instructions.
User instructions include actions performed by the user in the Facturio interface, account settings, creating, editing, sending, exporting or deleting data, support requests submitted by the user, these Terms, this DPA and related documents.
If Facturio believes that a user instruction violates applicable data protection law, Facturio may notify the user, unless such notification is prohibited by law.
9. Obligations of Facturio as processor
Facturio undertakes to:
process personal data only in accordance with this DPA and the user's instructions;
ensure that persons with access to personal data are bound by confidentiality obligations;
apply reasonable technical and organisational security measures;
assist the user with data subject requests where possible;
use subprocessors only in accordance with this DPA;
after termination of service use, delete or return data in accordance with this DPA and the Privacy Policy.
10. Obligations of the user
The user undertakes to:
have a lawful basis for processing data entered into Facturio;
provide data subjects with the necessary information;
ensure the accuracy and relevance of data;
use Facturio only for lawful purposes;
not upload data that the user has no right to process;
independently check the content of documents, email messages, exports and reports;
export data in time where needed for accounting, reporting, archiving or other purposes.
11. Confidentiality
Facturio ensures that persons with access to personal data process such data only for the purpose of providing the service and are bound by confidentiality obligations.
12. Security measures
Facturio applies reasonable technical and organisational security measures, including, where applicable, access controls, access right limitations, protected storage of sensitive data, logging and monitoring, backups, account and authentication protection, infrastructure protection, and measures to prevent unauthorised access, loss, alteration or disclosure of data.
A more detailed description of security measures is provided in Appendix 2 to this DPA.
13. Subprocessors
Facturio may use subprocessors to provide the service.
Stripe - payment processing and payment events;
Google OAuth - registration and login through Google;
Google Analytics - service usage analytics;
hosting and server infrastructure providers;
data and file storage providers;
email delivery or SMTP infrastructure providers;
monitoring, logging, security and support providers.
Facturio remains responsible to the user for the performance of subprocessors' obligations to the extent provided by applicable law and this DPA.
Facturio may change the list of subprocessors. The user may request current information about subprocessors at info@facturio.eu.
14. International transfers
If subprocessors or service providers process personal data outside the European Economic Area, Facturio applies available legal safeguards where required by applicable law. Such safeguards may include standard contractual clauses, adequacy decisions or other legal instruments provided by law.
15. Data subject requests
If a data subject contacts Facturio directly about data that the user entered into Facturio as controller, Facturio may forward the request to the user where permitted by law.
Facturio provides the user with reasonable assistance in responding to data subject requests where possible, taking into account the nature of the service and available information.
16. Security incidents
If Facturio becomes aware of a personal data security incident affecting data processed on behalf of the user, Facturio will notify the user without undue delay where such notification is required by applicable law.
The notification may include information about the nature of the incident, affected data, possible consequences and measures taken or planned to address the consequences, where such information is available.
17. Deletion or return of data
The user may export data using available Facturio features, where such features are provided.
The user may request deletion of the account or data by contacting info@facturio.eu.
After termination of service use, Facturio deletes or anonymises data in accordance with the Privacy Policy, unless further retention is required by law, for dispute resolution, abuse prevention, security or protection of rights.
18. Audit and compliance information
Facturio provides the user with reasonable information necessary to demonstrate compliance with this DPA where such obligation is required by applicable law.
Any audit must be conducted in a reasonable manner and without compromising security, confidentiality, the rights of other users or normal operation of the service.
Facturio may refuse to provide information or access where the request is excessive, unreasonable, compromises security or affects trade secrets, third-party rights or data of other users.
19. Order of precedence
In the event of a conflict between this DPA and the Terms of Use regarding the processing of personal data on behalf of the user, this DPA prevails.
For all other matters, the Facturio Terms of Use and Privacy Policy apply.
20. Contact
For questions about this DPA, you can contact us:
Creative Brain OÜ
Email: info@facturio.eu
Website: facturio.eu
Appendix 1. Processing details
| Parameter | Description |
|---|---|
| Subject matter of processing | Providing the user with Facturio features for managing invoices, clients, products and services, documents, email sending, reports, exports and related business processes. |
| Duration of processing | The period during which the user uses Facturio and an additional period required for deletion, return, backups, compliance with legal obligations or protection of rights. |
| Nature of processing | Collection, recording, storage, modification, viewing, use, transfer, export, deletion and other operations necessary to provide the service. |
| Purpose of processing | Providing Facturio features to the user. |
| Categories of data | Account, company, client, contact person, invoice, document, product, service, email message, payment status, export and technical data. |
| Categories of data subjects | Users, the user's clients, contact persons, contractors, recipients of documents and email messages. |
Appendix 2. Security measures
access control for systems;
restriction of access rights on a need-to-know basis;
account and authentication protection;
protected storage of sensitive data;
logging of technical events;
backups;
use of secure data transmission channels where applicable;
monitoring of errors and technical events;
restricted access to production data;
measures for recovery after technical failures;
organisational confidentiality measures for persons with access to data.
Appendix 3. Subprocessors
| Subprocessor / category | Purpose |
|---|---|
| Stripe | Payment processing and payment events |
| Google OAuth | Registration and login through Google |
| Google Analytics | Service usage analytics |
| Hosting / server infrastructure | Application operation and data storage |
| File / data storage | Storage of user files and documents |
| Email / SMTP providers | Sending email messages and documents |
| Monitoring / logging / security | Diagnostics, protection and service stability |
The user may request current information about subprocessors at info@facturio.eu.