TradeInvoiceSign In

Data Processing Agreement

Last updated: 26 March 2026

1. Scope and Purpose

This Data Processing Agreement ("DPA") forms part of the Terms of Service between TradeInvoice (the "Processor") and the user (the "Controller"). TradeInvoice processes personal data on behalf of its users, who are the data controllers for the client data they enter into the platform.

2. Data Processed

Users enter and manage the following categories of personal data through TradeInvoice:

  • Client names
  • Client email addresses
  • Client phone numbers
  • Client postal addresses
  • Invoice details (descriptions, amounts, dates)

3. Purpose of Processing

Processing is limited to providing the invoicing service as described in the Terms of Service. This includes storing client data, generating invoices, sending invoices and payment reminders via email, and tracking payment status. TradeInvoice does not process personal data for any other purpose.

4. Sub-processors

TradeInvoice uses the following sub-processors to deliver the service. The Controller authorises the use of these sub-processors:

  • Vercel Inc. (USA) - Application hosting and deployment.
  • Neon Inc. (USA) - PostgreSQL database hosting (EU region).
  • Stripe Inc. (USA) - Payment processing.
  • Resend Inc. (USA) - Transactional email delivery.
  • Cloudflare Inc. (USA) - CAPTCHA and bot protection.

We will notify users of any changes to our sub-processors. Each sub-processor is bound by data processing agreements that provide at least the same level of protection as this DPA.

5. Data Security Measures

TradeInvoice implements appropriate technical and organisational measures to protect personal data, including:

  • Encryption in transit (TLS) for all data transfers
  • Encryption at rest for database storage
  • Rate limiting and CAPTCHA protection against abuse
  • Input sanitisation to prevent injection attacks
  • OWASP-recommended security headers
  • Secure session management with automatic expiration
  • Access control ensuring users can only access their own data
  • Security event logging for audit and incident response

6. Data Breach Notification

In the event of a personal data breach, TradeInvoice will notify affected users without undue delay and no later than 72 hours after becoming aware of the breach, in accordance with Article 33 of the GDPR. The notification will include the nature of the breach, the categories and approximate number of data subjects affected, and the measures taken to address it.

7. Data Deletion

Upon account termination or deletion, TradeInvoice will delete all personal data associated with the user within 30 days, except where retention is required by law (e.g., Dutch fiscal law requires invoice records to be retained for 7 years). Users can request account deletion at any time through the Settings page.

8. Data Subject Rights

TradeInvoice will assist the Controller in fulfilling data subject requests (access, rectification, erasure, portability, restriction, and objection) by providing self-service tools in the application (data export, account editing, account deletion) and by responding to requests sent to support@tradeinvoice.app.

9. International Transfers

Where personal data is transferred outside the European Economic Area, such transfers are protected by the EU-US Data Privacy Framework and Standard Contractual Clauses (SCCs) as approved by the European Commission.

10. Contact

For questions about this DPA, contact us at support@tradeinvoice.app.