INVAPI

Data Processing Agreement (DPA)

Data Processing Agreement (DPA)

pursuant to Art. 28 GDPR

Version: February 2025

The Controller (Client): The customer using the services of invapi.org.

The Processor (Contractor): Goetz-Mikus GmbH & Co KG, Zimmermanngasse 8, 1090 Vienna, Austria

1. Subject Matter of the Agreement

(1) The subject of this agreement is the performance of the following tasks by the Processor:

  • Invoice digitization: AI-powered extraction of structured data from uploaded PDF and image files of invoices
  • E-invoice conversion: Conversion of invoice data into XRechnung (UBL), CII, and ZUGFeRD formats
  • E-invoice validation: Validation of e-invoices against EN 16931, XRechnung, and KoSIT rules
  • Invoice management: Storage and management of invoice data in the Controller's account

This agreement supplements the General Terms of Service of invapi.org.

(2) The following categories of data are processed:

  • Names and company names
  • Addresses (street, city, postal code, country)
  • Contact details (email address, phone number)
  • VAT identification numbers and tax registration numbers
  • Bank account details (IBAN, BIC, account holder)
  • Invoice numbers, amounts, and line items

(3) The following categories of data subjects are affected by the processing:

  • Invoice issuers (sellers/suppliers)
  • Invoice recipients (buyers/customers)
  • Contact persons of the aforementioned parties

2. Duration of the Agreement

The agreement is concluded for an indefinite period and ends upon termination of the service agreement between the Controller and the Processor. The right to extraordinary termination for good cause remains unaffected.

3. Obligations of the Processor

(1) The Processor undertakes to process data and processing results exclusively within the scope of the Controller's written instructions. If the Processor receives an official order to disclose the Controller's data, it shall β€” where legally permissible β€” inform the Controller without delay and refer the authority to the Controller. Likewise, any processing of data for the Processor's own purposes requires written authorization.

(2) The Processor declares in a legally binding manner that all persons entrusted with data processing have been obligated to maintain confidentiality prior to commencing their activities, or are subject to an appropriate statutory obligation of secrecy. In particular, the confidentiality obligation of persons entrusted with data processing shall remain in force after the termination of their activities and departure from the Processor.

(3) The Processor declares in a legally binding manner that it has taken all necessary measures to ensure the security of processing pursuant to Art. 32 GDPR (details are set out in Annex 1).

(4) The Processor shall take technical and organizational measures to enable the Controller to fulfill the rights of data subjects under Chapter III of the GDPR (information, access, rectification and erasure, data portability, objection, and automated individual decision-making) within the statutory deadlines at all times, and shall provide the Controller with all necessary information. If a corresponding request is directed to the Processor and it is apparent that the applicant mistakenly considers the Processor to be the Controller, the Processor shall forward the request to the Controller without delay and inform the applicant accordingly.

(5) The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (data security measures, notification of personal data breaches to the supervisory authority, notification of data subjects affected by a breach, data protection impact assessment, prior consultation).

(6) The Processor is informed that it must maintain a record of processing activities pursuant to Art. 30 GDPR for this processing.

(7) The Controller is granted the right to inspect and audit the data processing facilities at any time, including through third parties commissioned by the Controller, with respect to the processing of data provided by the Controller. The Processor undertakes to provide the Controller with the information necessary to verify compliance with the obligations set out in this agreement.

(8) Upon termination of this agreement, the Processor is obligated to return all processing results and documents containing data to the Controller, or to destroy them on the Controller's behalf. Data shall be returned in a common, machine-readable format (e.g., JSON, XML).

Invoice data processed through the API or web interface is automatically and immediately deleted after processing due to the stateless architecture. Account data and consciously stored invoices are deleted within 30 days of contract termination. The Controller may request the return of data before the expiry of this period.

(9) The Processor shall inform the Controller without delay if it is of the opinion that an instruction from the Controller violates data protection provisions of the Union or the Member States.

4. Location of Data Processing

Data processing is carried out within the European Union. The infrastructure operates on Cloudflare Workers with EU jurisdiction. The database (D1) and file storage (R2) are restricted to EU jurisdiction. Only EU-based providers are used for AI-powered data extraction.

Where sub-processors process data in third countries (see Section 5), this is done on the basis of EU Standard Contractual Clauses (SCCs) pursuant to Implementing Decision 2021/914 and/or the EU-US Data Privacy Framework (DPF).

5. Sub-processors

The Processor is authorized to engage the following companies as sub-processors:

Sub-processorRegistered OfficeType of ActivityTransfer Mechanism
Cloudflare, Inc.USA / EU (data in EU)Hosting, CDN, database, file storageSCCs, EU Data Localization
Mistral AIParis, France / EUAI-powered invoice digitizationEU processing
Stripe Payments Europe, Ltd.Dublin, Ireland / EUPayment processingEU processing, SCCs + DPF
Resend, Inc.USATransactional emails (verification)DPF + SCCs
GitHub, Inc. (Microsoft)USAOAuth authentication (login)SCCs + DPF
Google Ireland Ltd.Dublin, Ireland / USAOAuth authentication (login)SCCs + DPF

Intended changes to sub-processors shall be communicated to the Controller in writing in sufficient time to allow the Controller to object. The Processor shall conclude the necessary agreements within the meaning of Art. 28(4) GDPR with each sub-processor. It is ensured that the sub-processor assumes the same obligations that apply to the Processor under this agreement.

If the sub-processor fails to fulfill its data protection obligations, the Processor shall be liable to the Controller for compliance with the sub-processor's obligations.

6. Data Breach Notification

The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall include at least:

  • A description of the nature of the personal data breach
  • The categories and approximate number of data subjects affected
  • The likely consequences of the breach
  • The measures taken or proposed to address the breach and mitigate its effects

Annex 1 β€” Technical and Organizational Measures

A. Confidentiality

Physical access control:

  • No physical server location β€” infrastructure runs entirely on Cloudflare Workers (edge computing)
  • Administrative access secured by multi-factor authentication

System access control:

  • Passwords with appropriate policy
  • Two-factor authentication for administrative access
  • Automatic locking mechanisms
  • API key authentication for API access

Data access control:

  • Standard authorization profiles on a "need to know" basis
  • Stateless processing: invoice data is processed exclusively in-memory and never stored on disk
  • Strict separation of data between different Controllers (tenant isolation)
  • No sharing of invoice data with third parties for training purposes

B. Data Integrity

Transfer control:

  • Encryption of all data transmissions using TLS/SSL
  • API key-based authentication for all interfaces

Input control:

  • Input validation and data integrity checks
  • Logging of API calls (usage statistics)

C. Availability and Resilience

Availability control:

  • Hosting on Cloudflare Workers with global high availability and automatic scaling
  • DDoS protection through Cloudflare
  • Rate limiting to protect against overload
  • Automated security updates of infrastructure

Rapid recoverability:

  • Yes β€” ensured through stateless architecture and automatic scaling on Cloudflare Workers

D. Procedures for Regular Review, Assessment, and Evaluation

  • Regular security reviews of infrastructure
  • Privacy by design defaults: stateless processing, no persistent storage of processing data, EU-based AI providers exclusively
  • Clear contractual arrangements with all sub-processors

Contact Details

Processor:

Goetz-Mikus GmbH & Co KG Zimmermanngasse 8 1090 Vienna, Austria Email: max@goetz-mikus.com

By using the services of invapi.org, the Controller agrees to the terms of this Data Processing Agreement.

This document is based on the template of the Austrian Economic Chambers (WKO) for data processing agreements pursuant to Art. 28 GDPR.