Data Processing Addendum (DPA)

Last updated: 11 September 2025

1. Definitions

“Personal Data”, “Controller”, “Processor”, “Data Subject”, “Processing”, “Supervisory Authority” have the meanings set out in applicable data protection laws (UK GDPR/EU GDPR).

“Services” means the SendInvoice SaaS platform and related support services provided under the Agreement.

“Sub-processor” means any processor engaged by SendInvoice to assist with processing Personal Data for the Services.

2. Roles of the Parties

Customer is the Controller and appoints SendInvoice as its Processor to process Personal Data on Customer’s behalf to provide the Services in accordance with the Agreement and this DPA.

3. Scope and Instructions

• SendInvoice will process Personal Data only on documented instructions from Customer, including via the Services’ configuration and the Agreement, unless required by law to do otherwise; in such case, SendInvoice will inform Customer unless prohibited by law.
• The subject matter, duration, nature and purpose of processing, types of Personal Data and categories of Data Subjects are described in Data Processing and/or the Order.
• Customer is responsible for the accuracy, quality and legality of Personal Data and the means by which it acquired Personal Data.

4. Confidentiality

SendInvoice ensures persons authorised to process Personal Data are subject to appropriate confidentiality obligations.

5. Security

Taking into account the state of the art, costs, and nature, scope, context and purposes of processing, SendInvoice implements appropriate technical and organisational measures to ensure a level of security appropriate to the risk. See our security overview in the Data Processing page.

6. Sub-processors

• Customer authorises SendInvoice to engage Sub-processors for the provision of the Services. A current list or categories of Sub-processors may be provided on request or via a published page.
• SendInvoice will impose data protection terms on Sub-processors that provide at least the same level of protection as this DPA.
• SendInvoice remains responsible for Sub-processor performance with respect to Personal Data.

7. Data Subject Requests

Taking into account the nature of the processing, SendInvoice will assist Customer by appropriate technical and organisational measures, insofar as possible, to fulfil Customer’s obligations to respond to requests to exercise Data Subject rights (access, rectification, erasure, restriction, portability, objection). Where a request is made directly to SendInvoice, we will notify Customer without undue delay.

8. Assistance with Compliance

Taking into account the nature of processing and information available, SendInvoice will assist Customer with its obligations under Articles 32–36 GDPR, including security, breach notifications, data protection impact assessments, and prior consultations with Supervisory Authorities, as reasonably required for the Services.

9. International Transfers

Where Personal Data is transferred outside the UK/EU to a country not subject to an adequacy decision, SendInvoice will ensure appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) and any UK addenda, as applicable. The parties agree to enter into such instruments as necessary to legitimise transfers.

10. Personal Data Breach

SendInvoice will notify Customer without undue delay after becoming aware of a Personal Data Breach affecting Customer Data. Such notification will include information available to SendInvoice to assist Customer in meeting any obligations to notify affected individuals or authorities.

11. Return and Deletion

Upon termination or expiry of the Services, upon Customer’s written instruction and subject to legal obligations, SendInvoice will delete or return Personal Data and delete existing copies within a reasonable period, unless retention is required by law.

12. Audits and Demonstration of Compliance

• SendInvoice will make available information necessary to demonstrate compliance with this DPA and, upon reasonable prior written notice, allow for audits by Customer or an independent auditor mandated by Customer, no more than once annually, during normal business hours, without undue disruption and subject to confidentiality.
• SendInvoice may satisfy audit obligations by providing recent third-party audit reports, certifications, or summaries thereof (e.g., ISO/SOC reports) that reasonably demonstrate compliance.

13. Liability

Liability arising from or in connection with this DPA is subject to the limitations and exclusions of liability set forth in the Agreement, except to the extent prohibited by applicable law.

14. Customer Responsibilities

• Customer will ensure that its instructions to SendInvoice comply with applicable laws.
• Customer is responsible for providing legally sufficient privacy notices and obtaining necessary consents from Data Subjects.
• Customer is responsible for securing its own systems, credentials, and access controls to the Services.

15. Order of Precedence

In case of conflict between this DPA and the Agreement, this DPA shall prevail with respect to data protection matters. Otherwise, the Agreement governs.

16. Term and Termination

This DPA is effective for the term of the Agreement. Termination of the Agreement will trigger the data return/deletion obligations in Section 11.

17. Governing Law and Jurisdiction

This DPA will be governed by and construed in accordance with the governing law and jurisdiction set forth in the Agreement.

18. Contact

SendInvoice Ltd (Processor)
Email: [email protected]

Signatures

This DPA may be executed electronically and/or incorporated by reference in the Order/Subscription. If wet signatures are required, complete the blocks below.