Effective date: May 25, 2026
Last updated: May 25, 2026

This Data Processing Agreement (the “DPA”) forms an integral part of the Terms of Service (the “Terms”) between you (“Customer” or “Controller”) and All Digital Group, UAB (“InvoHub”, “we”, “Processor”). The DPA governs how we process personal data on your behalf when you use the InvoHub service.

By accepting the Terms, you accept this DPA. If you do not agree with any part of this DPA, you must not use the service.


1. Definitions

The following terms have the meanings set out below. Other terms used in this DPA have the meanings given in the GDPR.

  • “GDPR” means Regulation (EU) 2016/679 of the European Parliament and of the Council on the protection of natural persons with regard to the processing of personal data (General Data Protection Regulation).
  • “Customer Data” means any personal data that is uploaded to, collected through, or processed by the InvoHub service on behalf of the Customer, including invoice content, mailbox data, and metadata about that processing. Customer Data does not include personal data we process about you as our user of the service (which is governed by our Privacy Policy).
  • “Customer Personal Data” means personal data within Customer Data, as defined by GDPR Article 4(1).
  • “Sub-processor” means any third-party processor engaged by InvoHub to process Customer Personal Data on Customer’s behalf.
  • “SCCs” means the Standard Contractual Clauses approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021, including their modules and clauses applicable to international data transfers under GDPR Article 46.
  • “Data Subject” has the meaning given in GDPR Article 4(1).
  • “Processing” has the meaning given in GDPR Article 4(2).
  • “Service” means the InvoHub software-as-a-service platform described in the Terms.

2. Scope and applicability

2.1 When this DPA applies

This DPA applies to all Processing of Customer Personal Data carried out by InvoHub on behalf of Customer in connection with Customer’s use of the Service. The specific Processing activities are described in Annex II (Description of Processing).

2.2 Roles of the parties

For the Processing covered by this DPA:

  • Customer is the Controller of the Customer Personal Data, as defined in GDPR Article 4(7), or where Customer is itself acting as a Processor for its own Controller, Customer acts as the Controller’s representative under this DPA.
  • InvoHub is the Processor of the Customer Personal Data, as defined in GDPR Article 4(8).

2.3 What this DPA does not cover

This DPA does not govern:

  • Personal data we process about Customer’s individual users as part of operating the Service (such as user account data, authentication metadata, session information). That processing is covered by our Privacy Policy, where we act as Controller.
  • Any processing of personal data that is not on Customer’s behalf, including aggregated and anonymised analytics about Service usage that does not identify any individual or organisation.

3. Processor obligations

We undertake to comply with the obligations set out below in respect of Customer Personal Data.

3.1 Documented instructions

We will process Customer Personal Data only on documented instructions from Customer, including with regard to international transfers, unless required to do so by EU or Member State law. The instructions are constituted by:

  • This DPA
  • The Terms of Service
  • The configuration options Customer selects within the Service (such as connector settings, automation rules, retention overrides)
  • Specific written instructions Customer provides to privacy@invohub.eu

If we believe that an instruction violates the GDPR or other applicable data protection law, we will inform Customer promptly and may suspend the affected Processing until the instruction is clarified.

3.2 Confidentiality of personnel

We ensure that all personnel authorised to access Customer Personal Data are bound by confidentiality obligations of at least the standard required under our internal policies. Access to Customer Personal Data by our personnel is governed by the Support Access privacy gate described in our Privacy Policy Section 5, which by default prevents human access to mail-derived data without Customer’s explicit consent.

3.3 Security of Processing

We implement and maintain appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context, and purposes of Processing, as well as the risk to Data Subjects.

The specific measures we implement are set out in Annex III (Technical and Organisational Measures). We may update these measures from time to time, provided that the overall level of protection is not diminished.

3.4 Sub-processors

The general and specific terms governing our use of Sub-processors are set out in Section 4 of this DPA and Annex IV (Sub-processors).

3.5 Data Subject rights

Taking into account the nature of the Processing, we assist Customer by appropriate technical and organisational measures, insofar as possible, in fulfilling Customer’s obligation to respond to requests for exercising the Data Subject’s rights under Chapter III of the GDPR.

Specifically, we provide:

  • Self-service data export functionality (XLSX, ZIP) within the Customer’s workspace, fulfilling the practical aspects of the Right to data portability (GDPR Article 20)
  • Self-service workspace deletion functionality, fulfilling the practical aspects of the Right to erasure (GDPR Article 17) for the Customer’s workspace data
  • Manual support for individual Data Subject requests via privacy@invohub.eu, with a response within 30 days of receipt, or notification of a 7-day extension

If a Data Subject contacts us directly with a request relating to Customer Personal Data, we will forward the request to Customer and not respond ourselves unless legally required, except to acknowledge receipt and explain that the Controller will respond.

3.6 Personal data breach assistance

We assist Customer in ensuring compliance with the obligations pursuant to GDPR Articles 32 to 36 (security of processing, breach notification, communication of breach to data subjects, data protection impact assessment, prior consultation). Specific breach notification procedures are in Section 6 of this DPA.

3.7 Deletion or return after end of Processing

At the choice of Customer, after the end of the provision of services relating to Processing, we delete or return all Customer Personal Data to Customer, and delete existing copies unless EU or Member State law requires storage of the personal data.

The default behaviour is: workspace data is automatically deleted 30 days after Customer terminates the service (the “Grace Period”), through an automated daily cron job. During the Grace Period, Customer may export the data at any time. After the Grace Period, deletion is irreversible, with the exceptions identified in Annex II Section 2 (user accounts and consent records preserved as required by GDPR Article 7(1)).

3.8 Records of processing activities

We maintain records of Processing carried out on behalf of Customer, as required by GDPR Article 30(2). These records are available to Customer on request to privacy@invohub.eu for the purpose of demonstrating compliance.

3.9 Compliance documentation

We make available to Customer all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28. This documentation includes:

  • This DPA, including its Annexes
  • Our Privacy Policy
  • Our public Sub-processors page
  • Sub-processor DPAs (made available on request to privacy@invohub.eu)
  • Security documentation summaries (made available on request to qualified Customers)

3.10 Audit cooperation

We allow for and contribute to audits, including inspections, conducted by Customer or an auditor mandated by Customer. The specific scope, timing, and modalities of audits are set out in Section 8 of this DPA.

3.11 Notification of legally compelled disclosure

If we are legally compelled to disclose Customer Personal Data (for example, by a subpoena, court order, or government request), we will, unless legally prohibited:

  • Notify Customer in advance and without undue delay
  • Provide Customer reasonable opportunity to seek a protective order
  • Limit disclosure to what is legally required
  • Use reasonable efforts to ensure that the receiving party treats the data as confidential

3.12 No retention of personal data after instruction to delete

We do not retain Customer Personal Data after Customer instructs us to delete it, except where retention is required by EU or Member State law, in which case we will inform Customer of the legal requirement before processing.


4. Sub-processors

4.1 General authorisation

Customer authorises us to engage Sub-processors to process Customer Personal Data on Customer’s behalf, subject to the conditions in this Section 4 and the list of authorised Sub-processors set out in Annex IV and at our public Sub-processors page.

4.2 Sub-processor obligations

For each Sub-processor we engage, we ensure by contract that the Sub-processor:

  • Provides at least the same level of data protection as set out in this DPA
  • Implements appropriate technical and organisational measures equivalent to those in Annex III
  • Processes Customer Personal Data only as necessary to provide the contracted service
  • Is subject to confidentiality obligations
  • Cooperates with audit requests where reasonably necessary
  • For international transfers, implements appropriate safeguards under GDPR Chapter V

4.3 Change notification

We will inform Customer of any intended changes concerning the addition or replacement of Sub-processors, giving Customer the opportunity to object to such changes.

The notification mechanism is described in detail in our Sub-processors page. In summary:

  • New Sub-processors are announced via in-application banner notifications visible to every signed-in user
  • The banner remains visible until acknowledged by the user
  • Acknowledgment creates a 30-day objection window
  • Objections may be submitted to privacy@invohub.eu

4.4 Customer objection

If Customer objects to a Sub-processor change within the 30-day objection window, we will work with Customer in good faith to find a solution. Such solutions may include:

  • Confirming that the Sub-processor will not process Customer’s specific data
  • Providing additional information that addresses the objection
  • Offering an alternative arrangement

If no mutually acceptable solution can be found, Customer may terminate the affected portion of the Service through workspace deletion, and we will assist with data export during the standard 30-day Grace Period.

4.5 Liability for Sub-processors

We remain fully responsible for the performance of our Sub-processors and for any acts or omissions of our Sub-processors that result in a breach of this DPA.


5. International transfers

5.1 Transfer mechanism

Where personal data is transferred to a Sub-processor located outside the European Economic Area (EEA), we ensure that the transfer is protected by appropriate safeguards under GDPR Article 46.

For all such transfers, the European Commission’s Standard Contractual Clauses (Implementing Decision (EU) 2021/914 of 4 June 2021) are incorporated by reference into our agreements with the relevant Sub-processors, with the module applicable to the relationship (Module 2 controller-to-processor, or Module 3 processor-to-processor) selected according to the role each party plays.

5.2 Transfers covered

Currently, the following transfers occur (full details in Annex IV):

  • United States transfers: Anthropic (Claude API), Replit (application hosting), and certain processing operations of Google and Microsoft
  • European Union processing: AWS S3/KMS, Neon PostgreSQL hosting, EU regions of Google and Microsoft services where selected

Customer Personal Data at rest is stored in EU regions wherever the Sub-processor offers region selection (AWS, Neon). Application runtime processing on Replit (US) is limited to in-memory request handling — persistent data does not reside on Replit infrastructure.

5.3 Adequacy decisions

If the European Commission issues an adequacy decision for the United States that covers any of our US-based Sub-processors, the adequacy decision will apply to transfers to those Sub-processors. The SCCs will continue to apply unless and until such an adequacy decision is in effect.

5.4 Government access requests

We will not respond to government access requests for Customer Personal Data without first notifying Customer (where lawful) and giving Customer the opportunity to seek protective measures. This commitment also flows down to our Sub-processors through our contracts.


6. Personal data breaches

6.1 Notification timing

We will notify Customer without undue delay, and in any case within 72 hours, of becoming aware of a personal data breach that affects Customer Personal Data.

The 72-hour clock begins when we have a reasonable degree of certainty that a breach has occurred — not at the moment of first suspicion. We may extend the initial notification with subsequent updates as more information becomes available.

6.2 Notification content

Our breach notification to Customer will include, to the extent the information is available:

  • The nature of the breach, including (where possible) the categories and approximate number of Data Subjects and personal data records concerned
  • The likely consequences of the breach
  • The measures we have taken or propose to take to address the breach and to mitigate adverse effects
  • The contact point at InvoHub for follow-up information
  • Whether other Sub-processors are involved

6.3 Cooperation

We will cooperate with Customer’s investigation of the breach and Customer’s obligations to notify the supervisory authority and affected Data Subjects under GDPR Articles 33 and 34.

6.4 Breach register

We maintain an internal register of personal data breaches, including the facts of the breach, its effects, and the remedial action taken, as required by GDPR Article 33(5). Customer may request to inspect entries relating to Customer Personal Data on reasonable notice.


7. Data subject rights assistance

7.1 Self-service tools

Customer can fulfil many Data Subject requests using the self-service tools built into the Service:

Right                      | Tool                                            | Limitation
Access (Article 15)        | Workspace data view + Export feature            | Limited to data within the workspace
Rectification (Article 16) | Manual edit of invoice fields, account settings | Customer manages
Erasure (Article 17)       | Workspace deletion, manual invoice deletion     | 30-day Grace Period applies
Portability (Article 20)   | Export feature (XLSX, ZIP, CSV)                 | Customer manages
Restriction (Article 18)   | Contact privacy@invohub.eu                      | Manual support

7.2 Manual assistance

For Data Subject requests that cannot be fulfilled through self-service tools, we provide manual support via privacy@invohub.eu:

  • Acknowledgment within 5 business days
  • Response or completion within 30 days of receipt, or 7-day extension notification with reason
  • No charge for reasonable requests; reasonable fee for manifestly unfounded or excessive requests (GDPR Article 12(5))

7.3 Identity verification

We may require Customer to verify the identity of the Data Subject making a request, to prevent unauthorised disclosure of personal data. Where the Data Subject contacts us directly, we will forward the request to Customer as the Controller.


8. Audits

8.1 Customer audit rights

Customer has the right to audit our compliance with this DPA, including by:

  • Reviewing our compliance documentation (Section 3.9)
  • Submitting written questionnaires to privacy@invohub.eu
  • Where mutually agreed, conducting an on-site or remote audit at our offices

8.2 Audit modalities

To balance Customer’s audit rights with our operational realities and the privacy of other customers, the following apply:

  • Frequency: Once per year is presumed reasonable; more frequent audits require legitimate cause (such as a breach, regulator request, or material change in Sub-processors)
  • Notice: At least 30 days advance written notice required for on-site audits
  • Auditor qualifications: External auditors must be reputable, bound by confidentiality, and not direct competitors of InvoHub
  • Costs: Each party bears its own costs; if the audit reveals material non-compliance by us, we will reimburse Customer’s reasonable audit costs
  • Scope: Limited to InvoHub’s compliance with this DPA; no access to other customers’ data or to information that would compromise security or confidentiality of other customers

8.3 Existing certifications

To reduce the burden of audits, Customer may rely on:

  • Annual independent security assessments we undergo (such as the Google Cloud Application Security Assessment for our Gmail integration)
  • Sub-processor certifications (SOC 2, ISO 27001, etc.) — list available on request
  • Our internal documentation of security controls (Annex III)

We will share summaries of these assessments on request, subject to confidentiality.


9. Liability

The liability of the parties under this DPA is governed by the limitations set out in the Terms of Service, including Section 13.3 (Limitation of liability).

In addition:

  • Liability between Customer and InvoHub for any acts or omissions of Sub-processors is allocated as set out in Section 4.5 (InvoHub remains responsible for Sub-processors)
  • Nothing in this DPA limits Customer’s right to seek a judicial remedy or to lodge a complaint with a supervisory authority under the GDPR

10. Term and termination

10.1 Term

This DPA takes effect on the same date as the Terms of Service and continues for as long as we process Customer Personal Data on Customer’s behalf.

10.2 Termination

This DPA terminates automatically:

  • When Customer terminates the Service through workspace deletion (subject to the 30-day Grace Period during which data may be exported)
  • When InvoHub terminates the Service in accordance with the Terms (with reasonable notice)
  • Upon mutual written agreement

Sections that by their nature should survive termination — including confidentiality, liability for past Processing, and breach notification obligations for breaches occurring during the term — continue to apply after termination.

10.3 Effect of termination

Upon termination of this DPA, we will delete or return Customer Personal Data as set out in Section 3.7.


11. Miscellaneous

11.1 Order of precedence

In the event of conflict between this DPA and the Terms of Service, this DPA prevails with respect to matters concerning the Processing of Customer Personal Data. The Terms of Service prevail in all other commercial matters.

11.2 Changes to this DPA

We may update this DPA from time to time to reflect changes in our service, applicable law, or business practices. Material changes affecting Customer’s rights or obligations will be notified through the in-application banner mechanism described in Section 4.3 with at least 30 days advance notice.

For non-material updates (such as updates to references, clarifications, or formatting), we may update without prior notice.

11.3 Severability

If any provision of this DPA is held to be invalid, illegal, or unenforceable, the remaining provisions continue in full force and effect. The invalid provision is to be interpreted to be valid and enforceable to the maximum extent permitted by applicable law.

11.4 Governing law

This DPA is governed by the laws of the Republic of Lithuania, consistent with the Terms of Service Section 14.

11.5 Language

This DPA is originally drafted in English. Translations into other languages are provided for convenience. In the event of conflict between language versions, the English version prevails for the purpose of legal interpretation.


Annex I — List of Parties

Controller (Customer)

The Customer is the natural person who accepted the Terms of Service via the Service’s electronic OAuth-based registration flow, acting on behalf of the legal entity they represent.

At the time of registration, the Service collects from the Customer’s identity provider (Google or Microsoft) only:

  • The Customer’s name (as recorded with the OAuth provider)
  • The Customer’s email address (as recorded with the OAuth provider)
  • The Customer’s OAuth provider identifier

The Customer confirms, by accepting the Terms of Service, that they are authorised to bind the legal entity on whose behalf they use the Service. The Customer agrees to provide the following additional identification details on InvoHub’s reasonable request, including for the purpose of completing this Annex I, invoicing for paid features (when introduced), responding to a data protection authority enquiry, or fulfilling Sub-processor change notifications:

Field                                          | Source when requested
Legal name of the entity                       | Customer’s response to the request
Company registration code                      | Customer’s response to the request
VAT identification number (if applicable)      | Customer’s response to the request
Registered office address                      | Customer’s response to the request
Designated contact for data protection matters | Customer’s response to the request (defaults to the Customer’s OAuth-provided email until specified otherwise)
Role                                           | Controller

For the avoidance of doubt, until the Customer provides the additional identification details above, the natural person who accepted the Terms of Service serves as the operative contact and signatory for the purposes of this DPA, acting in their authorised capacity for the legal entity they represent.

Processor (InvoHub)

Field                               | Value
Name                                | All Digital Group, UAB
Company code                        | 305453299
VAT code                            | LT100012967017
Registered address                  | Žalgirio g. 94, LT-09300 Vilnius, Lithuania
Contact for data protection matters | privacy@invohub.eu
Role                                | Processor

Acceptance and signing

This DPA does not require ink-on-paper signatures.

Customer’s acceptance. The Customer accepts this DPA at the time the Customer accepts the Terms of Service through the Service’s electronic registration flow. The acceptance record retained by the Service includes:

  • The OAuth-provided name and email address of the natural person who accepted
  • The acceptance timestamp
  • The IP address from which acceptance was performed
  • The User-Agent string recorded at the time of acceptance
  • The version (effective date) of the DPA that was accepted

This acceptance record is retained for the duration of the Customer’s account and for at least 6 years thereafter as evidence of consent (GDPR Article 7(1)). The record is available to the Customer on request to privacy@invohub.eu.

Processor’s acceptance. InvoHub accepts this DPA by publishing it at https://invohub.eu/legal/data-processing-agreement and operating the Service in accordance with its terms.

Material changes to this DPA. If we materially update this DPA in a way that affects the Customer’s rights or obligations, we will obtain renewed acceptance from the Customer through the in-application banner mechanism described in Section 4.3, with at least 30 days notice. Continued use of the Service after the renewed acceptance deadline constitutes acceptance of the updated DPA.

Countersigned hard copy (optional). If the Customer requires a countersigned hard copy of this DPA for the Customer’s internal compliance records, the Customer may request one by writing to privacy@invohub.eu. We will provide a countersigned copy reflecting the legal-entity details the Customer provides at the time of the request.


Annex II — Description of the Processing

II.1 Subject matter of the Processing

The subject matter of the Processing under this DPA is the collection, storage, AI-assisted data extraction, and export of business invoice documents received in the Customer’s business email accounts (Google Workspace / Gmail or Microsoft 365 / Outlook), together with the structured invoice data extracted from those documents.

InvoHub’s role is to automate the collection and structured-data extraction of incoming business invoices that would otherwise require manual handling by the Customer’s staff.

II.2 Duration of the Processing

The Processing continues for the duration of the service agreement between InvoHub and the Customer, plus a 30-day Grace Period after termination during which the Customer may export, dispute, or recover data.

After the 30-day Grace Period, InvoHub performs an automated hard-delete of all Customer-specific personal data and business records, with the following narrow exceptions retained for operational accountability:

  • User accounts and authentication links — preserved across workspace deletions because individual users may belong to multiple workspaces. Erasure on individual request to privacy@invohub.eu.
  • Consent records — preserved indefinitely as required by GDPR Article 7(1) to demonstrate compliance.
  • Platform-level audit log — preserved for a minimum of 5 years for security and accountability.

II.3 Nature and purpose of the Processing

Nature of the Processing. The Processing comprises the following operations:

  1. Collection — connection to the Customer’s email mailbox via OAuth (Gmail API or Microsoft Graph), retrieval of incoming messages with PDF attachments
  2. Filtering — automated pre-processing to identify invoice messages, plus link discovery for messages with invoice links
  3. Storage — short-term cache and long-term object storage of invoice PDFs in encrypted form (AWS S3 with KMS encryption, EU regions)
  4. AI-assisted extraction — submission of PDF content to Anthropic’s Claude API for OCR-equivalent text and structured-data parsing
  5. Validation — automated business-rule checking (VAT ID format, financial totals consistency)
  6. Structuring and storage — persistence of extracted structured data in PostgreSQL (Neon, EU regions)
  7. Display and export — making invoices available to authorised users through a web interface, plus XLSX/ZIP exports
  8. Routine deletion — automated retention enforcement per the schedule in II.6

InvoHub does not engage in profiling or automated decision-making with legal effects on Data Subjects (GDPR Article 22), direct marketing to Data Subjects, or disclosure of personal data to third parties other than the Sub-processors in Annex IV.

Purpose of the Processing. The Processing exists for one purpose: to automate the collection and structured-data extraction of incoming business invoices for the Customer’s accounting and bookkeeping workflows. The Processor does not repurpose personal data received in invoice documents for any secondary purpose (analytics on Data Subjects, AI model training, marketing, or onward transfer to unrelated third parties).

II.4 Type of personal data

The Processing involves the following categories of personal data, drawn from incoming invoice documents and from the Customer’s own user accounts.

Categories appearing in invoice documents:

  • Identification data — names of natural persons (directors, sole traders, individuals receiving invoices in their personal name)
  • Contact data — business email addresses, telephone numbers, postal addresses (which may be home addresses for sole traders and individual entrepreneurs)
  • Fiscal identifiers — tax identification numbers (PVM kodas / VAT IDs), personal identification numbers where they appear on invoices from individual entrepreneurs (IĮ) or free-lance workers (FA), Lithuanian personal codes (asmens kodas)
  • Financial data — bank account numbers where present (IBAN), invoice totals, VAT amounts, line-item descriptions
  • Date data — invoice dates, due dates, periods of service supplied

Categories appearing in Customer user accounts:

  • Identification data — names of Customer’s staff
  • Contact data — business email addresses
  • Authentication metadata — OAuth provider identifiers, session metadata
  • Activity data — login timestamps, IP addresses, User-Agent strings, action audit log entries
  • Preference data — language preference, support access toggle state, consent acceptance records

Special categories (GDPR Article 9): The Processing does not involve special categories of personal data in the ordinary course of business. If a special-category data point inadvertently appears in an invoice document (for example, a medical clinic invoice naming a patient), the data is processed in the same automated manner as other invoice content, and is subject to the same security, retention, and deletion measures. InvoHub does not specifically extract, index, or surface such data.

II.5 Categories of Data Subjects

The Processing involves personal data of the following categories of Data Subjects:

  1. The Customer’s staff — natural persons employed by or acting on behalf of the Customer’s organisation who use the Service through user accounts
  2. The Customer’s suppliers and counterparties — natural persons (or natural persons acting on behalf of business entities) who issue invoices to the Customer, including directors of supplier companies, sole traders (IĮ), free-lance workers (FA), and service-provider individuals named on invoices
  3. The Customer’s customers (where applicable) — where the Customer uses the Service to process its own outgoing invoices, the personal data of the Customer’s customers appearing on those invoices

The Processing does not normally involve personal data of vulnerable groups (children, persons under disability-related protection, asylum seekers, etc.). Where such data inadvertently appears, it is processed without distinction from other invoice content under the same security and retention regime.

II.6 Frequency of Processing

The Processing is continuous and automated, triggered by:

  • Inbound webhook from Gmail Pub/Sub when a new message arrives in a connected Gmail mailbox
  • Scheduled polling of Microsoft Graph (every 10 minutes) for connected Outlook mailboxes
  • Scheduled retry crons for failed or stuck items (every 5 minutes)
  • Customer-initiated actions — manual upload, manual export, manual rule application

Average daily volume varies widely based on Customer’s invoice traffic — from less than 10 invoices per day for a small business to several hundred per day for an active accounting firm managing multiple end-clients.

II.7 Geographic scope

InvoHub markets the Service in the European Union, with primary focus on Lithuania, Latvia, Estonia, and Poland (Baltic and Central European SMB market), and is open to Customers established elsewhere in the EU/EEA.

Personal data is processed at the locations of the Sub-processors listed in Annex IV. Sub-processors offering region selection are configured for EU regions; others (Anthropic, Replit) are based in the United States and are covered by SCCs incorporated in their respective DPAs.


Annex III — Technical and Organisational Measures

The following measures are implemented and maintained by InvoHub to ensure the security of personal data processed on behalf of the Customer. Each measure category follows the structure recommended by EU Commission Implementing Decision 2021/915 Annex III.

III.1 Encryption and pseudonymisation

Encryption at rest:

  • Invoice PDFs encrypted in AWS S3 using SSE-KMS envelope encryption when configured; SSE-S3 (AES-256) fallback otherwise
  • OAuth refresh and access tokens encrypted at the application layer with AES-256-GCM, using a key derived via AWS KMS. Encryption context binds ciphertext to workspace identity — ciphertext from one workspace cannot be decrypted as another
  • PostgreSQL at-rest encryption enabled by platform default (Neon vendor control)

Encryption in transit:

  • TLS 1.2 or higher enforced on all external connections
  • HTTP Strict Transport Security header with max-age=31536000; includeSubDomains

Pseudonymisation:

  • Mail scan log snippets auto-cleared after 30 days via daily cron (data minimisation per GDPR Article 5(1)(c))
  • Cross-tenant aggregation endpoints return aggregate counts only; tenant identifiers are never included in their API responses

III.2 Confidentiality, integrity, availability, resilience

Confidentiality:

  • PostgreSQL Row-Level Security (RLS) with FORCE ROW LEVEL SECURITY on all tenant-scoped tables
  • Dedicated application database role with the NOSUPERUSER and NOBYPASSRLS role attributes, so application code cannot bypass tenant isolation
  • Three-layer tenant isolation: session-level binding, application context propagation, PostgreSQL Row-Level Security
  • Per-user Support Access privacy gate (default OFF) controlling admin access to mail metadata
  • Self-service privacy endpoints reject impersonation sessions
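How the three isolation layers in the list above fit together, as an added illustration rather than InvoHub's own schema or code: a policy on a tenant-scoped table reads the tenant from a transaction-local setting, the runtime role carries NOBYPASSRLS, and the application binds the tenant inside each transaction. Assumed names (not from this DPA): table `invoices` with a `tenant_id uuid` column, role `app_runtime`, setting `app.tenant_id`, and a wrapper `withTenant`. A recording stand-in replaces the `pg` client so the example runs without a database; the DDL string is shown for reference and is not executed here.

```typescript
// Reference DDL for the isolation layer (an assumption about the shape of such
// a policy, not InvoHub's migration). The runtime role cannot bypass RLS, and
// FORCE makes the policy apply even to the table owner.
export const RLS_SETUP_SQL = `
CREATE ROLE app_runtime LOGIN NOSUPERUSER NOBYPASSRLS NOCREATEDB NOCREATEROLE;
GRANT SELECT, INSERT, UPDATE, DELETE ON invoices TO app_runtime;
ALTER TABLE invoices ENABLE ROW LEVEL SECURITY;
ALTER TABLE invoices FORCE ROW LEVEL SECURITY;
-- missing_ok = true: when no tenant is bound the setting is NULL, the
-- comparison is NULL, and the policy returns no rows rather than all rows.
CREATE POLICY tenant_isolation ON invoices
  USING      (tenant_id = current_setting('app.tenant_id', true)::uuid)
  WITH CHECK (tenant_id = current_setting('app.tenant_id', true)::uuid);
`;

export interface Queryable {
  query(sql: string, params?: unknown[]): Promise<unknown>;
}

const UUID_RE = /^[0-9a-f]{8}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{4}-[0-9a-f]{12}$/i;

// Session-level binding: the tenant id travels as a bound parameter and is
// scoped with SET LOCAL semantics (set_config(..., true)), so it dies with the
// transaction and a pooled connection never carries it into the next request.
export async function withTenant<T>(db: Queryable, tenantId: string, fn: (db: Queryable) => Promise<T>): Promise<T> {
  if (!UUID_RE.test(tenantId)) throw new Error("refusing to bind a malformed tenant id");
  await db.query("BEGIN");
  try {
    await db.query("SELECT set_config('app.tenant_id', $1, true)", [tenantId]);
    const result = await fn(db);
    await db.query("COMMIT");
    return result;
  } catch (err) {
    await db.query("ROLLBACK");
    throw err;
  }
}

// Recording stand-in for a pg client so the example runs without Postgres.
export class RecordingClient implements Queryable {
  log: string[] = [];
  failOn: string | undefined;
  constructor(failOn?: string) { this.failOn = failOn; }
  async query(sql: string, params: unknown[] = []): Promise<unknown> {
    this.log.push(params.length ? `${sql} -- ${JSON.stringify(params)}` : sql);
    if (this.failOn !== undefined && sql.includes(this.failOn)) throw new Error("simulated query failure");
    return [];
  }
}

export async function demoTenantBinding() {
  const tenant = "3f9a2c1e-7b44-4d0e-9a1b-5c6d7e8f9a0b"; // constructed sample id
  const ok = new RecordingClient();
  await withTenant(ok, tenant, (db) => db.query("SELECT id, total FROM invoices"));

  // A failing query must leave the connection outside the transaction.
  const failing = new RecordingClient("FROM invoices");
  let rolledBack = false;
  try {
    await withTenant(failing, tenant, (db) => db.query("SELECT id, total FROM invoices"));
  } catch {
    rolledBack = failing.log[failing.log.length - 1] === "ROLLBACK";
  }

  // A tenant id that is not a UUID is rejected before any SQL is sent.
  const untouched = new RecordingClient();
  let rejectedBeforeSql = false;
  try {
    await withTenant(untouched, "'; SET ROLE postgres; --", async () => 0);
  } catch {
    rejectedBeforeSql = untouched.log.length === 0;
  }
  return { okLog: ok.log, rolledBack, rejectedBeforeSql };
}
```

Two details carry most of the isolation guarantee: `set_config(..., true)` rather than a plain `SET`, because a session-scoped setting would survive the transaction and leak through a connection pool, and `current_setting(..., true)` in the policy, so an unbound session sees nothing instead of raising an error that a caller might be tempted to work around.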

Integrity:

  • Input validation on all state-changing endpoints (Zod schemas, ~78% endpoint coverage)
  • Parameterised database queries throughout; no raw SQL with string concatenation
  • CSRF double-submit cookie protection on state-changing endpoints
  • File-upload magic-bytes validation (uploaded PDFs verified to start with %PDF- signature)
  • Tenant deletion uses two-stage atomic pattern to prevent race conditions

Availability:

  • Application platform with automatic restart on container crash
  • Database connection pool tuned for cold-start tolerance
  • Stuck-job recovery cron (every 5 minutes)
  • External uptime monitoring on health endpoint

Resilience:

  • Idempotent upserts for mail message deduplication
  • State-tracked syncs (only update tracking IDs after batch completion)
  • Worker logs with explicit START/END markers for crash-vs-failure diagnosability

III.3 Backup and recovery

  • PostgreSQL platform-managed automated backups per Neon vendor retention policy
  • AWS S3 per-object versioning available; bucket versioning configurable
  • Customer-initiated data export (ZIP + XLSX + CSV) at any time before workspace deletion
  • Documented recovery playbooks for production outage, database unreachability, processing pipeline stuck

III.4 Continuous testing and assessment

  • TypeScript strict mode catches type-related errors at every commit
  • Dependency vulnerability tracking; production dependencies pinned to exact versions
  • Security audit completed 2026-05-04 with 15 of 16 findings closed
  • CASA Tier 2 assessment in progress for Gmail restricted scope access
  • Production smoke testing on every deploy
  • Threat model documented and reviewed every 6 months and after any incident

III.5 User identification and authorisation

  • OAuth-only authentication (Google OAuth and Microsoft OAuth); the Service stores no passwords
  • Session management with 7-day cookie expiry, httpOnly + secure + sameSite=lax attributes
  • Multi-factor authentication delegated to OAuth provider per the provider’s configuration
  • Role-based access control with platform-level and workspace-level roles
  • Administrator middleware enforced on all administrative routes
  • Impersonation governance: 2-hour session limit, audit log entries at start and end, target’s privacy state recorded

III.6 Data transmission and storage protection

  • TLS 1.2+ on all external connections (see III.1)
  • HTTP-to-HTTPS redirect in production
  • User passwords are never transmitted to the application; the OAuth provider performs authentication and the application receives only OAuth tokens, always over TLS
  • Per-workspace S3 key prefix isolation
  • Signed URLs scoped to specific objects with bounded TTL
  • KMS encryption context binding for cryptographic operations

III.7 Physical security

All processing occurs at Sub-processor data centres. Physical security is the responsibility of the relevant Sub-processors per their respective DPAs. No personal data is processed at InvoHub office premises.

III.8 Event logging

  • Tenant-scoped audit log records every privileged action with userId, tenantId, ipAddress, userAgent, before/after snapshots; RLS-protected
  • Platform-level audit log for super-admin actions and workspace lifecycle events; minimum 5-year retention
  • Worker structured logs with explicit START/END markers
  • Production application logs retained for short-term diagnostics

III.9 System configuration

  • Configuration validation at application boot; application fails fast if critical environment variables are missing
  • Default seed administrator removed from production
  • Dual-URL pattern for database connections (runtime role vs migration role)
  • All secrets managed through platform Secrets store; no secrets in code or committed configuration files

III.10 Internal IT governance

  • Operating principles documented in CLAUDE.md (internal invariants reference)
  • Decision log maintained in compliance documentation
  • Code review through AI assistant pairing; commit history serves as the review record
  • Staged deploys (Dev environment → smoke test → Production)

III.11 Certifications

  • CASA Tier 2 assessment for Google API Services User Data Policy compliance (in progress)
  • Sub-processor certifications relied upon (SOC 2, ISO 27001, ISO 27017, ISO 27018, ISO 27701 across the chain)

III.12 Data minimisation

  • Two-stage tenant deletion model (immediate soft delete, 30-day grace period, then hard purge)
  • 30-day snippet retention for mail scan metadata
  • No tenant identifiers in Claude API prompts (only the PDF and a minimal extraction prompt)
  • OAuth scope minimisation (gmail.readonly, not full Gmail access; Mail.Read, not Mail.ReadWrite)

III.13 Data quality

  • AI extraction output parsed as strict JSON; invalid responses quarantine the invoice for human review
  • Parsed JSON further validated via schema + VAT rule validator before any database write
  • VAT auto-matching for invoices by tax identifier with vendor fallback mapping
  • Pre-AI image filter rejects banner images and pixel trackers before reaching the AI extraction stage

III.14 Data portability and erasure

  • Customer-initiated export (ZIP + XLSX + CSV) at any time
  • Self-service workspace deletion through Settings; soft delete immediate, hard purge 30 days later
  • Expedited individual erasure available on request to privacy@invohub.eu

Annex IV — List of Sub-processors

The Customer has authorised InvoHub to use the following Sub-processors. The same list is published at our public Sub-processors page, where it is maintained as the live record of current Sub-processors.

1. Anthropic, PBC (support@anthropic.com)
   Processing: Invoice content extraction via Claude API. PDF content sent for OCR-equivalent text and structured-data extraction.
   Location: United States (SCCs apply)
   Vendor DPA: anthropic.com/legal/data-processing-addendum

2. Amazon Web Services, Inc. (aws-sec@amazon.com)
   Processing: Object storage for invoice PDFs (S3 service); envelope encryption key custody (KMS service).
   Location: European Union (EU regions selected)
   Vendor DPA: aws.amazon.com/service-terms

3. Neon, Inc. (privacy@neon.tech)
   Processing: PostgreSQL hosting for all structured platform data.
   Location: European Union (EU regions selected)
   Vendor DPA: neon.com/dpa

4. Google LLC (data-protection-office@google.com)
   Processing: (a) Gmail API for mailbox access; (b) Cloud Pub/Sub for webhook delivery; (c) Gmail SMTP for outbound transactional email; (d) Google OAuth for user authentication.
   Location: EU/US (SCCs apply via Google CDPA, explicitly accepted)
   Vendor DPA: cloud.google.com/terms/data-processing-addendum

5. Microsoft Corporation (MSPrivacy@microsoft.com)
   Processing: (a) Microsoft Graph for Outlook mailbox access; (b) Microsoft OAuth for user authentication.
   Location: EU/US (SCCs apply; EU Data Boundary commitment)
   Vendor DPA: aka.ms/DPA

6. Replit, Inc. (legal@replit.com)
   Processing: Application runtime hosting: Node.js process serving the API, frontend, workers, and cron jobs. Container memory only; no persistent data at rest.
   Location: United States (SCCs apply)
   Vendor DPA: replit.com/dpa

IV.1 Notes on specific Sub-processors

Outbound email (Gmail SMTP). Outbound transactional email from hello@invohub.eu is sent through Gmail SMTP, a feature of the Google Workspace account that operates hello@invohub.eu. It is covered by the Google Cloud DPA in row 4 above; no separate vendor contract or DPA is required.

Persistent storage vs runtime. The architecture separates persistent storage of Customer Personal Data (which lives in EU regions through AWS and Neon) from application runtime (which runs on Replit’s US infrastructure). The runtime processes data in memory only while a request is being served; persistent Customer data does not reside on Replit infrastructure.

IV.2 Change notification

The mechanism for notifying Customer of Sub-processor changes is described in Section 4.3 of this DPA. In summary:

  • New or replacement Sub-processors are announced via in-application banner notifications visible to every signed-in user
  • The banner remains visible until acknowledged by the user
  • Acknowledgment creates a 30-day objection window
  • Objections may be submitted to privacy@invohub.eu

Document history

Version 1.0 (May 25, 2026): Initial publication under InvoHub branding

Contact

For any questions about this Data Processing Agreement or to exercise rights under it:

Email: privacy@invohub.eu
Postal address: All Digital Group, UAB · Žalgirio g. 94 · LT-09300 Vilnius · Lithuania
Supervisory authority: Valstybinė duomenų apsaugos inspekcija (VDAI), Lithuania, vdai.lrv.lt

Related documents

  • Terms of Service: the commercial agreement under which the Customer uses InvoHub
  • Privacy Policy: how InvoHub processes personal data about Customer's users (where InvoHub acts as Controller)
  • Sub-processors: public list of Sub-processors with change notification mechanism