InvoNorm Data Processing Agreement (DPA)
This DPA forms part of the Terms of Service between the Merchant ("Controller") and Fengjing (Shenzhen) Trading Co., Ltd. ("Processor") and applies to all processing of personal data under Art. 28 GDPR.
1. Subject matter, duration, nature and purpose
Processing of order-related personal data for the generation, delivery, transmission and statutory archiving of electronic invoices via the InvoNorm application, for the duration of the app installation plus the agreed archive/export grace period.
2. Categories of data and data subjects
Data subjects: the Controller's customers and staff. Data: name, company, billing/shipping address, email, order line items, prices, tax data, payment status (no card data).
3. Obligations of the Processor
The Processor shall: (a) process personal data only on documented instructions of the Controller (the app's functions constitute such instructions); (b) ensure confidentiality commitments of all persons authorised to process; (c) implement the technical and organisational measures in Annex II; (d) engage subprocessors only per Section 5; (e) assist the Controller with data subject requests and Art. 32–36 obligations; (f) delete or return all personal data after the end of services per the Privacy Policy retention rules; (g) make available information necessary to demonstrate compliance and allow audits (remote audits and completed questionnaires accepted as first line, on-site audits with 30 days' notice at Controller's cost).
4. Personal data breach
The Processor notifies the Controller without undue delay and at the latest within 48 hours of becoming aware of a personal data breach, including the information required by Art. 33(3) GDPR.
5. Subprocessors
General authorisation is granted for the subprocessors listed in the Privacy Policy. The Processor informs the Controller of intended changes at least 14 days in advance; the Controller may object on reasonable data protection grounds, in which case the Controller's sole remedy is termination.
6. International transfers
Primary processing and storage occur in the EU. Remote support access from China is safeguarded by the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), Module Two (controller→processor), which are hereby incorporated by reference with: Clause 7 (docking) included; Clause 9(a) Option 2 (general authorisation, 14 days); Clause 11 optional language not used; Clause 17 Option 1 — law of Ireland; Clause 18(b) — courts of Ireland. Annex I/II of the SCCs correspond to Sections 1–3 and Annex II of this DPA. Supplementary measures: EU data residency, default masking of personal data in support tooling, per-ticket unmasking with logging, encryption at rest and in transit.
7. Liability and precedence
Liability follows the Terms of Service. In case of conflict regarding data protection, this DPA prevails; the SCCs prevail over both.
Annex II — Technical and organisational measures (summary)
- EU-only storage; AES-256 at rest; TLS 1.2+ in transit; separated production/test environments (no production personal data in test)
- Role-based access, MFA on all administrative accounts, per-ticket support unmasking with audit log
- Encrypted backups with the same EU residency; tested restore procedure
- Tamper-evident archive hashing; sequential-numbering audit trail
- Vulnerability management: dependency scanning in CI; security patches applied promptly
- Data minimisation: only fields required for legally compliant invoices are ingested