Data Processing Agreement
Version 1.0 · Effective 2026-05-28
Provider notice. The Pactaro service is currently operated by Wassim Ben Salem, an individual entrepreneur (sole trader) based in the European Union, pending the formation of Pactaro B.V. in the Netherlands. Until the B.V. is registered with the Dutch Chamber of Commerce (KvK), all references in this DPA to “Pactaro B.V.”, “Pactaro”, “Processor”, “we”, “us”, or “our” shall be read as referring to the Operator personally. Upon B.V. registration, this DPA will be assigned by way of novation to Pactaro B.V. with 30 days' advance written notice; the Customer may terminate this DPA without penalty during that notice period if it objects to the assignment.
Customer-facing contact for all data-protection matters under this DPA: bswassim@gmail.com. The Operator's registered address is available on request to that email.
This Data Processing Agreement (“DPA”) forms an integral part of the Terms of Service between the Operator described above (“Pactaro”, “Processor”) and the customer entity that accepted those Terms (the “Customer”, “Controller”). It applies where Pactaro processes Personal Data on behalf of the Customer in connection with the Services and is required by Article 28 of the General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”).
This DPA is drafted in alignment with GDPR Article 28, the European Data Protection Board's guidelines on controller-processor relationships (EDPB Guidelines 07/2020), and — where applicable — Commission Implementing Decision (EU) 2021/914 of 4 June 2021 on Standard Contractual Clauses for the transfer of personal data to third countries (“SCCs”).
1. Definitions
Terms capitalised in this DPA but not defined here have the meaning given to them in the Terms of Service or in the GDPR.
- “Customer Data” means any data submitted by or generated on behalf of the Customer in connection with the use of the Services, including invoice data ingested from Customer's accounting software, archived invoice artefacts, and Customer's account configuration.
- “Personal Data” means any Customer Data relating to an identified or identifiable natural person, as defined in GDPR Article 4(1).
- “Data Subject” means the natural person to whom the Personal Data relates.
- “Personal Data Breach” has the meaning given in GDPR Article 4(12).
- “Sub-processor” means any third party engaged by Pactaro to process Personal Data on Pactaro's behalf in order to provide the Services.
- “Supervisory Authority” means the independent public authority established under GDPR Article 51, competent for the Customer.
2. Parties and Roles
2.1 Controller (Customer)
The Customer is the controller for Personal Data contained in invoices (buyer and seller details, VAT identification numbers, line items, and any other personal information present in the invoice payload) that the Customer submits to Pactaro for processing. The Customer determines the purposes and means of processing of that Personal Data and is responsible for ensuring that it has a lawful basis under GDPR Article 6 (and, where applicable, Article 9) for the processing it instructs Pactaro to carry out.
For business-to-consumer invoices (notably required under Italian Sistema di Interscambio regulations and equivalent regimes), buyer Personal Data — including individual names and addresses — is included in Customer Data. The Customer remains controller of this data.
2.2 Processor (Pactaro)
The Operator (as identified in the Provider notice above) is the processor. Pactaro processes Personal Data only on the documented instructions of the Customer (as expressed through use of the Services and the Terms) and for no other purpose, save where required by Union or Member State law to which Pactaro is subject — in which case Pactaro shall inform the Customer of that legal requirement before processing, unless that law prohibits such notification on important grounds of public interest.
2.3 Independent Controller Activities
Pactaro acts as an independent controller — not as Customer's processor — for Personal Data it collects directly about the Customer's account holders and billing contacts in order to manage the customer relationship, send service and billing communications, and (with consent) send product marketing. This processing is governed by Pactaro's Privacy Policy and falls outside the scope of this DPA.
3. Scope, Subject Matter, and Duration
A complete description of the processing — its subject matter, nature, purpose, types of Personal Data, categories of Data Subjects, and duration — is set out in Annex 1 to this DPA. The following summary is non-exhaustive:
- Subject matter: Processing of invoice data and associated Personal Data for EU e-invoicing compliance (format conversion, network delivery, and archival).
- Duration: This DPA takes effect on the Effective Date of the Terms of Service and remains in force for the duration of the Customer's subscription and thereafter until all Customer Data is returned or deleted in accordance with Section 11, subject to the statutory retention obligations set out in Section 11.3.
4. Processing Instructions
Pactaro shall process Personal Data only on documented instructions from the Customer, including with regard to transfers of Personal Data to a third country or international organisation, unless required to do so by Union or Member State law (see Section 2.2). The Customer's instructions for the processing of Personal Data are set out in this DPA, the Terms of Service, and the Customer's configuration choices in the Services (such as selected destination country and delivery channel).
Pactaro shall promptly inform the Customer if, in Pactaro's opinion, an instruction infringes the GDPR or other applicable Union or Member State data protection provisions.
5. Confidentiality of Personnel
Pactaro shall ensure that persons authorised to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. Access to Personal Data is granted on a strict need-to-know basis and is subject to documented access controls.
6. Sub-processors
The Customer grants Pactaro a general written authorisation to engage the sub-processors listed in Annex 3 and at pactaro.com/subprocessors, subject to the conditions in this Section.
Pactaro shall give the Customer at least thirty (30) days' advance notice of any intended addition or replacement of a sub-processor, by email to the Customer's account billing contact and/or by in-app notification. The Customer may object to the proposed sub-processor in writing to bswassim@gmail.com within fourteen (14) days of receipt of the notice, stating reasonable grounds based on data protection concerns.
If the parties cannot reach a mutually acceptable resolution within thirty (30) days of Pactaro's receipt of the objection, the Customer may, as its sole and exclusive remedy, terminate the affected Services on written notice without further fees or penalties accruing after the date of termination, and Pactaro shall refund pre-paid fees for the unused portion of the affected subscription period.
Pactaro shall impose data protection obligations on each Sub-processor by way of a written contract that provides — in substance — the same level of protection as required of Pactaro under this DPA. Pactaro shall remain fully liable to the Customer for the performance of each Sub-processor's obligations.
7. Security Measures
Pactaro shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, as required by GDPR Article 32. The measures in force as of the Effective Date are described in Annex 2.
Pactaro may update its security measures from time to time, provided that any change does not materially decrease the overall level of protection of Personal Data.
8. Personal Data Breach Notification
Pactaro shall notify the Customer of any Personal Data Breach affecting Customer Data without undue delay and in any event within seventy-two (72) hours of Pactaro becoming aware of the breach. Notification shall be sent by email to the Customer's designated account billing contact and to any data protection contact the Customer has registered with Pactaro.
The notification shall, to the extent available, include:
- A description of the nature of the Personal Data Breach, including the categories and approximate number of Data Subjects and Personal Data records affected;
- The name and contact details of Pactaro's Data Protection Officer (or equivalent contact);
- A description of the likely consequences of the breach;
- A description of the measures taken or proposed to address the breach, including, where appropriate, measures to mitigate possible adverse effects.
Where, and in so far as, it is not possible to provide the information at the same time, the information may be provided in phases without further undue delay. The Customer remains responsible for notifying its competent Supervisory Authority and affected Data Subjects where required under GDPR Articles 33 and 34.
9. Assistance to Controller (Articles 32–36)
9.1 Data Subject Rights (Articles 12–22)
Taking into account the nature of the processing, Pactaro shall assist the Customer by appropriate technical and organisational measures, insofar as this is possible, in fulfilling the Customer's obligation to respond to requests for the exercise of Data Subject rights laid down in GDPR Chapter III (Articles 12–22).
On written request from the Customer to bswassim@gmail.com, Pactaro shall, within ten (10) business days:
- Provide a data extract for the specified Data Subject in a structured, commonly used, machine-readable format (Article 20);
- Delete or restrict processing of specified Personal Data, subject to the statutory retention exceptions in Section 11.3 (Articles 17, 18);
- Correct specified inaccurate Personal Data where technically feasible (Article 16).
9.2 Security, DPIAs, and Prior Consultation (Articles 32–36)
Pactaro shall, taking into account the nature of processing and the information available to it, assist the Customer in ensuring compliance with the Customer's obligations under GDPR Articles 32 to 36, including (where applicable):
- Security of processing (Article 32): by maintaining the measures in Annex 2 and providing reasonable information to support the Customer's own risk assessment;
- Personal Data Breach notification (Articles 33–34): in accordance with Section 8 above;
- Data Protection Impact Assessment (Article 35): by providing, on reasonable written request, information about Pactaro's processing activities relevant to the Customer's DPIA;
- Prior consultation (Article 36): by providing reasonable assistance and information to support any prior consultation with the Supervisory Authority that the Customer is obliged to undertake.
Pactaro may charge the Customer a reasonable fee for assistance that exceeds what is reasonably necessary to meet Pactaro's direct obligations under Articles 32–36 and that requires significant engineering or specialist effort. Pactaro shall provide an estimate before commencing such work.
10. Audit Cooperation
Pactaro shall make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in GDPR Article 28 and shall allow for and contribute to audits, including inspections, conducted by the Customer or a third-party auditor mandated by the Customer, subject to the following conditions:
- Audit requests must be made in writing to bswassim@gmail.com with at least thirty (30) days' advance notice, except in the event of a suspected Personal Data Breach, where reasonable shorter notice is acceptable;
- Audits shall be conducted during ordinary business hours, with minimum disruption to Pactaro's operations, and shall not occur more than once in any twelve (12) month period unless required by a Supervisory Authority or following a Personal Data Breach;
- Any third-party auditor must be professionally qualified, must not be a competitor of Pactaro, and must be bound by appropriate confidentiality obligations no less stringent than those between the parties;
- The Customer shall bear the reasonable costs of any audit it commissions, including any reasonable costs Pactaro incurs in cooperating with the audit; and
- The audit shall not extend to information of other Pactaro customers or to information that would compromise the security of the Services.
In lieu of an on-site audit, Pactaro may at its discretion satisfy reasonable audit requests by providing a current third-party security certification (for example, ISO 27001, SOC 2 Type II) or a recent independent audit report, where available.
11. Return and Deletion at End of Contract
11.1 Customer Election
Upon termination or expiry of the Terms of Service, Pactaro shall, at the Customer's written election made within thirty (30) days of the effective termination date:
- Return: make available to the Customer a complete data export of Customer Data in a structured, machine-readable format (ZIP archive containing source payloads, e-invoice XML/PDF artefacts, and metadata), within thirty (30) days of the termination date; or
- Delete: permanently delete all Customer Data from Pactaro's production systems within thirty (30) days of the termination date and from all backups within sixty (60) days of the termination date, providing written confirmation of deletion at completion.
If the Customer does not make an election within thirty (30) days of the effective termination date, Pactaro shall default to deletion.
11.2 Self-Service Export
Throughout the term of the subscription and for a minimum of sixty (60) days after termination, the Customer may export its data at any time using the export functionality in the Services.
11.3 Statutory Retention Exception
Pactaro shall retain invoice records that are subject to statutory retention obligations under EU Council Directive 2010/45/EU (the VAT Directive), German Grundsätze zur ordnungsmäßigen Führung und Aufbewahrung von Büchern, Aufzeichnungen und Unterlagen in elektronischer Form (GoBD), Italian tax code provisions on conservazione sostitutiva, and equivalent national tax-law obligations of other Member States, for the legally required period (generally ten (10) years from the date of issue).
During the statutory retention period, such records shall be:
- kept in immutable, encrypted EU storage with access restricted to the statutory retention purpose only;
- subject to the security and confidentiality obligations of this DPA; and
- not processed by Pactaro for any other purpose.
Pactaro shall delete such records without undue delay upon expiry of the applicable retention period.
12. International Data Transfers
Pactaro processes and stores Customer Data within the European Economic Area (EEA). Pactaro's primary infrastructure providers (Supabase Frankfurt, Cloudflare R2 EU jurisdiction, Vercel EU edge, Sentry EU) all maintain data residency within the EEA.
Where a Sub-processor stores account-level metadata or operational logs outside the EEA — currently applicable to Resend (transactional email account metadata stored in the United States) — Pactaro relies on the Standard Contractual Clauses adopted by the European Commission under Implementing Decision (EU) 2021/914 (Module 2 or Module 3 as applicable), together with the supplementary measures recommended by EDPB Recommendations 01/2020. The current list of relevant transfer mechanisms is published with the sub-processor list at pactaro.com/subprocessors.
Pactaro shall not initiate any new transfer of Personal Data outside the EEA without an appropriate transfer mechanism in place and without giving the Customer prior notice in accordance with Section 6.
13. Liability and Order of Precedence
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service, except where applicable mandatory law (including GDPR Article 82) provides otherwise.
In the event of any conflict or inconsistency between the provisions of this DPA and the Terms of Service in relation to the processing of Personal Data, the provisions of this DPA shall prevail. In the event of a conflict between this DPA and the Standard Contractual Clauses referenced in Section 12, the Standard Contractual Clauses shall prevail.
14. Survival
Sections relating to confidentiality, statutory retention (Section 11.3), audit cooperation (Section 10) in respect of completed processing, liability (Section 13), and any obligations of either party that by their nature should survive, shall survive termination of this DPA until the relevant statutory retention period or applicable limitation period expires.
15. Contact and Governing Law
Data protection inquiries under this DPA:
Wassim Ben Salem — Operator, Pactaro service
(Pactaro B.V. — Netherlands — in formation)
bswassim@gmail.com
Registered address available on request.
This DPA is governed by the laws of the Netherlands, excluding its conflict-of-law provisions. Disputes arising in connection with this DPA shall be subject to the exclusive jurisdiction of the competent courts of Amsterdam, the Netherlands, without prejudice to any mandatory consumer protections or jurisdictional rules of the Data Subject's country of residence.
Annex 1 — Description of Processing
A1.1 Subject Matter and Nature of Processing
Reading invoice data from the Customer's accounting software via OAuth; converting invoices to the EU electronic format required by the destination jurisdiction (ZUGFeRD 2.3, Factur-X 1.07, XRechnung 3.0.2 in CII or UBL syntax, Peppol BIS Billing 3.0, FatturaPA, or other EN 16931 profile); delivering invoices to the appropriate national e-invoicing network or recipient endpoint; storing the source payload, converted artefact, and delivery receipt in immutable EU-resident archival storage for the statutory retention period.
A1.2 Purpose of Processing
To enable the Customer to comply with EU and Member State e-invoicing mandates, the EU VAT Directive (2010/45/EU), and applicable national tax law requiring electronic invoicing and immutable archival.
A1.3 Categories of Data Subjects
- The Customer's account holders, billing contacts, and Users;
- The Customer's business counterparties (B2B buyers and sellers) named in invoices;
- Individual consumers named in B2C invoices, where required by destination-country regulation (e.g. Italian SDI).
A1.4 Types of Personal Data
- Names of individuals and contact persons;
- Business email addresses;
- Company names and registered postal addresses;
- VAT identification numbers and equivalent tax registration numbers;
- Invoice line items, amounts, currency, and payment terms;
- Bank account details (IBAN, BIC) where present in source invoice data;
- OAuth refresh tokens granting read-only access to the Customer's accounting software (encrypted at rest);
- Technical identifiers (IP addresses, session cookies, request identifiers) recorded for the operation and security of the Services.
Pactaro does not process special categories of Personal Data within the meaning of GDPR Article 9. The Customer undertakes not to submit special category data through the Services.
A1.5 Frequency and Duration
Continuous, for the duration of the Customer's subscription. Each invoice transit through the Services typically involves an active processing window of less than five (5) minutes; archived records are retained for the statutory retention period (generally ten years).
A1.6 Geographic Location of Processing
European Economic Area, primarily Germany (Frankfurt) and other Western European Sub-processor regions. See Section 12 and pactaro.com/subprocessors for the limited metadata-only transfers covered by Standard Contractual Clauses.
Annex 2 — Security Measures
Pactaro maintains the following technical and organisational security measures, as required by GDPR Article 32 and assessed against the level of risk to the rights and freedoms of Data Subjects.
A2.1 Encryption (Article 32(1)(a))
- In transit: TLS 1.2 minimum, TLS 1.3 preferred, for all connections between the client, Pactaro's infrastructure, and Sub-processors. HSTS enforced with
max-age=63072000; includeSubDomains; preload. - At rest: AES-256 (or stronger) for the underlying database storage (Supabase / PostgreSQL) and object storage (Cloudflare R2).
- Application-layer encryption of OAuth tokens: OAuth refresh tokens are additionally encrypted at the application layer using libsodium XChaCha20-Poly1305 (via Postgres pgsodium) with per-tenant + per-integration additional authenticated data, before persistence.
A2.2 Confidentiality, Integrity, Availability, Resilience (Article 32(1)(b))
- Tenant isolation: PostgreSQL row-level security (RLS) policies enforce logical separation of Customer Data between tenants.
- Access control: Least-privilege access. Production database and infrastructure access restricted to a small number of authorised personnel using multi-factor authentication. All access is logged.
- Network controls: Web application firewall, rate limiting on authentication and OAuth endpoints, strict Content Security Policy, security headers (CSP, HSTS, X-Frame-Options, X-Content-Type-Options).
- Vulnerability management: Continuous dependency scanning, automated security patches for managed services, periodic security review.
A2.3 Ability to Restore Availability (Article 32(1)(c))
- Database backups: Continuous write-ahead log archiving with point-in-time recovery within the retention window of the database provider, all stored within the EU.
- Object storage durability: Cloudflare R2 provides eleven-nines (99.999999999%) annual durability with multi-region replication within the EU.
- Immutable archive: Archived invoice artefacts are stored with bucket-policy-enforced immutability for the statutory retention period, preventing accidental or malicious deletion.
A2.4 Process for Regular Testing and Evaluation (Article 32(1)(d))
- Automated test suite executed on every code change.
- Continuous error monitoring via Sentry (EU region).
- External penetration test planned annually from 2026; ISO 27001 audit targeted Q3 2026. Reports available on request to enterprise customers under non-disclosure.
A2.5 Organisational Measures
- Personnel subject to written confidentiality undertakings extending beyond termination of engagement.
- Documented incident response procedure with 72-hour notification target.
- Data Protection contact at bswassim@gmail.com.
Annex 3 — Approved Sub-processors
The current list of approved Sub-processors, with jurisdiction, purpose, data accessed, and transfer mechanism (where relevant), is maintained at pactaro.com/subprocessors and forms part of this DPA. Changes are governed by the notice procedure in Section 6.