Pactaro./Legal
DRAFT — NOT YET BINDING. These terms are under legal review. They are based on open-source templates and have not been reviewed by a qualified attorney for your jurisdiction. Do not rely on this document until it is finalized and the DRAFT banner is removed. Contact hello@pactaro.eu with questions.

Data Processing Agreement

Last updated 2026-05-25 (DRAFT)

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between Pactaro B.V. (“Processor”) and the Customer (“Controller”). It applies where Pactaro processes personal data on behalf of the Customer in connection with the Services and is required by GDPR Article 28.

This DPA is drafted following the requirements of GDPR Article 28 and the EDPB's guidance on controller-processor relationships. It is binding upon acceptance of the Terms of Service.

1. Parties and Roles

1.1 Controller (Customer)

The Customer is the controller for personal data contained in invoices (buyer and seller details, VAT IDs, line items) that the Customer submits to Pactaro for processing. The Customer determines the purposes and means of processing that personal data.

For B2C invoices (notably required in Italy), buyer personal data — including individual names and addresses — is included in Customer Data. The Customer is the controller of this data and is responsible for ensuring they have a lawful basis for sharing it with Pactaro for processing.

1.2 Processor (Pactaro)

Pactaro B.V. is the processor. It processes Customer Data only on the documented instructions of the Customer (as expressed through use of the Services) and for no other purpose.

1.3 Pactaro as Controller for Marketing Data

Pactaro is an independent controller for personal data it collects about Customer's representatives (account holders, billing contacts) for the purpose of managing the customer relationship, sending billing communications, and — with consent — product marketing. This processing is governed by the Privacy Policy.

2. Scope, Subject Matter, and Duration

  • Subject matter: Processing of invoice data and associated personal data for EU e-invoicing compliance (format conversion, network delivery, and archival).
  • Nature and purpose: Reading invoice data from Customer's accounting software via OAuth; converting invoices to required EU electronic formats; delivering invoices to national e-invoicing networks; storing invoices in a compliant archive.
  • Categories of data subjects: Customer's business contacts (Users); counterparties named in invoices (B2B buyers/sellers); individual consumers named in B2C invoices.
  • Types of personal data: Names, business email addresses, company names, postal addresses, VAT identification numbers, invoice line items, bank account details where present in invoice data.
  • Duration: This DPA remains in force for the duration of the Terms of Service and until all Customer Data is returned or deleted in accordance with Section 9, subject to statutory retention obligations under EU tax law.

3. Processing Instructions

Pactaro shall process Customer Data only on documented instructions from the Controller, as set out in these Terms and the DPA. Pactaro shall not process Customer Data for any other purpose unless required by EU or Netherlands law, in which case Pactaro shall inform the Controller before processing unless the law prohibits this.

Pactaro shall ensure that persons authorised to process Customer Data are bound by appropriate obligations of confidentiality.

4. Sub-processors

The Controller authorises Pactaro to engage the sub-processors listed at pactaro.eu/subprocessors. Pactaro shall notify the Controller at least 30 days in advance of any intended change to this list (addition or replacement of a sub-processor) by email and/or in-app notification.

The Controller may object to a new sub-processor in writing within 14 days of notification. If the parties cannot resolve the objection, the Controller may terminate the Services on written notice.

Pactaro shall impose equivalent data protection obligations on each sub-processor and remains fully liable to the Controller for the performance of those obligations.

5. Security Measures

Pactaro implements and maintains the following technical and organisational security measures (GDPR Article 32):

  • Encryption in transit: TLS 1.3 for all data transmitted between the client, Pactaro's servers, and sub-processors.
  • Encryption at rest: All Customer Data is encrypted at rest in our PostgreSQL database (Supabase, Frankfurt). OAuth refresh tokens are additionally encrypted using pgsodium (libsodium XChaCha20-Poly1305).
  • Access controls: Least-privilege access model. Production database access is restricted to automated service accounts and a limited number of authorised engineers (break-glass access). All access is logged and auditable.
  • Data isolation: Row-level security (RLS) in PostgreSQL ensures Customer Data is logically isolated between tenants.
  • Backups: Daily encrypted backups with point-in-time recovery, stored within the EU.
  • Infrastructure: Hosted on Supabase (Frankfurt, Germany, eu-central-1 region). Invoice files stored in Cloudflare R2 (EU region).
  • ISO 27001: Audit planned for Q3 2026. Pactaro will provide certification on completion upon request.

6. Data Breach Notification

Pactaro shall notify the Controller without undue delay — and in any event within 72 hours of becoming aware — of any personal data breach affecting Customer Data, as required by GDPR Article 33.

The notification shall include, to the extent available:

  • A description of the nature of the breach, including the categories and approximate number of data subjects and personal data records affected.
  • The name and contact details of Pactaro's data protection contact.
  • A description of the likely consequences of the breach.
  • A description of the measures taken or proposed to address the breach.

The Controller is responsible for notifying the relevant supervisory authority (Autoriteit Persoonsgegevens in the Netherlands, or the Customer's local authority) where required.

7. Data Subject Rights Assistance

Pactaro shall assist the Controller in fulfilling its obligations to respond to data subject rights requests (GDPR Articles 15–22), taking into account the nature of the processing and the information available to Pactaro.

Specifically, upon written request from the Controller, Pactaro shall within 10 business days:

  • Provide a data extract for the specified data subject in machine-readable format.
  • Delete or restrict processing of specified personal data, subject to statutory retention obligations.
  • Correct specified inaccurate personal data where technically feasible.

Requests shall be submitted to dpo@pactaro.eu.

8. Audit Cooperation

Pactaro shall make available to the Controller all information necessary to demonstrate compliance with the obligations of GDPR Article 28 and shall allow for and contribute to audits, including inspections, conducted by the Controller or a mandated auditor.

Audit requests must be made in writing with at least 30 days' notice. Audits must be conducted during business hours in a manner that minimises disruption to Pactaro's operations. The Controller shall bear the costs of any audit it commissions.

In lieu of a full audit, Pactaro may provide a current third-party security certification or audit report, where available, to satisfy reasonable audit requests.

9. Return and Deletion at End of Contract

Upon termination or expiry of the Terms of Service, Pactaro shall, at the Controller's choice:

  • Return: Provide a full data export (ZIP file) of all Customer Data in machine-readable format, within 30 days of termination; or
  • Delete: Permanently delete all Customer Data from active systems and backups within 60 days of termination, providing written confirmation of deletion.

Pactaro shall retain invoice records that are subject to statutory retention obligations (see Privacy Policy — Legal Retention Exceptions) for the legally required period, during which they will be subject to the security and access restrictions set out in this DPA. Pactaro shall delete such records immediately upon expiry of the applicable retention period.

10. International Data Transfers

Customer Data is stored and processed within the European Economic Area (EEA) at all times. Pactaro does not transfer Customer Data outside the EEA. If any sub-processor requires a transfer outside the EEA, Pactaro will ensure that an appropriate transfer mechanism is in place (Standard Contractual Clauses or equivalent) and will notify the Controller in advance.

11. Liability

Each party's liability under this DPA is subject to the limitations set out in the Terms of Service. Where Pactaro is responsible for a GDPR violation that results in damage to a data subject, Pactaro shall bear liability to the extent of its responsibility as processor.

12. Contact

Data protection inquiries under this DPA:

Pactaro B.V. — Data Protection Officer
Prinsengracht 412, 1016 HP Amsterdam, Netherlands
dpo@pactaro.eu

This DPA is governed by the laws of the Netherlands. Disputes are subject to the exclusive jurisdiction of the courts of Amsterdam.