Data Processing Addendum

This Data Processing Addendum ("DPA") forms part of the agreement between you ("Customer") and Ravencord OÜ ("Invoset"). It applies whenever Invoset processes personal data on Customer's behalf in connection with the service.

Effective: May 8, 2026
Last updated: May 8, 2026

1. Definitions

Capitalized terms not otherwise defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act (as amended by the CPRA), or the Invoset Terms of Service, as applicable.

  • "Customer Personal Data" means personal data that Invoset processes on behalf of the Customer in connection with the service.
  • "Data Subject" means an identified or identifiable natural person whose personal data is included in Customer Personal Data.
  • "Sub-processor" means a third party engaged by Invoset to process Customer Personal Data, as listed at /legal/subprocessors.
  • "Standard Contractual Clauses" or "SCCs" means the European Commission Implementing Decision (EU) 2021/914 module clauses for transfers of personal data to third countries.

2. Roles and scope

For purposes of GDPR and UK GDPR, the Customer is the Controller of Customer Personal Data and Invoset acts as the Processor. For CCPA purposes, the Customer is the Business and Invoset acts as a Service Provider. Invoset will process Customer Personal Data only to provide the service in accordance with the Customer's instructions, the Terms of Service, and applicable law.

3. Subject matter, duration, and nature

  • Subject matter: provision of the Invoset accessibility scanning, monitoring, and reporting service.
  • Duration: the term of the underlying Terms of Service, plus any retention or return-and-deletion period required by Section 11 of this DPA.
  • Nature and purpose: automated scanning of Customer-submitted websites against WCAG 2.1 Level AA, generation of reports, badge issuance, transactional notifications, and audit-trail archiving.
  • Categories of Data Subjects: Customer's employees and authorized users who hold accounts on the service.
  • Categories of Personal Data: name, business email address, account credentials processed via Supabase Auth, IP and device metadata for security telemetry, account activity logs.
  • Special Categories of Personal Data: none are intended to be processed; Customers must not submit special-category data through scanned pages or scan inputs.

4. Customer instructions

Invoset will process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country or international organization, unless required to do so by Union or Member State law to which Invoset is subject. The Terms of Service, this DPA, and the documented in-product configuration constitute the Customer's complete and final instructions to Invoset.

5. Confidentiality

Invoset ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate training on data protection. Access is limited to personnel who require it to provide the service.

6. Security measures

Invoset implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:

  • Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 via Supabase managed Postgres and storage).
  • Row-level security and least-privilege database access; service-role keys are not exposed to the browser.
  • Authentication via Supabase Auth with ES256 JWT signing and short-lived session tokens.
  • Logical separation of customer data through tenant identifiers and row-level policies.
  • Continuous monitoring and audit logging across the API and worker tier.
  • A documented vulnerability disclosure policy and a process for evaluating and remediating reported issues.
  • Regular review of sub-processor security posture as part of vendor management.

See our Security page for the full description of our security commitments.

7. Sub-processors

The Customer authorizes Invoset to engage the sub-processors listed at /legal/subprocessors. Invoset will impose data protection obligations on each sub-processor that are no less protective than those in this DPA. Invoset will provide at least 30 days' prior notice of any new sub-processor that will process Customer Personal Data; the Customer may object on reasonable data-protection grounds and, if the parties cannot find a workable solution, terminate the underlying subscription.

8. Data subject requests

Taking into account the nature of the processing, Invoset will assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligations to respond to requests from Data Subjects to exercise their rights under applicable law (including access, rectification, erasure, restriction, portability, and objection). Customer-initiated rights actions can be performed through the dashboard or by contacting legal@invoset.com.

9. International transfers

The Customer authorizes the transfer of Customer Personal Data to countries outside the EEA, the UK, or Switzerland where necessary to provide the service. Where such transfers occur, Invoset relies on the Standard Contractual Clauses (Module Two: Controller-to-Processor) and any required UK or Swiss addenda, which are incorporated by reference into this DPA. For transfers to the United States, Invoset may also rely on the EU-U.S. Data Privacy Framework where the recipient sub-processor is certified.

10. Personal data breach

Invoset will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include, to the extent known at the time, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

11. Return and deletion of data

On termination of the underlying subscription, the Customer may export reports and account data through the dashboard for up to 30 days. After that period, Invoset will delete or return Customer Personal Data, unless retention is required by applicable law (for example, financial records, dispute resolution, or audit-trail retention obligations). Backups containing Customer Personal Data are purged on the next scheduled rotation cycle, which is no longer than 90 days after subscription termination.

12. Audits

Invoset will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. In place of on-site audits, which are not practical for a small SaaS, Invoset will respond to reasonable written information requests, share applicable third-party audit reports of its sub-processors when permitted by license, and answer security questionnaires submitted in good faith.

13. CCPA addendum

For Customer Personal Data subject to the CCPA, Invoset is a Service Provider and certifies that it: (a) will not retain, use, or disclose Customer Personal Data outside the direct business relationship with the Customer or for any purpose other than the specific business purpose of providing the service; (b) will not sell or share Customer Personal Data; and (c) will not combine Customer Personal Data with personal information received from any other source, except as permitted by the CCPA for service-provider business purposes.

14. Liability

Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Where applicable law (including GDPR Article 82) provides for joint and several liability, that allocation governs as between the parties and the affected Data Subject.

15. How to execute this DPA

For most customers, this DPA is incorporated by reference into the Terms of Service and no additional signature is required. If your organization needs a counter-signed copy (for example, as part of a procurement process), email legal@invoset.com with your legal entity name, registered address, and the name and title of the signatory. We will return a counter-signed PDF within five business days.

16. Governing terms

This DPA is governed by, and forms part of, the Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Customer Personal Data, this DPA prevails.

17. Contracting entity

Registered name: Ravencord OÜ
Registry: Estonian Business Register · 17088619
D-U-N-S: 536440446
Address: Meistri tn 6, Tallinn 13517, Estonia
Phone: +45 71 35 29 44
Email: tech@ravencord.com