1. Parties
Controller: the customer that contracts the eleata Peppol API service ("Customer").
Processor: eleata, operated as a sole proprietorship established in Italy (EU) ("eleata", "we").
2. Subject matter
This Data Processing Agreement ("DPA") sets out the conditions under which eleata processes personal data on behalf of the Customer in connection with the eleata Peppol API service (the "Service"), in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR").
3. Nature and purpose of processing
- Nature: validation of XML invoice documents against published Schematron rules, storage of validation metadata, transmission of validation results to the Customer.
- Purpose: providing the validation Service to the Customer.
- Categories of data subjects: the Customer's suppliers, customers, and employees identified in the validated invoices.
- Categories of personal data: name, address, VAT identifier, contact email, bank account number (IBAN), invoiced amounts and items.
- Special categories of data: none expected. The Service is not designed for processing health, biometric, criminal, or other special-category data.
- Duration: for the term of the Customer's subscription, plus the retention periods set out in our Privacy Policy.
4. Obligations of the Processor
eleata will:
- Process personal data only on documented instructions from the Customer (the Customer's configuration of the Service constitutes such instructions)
- Ensure that personnel authorised to process the data are bound by confidentiality
- Implement appropriate technical and organisational measures (Section 7)
- Engage subprocessors only in accordance with Section 6
- Assist the Customer in responding to data-subject rights requests
- Notify the Customer of personal data breaches without undue delay and within 72 hours
- Delete or return personal data after the end of the Service, in accordance with the Privacy Policy
- Make available all information necessary to demonstrate compliance with this DPA
5. Obligations of the Controller
The Customer warrants that:
- It has a lawful basis under GDPR Art. 6 to provide the personal data to eleata
- It has provided the necessary information to data subjects under GDPR Art. 13–14
- It will not submit special-category data unless it has separately notified eleata
6. Subprocessors
The Customer authorises eleata to engage the subprocessors listed at /subprocessors/. eleata will give the Customer 30 days' notice of any new subprocessor by email and via that page. The Customer may object to a new subprocessor for reasonable data-protection reasons; if no acceptable solution is reached, the Customer may terminate the affected portion of the Service.
eleata remains liable for the acts and omissions of its subprocessors as if they were its own.
7. Security measures (GDPR Art. 32)
- TLS 1.2+ enforced for all connections; HSTS and modern security headers
- API keys stored as bcrypt hashes; private signing keys with chmod 600 file permissions
- Disk encryption at rest (provided by the data centre operator)
- XML parser hardened against XXE, billion-laughs, external DTDs (defusedxml)
- Stripe webhook signatures verified before processing
- Rate limiting per API key and per IP address
- Auto-deletion of validated XML payloads within 72 hours
- Audit logs for authentication, API key creation, and key revocation
- Vulnerability scanning (gitleaks, pip-audit, osv-scanner) integrated in CI
- Annual disaster recovery test and database restore verification
8. International transfers
Personal data may be transferred to:
- Argentina (validation processing & storage origin) — recognised by the European Commission as offering an adequate level of protection (Decision 2003/490/EC of 30 June 2003, periodically re-confirmed under GDPR Art. 45). Personal data flowing from the EU to Argentina is therefore subject to the same legal regime as intra-EU transfers — no Standard Contractual Clauses are required.
- The European Union (Cloudflare EU-region edge nodes for TLS termination and routing; Resend eu-west-1 region for transactional email) — within the EU/EEA, no transfer mechanism required.
- The United States (Stripe, Cloudflare US legal entity, Sentry, GitHub) — under EU Standard Contractual Clauses (SCCs Module 2 and Module 3) and, where applicable, the EU-US Data Privacy Framework certification of the relevant subprocessor.
The Customer can request a copy of the executed SCCs and the Transfer Impact Assessment (TIA) by emailing privacy@eleata.io.
9. Audit rights
The Customer may, at its own cost and with at least 30 days' written notice, audit eleata's compliance with this DPA, no more than once per year, except in the event of a material data breach. eleata will respond to reasonable security questionnaires and provide a security brief on request.
10. Liability
Each party's liability under this DPA is subject to the limitation of liability set out in the Terms of Service. Nothing in this DPA limits a party's liability for breaches of GDPR for which liability cannot be excluded under applicable law.
11. Term and termination
This DPA is in force for the duration of the Customer's subscription. Upon termination, eleata will delete or return all personal data in accordance with the Privacy Policy and Section 7, unless retention is required by law.
12. Governing law
This DPA is governed by GDPR and by the laws of Italy. Mandatory provisions of the law of the Customer's habitual residence within the EU/EEA continue to apply where they provide a higher level of protection.
13. Signature
By accepting the Terms of Service and signing up for a paid plan, the Customer is deemed to have entered into this DPA. A signed counterpart is available on request to legal@eleata.io.