Data Processing Agreement

Effective Date: January 19, 2026

1. Introduction

This Data Processing Agreement (DPA) is entered into between you (the Controller) and DocsLine (the Processor), and supplements our Terms of Service.

This DPA sets out the terms that apply when we process personal data on your behalf in connection with your use of DocsLine services.

2. Definitions

Controller: You, the user who determines the purposes and means of processing personal data.

Processor: DocsLine, which processes personal data on behalf of the Controller.

Personal Data: Any information relating to an identified or identifiable natural person.

Processing: Any operation performed on personal data (collection, storage, use, etc.).

Sub-processor: A third party engaged by DocsLine to process personal data.

3. Scope of Processing

Nature of Processing: Invoice data extraction, storage, and analysis

Purpose: Providing invoice management and financial analytics services

Categories of Data Subjects: Your employees, clients, and vendors whose information appears on invoices

Types of Personal Data: Names, addresses, email addresses, financial information, tax IDs

Duration: For the duration of your use of DocsLine services

4. Sub-Processors

The following sub-processors are approved to process personal data on our behalf. All are located in the EU and have signed Data Processing Agreements with us.

Supabase, Inc.

Service: Database & file storage

Location: West EU (Paris, France - AWS eu-west-3)

DPA: supabase.com/dpa

Hetzner Online GmbH

Service: Backend & Frontend hosting, OCR processing

Location: Datacenter nbg1-dc3 (Nuremberg, Germany)

DPA: hetzner.com/legal/privacy-policy

Clerk, Inc.

Service: Authentication

Location: EU servers

DPA: clerk.com/legal/dpa

We will notify you of any new sub-processors with 30 days' notice, and you will have the right to object.

5. Processor Obligations

DocsLine commits to:

  • Process personal data only on your documented instructions
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist you in responding to data subject requests
  • Delete or return all personal data upon termination of services
  • Make available all information necessary to demonstrate compliance
  • Allow for and contribute to audits conducted by you or your auditor

6. Security Measures

We implement the following security measures:

  • Encryption of personal data at rest (AES-256) and in transit (TLS 1.3)
  • Regular security assessments and penetration testing
  • Access controls and authentication mechanisms
  • Logging and monitoring of data access
  • Incident response procedures
  • Business continuity and disaster recovery plans
  • Employee security training

7. Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay (and in any event within 72 hours) after becoming aware of the breach.

The notification will include:

  • Description of the nature of the breach
  • Categories and approximate number of data subjects affected
  • Contact point for more information
  • Likely consequences of the breach
  • Measures taken or proposed to address the breach

8. International Transfers

No transfers outside the EU: All personal data is processed and stored exclusively within the European Union (Nuremberg, Germany & Paris, France).

We do not transfer personal data to countries outside the EU/EEA. If this changes in the future, we will ensure appropriate safeguards are in place (e.g., Standard Contractual Clauses) and update this DPA accordingly.

9. Term and Termination

This DPA is effective as long as we process personal data on your behalf.

Upon termination of services, we will, at your choice:

  • Return all personal data to you in a portable format, and/or
  • Delete all personal data within 30 days

These obligations apply unless retention is required by applicable law.

Contact Us

For questions about this DPA, contact:

Data Protection Officer: dpo@docsline.eu

Legal Department: legal@docsline.eu