Data Processing Addendum

This Data Processing Addendum ("DPA") describes how EU e-Invoice Hub processes personal data on behalf of merchants when delivering the service.

Roles

Merchants are the data controller for customer personal data. EU e-Invoice Hub acts as a data processor and only processes data according to merchant instructions and applicable law.

Data we process

• Identifiers needed to create and deliver invoices (order IDs, shop IDs).
• Invoice metadata and line-item details required by tax authorities.
• System logs and technical telemetry for security and reliability.

Purpose and legal basis

We process personal data to generate compliant invoices, route them to Peppol or local authorities, and provide audit trails. Processing is limited to what is necessary for these purposes.

Security measures

• Encryption in transit and at rest.
• Region-scoped storage and access controls.
• Monitoring for availability and security events.

Subprocessors

We use Cloudflare infrastructure to host and deliver the service. If additional subprocessors are added, we will update this DPA.

Retention

Invoice artifacts and metadata are retained to meet operational and regulatory requirements, and are deleted or anonymized when no longer needed.

Data subject requests

Merchants can request data access or deletion by contacting hello@eueinvoicehub.com. We will support merchants in responding to data subject requests.

Contact

Questions about this DPA can be sent to hello@eueinvoicehub.com.