Data Processing Addendum

This Data Processing Addendum ("DPA") describes how EU e-Invoice Hub processes personal data on behalf of merchants when delivering the service.

Roles

Merchants are the data controller for customer personal data. EU e-Invoice Hub acts as a data processor and only processes data according to merchant instructions and applicable law.

Data we process

• Identifiers needed to create and deliver invoices (order IDs, shop IDs).
• Invoice metadata and line-item details required by tax authorities.
• System logs and technical telemetry for security and reliability.

Purpose and legal basis

We process personal data to generate compliant invoices, route them to Peppol or local authorities, and provide audit trails. Processing is limited to what is necessary for these purposes.

Security measures

• Encryption in transit and at rest.
• Region-scoped storage and access controls.
• Access logging for operational data.
• Monitoring for availability and security events.
• Provider-managed backups encrypted at rest.

Subprocessors

We use Cloudflare infrastructure to host and deliver the service. If additional subprocessors are added, we will update this DPA.

Retention

Invoice artifacts and submission records are retained for up to 10 years to meet regulatory requirements. Operational logs are retained for shorter windows (typically 30 days). Data is deleted or anonymized when no longer needed or when lawful deletion requests are received.

Data subject requests

Merchants can request data access or deletion by contacting hello@eueinvoicehub.com. We will support merchants in responding to data subject requests.

Contact

Questions about this DPA can be sent to hello@eueinvoicehub.com.