Data Processing Agreement (DPA)

This Data Processing Agreement (hereinafter referred to as "DPA") is concluded pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) between the User of the Fakturuj.si service (hereinafter referred to as the "Controller") and Elite Digital Services, LLC, the operator of the Fakturuj.si service (hereinafter referred to as the "Processor"). This DPA is an integral part of the Terms and Conditions.

1. Definitions

  • Controller – The User of the Fakturuj.si service who determines the purposes and means of processing personal data of their clients through the service.
  • Processor – Elite Digital Services, LLC, which processes personal data on behalf of the Controller through the Fakturuj.si service.
  • Data Subject – a natural person whose personal data are processed (User's clients, contact persons).
  • Personal Data – any information relating to an identified or identifiable natural person within the meaning of Article 4(1) of the GDPR.
  • Processing – any operation or set of operations performed on personal data within the meaning of Article 4(2) of the GDPR.
  • Sub-processor – a third party engaged by the Processor to carry out part of the personal data processing.

2. Scope and Purpose of Processing

2.1 Subject Matter

The subject matter of this DPA is the processing of personal data by the Processor on behalf of the Controller through the online invoicing platform Fakturuj.si.

2.2 Duration

The processing of personal data shall last for the entire duration of the contractual relationship between the Controller and the Processor (i.e., for the duration of the User's active account in the Fakturuj.si service).

2.3 Nature and Purpose

The purpose of processing is to provide a SaaS platform for creating, managing, and sending invoices and related documents. Personal data are processed for the purposes of:

  • Creating and managing invoices, price quotations, and delivery notes
  • Managing the User's client records
  • Generating and sending documents by email
  • Data export in various formats

2.4 Categories of Data Subjects

  • User's clients (invoice recipients)
  • Contact persons of the User's clients

2.5 Types of Personal Data

  • Contact details: first name, last name, email address, phone number, postal address
  • Billing data: billing address, bank details (IBAN, SWIFT/BIC)
  • Company identification data: business name, company ID, tax ID, VAT ID, registered office

3. Obligations of the Processor

The Processor undertakes to:

  1. Process personal data exclusively in accordance with the documented instructions of the Controller, including instructions regarding the transfer of personal data to third countries, unless required by Union or Member State law.
  2. Ensure that persons authorised to process personal data have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement all security measures required under Article 32 of the GDPR, as set out in Section 4 of this DPA.
  4. Comply with the conditions for engaging sub-processors as set out in Section 5 of this DPA.
  5. Assist the Controller in fulfilling data subject requests to exercise their rights under Chapter III of the GDPR (right of access, rectification, erasure, data portability, etc.).
  6. Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (security of processing, data protection impact assessment, prior consultation).
  7. Upon termination of the provision of services, delete or return all personal data to the Controller at the Controller's choice, and delete existing copies, unless Union or Member State law requires retention.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations under Article 28 of the GDPR and allow for and contribute to audits, including inspections.
  9. Maintain a record of all categories of processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the GDPR.
  10. Apply the principles of data protection by design and by default (privacy-by-design and privacy-by-default) in accordance with Article 25 of the GDPR.

4. Security Measures

The Processor implements and maintains the following technical and organisational security measures:

  • Encryption in transit: TLS 1.2+ for all communication between client and server.
  • Data encryption: encryption of sensitive data in storage (encryption at rest).
  • Access control: role-based access control (RBAC) and multi-factor authentication (MFA) for administrator access.
  • Backups: daily automatic backups with a retention period of 30 days.
  • Hosting: služba je hostovaná na cloudovej infraštruktúre (región: EÚ) s certifikáciami SOC 2 Type II a ISO 27001.
  • Updates: regular software updates and security patches.
  • Password hashing: User passwords are stored exclusively in hashed form using modern algorithms.
  • Logging and monitoring: logging of access and security events, availability and performance monitoring.
  • Incident response: established incident response procedures including personal data breach notification.

5. Sub-processors

5.1 Approved Sub-processors

The Controller grants general written authorisation for the engagement of sub-processors. Current list of approved sub-processors:

Sub-processor Purpose Location
Cloud infrastructure provider Hosting and infrastructure
Brevo (Sendinblue) Email communication (sending invoices, notifications) France, EU
Sentry (Functional Software, Inc.) Application error and performance monitoring USA (EU data processed in the EU)
Stripe, Inc. Processing of payment transactions USA / EU

The Provider does not own, lease, or operate its own data centres or physical infrastructure in any country. All services are operated through the cloud infrastructure of the above-listed sub-processors.

5.2 Notification of Changes

The Processor shall inform the Controller of any intended changes to the list of sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes.

If the Controller raises a justified objection against a new sub-processor within 30 days of the notification, the Processor shall use reasonable efforts to provide an alternative solution. If no alternative solution is possible, the Controller is entitled to terminate the agreement with respect to the affected services.

5.3 Equal Obligations

The Processor shall ensure that each sub-processor is contractually bound by the same data protection obligations as those set out in this DPA.

6. Data Subject Rights

  • The Processor shall notify the Controller without undue delay of any data subject request to exercise their rights (DSAR - Data Subject Access Request).
  • The Processor shall provide the Controller with reasonable assistance in handling data subject requests.
  • The Fakturuj.si service provides tools for exporting and deleting client data, which the Controller may use to fulfil data subject requests.

7. Data Protection Impact Assessment (DPIA)

Conducting a Data Protection Impact Assessment (DPIA) under Article 35 of the GDPR is the responsibility of the Controller. The Processor shall provide the Controller with all information necessary to carry out a DPIA in relation to the processing of personal data through the Fakturuj.si service.

8. Personal Data Breach Notification

The Processor undertakes to:

  • Notify the Controller of any personal data breach without undue delay, and no later than 72 hours after becoming aware of the breach.
  • Provide the Controller with sufficient information to fulfil the notification obligation under Articles 33 and 34 of the GDPR, including the nature of the breach, the categories and number of data subjects affected, the likely consequences, and the measures taken.

9. Data Retention and Deletion

  • Upon termination of the agreement (account cancellation), the Controller has 30 days to export all their data using the service's export tools.
  • After the 30-day period, the Processor shall securely delete all personal data processed on behalf of the Controller, unless legal regulations require further retention.
  • Upon the Controller's request, the Processor shall provide written confirmation of data deletion.

10. International Data Transfers

In the event of transferring personal data outside the European Economic Area (EEA), the Processor shall ensure appropriate safeguards in accordance with Chapter V of the GDPR, in particular:

  • Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2) of the GDPR.
  • The EU-US Data Privacy Framework, if the data recipient is certified under this programme.
  • Transfer Impact Assessment (TIA) to ensure an adequate level of protection in the destination country.

11. Audits and Inspections

  • The Controller has the right to conduct an audit of the Processor's compliance with this DPA, subject to prior written notice of at least 30 days.
  • Audits shall be conducted no more than once every 12 months, unless an audit is triggered by a specific breach or a request from a supervisory authority.
  • The costs of the audit shall be borne by the Controller, unless the audit reveals a material breach of this DPA by the Processor.

12. Liability

The liability of the contracting parties shall be governed by the provisions of the Terms and Conditions of the Fakturuj.si service and applicable legal regulations.

13. EU Representative

The Processor, as a company established outside the EU, has appointed an EU representative pursuant to Article 27 of the GDPR. The EU representative solely fulfils the functions under Article 27 of the GDPR and does not carry out any commercial activities on behalf of the Processor. The representative does not establish a Permanent Establishment of the Processor in the EU.

Euro business company Kft.
Headquarters: Rómer Flóris utca 8/B. 3.em., 1024 Budapest, Hungary
Tax number: 28959364-2-41
VAT ID: HU28959364
E-mail: [email protected]

14. Governing Law

This Data Processing Agreement shall be governed by the laws of the State of Delaware, USA, and constitutes an integral part of the Terms and Conditions. In matters of personal data protection, only the mandatory provisions of Regulation (EU) 2016/679 (GDPR) shall apply to the extent they are directly applicable.

15. Contact

If you have any questions regarding this DPA, please contact us:

Elite Digital Services, LLC
Headquarters: 1111B S Governors Ave #21653, Dover, DE 19904, USA
E-mail: [email protected]
Web: www.fakturuj.si

Last updated: April 2026