Data Processing Agreement

The data-processing terms that apply when Oris Invoice processes personal data on your behalf as a data processor.

Aligned with: GDPR + Belgian DPA · Effective: April 29, 2026

Not legal advice. This page is a templated baseline aligned with GDPR + Belgian DPA. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.

1. Definitions

"Controller", "Processor", "Personal Data", "Processing", "Data Subject" have the meanings set out in GDPR Art. 4 and the Belgian Data Protection Act. "Customer Personal Data" means Personal Data within Customer Data we process on your behalf.

2. Roles and instructions (GDPR Art. 28(3)(a))

You are the Controller. We are the Processor. We process Customer Personal Data only on your documented instructions, including with regard to international transfers, unless required by EU or member-state law.

3. Confidentiality and personnel (GDPR Art. 28(3)(b))

Personnel authorised to process Customer Personal Data are bound by confidentiality and have received data-protection training. Access is on a need-to-know basis with role-based access controls.

4. Security measures (GDPR Art. 32)

Encryption at rest (AES-256-GCM) and in transit (TLS 1.3); regular vulnerability scanning and penetration testing; network segmentation, least-privilege access, centralised logging; incident detection and response; background checks for personnel with production access.

5. Sub-processors (GDPR Art. 28(2), 28(4))

You authorise us to engage sub-processors. A current list is available; we give 30 days' notice before adding or replacing one (with a reasonable objection right). We remain liable for sub-processor performance under Art. 28(4).

6. Data subject rights (GDPR Art. 28(3)(e))

We assist you in responding to access, rectification, erasure, restriction, portability, and objection requests via self-service export tools and processor support.

7. Data breach notification (GDPR Art. 33)

We notify you without undue delay (and within 72 hours of becoming aware) of any Personal Data Breach affecting Customer Personal Data, with the information you need for your Art. 33/34 obligations.

8. International transfers

Where transfers occur outside the EEA, we rely on EU Commission Adequacy Decisions or EU SCCs (2021/914) plus a Transfer Impact Assessment per Schrems II.

9. Audits (GDPR Art. 28(3)(h))

You may audit compliance on reasonable notice and at your cost, no more than once per 12 months (or following a Personal Data Breach). SOC 2 Type II + ISO 27001 reports satisfy most audit requirements.

10. Return or deletion

On termination we return Customer Personal Data in machine-readable format and/or delete it (subject to 35-day backup retention and the 7-year statutory invoice retention under Belgian VAT Code Art. 60).

11. Liability and conflicts

This DPA forms part of, and is subject to, our Terms of Service. In case of conflict, this DPA prevails on data-protection matters. Liability is subject to the limits in the Terms except where GDPR mandates otherwise.

12. Effective date

This DPA is effective on Terms acceptance. Material changes are notified at least 30 days in advance.