Data Processing Agreement

The data-processing terms that apply when Oris Invoice processes personal data on your behalf as a data processor.

Aligned with: GDPR + UAVG · Effective: April 29, 2026

Not legal advice. This page is a templated baseline aligned with GDPR + UAVG. It does not constitute independent legal advice and has not been reviewed by counsel for your specific circumstances. For questions or to request the executed PDF version, email legal@orisinvoice.com.

1. Definitions

"Controller", "Processor", "Personal Data", "Processing", "Data Subject" have the meanings in GDPR Art. 4 + UAVG. "Customer Personal Data" means Personal Data within Customer Data we process on your behalf.

2. Roles and instructions (GDPR Art. 28(3)(a))

You are the Controller; we are the Processor. We process Customer Personal Data only on your documented instructions, including international transfers, unless required by EU or member-state law.

3. Confidentiality and personnel (GDPR Art. 28(3)(b))

Personnel are bound by confidentiality and trained on data protection. Access is need-to-know with role-based access controls.

4. Security measures (GDPR Art. 32)

Encryption at rest (AES-256-GCM) and in transit (TLS 1.3); regular vulnerability scanning; network segmentation; least-privilege access; incident detection and response; personnel background checks.

5. Sub-processors (GDPR Art. 28(2), 28(4))

You give general authorisation for our use of sub-processors (Art. 28(2)). The current list is available on request; we give 30 days' notice before adding or replacing a sub-processor, during which you may object on reasonable grounds. We remain fully liable to you for the performance of each sub-processor's obligations (Art. 28(4)).

6. Data subject rights (GDPR Art. 28(3)(e))

We assist you in responding to data-subject requests via self-service export tools and processor support.

7. Data breach notification (GDPR Art. 33)

We notify you without undue delay, and in any event within 72 hours, after becoming aware of a Personal Data Breach (Art. 33(2)), and provide the information you need for your own notifications to the Autoriteit Persoonsgegevens (Art. 33) and to affected data subjects (Art. 34). Note that your 72-hour deadline for notifying the Autoriteit Persoonsgegevens runs from the time you become aware of the breach, so we notify as early as possible rather than waiting for the full period.

8. International transfers

Transfers outside the EEA rely on a Commission Adequacy Decision or, where none applies, the EU Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914), supplemented by a Transfer Impact Assessment as required by Schrems II (CJEU Case C-311/18).

9. Audits (GDPR Art. 28(3)(h))

You may audit our compliance on reasonable notice, at your cost, at most once per 12 months (or additionally after a Personal Data Breach). We make our current SOC 2 Type II report and ISO 27001 certificate available on request; in most cases these answer audit questions without an on-site audit.

10. Return or deletion

On termination, we return Customer Personal Data in a machine-readable format and/or delete it, at your choice. Copies held in backups are purged within the 35-day backup retention period, and invoice records that Dutch law requires us to keep for 7 years are retained only for that purpose and for no longer than required.

11. Liability and conflicts

This DPA forms part of our Terms of Service. In conflict, this DPA prevails on data-protection matters. Liability subject to Terms limits except where GDPR mandates otherwise.

12. Effective date

Effective on Terms acceptance. Material changes notified 30 days in advance.