Data Processing Addendum
The contract that governs how Drupd processes personal data on your behalf when you use the service. Forms part of the Terms of Service.
Purpose & incorporation
This Data Processing Addendum (the "DPA") forms part of the Drupd Terms of Service between you (the "Controller") and Drupd (the "Processor") and governs the processing of personal data carried out by Drupd on the Controller's behalf in the course of providing the Drupd invoicing service.
Capitalized terms not defined here have the meaning given in the Terms of Service. "Personal data", "processing", "controller", "processor", "data subject", "supervisory authority", and related terms have the meanings given in the EU General Data Protection Regulation 2016/679 ("GDPR") and the UK GDPR.
This DPA applies to the extent Drupd processes personal data on behalf of the Controller that is subject to GDPR, UK GDPR, the Swiss Federal Act on Data Protection, or other applicable data protection law. In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to the processing of personal data.
Roles & scope of processing
The Controller is the controller of any personal data it submits to Drupd (including client names, contact details, billing information, and any data contained in invoices or attachments). Drupd is the processor of that personal data and processes it only on the Controller's documented instructions.
The Controller's instructions are: (a) the Terms of Service; (b) this DPA; (c) the use of features and configuration choices made available within the Drupd product; and (d) any additional written instructions agreed in writing between the parties. Drupd will not process personal data for any purpose other than to provide, secure, support, and improve the Drupd service.
Drupd will immediately inform the Controller if, in its opinion, an instruction infringes GDPR, UK GDPR, or other applicable data protection law, and may suspend the affected processing pending clarification.
Details of processing
Subject matter: the provision of the Drupd invoicing service.
Duration: for the term of the Terms of Service and any post-termination retention period set out in this DPA.
Nature and purpose of processing: hosting, storing, transmitting, rendering, and otherwise processing personal data so the Controller can create, send, track, and store invoices and related billing records.
Categories of data subjects: (a) the Controller's authorized users (account holders); (b) the Controller's clients and invoice recipients; (c) anyone whose personal data the Controller includes in invoice content, attachments, or workspace records.
Categories of personal data: name, email address, postal address, billing identifiers, tax identifiers (e.g., VAT number), phone number, invoice line-item descriptions, payment amounts, payment status, uploaded logos and signatures, and any other personal data the Controller chooses to enter into the service.
Special categories of data: the service is not designed to process special-category data (e.g., health, biometric, political opinions) and the Controller must not submit such data without first agreeing additional safeguards in writing with Drupd.
Processor obligations
Drupd will process personal data only on documented instructions from the Controller, including with regard to transfers of personal data to a third country, unless required to do so by EU, UK, or Member State law to which Drupd is subject. In such a case, Drupd will inform the Controller of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest.
Drupd ensures that persons authorized to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
Drupd takes all measures required under Article 32 GDPR (security of processing), as further described in this DPA.
Drupd assists the Controller, by appropriate technical and organizational measures, insofar as possible, in fulfilling the Controller's obligation to respond to requests for exercising data subject rights under Chapter III GDPR.
Drupd assists the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 GDPR (security, breach notification, impact assessments, prior consultation), taking into account the nature of processing and the information available to Drupd.
At the choice of the Controller, Drupd will delete or return all personal data to the Controller after the end of the provision of services relating to processing, and delete existing copies unless EU, UK, or Member State law requires storage of the personal data.
Drupd makes available to the Controller all information necessary to demonstrate compliance with the obligations laid down in this DPA and Article 28 GDPR, and allows for and contributes to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller, subject to reasonable notice, confidentiality obligations, and Drupd's security policies. Drupd may satisfy audit requests by providing a summary of its most recent third-party audit report or equivalent evidence where available.
Sub-processors
The Controller grants Drupd a general authorization to engage sub-processors to assist in providing the service, subject to the conditions in this section. Drupd's current list of sub-processors, including each sub-processor's identity, purpose, hosting region, and a link to its data processing agreement, is published at /subprocessors and is incorporated into this DPA by reference.
Drupd will notify the Controller of any intended changes concerning the addition or replacement of sub-processors that have access to customer personal data, thereby giving the Controller the opportunity to object to such changes. Notification will be given by email to the Controller's account address or by an update to the /subprocessors page at least 30 days before the new sub-processor begins processing personal data, unless a shorter notice period is required for security, legal, or business-continuity reasons.
If the Controller objects to a new sub-processor on reasonable data protection grounds within 30 days of notification, the Controller may, as its sole remedy, terminate the affected portion of the service by giving written notice to Drupd. Drupd will refund any prepaid fees for the unused portion of the current term following such termination.
Where Drupd engages a sub-processor, Drupd will impose data protection obligations on that sub-processor that are no less protective than those set out in this DPA, in particular providing sufficient guarantees to implement appropriate technical and organizational measures so that the processing meets the requirements of GDPR and UK GDPR. Drupd remains fully liable to the Controller for the performance of each sub-processor's obligations.
International data transfers
Drupd stores Controller personal data primarily in the European Union (Supabase on AWS eu-west-1, Ireland). Certain sub-processors are hosted outside the EU/UK/Switzerland, including in the United States, as set out at /subprocessors.
Where personal data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a country that has not received an adequacy decision from the European Commission, the UK Government, or the Swiss Federal Data Protection and Information Commissioner, Drupd relies on the European Commission's Standard Contractual Clauses (Commission Implementing Decision (EU) 2021/914 of 4 June 2021), the UK International Data Transfer Addendum, and the Swiss adaptations issued by the FDPIC, as applicable. By entering into this DPA, the parties are deemed to have entered into the relevant Standard Contractual Clauses with respect to such transfers, with Drupd acting as data importer (where Drupd is the importer) or as data exporter to its sub-processors (where applicable).
Drupd has carried out transfer impact assessments where required and applies supplementary technical, contractual, and organizational measures (including encryption in transit and at rest, access controls, and contractual onward-transfer restrictions) to address risks identified by Schrems II and subsequent guidance.
Security measures
Drupd implements and maintains appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, damage, alteration, or disclosure. These measures include, at minimum:
Encryption: TLS 1.2+ for data in transit; AES-256 (or equivalent) for data at rest; encrypted database storage on managed infrastructure.
Access control: role-based access control with least-privilege defaults; row-level security policies in the database to isolate organizations; multi-factor authentication on production access for Drupd personnel; separation of production and non-production environments.
Authentication & sessions: industry-standard password hashing; secure, HTTP-only session cookies with rotation; session revocation on password change.
Network security: deployment on Cloudflare Workers with DDoS protection and web application firewall; Cloudflare Turnstile bot mitigation on authentication endpoints; restricted database ingress.
Logging & monitoring: application error monitoring (Sentry, consent-gated for end-user clients); audit logging of significant administrative actions; alerting on anomalous activity.
Personnel: confidentiality obligations on all personnel with access to personal data; security awareness measures appropriate to role.
Resilience: automated backups with defined retention; tested restore procedures; documented incident response plan.
Drupd reviews and updates its security measures periodically. Drupd may update specific measures, provided that the level of security is not materially degraded.
Personal data breaches
Drupd will notify the Controller without undue delay after becoming aware of a personal data breach affecting Controller personal data, and in any event within 72 hours where required by applicable law. The notification will, to the extent then known, describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach and mitigate its possible adverse effects.
Drupd will provide reasonable assistance to the Controller in fulfilling the Controller's obligations under Articles 33 and 34 GDPR (notification to supervisory authorities and to affected data subjects), at the Controller's cost where such assistance materially exceeds the support included in the Controller's plan.
Notification of, or response to, a personal data breach is not an acknowledgement by Drupd of fault, liability, or breach of this DPA, the Terms of Service, or applicable law.
Data subject requests
The Drupd service provides functionality that enables the Controller to access, correct, export, and delete personal data within its workspace, which the Controller can use to respond to data subject requests directly.
Where a data subject contacts Drupd directly with a request relating to personal data processed on the Controller's behalf, Drupd will, where the relevant Controller can be identified, redirect the data subject to the Controller and notify the Controller of the request without undue delay. Drupd will not respond to such requests on the merits except on the Controller's documented instructions or where required by applicable law.
Drupd will assist the Controller in responding to data subject requests, taking into account the nature of the processing and the information available to Drupd, through reasonable technical and organizational measures.
Retention, return & deletion
Drupd retains Controller personal data for as long as the Controller's account is active and as needed to provide the service. The Controller can export and delete personal data at any time through in-product functionality.
On termination of the Terms of Service or written request from the Controller, Drupd will, at the Controller's choice, delete or return all Controller personal data, and delete existing copies, within a reasonable period (and in any event within 30 days of the request or termination), unless EU, UK, or Member State law requires further storage.
Backups containing Controller personal data may persist for up to 30 days after deletion before being overwritten in the ordinary course of backup rotation, and Drupd will not restore such data after the Controller has requested deletion except where required by law.
Drupd may retain limited information necessary to comply with legal obligations, defend legal claims, resolve disputes, enforce its agreements, or detect and prevent fraud or abuse, in each case subject to appropriate confidentiality and security measures.
Liability
Each party's liability arising out of or related to this DPA, whether in contract, tort, or under any other theory of liability, is subject to the limitations and exclusions of liability set out in the Terms of Service. Nothing in this DPA limits or excludes any liability that cannot be limited or excluded under applicable law.
The aggregate liability of Drupd under this DPA and the Terms of Service is subject to the overall cap set out in the Terms of Service, regardless of whether the claim arises under contract, the Standard Contractual Clauses, statute, or otherwise.
General terms
This DPA enters into force on the date the Controller accepts the Terms of Service or begins using the Drupd service and remains in force for the duration of the processing of personal data by Drupd on behalf of the Controller.
Drupd may update this DPA from time to time to reflect changes in law, sub-processors, security measures, or product functionality, provided that no update will materially reduce the level of data protection afforded to Controller personal data. Material updates will be notified by email to the Controller's account address or by a notice on the marketing site, with at least 30 days' prior notice where reasonably practicable.
If any provision of this DPA is held invalid or unenforceable, the remaining provisions remain in full force, and the invalid provision will be reformed to the minimum extent necessary to make it valid and enforceable while preserving the parties' original intent.
This DPA is governed by, and will be interpreted in accordance with, the law specified in the Terms of Service, subject to any mandatory data protection law that applies regardless of choice of law.
This DPA was last updated on May 16, 2026.
Contact
Questions about this DPA, requests to invoke its terms, or requests for additional documentation (such as a signed counterpart) should be sent to privacy@drupd.com. We aim to respond to substantive requests within a reasonable time.