
Data Processing Agreement (DPA)

This Data Processing Agreement (hereinafter "DPA") is concluded pursuant to Article 28 of Regulation (EU) 2016/679 of the European Parliament and of the Council (GDPR) between the User of the Fakturuj.si service (hereinafter "Controller") and Elite Digital Services, LLC, the operator of the Fakturuj.si service (hereinafter "Processor"). This DPA forms an inseparable part of the Terms and Conditions.

1. Definitions

  • Controller – The User of the Fakturuj.si service who determines the purposes and means of processing the personal data of their clients through the service.
  • Processor – Elite Digital Services, LLC, which processes personal data on behalf of the Controller through the Fakturuj.si service.
  • Data subject – a natural person whose personal data are processed (the User's clients, contact persons).
  • Personal data – any information relating to an identified or identifiable natural person within the meaning of Article 4(1) of the GDPR.
  • Processing – any operation or set of operations on personal data within the meaning of Article 4(2) of the GDPR.
  • Sub-processor – a third party engaged by the Processor to carry out part of the processing of personal data.

2. Scope and Purpose of Processing

2.1 Subject Matter

The subject matter of this DPA is the processing of personal data by the Processor on behalf of the Controller through the Fakturuj.si online invoicing platform.

2.2 Duration

The processing of personal data lasts for the entire duration of the contractual relationship between the Controller and the Processor (i.e. for the duration of the User's active account in the Fakturuj.si service).

2.3 Nature and Purpose

The purpose of processing is the provision of a SaaS platform for creating, managing and sending invoices and related documents. Personal data are processed for the purposes of:

  • Creating and managing invoices, price offers and delivery notes
  • Recording the User's clients
  • Generating and sending documents by email
  • Data export in various formats

2.4 Categories of Data Subjects

  • The User's clients (invoice recipients)
  • Contact persons of the User's clients

2.5 Types of Personal Data

  • Contact details: first name, last name, email address, telephone number, postal address
  • Billing data: billing address, bank details (IBAN, SWIFT/BIC)
  • Company identification data: business name, company registration number, tax ID, VAT number, registered office

3. Obligations of the Processor

The Processor undertakes to:

  1. Process personal data solely in accordance with the Controller's documented instructions, including instructions regarding transfers of personal data to third countries, unless required to do so by Union or Member State law.
  2. Ensure that persons authorised to process personal data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
  3. Implement all security measures required under Article 32 of the GDPR, as set out in point 4 of this DPA.
  4. Comply with the conditions for engaging sub-processors set out in point 5 of this DPA.
  5. Assist the Controller in responding to requests from data subjects exercising their rights under Chapter III of the GDPR (right of access, rectification, erasure, data portability, etc.).
  6. Assist the Controller in ensuring compliance with the obligations under Articles 32 to 36 of the GDPR (security of processing, data protection impact assessment, prior consultation).
  7. Upon termination of the service, delete or return all personal data to the Controller at the Controller's choice and delete existing copies, unless Union or Member State law requires retention.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections.
  9. Maintain records of all categories of processing activities carried out on behalf of the Controller in accordance with Article 30(2) of the GDPR.
  10. Apply data protection principles by design and by default (privacy-by-design and privacy-by-default) in accordance with Article 25 of the GDPR.

4. Security Measures

The Processor implements and maintains the following technical and organisational security measures:

  • Transmission encryption: TLS 1.2+ for all communication between client and server.
  • Data encryption: encryption of sensitive data at rest (encryption at rest).
  • Access control: role-based access control (RBAC) and multi-factor authentication (MFA) for administrative access.
  • Backups: daily automatic backups with 30-day retention.
  • Hosting: the service is hosted on DigitalOcean infrastructure (region: Frankfurt, Germany, EU) with SOC 2 Type II and ISO 27001 certifications.
  • Updates: regular software updates and security patches.
  • Password hashing: User passwords are stored exclusively in hashed form using modern algorithms.
  • Logging and monitoring: logging of access and security events, monitoring of availability and performance.
  • Incident response: established procedure for responding to security incidents, including reporting personal data breaches.

5. Sub-processors

5.1 Approved Sub-processors

The Controller grants general written authorisation to engage sub-processors. Current list of approved sub-processors:

| Sub-processor | Purpose | Headquarters |
| --- | --- | --- |
| DigitalOcean, LLC | Hosting and infrastructure | USA / EU |
| Brevo (Sendinblue) | Email communication (sending invoices, notifications) | France, EU |
| Sentry (Functional Software, Inc.) | Application error and performance monitoring | USA (EU data processed in EU) |
| Stripe, Inc. | Processing of payment transactions | USA / EU |

The Provider does not own, lease or operate its own data centres or physical infrastructure in any country. All services are operated through the cloud infrastructure of the sub-processors listed above.

5.2 Change Notification

The Processor shall inform the Controller of any intended changes to the list of sub-processors at least 30 days in advance, thereby giving the Controller the opportunity to object to such changes.

If the Controller raises a legitimate objection to a new sub-processor within 30 days of notification, the Processor shall use reasonable efforts to provide an alternative solution. If an alternative solution is not possible, the Controller is entitled to terminate the contract with respect to the affected services.

5.3 Same Obligations

The Processor shall ensure that the same data protection obligations as those set out in this DPA are imposed on each sub-processor by contract.

6. Rights of Data Subjects

  • The Processor shall without undue delay notify the Controller of any request from a data subject exercising their rights (DSAR - Data Subject Access Request).
  • The Processor shall provide the Controller with reasonable assistance in handling requests from data subjects.
  • The Fakturuj.si service provides tools for exporting and deleting client data that the Controller can use to handle requests from data subjects.

7. Data Protection Impact Assessment (DPIA)

Carrying out a data protection impact assessment (DPIA) pursuant to Article 35 of the GDPR is the responsibility of the Controller. The Processor shall provide the Controller with all information necessary to carry out a DPIA in connection with the processing of personal data through the Fakturuj.si service.

8. Notification of Personal Data Breach

The Processor undertakes to:

  • Notify the Controller of any personal data breach without undue delay and at the latest within 72 hours of becoming aware of the breach.
  • Provide the Controller with sufficient information to fulfil the notification obligation under Articles 33 and 34 of the GDPR, including the nature of the breach, the categories and number of data subjects concerned, the likely consequences and the measures taken.

9. Data Retention and Deletion

  • Upon termination of the contract (account cancellation), the Controller has 30 days to export all of their data using the service's export tools.
  • After the 30-day period has elapsed, the Processor shall securely delete all personal data processed on behalf of the Controller, unless applicable laws require their continued retention.
  • Upon the Controller's request, the Processor shall provide written confirmation of data deletion.

10. International Data Transfers

In the event of a transfer of personal data outside the European Economic Area (EEA), the Processor shall ensure adequate safeguards in accordance with Chapter V of the GDPR, in particular:

  • Standard Contractual Clauses (SCCs) approved by the European Commission pursuant to Article 46(2) of the GDPR.
  • The EU-US Data Privacy Framework (DPF), if the data recipient is certified under this programme.
  • A Transfer Impact Assessment (TIA) to ensure an adequate level of protection in the destination country.

11. Audits and Inspections

  • The Controller has the right to audit the Processor's compliance with this DPA, with prior written notice of at least 30 days.
  • Audits shall be conducted a maximum of once every 12 months, unless an audit is triggered by a specific breach or a request from a supervisory authority.
  • The costs of the audit shall be borne by the Controller, unless the audit reveals a material breach of this DPA by the Processor.

12. Liability

The liability of the parties is governed by the provisions of the Terms and Conditions of the Fakturuj.si service and the applicable legislation.

13. EU Representative

The Processor, as a company established outside the EU, has appointed an EU representative pursuant to Article 27 of the GDPR. The EU representative performs exclusively the functions under Article 27 of the GDPR and does not carry out any commercial activity on behalf of the Processor. The representative does not create a Permanent Establishment of the Processor in the EU.

Euro business company Kft.
Headquarters: Rómer Flóris utca 8/B. 3.em., 1024 Budapest, Hungary
Tax number: 28959364-2-41
VAT ID: HU28959364
E-mail: [email protected]

14. Governing Law

This Data Processing Agreement is governed by the laws of the State of Delaware, USA, and forms an inseparable part of the Terms and Conditions. In matters of personal data protection, only the mandatory provisions of Regulation (EU) 2016/679 (GDPR) apply to the extent that they are directly applicable.

15. Contact

If you have any questions regarding this DPA, please contact us:

Elite Digital Services, LLC
Headquarters: 1111B S Governors Ave #21653, Dover, DE 19904, USA
E-mail: [email protected]
Web: www.fakturuj.si

Last updated: March 2026
