1.1 On the one hand: the contracting entity responsible for providing the Services (hereinafter, “INVOFOX”):
The CLIENT shall contract the Services with the entity designated in the Purchase Order.
1.2 On the other hand: the CLIENT, a legal entity contracting the Services of INVOFOX.
1.3 Hereinafter, INVOFOX and the CLIENT shall be jointly referred to as the “Parties” and individually as a “Party”.
1.4 The Parties mutually acknowledge that they have sufficient legal capacity to contract and to fulfil their respective obligations.
2.1 The Parties agree to execute this data processing agreement for the purpose of regulating the personal data processing operations carried out by INVOFOX, establishing the procedure that will govern the processing of personal data, as well as the rights, responsibilities, and obligations inherent to its role as data processor (hereinafter, the “Data Processing Agreement”).
2.2 Based on the contractual relationship and the nature of INVOFOX’s services, the CLIENT is the data controller (hereinafter, the “CONTROLLER”), and INVOFOX is the data processor (hereinafter, the “PROCESSOR”).
2.3 The Parties agree that this Data Processing Agreement shall be governed by EU Regulation 2016/679 (General Data Protection Regulation – GDPR) and by Spanish Organic Law 3/2018 of 5 December on Personal Data Protection and Guarantee of Digital Rights (hereinafter, the “LOPDGDD”), as well as any applicable regulations and the terms established herein.
2.4 The CLIENT’s signature of the Purchase Order entails full acceptance of the Data Processing Agreement, unless INVOFOX has expressly agreed in writing to any modification.
Through this Data Processing Agreement, the PROCESSOR is authorised to process, on behalf of the CONTROLLER, the personal data necessary for the provision of INVOFOX services. The processing shall mainly consist of:
The CONTROLLER provides the PROCESSOR with the information contained in the Documents subject to digitisation and processing services, including but not limited to:
Under no circumstances shall the PROCESSOR be responsible for the type of information contained in the Documents sent by the CONTROLLER.
The CONTROLLER undertakes to:
a. Apply and comply with the GDPR, the LOPDGDD, and any applicable data protection regulations.
b. Provide data subjects with the information required under the GDPR at the moment their personal data is collected.
c. Where possible, anonymise or pseudonymise data and, in any case, provide the PROCESSOR only with the data referred to in Clause 4.
d. Conduct a data protection impact assessment for the processing operations to be carried out by the PROCESSOR.
e. Perform any necessary prior consultations.
f. Supervise the processing, including conducting audits and inspections of the PROCESSOR.
g. Ensure, prior to and throughout the processing, that the PROCESSOR complies with applicable regulations.
The PROCESSOR undertakes to:
a. Use personal data only for the purpose described in this Agreement. The PROCESSOR may not use the data for its own purposes except as provided in Clause 10.4 of the General Terms and Conditions.
b. Process the data according to the CONTROLLER’s instructions. If any instruction infringes the GDPR, the LOPDGDD or any applicable regulation, the PROCESSOR shall immediately inform the CONTROLLER.
c. Maintain a written record of all categories of processing activities carried out on behalf of the CONTROLLER, including:
d. Not disclose data to third parties without express authorisation from the CONTROLLER unless legally required.
e. Subcontract cloud storage services only with the entities listed in Annex 1, or others duly notified in writing to the CONTROLLER, following the applicable authorisation procedure.
f. Maintain confidentiality even after the termination of services.
g. Ensure that authorised personnel commit in writing to confidentiality and to following security measures.
h. Maintain documentation proving compliance with the above obligations.
i. Ensure necessary data protection training for authorised personnel.
j. Assist the CONTROLLER, where possible, in responding to data subject rights requests (access, rectification, erasure, opposition, restriction, portability, and objection to automated decisions).
k. Provide information to data subjects when collecting data.
l. Notify the CONTROLLER of any personal data breach without undue delay and no later than 48 hours.
m. Assist the CONTROLLER in performing data protection impact assessments.
n. Provide all necessary information to demonstrate compliance.
o. Implement mechanisms to ensure:
p. After termination of the Contract, retain and allow the CLIENT to download Extracted Data for one (1) year. After that period, the PROCESSOR may delete the data unless the CONTROLLER requests deletion or return in writing, unless retention is required by law.
7.1 The PROCESSOR shall be considered a CONTROLLER if it processes data for a different purpose, communicates it, or uses it contrary to this Agreement. In such cases, the PROCESSOR shall be personally liable for any infringements.
7.2 The PROCESSOR shall compensate the CONTROLLER for any damages arising from the breach of this Agreement.
7.3 INVOFOX holds a valid civil liability insurance policy with a reputable insurer, including coverage for personal data breaches and sanctions arising from such breaches.
Identical wording to the Confidentiality Agreement:
9.1 Personal data may only be transferred outside the EEA where strictly necessary to fulfil this Agreement and to jurisdictions not covered by an adequacy decision.
9.2 Any such transfer shall be governed by the applicable Standard Contractual Clauses (Module 4), which are incorporated by reference and shall prevail in case of conflict.
9.3 Other mechanisms under applicable legislation may also apply.
9.4 The CONTROLLER expressly accepts that personal data may be transferred to or stored by subprocessors outside the EEA, including jurisdictions without adequacy decisions, provided conditions in Clauses 9.2 and 9.3 are met.
The Data Protection Officer appointed is:
Equal Consulting, S.L.P.
Tax ID: B86823267
Address: calle Santa Engracia 17, 6th floor, 28010 Madrid (Spain)
Email: equaldpo@equalprotecciondedatos.com
Telephone: +34 914 456 569
Last revision date: October 2025
List of entities authorised by the CONTROLLER to subcontract the services related to the cloud storage of the content accessible from the INVOFOX Platform:
