1. Parties
1.1 Of the one part: the contracting entity providing the Services (hereinafter, “INVOFOX”):
- INVOFOX, Inc., a company of US nationality, registered with the Delaware Division of Corporations under number 7218056, with address for these purposes at 251 Little Falls Drive, Wilmington, New Castle County, DE 19808, Delaware (United States), and email [email protected].
- INVOFOX INC SUCURSAL EN ESPAÑA, a Spanish branch, with Spanish Tax Identification Number (NIF) W0265699I, with address at calle Aranjuez 2, local, 28039 Madrid (Spain), and email [email protected].
The CLIENT shall contract the Services with the entity designated in the Purchase Order.
1.2 Of the other part: the CLIENT, the legal entity contracting INVOFOX’s Services.
1.3 Hereinafter, INVOFOX and the CLIENT shall be jointly referred to as the “Parties” and individually as a “Party”.
1.4 The Parties have all necessary authority to enter into this Agreement.
2. Purpose of the agreement
2.1 The Parties agree to enter into this data processing agreement in order to govern the personal data processing operations carried out by INVOFOX, to establish the procedure that will rule the processing of personal data, as well as the rights, responsibilities and obligations inherent to its capacity as data processor (hereinafter, the “Data Processing Agreement” or the “Agreement”).
2.2 On the basis of the contractual relationship established and the nature of INVOFOX’s services, the CLIENT is the controller of the data (hereinafter also referred to as the “CONTROLLER”) and INVOFOX is the processor (hereinafter also referred to as the “PROCESSOR”).
2.3 The Parties agree that this Data Processing Agreement shall be governed by Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of natural persons with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46/EC (General Data Protection Regulation) (hereinafter, “GDPR”), and by Organic Law 3/2018 of 5 December on the Protection of Personal Data and Guarantee of Digital Rights (hereinafter, the “LOPDGDD”), as well as by the regulations applicable from time to time and the other terms set forth in this Data Processing Agreement.
2.4 The CLIENT’s signature of the Purchase Order entails the full acceptance of the Data Processing Agreement, unless INVOFOX has expressly accepted its modification in writing.
3. Purpose of the processing
By means of this Data Processing Agreement, the PROCESSOR is authorized to process, on behalf of the CONTROLLER, the personal data necessary for the provision of INVOFOX’s services. The processing shall mainly consist of:
- The digitization and processing of the Documents transmitted by the CONTROLLER to the PROCESSOR through the various channels enabled for that purpose.
- The storage of such Documents transmitted by the CONTROLLER, and of the data processed, on storage servers managed by the PROCESSOR, accessible at all times by both Parties through the INVOFOX Platform.
- The provision of a maintenance and support service for the INVOFOX Platform.
- The generation and use of statistical data for the purpose of improving the services rendered by the PROCESSOR.
4. Duration of the processing
4.1 The processing of personal data subject to this Data Processing Agreement shall be carried out throughout the entire term of the Contract.
4.2 Once the Contract has been terminated for any reason, the PROCESSOR may retain the personal data during the retention periods provided for in clause 7.p) of this Data Processing Agreement and in clause 13.2 of the General Terms and Conditions, as well as during the legal retention periods that may apply. Once such periods have elapsed, the PROCESSOR shall act in accordance with the provisions of the aforementioned clauses.
5. Identification of the affected information
5.1 The CONTROLLER makes available to the PROCESSOR the information contained in the Documents subject to the processing and digitization services, the enumeration of which is purely indicative and not exhaustive, as follows:
- Identification data, such as: first and last names, national ID (DNI) numbers, passport numbers, tax identification (NIF) numbers, social security numbers, mutual insurance numbers, healthcare cards issued by public and private entities, dates of birth, signatures, email addresses, telephone numbers, bank account numbers, IP addresses, etc.
- Professional or employment data, such as: professional categories, positions and job titles, professional experience, professional qualifications, licenses, professional association data, salaries, remuneration, withholdings, registrations and de-registrations, leave, etc.
- Academic data, such as: qualifications, academic records, specific training, etc.
- Other data, such as: usernames and passwords of the Authorized Users, geographical areas and Platform usage data.
5.2 The CONTROLLER, in its capacity as controller of the processing, is solely competent to determine the actual typology of personal data made available to the PROCESSOR through the Documents. The PROCESSOR does not control, does not systematically review and does not assume any responsibility for the specific typology of personal information contained in the Documents transmitted by the CONTROLLER.
In this regard, in no event shall the CONTROLLER make available to the PROCESSOR Documents containing special categories of personal data within the meaning of Article 9 of the GDPR (data revealing racial or ethnic origin, political opinions, religious or philosophical beliefs or trade union membership; genetic data; biometric data for the purpose of uniquely identifying a natural person; data concerning health; or data concerning the sex life or sexual orientation), nor personal data within the meaning of Article 10 of the GDPR (data relating to criminal convictions and offences), save where the Parties have previously agreed in writing on the enhanced technical and organizational measures and additional safeguards that shall apply. The CONTROLLER shall hold the PROCESSOR harmless from any claims, damages, losses, sanctions or costs arising from the breach of this obligation.
5.3 The categories of data subjects whose personal data may be processed under this Data Processing Agreement are determined exclusively by the CONTROLLER on the basis of the nature, content and origin of the Documents made available to the PROCESSOR. In no event shall the determination of the categories of data subjects fall to the PROCESSOR, nor shall the PROCESSOR assume any responsibility for them, such determination being the sole and exclusive responsibility of the CONTROLLER.
6. Obligations of the CONTROLLER
- a. To apply and comply with the GDPR, the LOPDGDD and all applicable data protection regulations.
- b. At the time of collecting the personal data, to provide the data subjects affected by the processing operations with the information required under the GDPR.
- c. To the extent possible, to anonymize or pseudonymize the data and, in any event, to make available to the PROCESSOR only the data referred to in Clause 5.
- d. In the cases where it is required by the applicable data protection regulations, to carry out a data protection impact assessment of the processing operations to be performed by the PROCESSOR.
- e. In the cases where it is required by the applicable data protection regulations, to carry out the corresponding prior consultations.
- f. To supervise the processing, including the performance of audits and inspections of the PROCESSOR.
- g. To ensure, prior to and throughout the entire processing, the compliance by the PROCESSOR with the regulations in force.
7. Obligations of the PROCESSOR
- a. To use the personal data subject to processing, or such data as it may collect for inclusion, solely for the purpose of this assignment. In no event may the PROCESSOR use the data for its own purposes, save as provided for in Clause 10.4 of the General Terms and Conditions.
- b. To process the data in accordance with the CONTROLLER’s instructions. If the PROCESSOR considers that any of the instructions infringes the GDPR, the LOPDGDD or any other applicable data protection regulations, the PROCESSOR shall immediately inform the CONTROLLER.
c. To keep, in writing, a record of all categories of processing activities carried out on behalf of the CONTROLLER, containing:
- i. The name and contact details of the PROCESSOR and of each CONTROLLER on whose behalf the PROCESSOR acts and, where applicable, of the representative of the CONTROLLER or of the PROCESSOR, and of the data protection officer.
- ii. The categories of processing carried out on behalf of each CONTROLLER.
- iii. Where applicable, the transfers of personal data to a third country or international organization, including the identification of such third country or international organization and, in the case of transfers referred to in the second subparagraph of Article 49(1) of the GDPR, the documentation of suitable safeguards.
- iv. A general description of the technical and organizational security measures relating to: the pseudonymization and encryption of personal data; the ability to ensure the ongoing confidentiality, integrity, availability and resilience of processing systems and services; the ability to restore the availability and access to personal data in a timely manner in the event of a physical or technical incident; and the process for regularly testing, assessing and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
- d. Not to disclose the data to third parties, unless it has the express authorization of the CONTROLLER, in cases legally admissible. The PROCESSOR may disclose the data to other processors of the same CONTROLLER, in accordance with the CONTROLLER’s instructions. In such case, the CONTROLLER shall identify, in advance and in writing, the entity to which the data are to be disclosed, the data to be disclosed and the security measures to be applied for the disclosure. If the PROCESSOR is required to transfer personal data to a third country or to an international organization under Union law or the law of a Member State applicable to it, it shall inform the CONTROLLER of that legal requirement in advance, unless such law prohibits this on important grounds of public interest.
- e. The CONTROLLER authorizes the PROCESSOR to subcontract the services necessary for the provision of the Platform Service with the entities listed from time to time in the updated list of sub-processors accessible through the INVOFOX Trust Center: https://trust.invofox.com (hereinafter, the “List of Sub-processors”). The PROCESSOR undertakes to keep the List of Sub-processors updated and to notify the CONTROLLER, with a minimum advance notice of fifteen (15) calendar days, of the addition or replacement of any sub-processor, either through its publication on the said link or, where applicable, through the email address designated by the CONTROLLER to the PROCESSOR in the General Terms and Conditions. The subcontracted entity, which also has the status of processor, is likewise obliged to comply with the obligations set forth in this Agreement and with the instructions issued by the CONTROLLER. It is the responsibility of the initial PROCESSOR to govern the new relationship, in such a way that the new processor is subject to the same conditions (instructions, obligations, security measures, etc.) and to the same formal requirements as the initial PROCESSOR, with regard to the proper processing of personal data and the safeguarding of the rights of the data subjects. In the event of a breach by the sub-processor, the initial PROCESSOR shall remain fully liable to the CONTROLLER for the fulfilment of the obligations. In such case, the subcontracting may be carried out provided that the CONTROLLER does not raise a justified objection on reasonable data protection grounds within fifteen (15) calendar days from the date on which the PROCESSOR has notified the subcontracting in writing. The PROCESSOR may freely entrust the performance, in whole or in part, of the processing to any company of the same group that controls it or is controlled by it, in accordance with Article 42 of the Spanish Commercial Code.
- f. To maintain the duty of confidentiality with regard to the personal data to which it has had access by virtue of this assignment, even after the purpose of the assignment has been fulfilled.
- g. To ensure that the persons authorized to process personal data expressly undertake, in writing, to respect confidentiality and to comply with the corresponding security measures, of which they must be duly informed.
- h. To keep at the CONTROLLER’s disposal the documentation evidencing compliance with the obligation set forth in the preceding paragraph.
- i. To ensure the necessary training in personal data protection for the persons authorized to process personal data.
- j. To the extent possible, to assist the CONTROLLER in responding to the exercise of the rights of access, rectification, erasure, objection, restriction of processing, data portability, and the right not to be subject to automated individual decision-making. Where the data subjects exercise directly before the PROCESSOR the rights of access, rectification, erasure and objection, restriction of processing, data portability, and the right not to be subject to automated individual decision-making, the PROCESSOR shall notify the CONTROLLER thereof by email. Such notification shall be made immediately and in no case later than the business day following receipt of the request, together with any other information that may be relevant to resolve the request.
- k. At the time of collecting the data, the PROCESSOR must provide the information relating to the data processing operations to be carried out.
- l. To notify the CONTROLLER, without undue delay and in any event within a maximum period of forty-eight (48) hours, through the email address designated by the CONTROLLER to the PROCESSOR in the General Terms and Conditions, of any personal data breaches affecting the data in its custody of which it becomes aware, together with all the information relevant to the documentation and communication of the incident in accordance with the applicable data protection regulations. Notification shall not be required where the personal data breach is unlikely to result in a risk to the rights and freedoms of natural persons.
- m. To support the CONTROLLER, where appropriate, in carrying out data protection impact assessments.
- n. To make available to the CONTROLLER all the information necessary to demonstrate compliance with its obligations.
o. In any event, the PROCESSOR shall implement mechanisms to:
- i. Ensure the near-permanent confidentiality, integrity, availability and resilience of processing systems and services.
- ii. Restore the availability and access to personal data in a timely manner in the event of a physical or technical incident.
- iii. Regularly verify, assess and evaluate the effectiveness of the technical and organizational measures implemented to ensure the security of the processing.
- p. In accordance with the provisions of the General Terms and Conditions, once the Contract has been terminated, the CLIENT shall have a period of three (3) months to consult and download the Extracted Data from the Platform. Once the period of three (3) months has elapsed, INVOFOX shall have no obligation to store the Extracted Data, including personal data, or any Documents of the CLIENT, and may delete them. Where applicable, once the three (3) month period has elapsed, upon express written request of the CONTROLLER, the PROCESSOR shall erase all personal data or return them to the CONTROLLER, and shall destroy any existing copies, unless European Union or Member State law requires the retention of the personal data.
8. Liabilities of the PROCESSOR
8.1 The PROCESSOR shall be deemed CONTROLLER in the event that it uses the data for another purpose, discloses them or uses them in breach of this Data Processing Agreement. In such cases, the PROCESSOR shall be liable for the infringements personally incurred.
8.2 The PROCESSOR shall indemnify the CONTROLLER for the direct and foreseeable damages and losses that may result from the breach of the obligations assumed under this Data Processing Agreement, in accordance with and within the limits set forth in clause 11.3 of the General Terms and Conditions, which the Parties agree shall also apply to this Data Processing Agreement.
8.3 INVOFOX has in force a civil liability insurance policy with a solvent and reputable insurance company. Among others, the policy includes (1) coverage for civil liability arising from personal data breaches and (2) coverage for sanctions for personal data breaches.
9. Notices
9.1 Notices between the Parties relating to the Data Processing Agreement shall be given in writing by email.
9.2 Notices addressed to the CLIENT shall be sent to the email address designated by the CLIENT in its identification details; notices addressed to INVOFOX shall be sent to the email address [email protected].
9.3 For all notices between the Parties, the date recorded by the system used as the date of dispatch shall be deemed valid for the purposes of calculating time limits, regardless of the date on which the recipient accessed the notice.
10. International data transfers
10.1 The Parties agree that personal data may only be transferred to and/or held with the recipient outside the European Economic Area (hereinafter, the “EEA”) in a country, territory or jurisdiction not covered by an adequacy decision issued by the European Commission on an exceptional basis and only if it is necessary in order to fulfil the obligations of this Data Processing Agreement.
10.2 Where applicable, such transfer shall be governed, in addition to by the provisions of the Data Processing Agreement, by the standard contractual clauses adopted by Commission Implementing Decision (EU) 2021/914 of 4 June 2021, in the module that corresponds depending on the actual flow of the data.
The standard contractual clauses are incorporated into this Data Processing Agreement by reference.
In the event of any contradiction, inconsistency or incompatibility between the provisions of the Data Processing Agreement and the provisions of the standard contractual clauses, the provisions of the standard contractual clauses shall prevail. Any replacement, revision or update of the standard contractual clauses adopted in accordance with the GDPR shall automatically replace the standard contractual clauses incorporated into the Data Processing Agreement.
10.3 In addition to the availability of an adequacy decision or the adoption of standard contractual clauses, other mechanisms provided for under the applicable data protection regulations may apply.
10.4 The CONTROLLER expressly accepts that personal data may be transferred to sub-processors and/or stored by such sub-processors outside the EEA, including in a country, territory or jurisdiction not covered by an adequacy decision issued by the European Commission, for the purpose of providing the Platform Service, provided that the conditions of clauses 10.2 and 10.3 of the Data Processing Agreement are met.
11. Miscellaneous
11.1 The Data Processing Agreement forms an integral part of the Agreement for all purposes. Accordingly, the duration of this Data Processing Agreement shall be subject to the duration of the contractual relationship established by the Parties.
In the event of any contradiction, inconsistency or incompatibility between the General Terms and Conditions and the Data Processing Agreement, the Data Processing Agreement shall prevail as to its subject matter over the General Terms and Conditions.
11.2 The legal relationship constituted between the Parties as CONTROLLER and PROCESSOR is governed by this single Data Processing Agreement and by the Privacy Policy of the INVOFOX Platform, being the sole valid data processing agreement existing between the Parties, and it supersedes any prior agreement or commitment on the same subject matter, whether written or oral, and may only be modified by an agreement signed by both Parties.
11.3 The Parties may not assign, in whole or in part, their rights or obligations under this Data Processing Agreement to any third party without the prior written consent of the other Party.
Notwithstanding the foregoing, as the sole exception, prior written consent shall not be required where INVOFOX assigns, in whole or in part, its rights or obligations in favor of companies, subsidiaries or branches over which it exercises control or that are companies, subsidiaries or branches belonging to the same group of companies.
11.4 Any change of address of one of the Parties shall be notified to the other immediately and by means that ensure receipt of the message.
11.5 If any clause or covenant set forth in the Data Processing Agreement is declared null or voidable, illegal or unenforceable, the validity, legality and enforceability of the remaining provisions shall not be affected or impaired thereby.
11.6 INVOFOX may revise, update and modify the Data Processing Agreement at any time to adapt it to legislative, case-law or interpretative developments of the Spanish Data Protection Agency (“AEPD”), as well as to reflect any changes that may arise in the Platform and the Services. INVOFOX shall inform the CLIENT in writing prior to its entry into force.
12. Data Protection Officer
Equal Consulting, S.L.P., with Spanish Tax Identification Number (NIF) B86823267, with address at calle Santa Engracia 17, 6th floor, 28010 Madrid (Spain), email [email protected] and telephone +34 914 456 569, has been designated as the Data Protection Officer.
Date of last revision: May 2026