1. Parties
1.1 On the one hand: the contracting entity responsible for providing the Services (hereinafter, "INVOFOX"):
- INVOFOX, Inc., a company incorporated under the laws of the United States, registered in the Delaware Commercial Register under number 7218056, with its registered address for these purposes at 251 Little Falls Drive, Wilmington, New Castle County, DE 19808, Delaware (United States), and email address support@invofox.com.
- INVOFOX INC SUCURSAL EN ESPAÑA, a branch incorporated under the laws of Spain, with Tax ID W0265699I, with registered address at calle Aranjuez 2, local, 28039 Madrid (Spain), and email address support@invofox.com.
The CLIENT shall contract the Services with the entity designated in the Purchase Order.
1.2 On the other hand: the CLIENT, a legal entity contracting the Services of INVOFOX.
1.3 Hereinafter, INVOFOX and the CLIENT shall be jointly referred to as the "Parties" and individually as a "Party".
1.4 The Parties mutually acknowledge that they have sufficient legal capacity to contract and to fulfil their respective obligations.
2. Purpose of the Agreement
2.1 The Parties agree to execute this data processing agreement for the purpose of regulating the personal data processing operations carried out by INVOFOX, establishing the procedure that will govern the processing of personal data, as well as the rights, responsibilities, and obligations inherent to its role as data processor (hereinafter, the "Data Processing Agreement").
2.2 Based on the contractual relationship and the nature of INVOFOX's services, the CLIENT is the data controller (hereinafter, the "CONTROLLER"), and INVOFOX is the data processor (hereinafter, the "PROCESSOR").
2.3 The Parties agree that this Data Processing Agreement shall be governed by EU Regulation 2016/679 (General Data Protection Regulation – GDPR) and by Spanish Organic Law 3/2018 of 5 December on Personal Data Protection and Guarantee of Digital Rights (hereinafter, the "LOPDGDD"), as well as any applicable regulations and the terms established herein.
2.4 The CLIENT's signature of the Purchase Order entails full acceptance of the Data Processing Agreement, unless INVOFOX has expressly agreed in writing to any modification.
3. Subject Matter of the Processing
Through this Data Processing Agreement, the PROCESSOR is authorised to process, on behalf of the CONTROLLER, the personal data necessary for the provision of INVOFOX services. The processing shall mainly consist of:
- Digitisation and processing of Documents that the CONTROLLER sends to the PROCESSOR via the channels enabled for this purpose.
- Storage of said Documents and of the processed data on servers managed by the PROCESSOR and accessible to both Parties at all times through the INVOFOX Platform.
- Provision of maintenance and support services for the INVOFOX Platform.
- Generation and use of statistical data to improve the services provided by the PROCESSOR.
4. Identification of the Information Affected
The CONTROLLER provides the PROCESSOR with the information contained in the Documents subject to digitisation and processing services, including but not limited to:
- Identification data: names and surnames, national ID numbers, passport numbers, tax ID numbers, social security numbers, insurance numbers, public and private healthcare identification, dates of birth, signatures, email addresses, telephone numbers, bank account numbers, IP addresses, etc.
- Professional or employment data: job categories, positions, professional experience, professional certifications, licences, professional association data, salaries, remuneration, withholdings, hiring and termination data, permits, etc.
- Academic data: qualifications, academic records, specific training, etc.
- Other data: usernames and passwords of Authorised Users, geographical areas, and usage data of the Platform.
Under no circumstances shall the PROCESSOR be responsible for the type of information contained in the Documents sent by the CONTROLLER.
5. Obligations of the CONTROLLER
The CONTROLLER undertakes to:
- a. Apply and comply with the GDPR, the LOPDGDD, and any applicable data protection regulations.
- b. Provide data subjects with the information required under the GDPR at the moment their personal data is collected.
- c. Where possible, anonymise or pseudonymise data and, in any case, provide the PROCESSOR only with the data referred to in Clause 4.
- d. Conduct a data protection impact assessment for the processing operations to be carried out by the PROCESSOR.
- e. Perform any necessary prior consultations.
- f. Supervise the processing, including conducting audits and inspections of the PROCESSOR.
- g. Ensure, prior to and throughout the processing, that the PROCESSOR complies with applicable regulations.
6. Obligations of the PROCESSOR
The PROCESSOR undertakes to:
- a. Use personal data only for the purpose described in this Agreement. The PROCESSOR may not use the data for its own purposes except as provided in Clause 10.4 of the General Terms and Conditions.
- b. Process the data according to the CONTROLLER's instructions. If any instruction infringes the GDPR, the LOPDGDD or any applicable regulation, the PROCESSOR shall immediately inform the CONTROLLER.
- c. Maintain a written record of all categories of processing activities carried out on behalf of the CONTROLLER, including:
  - Contact details of the PROCESSOR and CONTROLLER (and representatives, if applicable).
  - Categories of processing carried out.
  - International transfers, where applicable.
  - Description of security measures applied (pseudonymisation, encryption, confidentiality, integrity, availability, resilience, recovery, auditing, etc.).
- d. Not disclose data to third parties without express authorisation from the CONTROLLER unless legally required.
- e. Subcontract cloud storage services only with the entities listed in Annex 1, or others duly notified in writing to the CONTROLLER, following the applicable authorisation procedure.
- f. Maintain confidentiality even after the termination of services.
- g. Ensure that authorised personnel commit in writing to confidentiality and to following security measures.
- h. Maintain documentation proving compliance with the above obligations.
- i. Ensure necessary data protection training for authorised personnel.
- j. Assist the CONTROLLER, where possible, in responding to data subject rights requests (access, rectification, erasure, opposition, restriction, portability, and objection to automated decisions).
- k. Provide information to data subjects when collecting data.
- l. Notify the CONTROLLER of any personal data breach without undue delay and no later than 48 hours.
- m. Assist the CONTROLLER in performing data protection impact assessments.
- n. Provide all necessary information to demonstrate compliance.
- o. Implement mechanisms to ensure:
  - Confidentiality, integrity, availability, and resilience of systems.
  - Rapid restoration of data availability after incidents.
  - Regular verification and evaluation of security measures.
- p. After termination of the Contract, retain and allow the CLIENT to download Extracted Data for one (1) year. After that period, the PROCESSOR may delete the data unless the CONTROLLER requests deletion or return in writing, unless retention is required by law.
7. Liability of the PROCESSOR
7.1 The PROCESSOR shall be considered a CONTROLLER if it processes data for a different purpose, communicates it, or uses it contrary to this Agreement. In such cases, the PROCESSOR shall be personally liable for any infringements.
7.2 The PROCESSOR shall compensate the CONTROLLER for any damages arising from the breach of this Agreement.
7.3 INVOFOX holds a valid civil liability insurance policy with a reputable insurer, including coverage for personal data breaches and sanctions arising from such breaches.
8. Notices
Identical wording to the Confidentiality Agreement:
- Notices must be in writing via email.
- Notices to the CLIENT shall be sent to the email address designated by the CLIENT; notices to INVOFOX shall be sent to support@invofox.com.
- The sending timestamp shall be used for all deadline calculations.
9. International Data Transfers
9.1 Personal data may only be transferred outside the EEA where strictly necessary to fulfil this Agreement and to jurisdictions not covered by an adequacy decision.
9.2 Any such transfer shall be governed by the applicable Standard Contractual Clauses (Module 4), which are incorporated by reference and shall prevail in case of conflict.
9.3 Other mechanisms under applicable legislation may also apply.
9.4 The CONTROLLER expressly accepts that personal data may be transferred to or stored by subprocessors outside the EEA, including jurisdictions without adequacy decisions, provided conditions in Clauses 9.2 and 9.3 are met.
10. Miscellaneous
- The Data Processing Agreement forms an integral part of the Contract.
- In case of conflict, this Agreement prevails over the General Terms and Conditions regarding data protection matters.
- Assignments require prior written consent, except those made by INVOFOX to group entities.
- Changes of address must be notified immediately.
- Invalid clauses do not affect the remaining Agreement.
- INVOFOX may update the Agreement to reflect legal or platform changes, notifying the CLIENT in advance.
11. Data Protection Officer
The Data Protection Officer appointed is:
- Equal Consulting, S.L.P.
- Tax ID: B86823267
- Address: calle Santa Engracia 17, 6th floor, 28010 Madrid (Spain)
- Email: equaldpo@equalprotecciondedatos.com
- Telephone: +34 914 456 569
Last revision date: October 2025
ANNEX 1 — Authorised Subprocessors
List of entities authorised by the CONTROLLER to subcontract the services related to the cloud storage of the content accessible from the INVOFOX Platform:
- Amazon Web Services (AWS) — Cloud infrastructure used for hosting, processing and storage of the platform, primarily within the EU.
- Microsoft Azure — Auxiliary cloud services supporting specific components of the platform.
- Google Cloud Platform — Cloud infrastructure services used for specific workloads and services.
- Auth0 (Okta) — Authentication and identity management for secure access control.
- OpenAI API — Natural language processing and AI-assisted extraction and validation of information.
- Hugging Face — AI models and libraries used in controlled environments.
- MongoDB — Managed database services for structured data storage.
- Chargebee — Subscription, billing and customer account management.
- Linear — Internal project and task management tool.
- Pylon — Customer support and communication management platform.
- Microsoft Office — Internal office productivity and collaboration tools.