Data Processing Agreement
Last updated: July 2026
When you use Invonio to issue or receive invoices, the invoices contain personal data about your customers or suppliers (their name, address, contact details) — data you control, not us. For that specific data, this Data Processing Agreement (DPA) applies under Article 28 GDPR: you are the controller, and Talivio Technology OÜ ("Talivio", "we") is your processor. This is separate from our Privacy Policy, which covers data about you as our own customer.
1. Subject matter and duration
We process personal data contained in the invoices you create, send or receive through Invonio, for as long as your account exists. When you delete your account, this data is permanently erased (see § 4).
2. Nature and purpose of processing
Generating, validating, delivering, receiving and archiving compliant electronic invoices (ZUGFeRD, Factur-X, XRechnung, Peppol/UBL) on your instructions — nothing beyond what is needed to provide the service.
3. Categories of data and data subjects
- Data: name, business/trading name, address, VAT ID, email address, and the invoiced line items and amounts.
- Data subjects: your invoice recipients (buyers) and, for invoices you receive, your suppliers.
4. Our obligations as processor
- We process this data only on your documented instructions (as configured in the app) — never for our own purposes. If we believe an instruction infringes applicable data protection law, we will inform you without undue delay.
- Anyone processing this data on our side is bound by confidentiality.
- We apply appropriate technical and organizational measures under Art. 32 GDPR, including encryption in transit and tamper-evident archiving.
- We assist you in responding to data subject requests concerning this data, and in fulfilling your own GDPR obligations (e.g. Art. 32-36).
- We notify you without undue delay — and no later than 48 hours after becoming aware — of a personal data breach affecting this data.
- At the end of our relationship, you may export your data at any time; upon account deletion, all of this data — including archived invoice documents — is permanently erased from our systems. Meeting any statutory retention obligation for your invoices beyond that point is your responsibility as controller, so export before deleting.
5. Sub-processors
We use the following sub-processors to provide the service:
- our hosting provider, to run the application and store data (EU-based);
- our email provider, to deliver invoices you send by email;
- where the Peppol delivery channel is available on your account and you use it, our contracted Peppol access point provider, to hand invoices over to the Peppol network.
We will inform you of any intended addition or replacement of a sub-processor, giving you the opportunity to object.
Stripe processes your own subscription payment, not your invoice recipients' data, and is not a sub-processor under this Agreement. Likewise, once an invoice has been handed over for delivery, the recipient, the recipient's Peppol access point, their email provider, and any governmental invoicing platform act independently of us and are not our sub-processors.
6. International transfers
Where a sub-processor is located outside the EU/EEA, we rely on appropriate safeguards such as the European Commission's Standard Contractual Clauses.
7. Audits
You may request information reasonably necessary to demonstrate our compliance with this Agreement by contacting us at [email protected].
8. Acceptance
By using Invonio for your business, you and Talivio Technology OÜ agree to this Data Processing Agreement without further signature, as permitted for standard-terms processor agreements under Art. 28 GDPR.
This document is a general template and does not constitute legal advice. Have it reviewed by counsel before relying on it.