Data Processing Agreement

For business data uploaded to a customer workspace, the customer is generally the controller or business owner of that data, and InvoiceAI acts as a processor or service provider.

InvoiceAI processes customer data only to provide, secure, maintain, and improve the service, or as otherwise instructed by the customer.

Processing may include storage, OCR, extraction, supplier matching, price comparison, audit scoring, report generation, support, security monitoring, and backup operations.

InvoiceAI may process personal data found in invoices, such as employee names, supplier contacts, email addresses, or document metadata.

InvoiceAI may use subprocessors for hosting, database storage, authentication, AI processing, analytics, payments, support, and security tooling.

We require subprocessors to apply appropriate technical and organizational measures for the data they process.

We apply access controls, authentication protections, row-level authorization patterns, encrypted transport, provider-level storage safeguards, and operational monitoring.

Customer administrators are responsible for managing invited users, roles, permissions, and uploaded content within their workspace.

Upon reasonable request or account termination, InvoiceAI will delete or return customer data unless retention is required for legal, security, billing, or backup purposes.

Backup and log copies may remain for a limited period before automatic deletion according to operational retention practices.