Data Processing Agreement
Last updated: January 2026
This Data Processing Agreement ("DPA") forms part of the Terms of Service between Invoicrm Inc. ("Processor", "we", "us") and the Customer ("Controller", "you").
1. Definitions
- "Personal Data" means any information relating to an identified or identifiable natural person as defined under applicable Data Protection Laws.
- "Data Protection Laws" means all applicable laws relating to data protection and privacy, including GDPR, CCPA, PIPEDA, and any other applicable regulations.
- "Processing" means any operation performed on Personal Data, including collection, storage, use, disclosure, or deletion.
- "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
- "Data Subject" means the individual to whom the Personal Data relates.
2. Scope and Purpose
This DPA applies to the Processing of Personal Data by Invoicrm on behalf of the Customer in connection with providing the Service. The purpose of Processing includes:
- Providing field service management software functionality
- Storing and managing client, lead, and job data
- Generating and sending invoices and quotes
- Facilitating communications between the Customer and their clients
- Providing analytics and reporting features
3. Categories of Personal Data
The following categories of Personal Data may be processed:
- Contact information (names, email addresses, phone numbers, addresses)
- Business information (company names, job titles)
- Financial information (invoice amounts, payment records)
- Service records (job descriptions, notes, dates)
- Communication records (emails, messages sent through the Service)
4. Categories of Data Subjects
Personal Data processed may relate to:
- Customer's employees and team members
- Customer's clients and prospects
- Customer's suppliers and contractors
- Any other individuals whose data the Customer uploads to the Service
5. Processor Obligations
As the Processor, Invoicrm agrees to:
- Process Personal Data only on documented instructions from the Controller, unless required by law
- Ensure that persons authorized to process Personal Data are bound by confidentiality obligations
- Implement appropriate technical and organizational security measures
- Assist the Controller in responding to Data Subject requests
- Assist the Controller with data protection impact assessments and consultations with supervisory authorities
- Delete or return all Personal Data upon termination of the Service, unless retention is required by law
- Make available information necessary to demonstrate compliance with this DPA
6. Controller Obligations
As the Controller, the Customer agrees to:
- Ensure that there is a lawful basis for Processing and that Data Subjects have been properly informed
- Provide clear and lawful instructions for Processing
- Comply with all applicable Data Protection Laws
- Ensure that the Personal Data provided is accurate and up to date
- Notify Invoicrm promptly of any Data Subject requests received directly
7. Security Measures
Invoicrm implements the following technical and organizational security measures:
- Encryption of data in transit using TLS 1.2 or higher
- Encryption of data at rest
- Access controls and authentication mechanisms
- Regular security assessments and vulnerability testing
- Employee security awareness training
- Incident response procedures
- Business continuity and disaster recovery plans
- Physical security controls at data center facilities
8. Sub-processors
The Controller authorizes Invoicrm to engage the following Sub-processors:
| Sub-processor | Purpose | Location |
|---|---|---|
| Supabase Inc. | Database hosting and authentication | United States |
| Vercel Inc. | Application hosting | United States |
| Stripe Inc. | Payment processing | United States |
| Resend Inc. | Email delivery | United States |
| Sentry (Functional Software Inc.) | Error monitoring | United States |
Invoicrm will notify the Controller of any intended changes to Sub-processors, providing an opportunity to object. If the Controller objects and the parties cannot reach an agreement, the Controller may terminate the affected Services.
9. International Data Transfers
Personal Data may be transferred to and processed in countries outside the European Economic Area (EEA), including the United States. For such transfers, Invoicrm ensures appropriate safeguards are in place:
- Standard Contractual Clauses (SCCs) approved by the European Commission
- Sub-processors with valid data processing agreements and appropriate certifications
- Technical measures to ensure data protection regardless of location
10. Data Subject Rights
Invoicrm will assist the Controller in responding to Data Subject requests to exercise their rights under applicable Data Protection Laws, including:
- Right of access
- Right to rectification
- Right to erasure ("right to be forgotten")
- Right to restriction of processing
- Right to data portability
- Right to object
Invoicrm will promptly notify the Controller of any Data Subject requests received directly, unless prohibited by law.
11. Data Breach Notification
In the event of a Personal Data breach, Invoicrm will:
- Notify the Controller without undue delay, and in any event within 72 hours of becoming aware of the breach
- Provide sufficient information to enable the Controller to meet any obligations to report the breach to supervisory authorities or Data Subjects
- Cooperate with the Controller and take reasonable steps to assist in the investigation and mitigation of the breach
12. Data Retention and Deletion
Upon termination of the Service or upon the Controller's request:
- Invoicrm will delete or return all Personal Data to the Controller within 90 days
- Invoicrm will delete existing copies unless retention is required by applicable law
- The Controller may request a certificate of deletion
13. Audit Rights
Invoicrm will make available to the Controller information necessary to demonstrate compliance with this DPA. Upon reasonable notice:
- The Controller may request audit reports, certifications, or other documentation
- The Controller may conduct audits or inspections, subject to reasonable confidentiality and scheduling requirements
- Audits shall be at the Controller's expense unless they reveal material non-compliance by Invoicrm
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Nothing in this DPA limits liability that cannot be excluded or limited under applicable law.
15. Term and Termination
This DPA shall remain in effect for as long as Invoicrm processes Personal Data on behalf of the Controller. The DPA will automatically terminate when the underlying Terms of Service terminate or expire.
16. Governing Law
This DPA shall be governed by the same governing law as the Terms of Service, except where Data Protection Laws require otherwise. For EEA Data Subjects, nothing in this DPA limits any rights under GDPR.
17. Contact Information
For questions about this DPA or to exercise any rights related to data processing, please contact:
Data Protection Contact: hello@invoicrm.com
Address:
Invoicrm Inc.
1337 Wellington St W
Ottawa, ON K1Y 3B6
Canada