Data Processing Addendum

Template — incorporated by reference into the Terms of Service.

1. Roles

Customer is the Controller. FawtaraX is the Processor.

Processing of invoice and customer master data necessary to deliver the e-invoicing service and meet OTA requirements.

For the term of the subscription plus the 10-year retention period.

Storage, transformation (UBL, hash chain, QR), transmission to OTA, archival, retrieval.

Customer employees, end customers (buyers), suppliers.

Identifiers, contact data, tax identifiers, invoice line items.

Listed in the Privacy Policy. We notify in advance of changes.

See /security. Includes RLS isolation, encryption in transit (TLS 1.2+) and at rest, role-based access, audit logging, HMAC-verified webhooks.

All sub-processors are bound by equivalent confidentiality and security obligations.

We assist Customer in fulfilling access, rectification, deletion and portability requests within 30 days.

We notify Customer of a confirmed personal-data breach without undue delay and within 72 hours.

On termination, Customer may export all data. We delete copies after the OTA retention period, except where legally required to retain.

Customer may request audit reports (e.g. SOC 2 from sub-processors) once per year. On-site audits subject to mutual agreement.

Signed copy available on request: legal@fawtara.daftari.app