← Back

Data Processing Agreement (DPA)

Compliant with Article 28 of the GDPR — Last updated: 28 April 2026

Article 1 — Purpose

This Data Processing Agreement ("DPA") is entered into between:

  • The Data Controller: the Creditor-User of the Reddivo Service (hereinafter "the Controller")
  • The Data Processor: Reddivo SAS, publisher of the Reddivo SaaS software (hereinafter "the Processor")

The Processor processes personal data on behalf of the Controller in connection with the provision of the Reddivo Service, in accordance with the Controller's documented instructions and the Terms of Use.

Article 2 — Data Processed

  • Categories of data subjects: debtors of the Controller (the Creditor's clients)
  • Types of data: first name, last name, company name, email address, phone number, invoiced amounts, invoicing and due dates
  • Purpose: automation of payment reminders and generation of reminder documents on behalf of the Controller
  • Duration: duration of the Service agreement + 90 days, subject to legal retention obligations (10 years for accounting data)

Article 3 — Obligations of the Processor

The Processor undertakes to:

  • Process data only on documented instructions from the Controller, including with regard to transfers outside the EU
  • Ensure the confidentiality of data by ensuring that persons authorised to process the data are subject to a confidentiality obligation
  • Implement appropriate technical and organisational measures (Article 32 GDPR): TLS encryption in transit, encryption at rest, secure authentication, backups, access logging
  • Not sub-process without prior authorisation. Authorised sub-processors are listed in Article 5
  • Assist the Controller in fulfilling their obligations (data subject rights, impact assessments, breach notifications)
  • Upon termination of the agreement, delete or return data at the Controller's choice, within 90 days
  • Make available to the Controller all information necessary to demonstrate compliance with the obligations of this agreement

Article 4 — Breach Notification

In the event of a personal data breach (Article 33 GDPR), the Processor shall notify the Controller within a maximum of 72 hours after becoming aware of the breach. The notification shall include:

  • The nature of the breach
  • The categories and approximate number of data subjects concerned
  • The likely consequences
  • The measures taken or proposed to remedy the breach

Article 5 — Sub-processors

The Controller authorises the use of the following sub-processors:

  • Supabase, Inc. (USA) — Database hosting, authentication
  • Vercel, Inc. (USA) — Web application hosting
  • Stripe, Inc. (USA) — Payment processing (PCI DSS Level 1)
  • Resend, Inc. (USA) — Transactional email delivery
  • Anthropic, PBC (USA) — AI invoice extraction (one-time processing)

The Processor shall inform the Controller of any addition or replacement of a sub-processor with 30 days' notice. The Controller may object within 15 days.

Article 6 — Transfers Outside the EU

Data transfers to the United States (Supabase, Vercel, Stripe, Resend, Anthropic) are governed by:

  • The European Commission's Standard Contractual Clauses (SCCs) (Implementing Decision 2021/914)
  • The EU-US Data Privacy Framework where the recipient entity is certified

Article 7 — Right to Audit

The Controller has the right to audit the data processing conditions. The audit may be carried out by the Controller or an appointed third party, subject to reasonable notice of 30 days and confidentiality obligations.

Article 8 — Contact

Data protection contact: dpo@reddivo.io

Terms of UsePrivacy PolicyLegal Notice