Data Processing Agreement

Last updated: April 4, 2026

This Data Processing Agreement ("DPA") describes how Greenstamp Software Inc ("Greenstamp," "Processor," "we," or "us") processes personal data on behalf of our clients ("Controller," "you") in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This DPA forms part of and is incorporated into our Terms of Service.

By creating a Greenstamp account, you agree to this DPA as the Controller of personal data processed through our platform.

1. Scope of Processing

Greenstamp processes personal data solely to provide our electronic invoicing platform and related services as described in our Terms of Service. We process data only on your documented instructions, unless required by law to do otherwise.

What We Process

The following categories of personal data are processed on your behalf:

  • Business contact data: Names, email addresses, phone numbers, and postal addresses of your customers and suppliers (counterparties)
  • Business identifiers: Tax identification numbers, business registration numbers
  • Invoice data: Amounts, line item descriptions, tax breakdowns, payment terms, issuance dates
  • User account data: Names, email addresses, login credentials (encrypted), and role assignments for your team members
  • Audit logs: Timestamps, IP addresses, and descriptions of actions taken on the platform

We do not process special categories of personal data (Article 9 GDPR) such as health data, biometric data, racial or ethnic origin, or political opinions.

2. Our Obligations

Confidentiality

All persons authorized to process personal data on our platform have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security Measures

We implement the following technical and organizational measures to protect your data:

  • AES-256 encryption for all sensitive data at rest, including digital certificates and authentication secrets
  • TLS 1.3 encryption for all data in transit
  • Role-based access controls with multi-factor authentication for administrative access
  • Comprehensive audit trail logging for all operations on personal data
  • Anonymization and pseudonymization capabilities for data under legal retention
  • Regular testing and evaluation of security measures

Data Subject Rights

We assist you in responding to requests from individuals exercising their GDPR rights, including access, rectification, erasure, portability, restriction, and objection. We provide self-service data export (JSON format) and data deletion capabilities through the platform.

Breach Notification

We will notify you without undue delay upon becoming aware of a personal data breach affecting your data. Our notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address it.

3. Sub-Processors

You authorize us to engage the following sub-processors to deliver our services. Each sub-processor is bound by data processing obligations no less protective than those in this DPA.

Sub-Processor | Location | Purpose
Storecove B.V. | Netherlands | PEPPOL network connectivity for European e-invoicing
SW Sapien S.A. de C.V. | Mexico | CFDI invoice stamping and validation (PAC)
Render Services, Inc. | United States | Cloud hosting, compute, and database
Amazon Web Services, Inc. | United States | File storage (S3) for invoice PDFs, receipts, and data exports
Stripe, Inc. | United States | Subscription payment processing
Anthropic PBC | United States | AI-powered invoice classification and validation

We will notify you at least 30 days before adding or replacing a sub-processor. If you object, we will discuss the concern in good faith. If no resolution is reached, you may terminate the affected services.

4. International Data Transfers

Greenstamp is based in the United States. Personal data transferred from the European Economic Area (EEA) to the United States is protected by the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), which are incorporated into this DPA by reference.

Copies of the applicable Standard Contractual Clauses are available upon request at privacy@greenstamp.io.

5. Data Retention and Deletion

We retain your data for the following periods:

  • Invoice and billing data: 5 years from issuance, to comply with tax record-keeping requirements
  • Filing records: 10 years for regulatory audit purposes
  • Audit logs: 7 years for accountability and dispute resolution
  • User account data: Duration of your subscription plus 90 days

Upon termination of your subscription, we will, at your choice, delete or return all personal data and delete existing copies — unless law requires further retention. Where legal retention applies, we anonymize the data by removing personal identifiers while preserving aggregate financial records as required.

6. Audit Rights

We will make available all information necessary to demonstrate compliance with this DPA and GDPR Article 28. We will allow for and contribute to audits conducted by you or your mandated auditor, subject to reasonable notice. We may satisfy audit requests by providing relevant certifications or audit reports, written responses to your questionnaire, or on-site access upon reasonable notice (no more than once per calendar year, at your expense).

7. Term

This DPA remains in effect for the duration of your Greenstamp subscription. Obligations relating to confidentiality, data retention, and deletion survive termination.

8. EU Representative

As required by GDPR Article 27, we have appointed EU Rep as our Representative. All GDPR queries from EU Data Subjects or Data Protection Authorities should be submitted to eurep.ie via their dedicated form.

BizLegal Ltd trading as EU Rep
27 Cork Road, Midleton, Co. Cork, Ireland
Company number 635921

9. Contact

For questions about this Data Processing Agreement or to exercise your rights:

Data protection: privacy@greenstamp.io
General: info@greenstamp.io
Address: 2093 Philadelphia Pike #6970, Claymont, DE 19703, United States