Legal
Data Processing Agreement
Last updated: July 2026This Data Processing Agreement ("DPA") is entered into between the customer accepting the Billingz® Subscription Terms ("Customer", acting as data controller) and Billingz EOOD ("Billingz", acting as data processor). It governs the processing of personal data contained in Customer Data under Article 28 of Regulation (EU) 2016/679 ("GDPR") and is incorporated by reference into the Subscription Terms.
1. Parties and role
Billingz EOOD
Registered office: Vranya Str. 32, fl. 4, ap. 11, Sofia 1233, Bulgaria
Company registration number (EIK): 208766693
VAT number: BG208766693
Email: support@billingz.com
For clarity: for the Customer’s own account, billing, and usage data, Billingz acts as an independent controller as described in the Privacy Policy. This DPA covers only personal data that the Customer enters into the Service about third parties.
2. Subject matter, duration, nature and purpose
- Subject matter: hosting, storage, computation, and display of Customer Data within the Service.
- Duration: the term of the Customer’s subscription plus the deletion period in Section 9.
- Nature and purpose: providing the Billingz operational control features (invoicing records, client records, expense tracking, derived indicators).
3. Categories of data subjects and personal data
- Data subjects: the Customer’s clients, suppliers, and business contacts.
- Categories of data: names, company names, contact details (email, phone, address), tax identifiers, invoice line items, amounts, payment status, and related business records.
- No special categories of data (Article 9 GDPR) are intended to be processed. The Customer agrees not to enter such data into the Service.
4. Instructions
Billingz processes Customer Data only on documented instructions from the Customer, including with regard to international transfers, unless required to do otherwise by EU or Member State law. The Subscription Terms and the Customer’s use of Service features constitute the Customer’s complete instructions. Billingz will inform the Customer if, in its opinion, an instruction infringes the GDPR.
5. Confidentiality and security
- Persons authorized to process Customer Data are bound by confidentiality obligations.
- Billingz implements appropriate technical and organizational measures under Article 32 GDPR, summarized in the Annex.
- Billingz assists the Customer, taking into account the nature of processing, in fulfilling obligations regarding data subject rights, security, breach notification, and data protection impact assessments (Articles 32 to 36 GDPR).
6. Personal data breach
Billingz notifies the Customer without undue delay after becoming aware of a personal data breach affecting Customer Data, and provides information reasonably required for the Customer to meet its own notification obligations.
7. Subprocessors
The Customer grants general authorization for the engagement of the subprocessors listed below. Billingz will inform the Customer of intended additions or replacements at least 14 days in advance, giving the Customer the opportunity to object on reasonable data protection grounds.
| Subprocessor | Purpose | Location |
|---|---|---|
| Amazon Web Services EMEA SARL | Cloud hosting and storage (region eu-central-1, Frankfurt) | EU |
| Stripe Payments Europe Ltd | Payment processing and billing | EU / Ireland |
| Cloudflare Inc. | Content delivery, DDoS protection, DNS | EU / US (SCCs) |
| Zoho Corporation | Business email and support communication | EU / US (SCCs) |
Billingz imposes data protection obligations on subprocessors that are no less protective than those in this DPA and remains liable for their performance.
8. International transfers
Customer Data is hosted in the European Union. Where a subprocessor processes personal data outside the European Economic Area, the transfer is protected by an adequacy decision or Standard Contractual Clauses approved by the European Commission, together with supplementary measures where appropriate.
9. Deletion and return
Upon termination of the subscription, the Customer may export Customer Data within 30 days. After this period, Billingz deletes Customer Data from production systems within 30 days and from backups within 90 days, unless EU or Member State law requires longer retention.
10. Audit
Billingz makes available information reasonably necessary to demonstrate compliance with Article 28 GDPR and allows for audits, including inspections, conducted by the Customer or an auditor mandated by the Customer, no more than once per year, on at least 30 days notice, during business hours, without disruption to operations, and subject to confidentiality. Billingz may first satisfy the request through existing third-party certifications or reports.
11. Liability and order of precedence
Liability under this DPA is subject to the limitations of liability in the Subscription Terms, except where such limitation is not permitted by the GDPR. In case of conflict between this DPA and the Subscription Terms with respect to processing of Customer Data, this DPA prevails.
Annex. Technical and organizational measures (summary)
- Encryption of data in transit (TLS) and at rest.
- Access control: role-based access, least privilege, MFA for administrative access.
- Infrastructure hosted in AWS eu-central-1 with network isolation and managed security services.
- Logical separation of customer workspaces.
- Regular backups with defined retention; tested restore procedures.
- Vulnerability management and timely application of security patches.
- Logging and monitoring of administrative and system events.
- Personnel confidentiality undertakings and need-to-know access.