Data Processing Agreement (DPA)

Last updated: 19 May 2026 · Version: 2.0

This Data Processing Agreement (the "DPA") governs the processing of personal data carried out by Intellizy S.L. ("Intellizy" or "we") on behalf of the customer of the Involy service (the "Customer" or "you") within the contractual relationship established by the Terms of Service. This DPA is entered into in accordance with Article 28 of Regulation (EU) 2016/679 (the "GDPR") and, where applicable, with Spanish Organic Law 3/2018, of 5 December, on the Protection of Personal Data and the Guarantee of Digital Rights ("LOPDGDD").

This DPA is incorporated by reference into the Terms of Service. By accepting the Terms of Service at the time of subscription, the Customer also accepts this DPA.

1. Background and purpose

The Customer uses the Involy service (the "Service") to issue invoices to its own customers. To provide the Service, Intellizy processes on behalf of the Customer certain personal data that the Customer enters into the application, including data about the recipients of the invoices. This DPA sets out the conditions, rights and obligations of the Parties in relation to that processing, in compliance with Article 28 GDPR.

This DPA does not affect the processing that Intellizy carries out as controller in respect of the Customer's own data (account data, subscription billing data, technical data, support communications), which is governed by our Privacy Policy.

2. Definitions

Capitalised terms not defined in this DPA have the meaning given to them in Article 4 GDPR. For the purposes of this DPA:

"Customer Data" means the personal data that the Customer, acting as controller, enters or transmits to the Involy application for Intellizy to process on its behalf in connection with the provision of the Service. It includes, in particular, the content of the invoices the Customer issues to its own customers.
"Processor" means Intellizy in relation to the Customer Data.
"Controller" means the Customer in relation to the Customer Data.
"Sub-processor" means any third party engaged by Intellizy to process Customer Data on behalf of Intellizy.
"Data Subject" means the natural person to whom the Customer Data relates.
"Service" means the Involy platform and the related services provided by Intellizy to the Customer in accordance with the Terms of Service.
"Terms of Service" means the Involy terms and conditions accepted by the Customer at the time of subscription.
"Personal Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorised disclosure of, or access to, Customer Data, in accordance with Article 4(12) GDPR.

3. Subject matter and details of processing

The details of the processing (subject matter, duration, nature, purpose, categories of personal data and categories of Data Subjects) are set out in Annex 1 to this DPA.

4. Roles of the Parties

For the purposes of Customer Data:

The Customer acts as controller and retains the responsibility to determine the purposes and means of the processing, as well as to comply with the obligations imposed on the controller by the GDPR.
Intellizy acts as processor and processes Customer Data exclusively on behalf of the Customer, in accordance with the Customer's documented instructions and this DPA.

Decisions about which personal data is entered into the Service, to whom invoices are issued, the items invoiced and any other substantive decision about the processing are the Customer's sole responsibility.

5. Processor obligations

In compliance with Article 28(3) GDPR, Intellizy:

(a) Documented instructions. Will process Customer Data only on documented instructions from the Customer, including with regard to transfers of personal data to a third country or an international organisation, unless required to do so by Union or Member State law applicable to Intellizy; in such case, Intellizy will inform the Customer of that legal requirement before processing, unless that law prohibits such information on important grounds of public interest. The Customer's documented instructions include, without limitation: (i) the Terms of Service, (ii) this DPA and (iii) the Customer's use of the Service in accordance with its documented functionality.
(b) Confidentiality. Will ensure that persons authorised to process Customer Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.
(c) Security measures. Will implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, in accordance with Article 32 GDPR. The measures in force are described in Annex 2.
(d) Sub-processors. Will comply with the conditions for engaging other processors set out in Clause 6 and Annex 3.
(e) Assistance with Data Subject rights. Will assist the Customer, by appropriate technical and organisational measures, insofar as possible, in fulfilling its obligation to respond to requests for the exercise of the Data Subject rights laid down in Chapter III GDPR.
(f) Assistance with Controller obligations. Will assist the Customer in ensuring compliance with the obligations laid down in Articles 32 to 36 GDPR, taking into account the nature of the processing and the information available to Intellizy.
(g) Return or deletion. At the Customer's choice, will delete or return all Customer Data once the Service has ended, including existing copies, unless retention of the data is required by Union or Member State law. The detail of return and deletion is set out in Clause 12.
(h) Information and audits. Will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR, and will allow for and contribute to audits in accordance with Clause 11.

Intellizy will inform the Customer immediately if, in its opinion, an instruction from the Customer infringes the GDPR or other applicable data protection law.

6. Sub-processors

The Customer grants Intellizy a general authorisation to engage Sub-processors for the provision of the Service, provided that such Sub-processors offer sufficient guarantees to implement appropriate technical and organisational measures under the GDPR and are bound by data protection obligations equivalent to those set out in this DPA.

The current categories of Sub-processors are set out in Annex 3. The list of current Sub-processors identified by name is available to any Customer upon written request to support@involy.com.

Material changes to Sub-processor categories. If Intellizy adds a new Sub-processor or replaces an existing one and the change involves a material modification of the categories listed in Annex 3 (for example, a new processing category or the relocation of a category outside the EU/EEA), Intellizy will notify the Customer at least 30 days in advance. During that period, the Customer may object to the change on reasonable grounds. If the objection is valid and the Parties cannot reach a solution within 30 days from the notification, the Customer may terminate the part of the Service affected by the change, and will be entitled to a pro-rata refund of the unused portion of the pre-paid subscription, limited to the affected Service.

Non-material changes within a category already disclosed. The replacement of one Sub-processor by another within the same category disclosed in Annex 3 (for example, replacing one European hosting provider with another equivalent European provider) does not constitute a material modification and therefore does not require individual notification nor give rise to a right to object. The updated list of Sub-processors identified by name will in any event be available upon request.

7. Assistance with Data Subject requests

Intellizy will assist the Customer, insofar as reasonably possible and taking into account the nature of the processing, so that the Customer can respond to requests from Data Subjects relating to the exercise of their rights under the GDPR (access, rectification, erasure, restriction, objection, portability, automated decisions and withdrawal of consent).

If Intellizy receives directly a request from a Data Subject that should be handled by the Customer as controller, Intellizy will notify the Customer without undue delay and will refrain from responding directly, unless instructed otherwise by the Customer or where a response is required by applicable law.

Intellizy may pass on to the Customer the reasonable costs of assistance where the requests are manifestly unfounded or excessive, in accordance with Article 12(5) GDPR.

8. Technical and organisational measures (TOMs)

Intellizy implements the technical and organisational measures described in Annex 2, designed to protect Customer Data against unauthorised access, alteration, disclosure or accidental or unlawful destruction.

These measures may evolve to reflect technological developments and newly identified risks. Intellizy will not materially reduce the effective level of security of the Service without reasonable cause.

9. Personal Data Breach notification

Intellizy will notify the Customer, without undue delay, of any Personal Data Breach affecting Customer Data, in accordance with Article 33(2) GDPR. The notification will include, to the extent of the information available at that time, the elements set out in Article 33(3) GDPR (nature of the breach, categories and approximate number of Data Subjects and records concerned, likely consequences, measures taken or proposed).

Intellizy will reasonably cooperate with the Customer so that the Customer can comply, as applicable, with its obligation to notify the competent supervisory authority under Article 33 GDPR and to communicate the breach to the Data Subject under Article 34 GDPR.

A notification made by Intellizy to the Customer does not constitute an admission of fault or liability for the breach.

10. International data transfers

As a general rule, Intellizy and its Sub-processors process Customer Data within the European Union or the European Economic Area (EU/EEA). At present no international transfers of Customer Data are carried out outside the EU/EEA.

If a transfer outside the EU/EEA were to become necessary in the future, Intellizy will ensure that it is covered by one of the mechanisms set out in Chapter V GDPR: an adequacy decision of the European Commission, Standard Contractual Clauses approved by the European Commission, or any other valid mechanism, supplemented by any additional measures that may be required following the corresponding transfer impact assessment. Any international transfer will be treated as a material change for the purposes of Clause 6.

11. Right to audit

Upon reasonable written request from the Customer, Intellizy will provide the Customer with the documentation necessary to demonstrate compliance with the obligations set out in Article 28 GDPR. This documentation will include, where applicable and available:

a written description of the technical and organisational measures in force;
a summary of the data-flow map and the categorical list of Sub-processors;
the updated list of Sub-processors identified by name;
a summary of the relevant Personal Data Breach history;
information reasonably necessary for the Customer to assess the Processor's compliance.

Unless required by a competent authority, this audit right will be exercised by remote documentary review, no more than once per calendar year, save for justified cause (for example, a relevant Personal Data Breach). On-site audits or audits carried out by third-party external auditors are outside the scope of this DPA and will require a specific written agreement between the Parties.

12. Term, termination, return or deletion

Term. This DPA will remain in force for as long as Intellizy processes Customer Data on behalf of the Customer. Its duration is tied to that of the Terms of Service.

Termination. This DPA will terminate automatically upon termination of the Terms of Service, without need for additional notice, without prejudice to those clauses which, by their nature, are intended to survive.

Return and deletion of Customer Data. Upon termination of the Service:

The Customer may, at any time before termination, export its data through the export functionality available within the Involy application.
Following termination and once any outstanding amounts have been resolved (collected or recorded as uncollectible), Intellizy will delete in full the Customer Data stored in the Involy application, in accordance with the retention model described in the Privacy Policy.
Certain operational system logs may retain minimal technical references associated with the Customer's operations (for example, internal identifiers or email addresses) for a maximum period of 30 days from cancellation, for security, diagnostic and operational traceability purposes. After that period, the logs are deleted automatically.
Intellizy will retain, in its internal accounting records held separately from the Involy application, copies of the invoices issued in respect of the Customer's subscription, for the periods required by Article 30 of the Spanish Commercial Code (Código de Comercio — 6 years) and, where applicable, the applicable tax legislation. This retention is based on Article 17(3)(b) GDPR.
Where outstanding amounts remain unpaid, the identifying and billing data necessary for collection will be retained until collection is completed or the amount is recorded as uncollectible, in accordance with Article 17(3)(e) GDPR.
Upon reasonable written request from the Customer, Intellizy will issue a certificate of deletion once completed.

13. Liability and indemnification

Each Party's liability arising out of or in connection with this DPA is subject to the limitations of liability set out in the Terms of Service, in particular the aggregate cap on liability agreed therein.

In accordance with Article 82 GDPR, each Party will be liable for the damage caused by processing that infringes the GDPR and that is attributable to it. The joint and several liability between Controller and Processor provided for in Article 82(4) GDPR will apply only on the terms set out in the Regulation itself.

The Customer will hold Intellizy harmless against any claim brought by a Data Subject or third party arising out of (a) the Customer's decisions about the purposes and means of the processing, (b) the personal data the Customer enters into the Service, or (c) any breach by the Customer of its obligations as Controller under the GDPR, all within the terms and limits set out in the Terms of Service.

14. Order of precedence

In the event of a conflict between this DPA and the Terms of Service on matters relating to the processing of personal data, the provisions of this DPA will prevail. On any other matter, the Terms of Service will prevail.

In the event of a conflict between this DPA and the Privacy Policy in relation to the processing of Customer Data as processor, the provisions of this DPA will prevail. The Privacy Policy will continue to govern the processing that Intellizy carries out as controller of the Customer's own data.

15. Governing law and dispute resolution

This DPA is governed by Spanish law, without prejudice to the direct applicability of the GDPR and other European data protection legislation.

Any dispute arising out of this DPA will be submitted to the dispute resolution mechanisms set out in the Terms of Service. The foregoing is without prejudice to the right of Data Subjects to lodge complaints with the Spanish Data Protection Authority (AEPD) or with the competent supervisory authority, and to the rights available to them under Articles 77 to 79 GDPR.

16. Modifications to this DPA

Intellizy may modify this DPA to reflect changes in the Service, in processing practices or in applicable law. The current version is always available on this page, together with the date of the last update.

Non-material changes will take effect on the date indicated in the DPA itself and will be communicated through a visible notice in the application.

Material changes — meaning those that reduce the safeguards Intellizy offers as processor, materially modify the categories of Sub-processors, or reduce the Customer's rights as controller — will be notified at least 30 days in advance through a visible notice in the application and, where technically feasible, by email. During that period the Customer may object to the change on reasonable grounds in accordance with Clause 6.

Annex 1 — Details of processing

Subject matter of the processing. Processing by Intellizy, on behalf of the Customer, of the personal data the Customer enters into the Involy application for the purpose of issuing invoices to the Customer's own customers.

Duration. For the duration of the Terms of Service and the subsequent periods set out in Clause 12.

Nature of the processing. Collection, recording, storage, structuring, modification, consultation, use for the generation of invoices, transmission to the Spanish Tax Authority (Agencia Estatal de Administración Tributaria, "AEAT") in VERI*FACTU mode pursuant to Spanish Royal Decree 1007/2023, communication to invoice recipients, retention and deletion.

Purpose. Provision of the Involy Service to the Customer, including the issuance and management of the invoices the Customer chooses to issue to its own customers through the application.

Categories of Data Subjects.

Where the Customer issues invoices to natural persons, those natural persons will be Data Subjects in respect of the personal data appearing on the invoice (name, surname(s), tax identification number, postal address, etc.).
Where the Customer issues invoices to legal persons (companies, entities), the identifying data of the entity itself (corporate name, tax identification number, postal address) does not, as a general matter, constitute personal data under Article 4(1) GDPR, given that the GDPR protects exclusively data relating to natural persons. However, if the invoice includes personal data of identifiable natural persons (for example, a contact name or a personal email address), those natural persons will be Data Subjects in respect of that data.
Any other natural person whose personal data the Customer chooses to enter into the application for invoicing purposes.

Categories of personal data. On behalf of the Customer, and to the extent that the data entered by the Customer constitutes personal data under Article 4(1) GDPR, Intellizy processes the following categories of data relating to Data Subjects:

Identifying data: name and surname(s).
Tax and billing data: tax identification number, corporate name where applicable, postal address and country. The postal address and country appear on the invoice for tax reasons (in particular, determination of the applicable VAT and tax obligations, including those arising from cross-border transactions) and, where applicable, also serve as contact data for the recipient.
Contact data: email address of the recipient, where the Customer provides it for the delivery of the invoice.
Contractual and economic data: items invoiced, descriptions, quantities, amounts, dates, invoice numbers.
Any other personal data the Customer chooses to enter into the application.

Intellizy does not require or recommend that the Customer enter special categories of personal data (Article 9 GDPR) nor data relating to criminal convictions and offences (Article 10 GDPR). The Service is not designed to process such categories of data.

Annex 2 — Technical and organisational measures (TOMs)

Intellizy applies, at a minimum, the following technical and organisational measures, in accordance with Article 32 GDPR:

Encryption in transit: all communications between the user's browser and Involy's servers are carried out using TLS.
Encryption of credentials: passwords are stored exclusively as salted hashes, with no plaintext storage.
Payment data: Intellizy does not collect, access or store credit or debit card data; such data is entered and managed directly by the payment service provider in accordance with applicable standards (for example, PCI DSS).
Access controls: access by authorised personnel to the infrastructure and to Customer Data is governed by the principle of least privilege, with individual identification and traceability.
Logging and traceability: Intellizy maintains system event logs that enable auditing of access and relevant operations, for reasonable retention periods.
Continuity and recovery: Intellizy performs periodic backups and has restoration procedures to ensure the availability and integrity of Customer Data.
Personnel confidentiality: personnel authorised to process Customer Data are bound by confidentiality, whether by contract or by statutory obligation.
Sub-processor management: Intellizy selects Sub-processors that offer sufficient guarantees and binds them by contract to obligations equivalent to those of this DPA.
Continuous review: the measures are reviewed periodically and updated when new risks or technological developments are identified.
Internal training: authorised personnel receive training on data protection and information security.

Intellizy may update these measures over time. Any update will maintain a level of protection equivalent to or higher than the one described above.

Annex 3 — Categories of Sub-processors

The categories of Sub-processors that Intellizy currently uses for the provision of the Service are:

Cloud hosting provider located in the EU/EEA.
Payment service provider.
Language model (artificial intelligence) provider located in the EU/EEA.
Speech-to-text provider located in the EU/EEA.
Application performance monitoring (APM) provider located in the EU/EEA.

The updated list of Sub-processors identified by name is available to any Customer upon written request to support@involy.com.

In addition, invoice records are transmitted to the Spanish Tax Authority (AEAT) in accordance with VERI*FACTU mode under Spanish Royal Decree 1007/2023. AEAT does not act as a Sub-processor of Intellizy: it is a public administration that processes the data on its own legal basis and for its own purposes.