
Data Processing Agreement

Last updated: June 10, 2026
For GDPR compliance under Article 28

This Data Processing Agreement ("DPA") is entered into between:

  • Data Controller: You (the Duefy customer), referred to as "Controller"
  • Data Processor: Duefy LLC, 30 N Gould St, Ste N, Sheridan, WY 82801, USA, referred to as "Processor"

This DPA supplements the Terms of Service and applies where Duefy processes personal data on your behalf in connection with the Duefy service.

1. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person, as defined in Article 4(1) GDPR.
  • "Processing" means any operation performed on Personal Data, as defined in Article 4(2) GDPR.
  • "Data Subject" means the individual to whom Personal Data relates (e.g. your clients whose contact information is stored in Duefy).
  • "Sub-processor" means any third party engaged by the Processor to process Personal Data.

2. Subject Matter and Purpose

Duefy processes Personal Data on your behalf for the purpose of providing the Duefy accounts receivable automation service, including:

  • Storing client contact information you upload
  • Sending payment reminder emails to your clients
  • Sending SMS reminders (if enabled)
  • Processing and recording payments via Stripe
  • Generating reports and analytics

Categories of Personal Data

  • Client names and contact details (email, phone, address)
  • Invoice and payment information
  • Email communication records

Categories of Data Subjects

  • Your clients and their representatives

3. Processor Obligations

Duefy LLC agrees to:

  1. Process Personal Data only on documented instructions from the Controller (i.e. as directed by your use of the Duefy service and this DPA).
  2. Ensure that persons authorised to process Personal Data are subject to confidentiality obligations.
  3. Implement appropriate technical and organisational security measures pursuant to Article 32 GDPR.
  4. Not engage Sub-processors without prior authorisation (see Section 5 for current Sub-processors).
  5. Assist the Controller in responding to Data Subject rights requests (Articles 15-22 GDPR).
  6. Notify the Controller without undue delay (within 72 hours) upon becoming aware of a Personal Data breach.
  7. Delete or return all Personal Data upon termination of the service, at the Controller's choice.
  8. Make available all information necessary to demonstrate compliance with Article 28 GDPR.

4. Controller Obligations

You agree to:

  1. Ensure you have a lawful basis for sharing Personal Data with Duefy (e.g. legitimate interests in debt collection, or contractual necessity).
  2. Provide accurate and lawful instructions to Duefy.
  3. Ensure Data Subjects have been informed about the processing through your own privacy notices.

5. Sub-processors

You hereby authorise Duefy to engage the following Sub-processors. Duefy will notify you of any changes to this list with 30 days' notice via email.

Sub-processor  | Purpose                  | Location | Safeguard
Stripe, Inc.   | Payment processing       | USA      | Standard Contractual Clauses
Resend, Inc.   | Email delivery           | USA      | Standard Contractual Clauses
Anthropic, PBC | AI features (anonymized) | USA      | Standard Contractual Clauses
Twilio Inc.    | SMS delivery (optional)  | USA      | Standard Contractual Clauses

6. Security Measures

Duefy implements the following technical and organisational security measures:

  • All data encrypted in transit (TLS 1.2+)
  • Database access restricted to application servers only
  • API keys stored as one-way hashes (SHA-256)
  • Passwords stored using bcrypt hashing
  • Regular automated backups with encryption
  • Access logging and monitoring
  • Two-factor authentication available for all accounts
  • Role-based access controls (Team plan)

7. International Transfers

Where Personal Data is transferred outside the European Economic Area (EEA) or United Kingdom, Duefy relies on Standard Contractual Clauses (SCCs) as approved by the European Commission under Decision 2021/914.

8. Duration and Termination

This DPA remains in effect for the duration of your Duefy subscription. Upon termination:

  • Your data is retained for 90 days to allow export
  • After 90 days, all Personal Data is permanently deleted
  • Billing records may be retained for up to 7 years as required by applicable law

9. Governing Law

This DPA is governed by the laws of the State of Wyoming, USA, consistent with the Terms of Service, and the mandatory provisions of GDPR where applicable.

10. Contact

For questions about this DPA or to exercise your rights:

Duefy LLC
30 N Gould St, Ste N, Sheridan, WY 82801
Email: privacy@duefy.ai

Signing This DPA

For most customers, your acceptance of the Terms of Service incorporates this DPA by reference — no separate signature is required.

If your organization requires a countersigned DPA, please email privacy@duefy.ai with the subject line "DPA Request" and we will arrange a signed copy within 5 business days.

© 2026 Duefy LLC. All rights reserved.