Data Processing Agreement

Version 1.0 · Effective date: April 5, 2026

This Data Processing Agreement (“DPA”) forms part of the Terms of Service between EuroValidate and the Customer. It applies whenever EuroValidate processes Personal Data on behalf of the Customer in the course of providing the Service. A signable PDF copy is available on request at [email protected].

1. Definitions

GDPR means Regulation (EU) 2016/679 (General Data Protection Regulation).
Personal Data, Processing, Controller, Processor, Sub-processor, and Data Subject have the meanings given to them in the GDPR.
Customer means the entity or individual that has entered into the Terms of Service with EuroValidate.
EuroValidate means the sole trader registered in Portugal that operates the API at api.eurovalidate.com.
Service means the EuroValidate REST API, SDKs, dashboard, and related offerings.
Customer Data means any Personal Data submitted by the Customer to the Service for processing.
SCCs means the Standard Contractual Clauses approved by the European Commission (Decision 2021/914), Module Two (Controller-to-Processor).

2. Roles of the Parties

The parties acknowledge that, with respect to Customer Data, the Customer is the Controller and EuroValidate is the Processor. EuroValidate processes Customer Data only on documented instructions from the Customer, as set out in Annex I and in the Customer’s use of the Service.

For data EuroValidate collects independently to operate the Service (its own account records, billing data, security logs) EuroValidate acts as an independent Controller governed by the Privacy Policy.

3. Subject Matter, Duration, Nature, Purpose

See Annex I for the detailed description of the Processing.

4. Customer Instructions

EuroValidate shall process Customer Data only on the documented instructions of the Customer, including with regard to transfers of Personal Data to a third country, unless required to do so by Union or Member State law. EuroValidate shall immediately inform the Customer if, in its opinion, an instruction infringes the GDPR or other applicable data protection law.

5. Confidentiality

EuroValidate ensures that persons authorised to process Customer Data have committed themselves to confidentiality (or are under an appropriate statutory obligation of confidentiality) and have received appropriate data protection training.

6. Security (Art. 32 GDPR)

EuroValidate shall implement appropriate technical and organisational measures to ensure a level of security appropriate to the risk, taking into account the state of the art, the costs of implementation, and the nature, scope, context and purposes of Processing. These measures are described in Annex II.

7. Sub-processors

The Customer grants EuroValidate a general authorisation to engage Sub-processors listed in Annex III. EuroValidate will:

enter into a written agreement with each Sub-processor imposing substantially the same data-protection obligations as in this DPA;
remain fully liable to the Customer for the performance of each Sub-processor;
give the Customer at least 30 days’ notice (by email and/or on the sub-processors page) of any intended addition or replacement of a Sub-processor.

If the Customer reasonably objects to a new Sub-processor on legitimate data-protection grounds, it may terminate the affected portion of the Service by written notice within the 30-day window. EuroValidate will refund any pre-paid fees for the unused portion.

8. Data Subject Requests

Taking into account the nature of the Processing, EuroValidate shall assist the Customer by appropriate technical and organisational measures, insofar as possible, for the fulfilment of the Customer’s obligation to respond to requests for exercising the Data Subject’s rights (Art. 12–23 GDPR).

If EuroValidate receives a request directly from a Data Subject relating to Customer Data, it will not respond on the merits but will promptly forward the request to the Customer.

9. Assistance with Articles 32–36

EuroValidate shall, taking into account the nature of Processing and information available to it, assist the Customer in ensuring compliance with the obligations pursuant to Articles 32 (security), 33 (breach notification), 34 (communication to Data Subjects), 35 (DPIA) and 36 (prior consultation) of the GDPR.

10. Personal Data Breach Notification

EuroValidate shall notify the Customer of any Personal Data Breach affecting Customer Data without undue delay and within 72 hours of becoming aware of it. The notification shall contain, to the extent known, the information required by Art. 33(3) GDPR. EuroValidate will provide updates as additional information becomes available.

11. International Transfers

Primary processing takes place on servers located in Germany (EU). Certain Sub-processors (Stripe Inc., functionalities of Cloudflare) may process Customer Data in the United States. Where such transfers occur, they are subject to the SCCs (Module Two, Controller-to-Processor), which are incorporated into this DPA by reference and executed between EuroValidate and the relevant Sub-processor. Copies are available on request.

For transfers from the Customer (Controller) to EuroValidate (Processor) where the Customer is established outside the EEA and EuroValidate is established inside the EEA, the parties agree that Module Four of the SCCs (Processor-to-Controller) shall apply where legally required.

12. Audit Rights

EuroValidate shall make available to the Customer all information necessary to demonstrate compliance with this DPA. On no more than once per twelve-month period, the Customer may conduct an audit — at its own cost, on reasonable written notice of at least 30 days, during normal business hours, and subject to confidentiality — by requesting documentation, completing a security questionnaire, or (for Enterprise customers) commissioning a qualified independent third-party assessor. Audits must not unreasonably disrupt the Service or compromise the security of other customers.

13. Return and Deletion

Upon termination of the Service, EuroValidate shall, at the Customer’s choice, delete or return all Customer Data, and delete existing copies, unless Union or Member State law requires further storage. Default behaviour: deletion within 30 days of termination.

14. Term

This DPA takes effect on the date the Customer accepts the Terms of Service and continues for as long as EuroValidate processes Customer Data. Clauses that by their nature should survive termination (confidentiality, liability, audit records) shall survive.

15. Liability

Each party’s liability under this DPA is subject to the limitations set out in the Terms of Service. Nothing in this DPA limits either party’s liability for damages caused by its own willful misconduct, gross negligence, or breaches of the GDPR.

16. Conflict

In the event of any conflict between this DPA and the Terms of Service, this DPA prevails with respect to data protection matters. In the event of any conflict between this DPA and the SCCs, the SCCs prevail.

17. Contact

Data protection queries: [email protected].

Annex I — Description of the Processing

A. List of Parties

Data Exporter (Controller): The Customer, as identified by the account registered with EuroValidate.
Data Importer (Processor): EuroValidate, Portugal. Contact: [email protected].

B. Categories of Data Subjects

The Customer’s own customers, suppliers, or business contacts whose business identifiers (VAT/IBAN/EORI/LEI) are submitted to the API for validation.
To the extent these identifiers belong to sole traders or self-employed persons, they may relate to identifiable natural persons.

C. Categories of Personal Data

Business identifiers: VAT number, IBAN, EORI number, LEI code.
Associated business metadata returned by government sources: registered name, registered address, activity status.
Webhook URLs and monitoring configuration set by the Customer.

No special categories of data (Art. 9 GDPR) are processed.

D. Frequency of Processing

On-demand (each API call); continuous (for monitored entities with scheduled re-validation).

E. Nature and Purpose of Processing

Validation of submitted identifiers against upstream government sources (VIES, HMRC, GLEIF).
Caching of validation results to reduce latency and upstream load.
Delivery of webhook notifications to the Customer when a monitored entity’s status changes.
Operational logging and security monitoring.

F. Duration of Processing

For the duration of the Service. Cached identifiers expire automatically per the retention schedule in Annex II.

G. Data Subjects to be Notified

The Customer is responsible for providing privacy notices to its own Data Subjects and for establishing a lawful basis for submitting identifiers to EuroValidate.

Annex II — Technical and Organisational Measures

Pseudonymisation and Encryption

All data in transit is protected by TLS 1.2+ with modern cipher suites.
Data at rest is stored on encrypted volumes (LUKS on the production host).
API keys are stored as SHA-256 hashes, never in plaintext.
Customer email addresses in logs are masked to the first 3 characters.

Confidentiality, Integrity, Availability, Resilience

Principle of least privilege on all infrastructure: SSH key-only access, no root login, UFW firewall limited to ports 22/80/443.
Dedicated non-privileged Unix account (deploy) for application management.
Automatic OS security updates (unattended-upgrades).
Application containers run as a non-root user, with read-only root filesystem and no-new-privileges.
Per-country circuit breakers and caching layer protect against upstream outages.
Daily encrypted off-site backups of the PostgreSQL database, retained for 14 days.

Data Retention

Data type	Retention
VAT validation results (cache)	24 hours
EORI validation results (cache)	24 hours
IBAN validation results (cache)	1 hour
Company (GLEIF) data (cache)	7 days
API usage logs	12 months, then anonymised
Account data	For the life of the account + 30 days
Backups	14 days

Access Control and Authentication

Production access is restricted to authorised personnel using SSH keys stored on hardware-backed devices.
All customers authenticate via unique API keys with per-key rate limits.
Cloudflare Turnstile protects registration from automated abuse.

Logging and Monitoring

Structured JSON logs with request IDs.
Error tracking via a self-hosted GlitchTip instance.
External uptime monitoring via Uptime Robot.
Sensitive values (API keys, full IBANs, full email addresses) are never logged.

Incident Management

Documented incident response procedure.
Personal Data Breach notification to Customers within 72 hours (see Section 10).

Restoration of Availability

Targeted RTO of 4 hours and RPO of 24 hours for the production database.
Quarterly restore tests.

Data Protection by Design and by Default

No personal data is collected beyond what is strictly necessary for the Service.
Customers are given self-service GDPR endpoints (/v1/gdpr/*) for export, purge, and account deletion.

Annex III — Authorised Sub-processors

The current list is maintained at /subprocessors and summarised below:

Sub-processor	Purpose	Location
Hetzner Online GmbH	Hosting, compute, storage	Germany (EU)
Cloudflare, Inc.	DNS, CDN, DDoS protection, bot detection	Global / USA
Stripe Payments Europe, Ltd. / Stripe, Inc.	Billing, subscription management, invoicing	Ireland (EU) / USA
Resend Inc.	Transactional email delivery	USA
GitHub, Inc.	Source code and deployment pipelines (no Customer Data)	USA

Transfers to Sub-processors established in the United States are governed by the SCCs (Module Three, Processor-to-Processor) and/or applicable adequacy mechanisms (e.g. EU-US Data Privacy Framework where the Sub-processor is certified).