Data Processing Agreement (DPA)
Version 1.0, 2026-06-10. This DPA is incorporated into the terms accepted by installing the Faktwise app and is concluded between the merchant (controller) and Emanuel Luís, sole trader, Portugal, operating Faktwise (processor), per Art. 28 GDPR.
1. Subject matter and duration
Processing of order and customer data solely to generate, store, deliver and export invoices and credit notes on the controller's documented instruction (given through app configuration), for the duration of the app installation plus statutory retention periods.
2. Nature and purpose
Generation of legally required invoices (PDF, ZUGFeRD/Factur-X, XRechnung), archiving (10 years), email delivery to end customers when enabled, VAT ID validation via VIES, reporting exports.
3. Categories of data and data subjects
Data subjects: the controller's customers. Data: name, billing/shipping address, email, country, VAT ID, purchased items and amounts. No special categories (Art. 9) are processed.
4. Subprocessors
| Subprocessor | Purpose | Location |
|---|---|---|
| alwaysdata SAS | Hosting, database, email delivery (SMTP) | Paris, France (EU) |
| Proton AG | Support mailbox (only data you include in support requests) | Switzerland (EU adequacy decision) |
The controller grants general authorization for these subprocessors. We will inform merchants of intended additions or replacements at least 30 days in advance (in-app or by email); the merchant may object on reasonable data-protection grounds, in which case the merchant may terminate by uninstalling the app before the change takes effect.
Note: VAT IDs are validated against VIES, a service of the European Commission. VIES is a public authority service acting as a separate controller, not our subprocessor. Shopify, as your commerce platform, likewise acts under its own agreement with you.
5. Security measures (Art. 32)
- TLS for all transport; OAuth tokens encrypted at rest (AES-256-GCM)
- Per-tenant data isolation enforced at the data layer
- EU-only hosting; dedicated database user; daily backups
- Immutable, append-only invoice storage with audit log (GoBD)
6. Assistance and deletion
We implement Shopify's GDPR webhooks: data-subject requests are surfaced to the controller; on uninstallation, operational data is deleted within 48 hours while invoice archives are retained for the statutory period (Art. 17(3)(b) GDPR), after which they are deleted.
7. Audit
On request, we provide the information reasonably necessary to demonstrate compliance with this DPA (Art. 28(3)(h) GDPR).