Data Processing Agreement (DPA)

Read the Fiscora data processing agreement for client organizations, gestorias, and collaborators.

1. Introduction

This Data Processing Agreement ("DPA") supplements the Terms of Service of the Fiscora service and is entered into between the Customer (Data Controller) and Devura Digital SL (Data Processor), pursuant to Article 28 of Regulation (EU) 2016/679 (GDPR).

2. Parties

Data Controller: The Customer using Fiscora to manage personal data in the context of its business or professional activities.

Data Processor: Devura Digital SL, NIF B24830317, registered at av. Ferrocarril, 83, 12560 Benicassim, Castelló, ES.

3. Subject of processing

The Processor processes personal data on behalf of the Controller in order to host, operate, maintain, and support the Fiscora service, in line with the functionalities contracted or enabled by the Controller.

4. Nature and purpose of processing

Depending on the enabled modules, processing may include invoicing, quoting, recurring workflows, expenses, document storage, payroll and employee management, bank reconciliation, direct debit collections, exports, traceability, technical support, and service-related automations.

5. Types of data processed

Identification and contact data, tax and accounting data, invoicing and payment data, banking data, payroll and employment data, document attachments, audit records, technical identifiers, and any other information uploaded by the Controller into the service.

6. Categories of data subjects

The Controller's personnel, customers, suppliers, employees, collaborators, invoice recipients, payers, and any other individuals whose data the Controller enters into the service.

7. Duration

This DPA remains in force for the duration of the service. After the contract ends, the Processor will delete or return personal data in accordance with the Controller's instructions and reasonable technical offboarding timelines, unless applicable law requires longer retention or blocking.

8. Obligations of the Processor

  1. Process personal data only on documented instructions from the Controller.
  2. Ensure that persons authorized to process data have committed to confidentiality.
  3. Implement appropriate technical and organizational measures to ensure the security of processing in accordance with Article 32 GDPR.
  4. Not engage another processor without the Controller's prior specific or general authorization and impose equivalent data protection obligations on that sub-processor.
  5. Assist the Controller in fulfilling data subject rights requests (access, rectification, erasure, portability, objection).
  6. Assist the Controller in obligations related to security of processing, breach notification, data protection impact assessments, and prior consultations.
  7. At the Controller's choice, delete or return all personal data after the end of the service provision.
  8. Make available to the Controller all information necessary to demonstrate compliance with the obligations of Article 28 GDPR, and allow and contribute to audits.

The Processor remains liable to the Controller for the acts of its sub-processors and limits access to personal data to staff and providers who need it to deliver the service.

9. Sub-processors

The Controller grants a general authorization for the Processor to use sub-processors and technical providers required to deliver Fiscora. As of this version, they may include, depending on the enabled modules:

  • MongoDB Atlas — database hosting and managed backups.
  • Cloudflare R2 — file storage, exports, and attachments.
  • EU application hosting, such as Hetzner or Scaleway, depending on the active infrastructure.
  • Postmark or equivalent SMTP providers — transactional notifications and email delivery.
  • Afterbanks and/or GoCardless Bank Data — bank connectivity and transaction sync when the Controller enables those functions.
  • OpenAI or similar OCR/AI document-processing providers — extraction of data from expenses or supporting documents only if the Controller enables those features.

Where we add or replace a material sub-processor, we will update this list or notify the change through reasonable means. If the Controller raises a justified objection and no reasonable alternative is available, the affected functionality may be discontinued or the service terminated in line with the contract. The Customer's own subscription billing through Stripe and disclosures to public authorities may be governed by their own terms as recipients or independent controllers where applicable.

10. Breach notification

The Processor will notify the Controller of any personal data breach without undue delay and in any case within 48 hours of becoming aware, providing all available information about the nature, scope, and measures taken.

11. Audits and compliance information

Upon reasonable request from the Controller, and with adequate notice, the Processor will provide information about the safeguards in place and cooperate with audits or reviews that are proportionate to the risk, provided they do not compromise security, third-party confidentiality, or amount to an abuse of audit rights.

12. Controller responsibilities

The Controller remains responsible for the lawfulness of the personal data and the instructions it provides to the Processor. In particular, the Controller warrants that it:

  • Has a valid legal basis to disclose personal data to the Processor and to use the contracted modules.
  • Has provided data subjects with the privacy information required in its relationship with them.
  • Will not instruct the Processor to carry out unlawful processing or upload categories of data that are unnecessary for the intended purpose.

13. International transfers

The Processor prioritizes hosting and providers within the EEA, but some sub-processors or optional features may involve transfers or remote access from third countries. Where that happens, the Processor will apply the appropriate transfer mechanism under Chapter V GDPR, including adequacy decisions, the Standard Contractual Clauses, and supplementary measures where required.

14. Governing law

This DPA is governed by Spanish law and the GDPR. Any disputes shall be submitted to the Courts of Castellón de la Plana.

Last updated: 2026-04-23