1. Definitions
Capitalized terms not otherwise defined here have the meaning given in the GDPR (Regulation (EU) 2016/679), the UK GDPR, the California Consumer Privacy Act (as amended by the CPRA), or the Invoset Terms of Service, as applicable.
- "Customer Personal Data" means personal data that Invoset processes on behalf of the Customer in connection with the service.
- "Data Subject" means an identified or identifiable natural person whose personal data is included in Customer Personal Data.
- "Sub-processor" means a third party engaged by Invoset to process Customer Personal Data, as listed at /legal/subprocessors.
- "Standard Contractual Clauses" or "SCCs" means the European Commission Implementing Decision (EU) 2021/914 module clauses for transfers of personal data to third countries.
2. Roles and scope
For purposes of GDPR and UK GDPR, the Customer is the Controller of Customer Personal Data and Invoset acts as the Processor. For CCPA purposes, the Customer is the Business and Invoset acts as a Service Provider. Invoset will process Customer Personal Data only to provide the service in accordance with the Customer's instructions, the Terms of Service, and applicable law.
3. Subject matter, duration, and nature
- Subject matter: provision of the Invoset accessibility scanning, monitoring, and reporting service.
- Duration: the term of the underlying Terms of Service, plus any retention or return-and-deletion period required by Section 11 of this DPA.
- Nature and purpose: automated scanning of Customer-submitted websites against WCAG 2.1 Level AA, generation of reports, badge issuance, transactional notifications, and audit-trail archiving.
- Categories of Data Subjects: (a) Customer's employees and authorized users who hold accounts on the service; (b) end-visitors of the Customer's websites whose interactions, identifiers, or content may be incidentally captured in scanned HTML, DOM snapshots, or page screenshots, to the extent such data is rendered on public pages submitted for scanning.
- Categories of Personal Data: name, business email address, account credentials processed via Supabase Auth, IP and device metadata for security telemetry, account activity logs, and any personal data incidentally present in scanned HTML or page screenshots from the Customer's websites (Invoset does not target this data; it is collected only as part of automated WCAG analysis).
- Special Categories of Personal Data: none are intended to be processed; Customers must not submit special-category data through scanned pages or scan inputs.
4. Customer instructions
Invoset will process Customer Personal Data only on documented instructions from the Customer, including with regard to transfers to a third country or international organization, unless required to do so by Union or Member State law to which Invoset is subject. The Terms of Service, this DPA, and the documented in-product configuration constitute the Customer's complete and final instructions to Invoset.
5. Confidentiality
Invoset ensures that personnel authorized to process Customer Personal Data are bound by confidentiality obligations and receive appropriate training on data protection. Access is limited to personnel who require it to provide the service.
6. Security measures
Invoset implements appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including:
- Encryption of personal data in transit (TLS 1.2 or higher) and at rest (AES-256 via Supabase managed Postgres and storage).
- Row-level security and least-privilege database access; service-role keys are not exposed to the browser.
- Authentication via Supabase Auth with HMAC-SHA256 (HS256) JWT signing, server-side token verification, and short-lived session tokens.
- Logical separation of customer data through tenant identifiers and row-level policies.
- Continuous monitoring and audit logging across the API and worker tier.
- A documented vulnerability disclosure policy and a process for evaluating and remediating reported issues.
- Regular review of sub-processor security posture as part of vendor management.
See our Security page for the full description of our security commitments.
7. Sub-processors
The Customer authorizes Invoset to engage the sub-processors listed at /legal/subprocessors. Invoset will impose data protection obligations on each sub-processor that are no less protective than those in this DPA. Invoset will provide at least 30 days' prior notice of any new sub-processor that will process Customer Personal Data; the Customer may object on reasonable data-protection grounds and, if the parties cannot find a workable solution, terminate the underlying subscription.
8. Data subject requests
Taking into account the nature of the processing, Invoset will assist the Customer by appropriate technical and organizational measures, insofar as possible, to fulfill the Customer's obligations to respond to requests from Data Subjects to exercise their rights under applicable law (including access, rectification, erasure, restriction, portability, and objection). Customer-initiated rights actions can be performed through the dashboard or by contacting legal@invoset.com.
9. International transfers
The Customer authorizes the transfer of Customer Personal Data to countries outside the EEA, the UK, or Switzerland where necessary to provide the service. Where such transfers occur, Invoset relies on the Standard Contractual Clauses (Module Two: Controller-to-Processor) and any required UK or Swiss addenda, which are incorporated by reference into this DPA. For transfers to the United States, Invoset may also rely on the EU-U.S. Data Privacy Framework where the recipient sub-processor is certified.
10. Personal data breach
Invoset will notify the Customer without undue delay, and in any event within 72 hours of becoming aware of a Personal Data Breach affecting Customer Personal Data. The notice will include, to the extent known at the time, the nature of the breach, the categories and approximate number of Data Subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.
11. Return and deletion of data
On termination of the underlying subscription, the Customer may, for 30 days, (a) continue to download per-scan PDF reports and audit-trail PDF documents through the dashboard and (b) request a full data export by emailing legal@invoset.com, which we will fulfill within 14 days as a CSV or JSON archive. After the 30-day window, Invoset will delete or return Customer Personal Data, unless retention is required by applicable law (for example, financial records, dispute resolution, or audit-trail retention obligations). Backups containing Customer Personal Data are purged on the next scheduled rotation cycle, which is no longer than 90 days after subscription termination.
12. Audits
Invoset will make available to the Customer all information necessary to demonstrate compliance with the obligations laid down in Article 28 GDPR. In place of on-site audits, which are not practical for a small SaaS, Invoset will respond to reasonable written information requests, share applicable third-party audit reports of its sub-processors when permitted by license, and answer security questionnaires submitted in good faith.
13. CCPA addendum
For Customer Personal Data subject to the CCPA, Invoset is a Service Provider under §1798.140(ag) and certifies that it: (a) will not retain, use, or disclose Customer Personal Data outside the direct business relationship with the Customer or for any purpose other than the specific business purposes set forth in the Terms of Service and this DPA, including any commercial purpose; (b) will not sell or share Customer Personal Data; (c) will not combine Customer Personal Data with personal information received from any other source, except as permitted under §1798.140(ag)(1) for service-provider business purposes; (d) certifies that it understands and will comply with the restrictions in §1798.140(ag) and §1798.100 et seq.; and (e) grants the Customer, in its capacity as a Business under the CCPA, the right to take reasonable and appropriate steps to ensure compliance, including by reviewing the audit response described in Section 12 of this DPA, as a means of stopping and remediating any unauthorized use of Customer Personal Data.
14. Liability
Each party's liability under this DPA is subject to the limitations and exclusions set out in the Terms of Service. Where applicable law (including GDPR Article 82) provides for joint and several liability, that allocation governs as between the parties and the affected Data Subject.
15. How to execute this DPA
For most customers, this DPA is incorporated by reference into the Terms of Service and no additional signature is required. If your organization needs a counter-signed copy (for example, as part of a procurement process), email legal@invoset.com with your legal entity name, registered address, and the name and title of the signatory. We will return a counter-signed PDF within five business days.
16. Governing terms
This DPA is governed by, and forms part of, the Terms of Service. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Customer Personal Data, this DPA prevails.
17. Contracting entity
- Registered name: Ravencord Inc.
- Registry: Delaware Division of Corporations · File number pending
- Registered agent: Legalinc Corporate Services Inc.
- Address: 6688 Nolensville Rd, Ste 108 #2225, Brentwood, TN 37027, United States
- Phone: +1 615 413 2151
- Email: tech@ravencord.com