InvoiceCast — Data Processing Agreement

Last Updated: 04-24-2026

Effective Date: 04-24-2026

Version: 2026.1

This Data Processing Agreement ("DPA") forms part of the InvoiceCast Terms of Service between 9344-2481 Québec Inc. ("InvoiceCast," "we," "us," or "Processor") and the customer using the InvoiceCast Service ("Customer," "you," or "Controller").

This DPA applies when Customer uses InvoiceCast to process personal information relating to Customer’s clients, contractors, invoice recipients, employees, representatives, or other third parties.

1. Roles of the Parties

Customer is the controller of Customer Personal Data.

InvoiceCast acts as a processor when it processes Customer Personal Data on behalf of Customer through the Service.

Customer determines the purposes and means of processing Customer Personal Data. InvoiceCast processes Customer Personal Data only to provide, secure, maintain, support, and improve the Service in accordance with Customer’s instructions, the Terms of Service, this DPA, and applicable law.

For personal information relating directly to InvoiceCast’s own relationship with Customer, including account registration, billing, security, support, and legal compliance, InvoiceCast acts as an independent controller as described in the Privacy Policy.

2. Definitions

"Applicable Data Protection Laws" means all privacy and data protection laws applicable to the processing of Customer Personal Data, including, where applicable, Quebec’s Act respecting the protection of personal information in the private sector, PIPEDA, GDPR, UK GDPR, and applicable U.S. state privacy laws.

"Customer Personal Data" means personal information or personal data that Customer submits, uploads, stores, or otherwise processes through the Service and for which Customer acts as controller.

"Data Subject" means an identified or identifiable individual to whom Customer Personal Data relates.

"Processing" has the meaning given under Applicable Data Protection Laws and includes collection, storage, use, access, transmission, disclosure, deletion, and anonymization.

"Sub-processor" means a third-party service provider engaged by InvoiceCast to process Customer Personal Data on behalf of InvoiceCast.

3. Scope of Processing

InvoiceCast processes Customer Personal Data for the following purposes:

creating, storing, managing, and delivering invoices;
managing clients, contractors, users, accounts, and business profiles;
generating PDFs, Word documents, exports, and reports;
enabling timesheet submission and approval workflows;
sending transactional emails, including invoice delivery emails and account notifications;
providing support and troubleshooting;
maintaining security, fraud prevention, abuse detection, logging, backups, and service availability;
complying with legal obligations applicable to InvoiceCast.

InvoiceCast will not process Customer Personal Data for advertising, resale, third-party marketing, or AI/model training.

4. Categories of Personal Data

Customer Personal Data may include:

names;
email addresses;
phone numbers;
mailing addresses;
business names;
tax identification numbers;
invoice recipient information;
contractor information;
timesheet details;
invoice line items and descriptions;
rates, amounts, taxes, and payment-related metadata;
support communications containing Customer Personal Data;
IP addresses, logs, and technical metadata where connected to Customer’s use of the Service.

5. Categories of Data Subjects

Customer Personal Data may relate to:

Customer’s clients;
invoice recipients;
contractors;
employees;
account users;
business representatives;
service providers or other contacts entered into the Service by Customer.

6. Customer Instructions

Customer instructs InvoiceCast to process Customer Personal Data as necessary to provide the Service and as otherwise described in the Terms of Service, Privacy Policy, and this DPA.

InvoiceCast will not process Customer Personal Data outside those instructions unless required by applicable law. If InvoiceCast is legally required to process Customer Personal Data for another purpose, InvoiceCast will notify Customer unless legally prohibited from doing so.

Customer is responsible for ensuring that:

it has a lawful basis to collect and process Customer Personal Data;
it has provided required privacy notices to Data Subjects;
it has obtained any required consents;
its use of the Service complies with Applicable Data Protection Laws;
the Customer Personal Data it enters into the Service is accurate and lawful.

7. Confidentiality

InvoiceCast will ensure that persons authorized to process Customer Personal Data are bound by confidentiality obligations or are subject to appropriate statutory confidentiality duties.

InvoiceCast will limit access to Customer Personal Data to personnel and contractors who need access to provide, secure, maintain, or support the Service.

8. Security Measures

InvoiceCast will maintain appropriate technical and organizational measures designed to protect Customer Personal Data against unauthorized access, loss, misuse, alteration, disclosure, or destruction.

These measures include, as applicable:

encryption in transit using TLS;
disk-level encryption at rest;
application-level encryption for selected personal information fields;
password hashing using secure algorithms;
account-scoped authorization controls;
role-based access controls;
audit logging;
encrypted backups;
network isolation;
security patching;
access monitoring;
least-privilege access practices;
incident response procedures.

InvoiceCast may update its security measures from time to time, provided such updates do not materially reduce the overall security of the Service.

9. Sub-processors

Customer authorizes InvoiceCast to use Sub-processors to provide the Service.

InvoiceCast’s current Sub-processors include:

Sub-processor	Purpose
Amazon Web Services	Cloud infrastructure (EC2), storage (S3) , backups (S3), transactional email (SES)
Vultr	Cloud infrastructure, hosting, storage, logs
Google Cloud	Storage and backups
Brevo	Transactional email delivery
Cloudflare	CDN, DNS, DDoS protection, security, network routing
Stripe	Subscription billing and payment processing

InvoiceCast will ensure that each Sub-processor is bound by written obligations that provide at least substantially similar protection for Customer Personal Data as this DPA.

InvoiceCast remains responsible for its Sub-processors’ processing of Customer Personal Data to the extent required by Applicable Data Protection Laws.

InvoiceCast may add or replace Sub-processors from time to time. InvoiceCast will update its Privacy Policy and/or Sub-processor list and provide 30-day prior notice of new/replacement sub-processors.

Customer may object to new/replacement sub-processors by contacting InvoiceCast within the notice period. InvoiceCast will consider reasonable objections in good faith and may offer mitigation measures, which may include:

allowing Customer to export data and terminate the Service without penalty;
implementing additional contractual or technical safeguards with the new Sub-processor;
providing a transition period to allow Customer to adjust to the change.

If InvoiceCast cannot accommodate a reasonable objection, Customer may terminate the Service without penalty within the notice period.

10. International Transfers

10.1 Storage location

Customer Personal Data is stored at rest in data centers located in the United States.

10.2 Limited processing outside the United States

Certain limited processing of Customer Personal Data and related technical or transactional metadata may occur outside the United States through InvoiceCast's Sub-processors. Such processing is limited to:

Network transit and edge processing (e.g., Cloudflare's global edge network for CDN, DNS, and DDoS protection);
Transactional email delivery (e.g., Brevo's EU and global mail infrastructure used to send invoice and account emails);
Payment processing (e.g., Stripe's payment infrastructure for subscription billing);
Backup storage in regions specified in the current Sub-processor list, where applicable;
Customer support and operational tooling used by InvoiceCast personnel.

These activities do not change the primary storage location of Customer Personal Data.

10.3 Lawful transfer mechanisms

Where Customer Personal Data is transferred from the European Economic Area, the United Kingdom, or Switzerland to a third country (including the United States), InvoiceCast relies on the Standard Contractual Clauses adopted by the European Commission (Commission Implementing Decision (EU) 2021/914), the UK International Data Transfer Addendum, or another lawful transfer mechanism recognized under Applicable Data Protection Laws. InvoiceCast is not currently self-certified under the EU-US Data Privacy Framework.

InvoiceCast has carried out a Transfer Impact Assessment in accordance with EDPB Recommendations 01/2020. A redacted summary is available on request to [email protected].

10.4 Sub-processor regions

The country of import for each Sub-processor is published in the current Sub-processor list (Privacy Policy §5.2 and DPA §9). Customer will be notified of changes to Sub-processors in accordance with §9.

11. Assistance with Data Subject Requests

InvoiceCast will provide reasonable assistance to Customer in responding to Data Subject requests, including requests for access, correction, deletion, portability, restriction, or objection.

Where possible, Customer should respond to such requests using the self-service tools available in the Service.

If InvoiceCast receives a request directly from a Data Subject relating to Customer Personal Data, InvoiceCast may refer the Data Subject to Customer unless legally required to respond directly.

12. Assistance with Compliance

Taking into account the nature of the processing and information available to InvoiceCast, InvoiceCast will provide reasonable assistance to Customer with:

security obligations;
breach notification obligations;
data protection impact assessments;
regulatory consultations;
privacy compliance inquiries related to the Service.

InvoiceCast may charge reasonable fees for assistance that is outside normal support or requires significant technical, legal, or operational work.

13. Security Incidents and Breach Notification

InvoiceCast will notify Customer without undue delay and, where feasible, within 24 hours after confirming a security incident involving Customer Personal Data that presents a real risk of significant harm or otherwise requires notification under Applicable Data Protection Laws.

The notice will include, where available:

the nature of the incident;
categories of data affected;
categories and approximate number of Data Subjects affected;
likely consequences;
measures taken or proposed to address the incident;
steps Customer may take to reduce risk.

InvoiceCast’s notification of a security incident is not an admission of fault or liability.

Customer is responsible for determining whether it must notify affected Data Subjects, regulators, or other third parties, except where InvoiceCast has a direct legal obligation to do so.

14. Deletion and Return of Data

During the term of the Service, Customer may export Customer Personal Data using InvoiceCast’s self-service export tools.

Upon account deletion or termination, InvoiceCast will delete or anonymize Customer Personal Data in accordance with the Terms of Service and Privacy Policy.

InvoiceCast may retain limited data where required or permitted by law, including for tax, accounting, security, fraud prevention, dispute resolution, legal compliance, backup, or audit purposes.

Backups are deleted on a rolling schedule. Customer Personal Data may remain in encrypted backups for a limited period after deletion until those backups expire.

15. Audits and Information Rights

Upon reasonable written request, InvoiceCast will provide Customer with information reasonably necessary to demonstrate compliance with this DPA.

Customer may not conduct security testing, penetration testing, vulnerability scanning, or audits of InvoiceCast systems without prior written approval.

Where an audit is legally required, the parties will agree on reasonable scope, timing, confidentiality, and security restrictions. InvoiceCast may satisfy audit obligations by providing security summaries, policy excerpts, third-party certifications, questionnaires, or equivalent documentation.

16. No AI Training

InvoiceCast will not use Customer Personal Data, Customer Content, invoice data, client data, contractor data, or usage-derived data to train, develop, improve, fine-tune, or evaluate artificial intelligence models, machine learning systems, large language models, or similar technologies.

This restriction applies whether the AI system is operated by InvoiceCast or by a third party.

InvoiceCast may use aggregated, anonymized, non-personal usage statistics to improve the Service, provided such data cannot identify Customer, any Data Subject, or any Customer Content.

17. Government and Law Enforcement Requests

If InvoiceCast receives a legally binding request from a government authority, court, regulator, or law enforcement agency seeking Customer Personal Data, InvoiceCast will notify Customer unless legally prohibited from doing so.

InvoiceCast will disclose only the information it reasonably believes is legally required.

18. Customer Responsibilities

Customer is responsible for:

determining whether the Service is appropriate for its processing activities;
configuring the Service appropriately;
managing user access and permissions;
securing its account credentials;
obtaining required consents and authorizations;
responding to Data Subject requests;
maintaining its own required tax, accounting, legal, and business records;
ensuring that Customer Personal Data submitted to the Service is lawful and accurate.

19. Liability

Each party’s liability under this DPA is subject to the limitations and exclusions of liability in the Terms of Service, except to the extent such limitations are prohibited by Applicable Data Protection Laws.

Nothing in this DPA limits liability that cannot be limited under applicable law.

20. Conflict

If there is a conflict between this DPA and the Terms of Service, this DPA controls with respect to the processing of Customer Personal Data.

If there is a conflict between this DPA and the Privacy Policy, this DPA controls with respect to Customer Personal Data processed by InvoiceCast as processor, and the Privacy Policy controls with respect to personal information processed by InvoiceCast as controller.

21. Term

This DPA remains in effect for as long as InvoiceCast processes Customer Personal Data on behalf of Customer.

Sections that by their nature should survive termination will survive, including confidentiality, deletion, security, liability, and audit-related provisions.

22. Contact

Questions about this DPA may be sent to:

InvoiceCast
9344-2481 Québec Inc.
Email: [email protected]
Privacy Officer: [email protected]