Back to overview
Full document

FacturaOS Data Processing Addendum

This Data Processing Addendum forms part of the FacturaOS Terms when a business customer submits personal information for FacturaOS to process on its behalf.

Last updated: July 13, 2026privacy@facturaos.com
On this page
  1. 1. Parties, scope, and effect
  2. 2. Definitions
  3. 3. Roles and Customer responsibilities
  4. 4. Documented instructions and purpose limitation
  5. 5. Confidentiality and access
  6. 6. Security measures
  7. 7. Subprocessors
  8. 8. Assistance with individual rights
  9. 9. Security incidents
  10. 10. Assessments, consultations, and regulators
  11. 11. Audits and compliance information
  12. 12. Return and deletion
  13. 13. International transfers
  14. 14. U.S. state service-provider terms
  15. 15. Restricted data and no HIPAA agreement
  16. 16. Processing details

1. Parties, scope, and effect

This Data Processing Addendum (DPA) is between the customer organization that accepts the FacturaOS Terms (Customer) and J.R.SOSA & CO. (FacturaOS). It applies when FacturaOS processes Customer Personal Data on Customer's behalf in providing the service.

This DPA is incorporated into the Terms and becomes effective when Customer accepts the Terms or first submits Customer Personal Data, whichever occurs first. If there is a conflict about processing Customer Personal Data, this DPA controls, followed by the Terms.

2. Definitions

Applicable Data Protection Law means privacy or data-protection law that applies to the processing. Controller, processor, service provider, business, personal data, personal information, processing, sale, and supervisory authority have the meanings assigned by that law.

Customer Personal Data means personal information contained in Customer Data that FacturaOS processes on Customer's behalf. It excludes information FacturaOS controls independently for account administration, billing, security, legal compliance, and its own business purposes as described in the Privacy Policy.

3. Roles and Customer responsibilities

Customer is the controller or business, or a processor acting for another controller. FacturaOS is the processor or service provider for Customer Personal Data. Each party will comply with its obligations under Applicable Data Protection Law.

Customer is responsible for lawful instructions; required notices and consents; the accuracy, necessity, and legality of Customer Personal Data; responding to people whose data Customer controls; and ensuring the service is appropriate for Customer's regulatory requirements.

4. Documented instructions and purpose limitation

Customer instructs FacturaOS to process Customer Personal Data to provide, secure, support, maintain, and improve the service; prevent fraud and abuse; comply with Customer's configured actions; and fulfill the Terms. The Terms, product configuration, support requests, and Customer's lawful use of features are documented instructions.

FacturaOS will not process Customer Personal Data for an unrelated purpose or sell it. FacturaOS may process data where required by law and, unless prohibited, will inform Customer before doing so. If an instruction appears unlawful, FacturaOS may suspend the affected processing and notify Customer.

5. Confidentiality and access

FacturaOS will limit access to personnel and contractors who need it for authorized duties and who are bound by confidentiality obligations. FacturaOS will maintain reasonable access controls and periodically review access appropriate to its size, risk, and service.

6. Security measures

FacturaOS will maintain reasonable administrative, technical, and organizational measures designed to protect Customer Personal Data against accidental or unlawful destruction, loss, alteration, unauthorized disclosure, or access.

Measures include, as appropriate, encrypted transmission; authentication and role-based access; private storage controls; environment separation; logging and monitoring; provider due diligence; vulnerability and dependency management; backups and recovery processes; incident response; and data minimization. Customer acknowledges that security evolves and FacturaOS may update measures without materially reducing overall protection.

7. Subprocessors

Customer generally authorizes FacturaOS to engage subprocessors needed to provide the service. Current key providers are listed in the Subprocessor List. FacturaOS will impose data-protection obligations appropriate to each subprocessor's role and remains responsible for its own obligations under this DPA.

FacturaOS may update the list as the service changes. Customer may object within 15 days of a material new subprocessor notice by explaining reasonable data-protection grounds. The parties will work in good faith on a reasonable solution; if none is available, Customer's remedy is to stop using the affected feature or terminate the service, subject to the Refunds and Cancellation Policy and non-waivable law.

8. Assistance with individual rights

Taking into account the nature of processing, FacturaOS will provide reasonable assistance through product controls or support so Customer can respond to legally valid requests for access, correction, deletion, restriction, objection, or portability.

If FacturaOS receives a request concerning Customer Personal Data, it may direct the requester to Customer and will not respond substantively except on Customer's instructions or as required by law. Customer is responsible for verifying and answering requests.

9. Security incidents

FacturaOS will notify Customer without undue delay after confirming a security incident involving Customer Personal Data where notice is required by law or this DPA. Notice may be delivered to the account owner or other designated contact and will include available information reasonably needed for Customer's response.

Notification is not an admission of fault or liability. Customer is responsible for keeping contacts current and for its own legally required notices. Unsuccessful attacks, scans, blocked attempts, and events that do not compromise Customer Personal Data are not security incidents under this DPA.

10. Assessments, consultations, and regulators

FacturaOS will provide reasonable information needed for Customer's data-protection impact assessment or consultation with a regulator, considering the nature of processing and information available to FacturaOS. Customer remains responsible for determining whether an assessment or consultation is required.

11. Audits and compliance information

On reasonable written request no more than once annually, FacturaOS will provide available security or compliance information reasonably necessary to demonstrate compliance with this DPA. If legally required and that information is insufficient, the parties may arrange a narrowly scoped audit by an independent qualified auditor under confidentiality, during normal business hours, without accessing other customers' data or unreasonably disrupting operations.

Customer pays its audit costs and FacturaOS's reasonable costs unless the audit identifies a material uncured breach by FacturaOS. Audits do not include source code, penetration testing, privileged information, trade secrets unrelated to compliance, or infrastructure that FacturaOS does not control.

12. Return and deletion

During the subscription, Customer may access or export supported Customer Data. After termination or an authorized deletion request, FacturaOS will delete or return Customer Personal Data according to product capabilities and retention processes, unless law requires retention.

Deletion from backups, logs, payment systems, and subprocessor systems may take additional time. Retained data remains protected and is used only for the reason retained. Customer must export legally required records before deletion.

13. International transfers

Customer authorizes processing in the United States and other locations used by approved subprocessors. Where Applicable Data Protection Law requires a transfer mechanism, the parties will cooperate in good faith to implement an appropriate mechanism, such as applicable standard contractual clauses, to the extent available for FacturaOS's service and plan.

This DPA does not by itself certify that Customer's use complies with every international transfer requirement. Customer is responsible for its transfer assessment and any supplementary obligations specific to its data or jurisdiction.

14. U.S. state service-provider terms

Where U.S. state law treats FacturaOS as a service provider, contractor, or processor, FacturaOS will not sell or share Customer Personal Data; retain, use, or disclose it outside the direct business relationship except as permitted by law; combine it with personal information from unrelated sources except as permitted; or use it for targeted advertising based on activity across non-affiliated businesses.

Customer may take reasonable and appropriate steps to help ensure processing is consistent with these restrictions and may notify FacturaOS of a reasonable belief of unauthorized processing. FacturaOS will cooperate in good faith to stop and remediate confirmed unauthorized use.

15. Restricted data and no HIPAA agreement

Customer will not submit full payment-card credentials, protected health information subject to HIPAA, Social Security numbers, biometric templates, government authentication credentials, or similarly high-risk regulated data unless FacturaOS expressly authorizes it in writing.

This DPA is not a Business Associate Agreement under HIPAA and does not make FacturaOS compliant with a Customer-specific regulatory regime. Customer must obtain a separate written agreement before using FacturaOS for data that legally requires one.

16. Processing details

Subject matter and duration: providing FacturaOS for the term of the agreement plus limited retention and deletion periods. Nature and purpose: hosting, organizing, generating, transmitting, exporting, securing, supporting, and deleting business records as configured by Customer.

Data subjects may include Customer's users, clients, prospects, invoice recipients, employees, contractors, suppliers, contacts, and support participants. Data may include identifiers, contact details, business records, invoice and transaction information, photographs or files, professional-license information, device and usage records, support communications, and other data Customer chooses to submit.

Processing operations may include collection, recording, organization, structuring, storage, retrieval, consultation, use, transmission, disclosure under Customer instruction, restriction, backup, export, and deletion. Frequency is continuous or as initiated by users. Customer's rights and obligations are described in the Terms and this DPA.

Questions about this document?

Contact us and include the document name so we can route your question correctly.

Data protection contact