How we process personal data on behalf of our customers. Last updated: March 2026.
This Data Processing Addendum ("DPA") forms part of and supplements the Terms of Service ("Agreement") between THE GROVVEST AI LTD, a company registered in the Republic of Cyprus under registration number HE 478768 ("Processor", "we", "us", "our") and the customer ("Controller", "you", "your") who has accepted the Agreement.
This DPA applies where and only to the extent that the Processor processes Personal Data on behalf of the Controller in the course of providing the TaxItEasy Service ("Service") under the Agreement.
In the event of a conflict between this DPA and the Agreement, this DPA shall prevail with respect to the processing of Personal Data.
"Data Protection Laws" means all applicable laws and regulations relating to the processing of Personal Data, including but not limited to: (a) the General Data Protection Regulation (EU) 2016/679 ("GDPR"); (b) the United Kingdom General Data Protection Regulation as tailored by the Data Protection Act 2018 ("UK GDPR"); (c) the Swiss Federal Act on Data Protection ("FADP"); and (d) any other applicable data protection laws, in each case as amended or replaced from time to time.
"Personal Data" means any information relating to an identified or identifiable natural person ("Data Subject") as defined in Article 4(1) GDPR, which is processed by the Processor on behalf of the Controller under the Agreement.
"Processing" means any operation or set of operations performed on Personal Data, including but not limited to collection, recording, organization, structuring, storage, adaptation, alteration, retrieval, consultation, use, disclosure by transmission, dissemination, alignment, combination, restriction, erasure, or destruction.
"Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
"Data Breach" means a breach of security leading to the accidental or unlawful destruction, loss, alteration, unauthorized disclosure of, or access to, Personal Data transmitted, stored, or otherwise processed.
"Standard Contractual Clauses" or "SCCs" means the standard contractual clauses for the transfer of personal data to processors established in third countries, as approved by the European Commission Implementing Decision (EU) 2021/914.
"UK Transfer Addendum" means the International Data Transfer Addendum to the EU Commission Standard Contractual Clauses issued by the UK Information Commissioner under Section 119A of the Data Protection Act 2018.
All other capitalized terms not defined herein shall have the meaning given to them in the Agreement or in the GDPR.
The Controller determines the purposes and means of the processing of Personal Data. The Processor processes Personal Data solely on behalf of and under the documented instructions of the Controller, as set out in this DPA and the Agreement.
The details of the data processing (subject matter, duration, nature and purpose, categories of data subjects, and types of Personal Data) are set out in Annex 1 to this DPA.
The Processor shall:
(a) Process Personal Data only on documented instructions from the Controller, including with regard to transfers of Personal Data to a third country, unless required to do so by applicable law. In such case, the Processor shall inform the Controller of that legal requirement before processing, unless the law prohibits such notification on important grounds of public interest.
(b) Immediately inform the Controller if, in the Processor's opinion, an instruction from the Controller infringes Data Protection Laws. The Processor shall be entitled to suspend the relevant processing until the Controller confirms or modifies the instruction.
The Processor shall ensure that all persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality. This obligation shall survive the termination of this DPA and the Agreement.
The Processor shall implement and maintain appropriate technical and organizational measures to ensure a level of security appropriate to the risk, as described in Annex 2 to this DPA. These measures shall include, as appropriate:
(a) The pseudonymization and encryption of Personal Data (AES-256 encryption at rest, TLS 1.2+ in transit).
(b) The ability to ensure the ongoing confidentiality, integrity, availability, and resilience of processing systems and services.
(c) The ability to restore the availability and access to Personal Data in a timely manner in the event of a physical or technical incident.
(d) A process for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures for ensuring the security of the processing.
The Processor shall take reasonable steps to ensure compliance with the security measures by any person acting under its authority.
(a) The Processor shall notify the Controller without undue delay, and in no event later than 48 hours after becoming aware of a Data Breach affecting Personal Data processed under this DPA.
(b) Such notification shall include, to the extent reasonably available:
(c) The Processor shall cooperate with the Controller and take reasonable commercial steps to assist in the investigation, mitigation, and remediation of each Data Breach.
(d) The Processor's notification of a Data Breach shall not be construed as an acknowledgment of fault or liability.
(a) Taking into account the nature of the processing, the Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, in fulfilling the Controller's obligations to respond to requests by Data Subjects to exercise their rights under Data Protection Laws (including rights of access, rectification, erasure, restriction, portability, and objection).
(b) The Processor shall promptly notify the Controller if it receives a request from a Data Subject in respect of Personal Data processed under this DPA. The Processor shall not respond to such request directly unless instructed to do so by the Controller or required by applicable law.
The Processor shall provide reasonable assistance to the Controller with any data protection impact assessments and prior consultations with supervisory authorities, taking into account the nature of the processing and the information available to the Processor.
(a) Upon termination or expiration of the Agreement, the Processor shall, at the Controller's election, delete or return all Personal Data to the Controller and delete existing copies, unless applicable law requires storage of the Personal Data.
(b) The Controller may export Personal Data during the 30-day retention period following termination. After this period, Personal Data shall be deleted from active systems. Removal from encrypted backups shall occur within an additional 90 days.
(c) The Processor shall certify the deletion to the Controller upon request.
The Controller provides general written authorization for the Processor to engage Sub-processors for the processing of Personal Data, subject to the conditions set out in this Section 4.
The current list of Sub-processors is set out in Annex 3 to this DPA and is available at taxiteasy.org/subprocessors.
(a) The Processor shall notify the Controller at least 30 days before engaging any new Sub-processor or replacing an existing Sub-processor, by updating the Sub-processor list on the website and sending notification to the email address associated with the Controller's account.
(b) The Controller may object to the appointment of a new Sub-processor within 14 days of receiving notification. The objection must be based on reasonable, documented data protection grounds.
(c) If the Controller objects and the Processor cannot reasonably accommodate the objection, either party may terminate the Agreement with respect to the affected processing activities. The Processor shall refund any prepaid fees for the period after the effective date of termination.
The Processor shall:
(a) Impose data protection obligations on each Sub-processor that are no less protective than those set out in this DPA by way of a written contract.
(b) Remain fully liable to the Controller for the performance of each Sub-processor's obligations.
The Processor's primary processing of Personal Data (hosting, database, and backup storage) takes place within the European Economic Area (EEA), as set out in Annex 3. To the extent that any processing involves a transfer of Personal Data outside the EEA, the Processor shall ensure that appropriate safeguards are in place as required by Data Protection Laws.
Where transfers outside the EEA are necessary (e.g., to Sub-processors located outside the EEA), the Processor shall ensure one of the following safeguards is in place:
(a) The destination country has an adequacy decision from the European Commission (including transfers to the United States under the EU-U.S. Data Privacy Framework, where the recipient is a certified participant).
(b) The Standard Contractual Clauses (Module 3: Processor to Sub-processor) are executed between the Processor and the Sub-processor.
(c) Other appropriate safeguards under Article 46 GDPR.
For transfers of Personal Data subject to UK GDPR that require additional safeguards, the UK Transfer Addendum shall apply in addition to the SCCs.
For transfers of Personal Data subject to the Swiss FADP, the SCCs shall apply with the modifications set out by the Swiss Federal Data Protection and Information Commissioner.
The Processor shall make available to the Controller all information reasonably necessary to demonstrate compliance with Article 28 GDPR and this DPA, and shall allow for and contribute to audits, including inspections, conducted by the Controller or an auditor mandated by the Controller.
(a) The Controller shall provide at least 30 days' prior written notice for any audit (except in the case of an audit required by a supervisory authority, in which case reasonable notice shall be given).
(b) Audits shall be conducted during normal business hours and shall not unreasonably disrupt the Processor's operations.
(c) The Controller shall bear the costs of any audit, unless the audit reveals a material non-compliance by the Processor, in which case the Processor shall bear the reasonable costs.
(d) The Controller and its auditors shall maintain the confidentiality of all information obtained during the audit.
Where the Processor holds a recognized third-party certification or audit report (e.g., SOC 2 Type II, ISO 27001), the Processor may provide such report to the Controller as an alternative to an on-site audit, provided the Controller may still request an on-site audit where the report does not sufficiently address the Controller's concerns.
The liability of each party under this DPA is subject to the limitations and exclusions of liability set out in the Agreement. This DPA does not create any independent rights of action or expand the liability of either party beyond what is provided in the Agreement.
This DPA shall come into effect on the date the Controller accepts the Agreement and shall remain in effect until the later of: (a) the termination or expiration of the Agreement; or (b) the date on which the Processor ceases all processing of Personal Data on behalf of the Controller.
This DPA shall be governed by and construed in accordance with the laws stated in the Agreement, without prejudice to the mandatory provisions of Data Protection Laws.
| Detail | Description |
|---|---|
| Subject matter | Provision of the TaxItEasy platform for invoice processing and document management |
| Duration | Duration of the Agreement plus data retention/deletion period |
| Nature of processing | Storage, AI/OCR extraction, structuring, organization, retrieval, display, sharing (with authorized tax advisors), export |
| Purpose | Enabling the Controller to manage invoices, extract invoice data, organize documents, share with tax advisors, and track payments |
| Categories of data subjects | Controller's employees, customers, suppliers, business partners, and any natural persons whose data appears in uploaded documents |
| Types of personal data | Names, business addresses, email addresses, phone numbers, tax IDs (e.g., Steuernummer, USt-IdNr., VAT number), bank details (IBAN, BIC), invoice amounts, purchase details, company registration numbers |
| Special categories | Not intentionally processed. Controller must not upload health, biometric, or other Article 9 data without separate agreement |
| Retention | Active: duration of Agreement. Post-termination: 30 days (active systems) + 90 days (backups) |
| Sub-processor | Purpose | Location | Transfer Mechanism |
|---|---|---|---|
| Hetzner Online GmbH | Kubernetes cluster hosting, managed volumes, compute, and networking | Germany (EU) | N/A (within EEA) |
| Supabase, Inc. | Database hosting, authentication, and real-time APIs | Germany (EU, via AWS eu-central-1) | N/A (within EEA) |
| DigitalOcean, LLC | Encrypted backup storage (Spaces Object Storage) | Frankfurt, Germany (EU) | N/A (within EEA) |
| Anthropic, PBC | AI/OCR document processing via API (self-hosted workflows) | United States | EU-U.S. Data Privacy Framework / SCCs |
| Stripe, Inc. | Payment processing, subscription management, and billing | United States | EU-U.S. Data Privacy Framework / SCCs |
| Resend, Inc. | Transactional email delivery | United States | SCCs |
| Functional Software, Inc. (Sentry) | Application error monitoring with PII scrubbing | United States | EU-U.S. Data Privacy Framework / SCCs |
This list reflects the Sub-processors as of March 2026. The current list is always available at taxiteasy.org/subprocessors.
For transfers of Personal Data to Sub-processors located outside the EEA that are not covered by an adequacy decision, the parties agree that the Standard Contractual Clauses as approved by the European Commission Implementing Decision (EU) 2021/914 of 4 June 2021 shall apply, specifically Module 3 (Processor to Sub-processor) as described above.
The SCCs are incorporated by reference and available at: https://eur-lex.europa.eu/eli/dec_impl/2021/914/oj
For UK transfers, the UK Transfer Addendum shall apply as set forth by the UK ICO.
This Data Processing Addendum does not constitute legal advice. We recommend consulting with a qualified data protection professional for your specific compliance requirements.