Data Processing Addendum

Effective date: 9 July 2026

This Data Processing Addendum ("DPA") forms part of the terms under which Northgate Systems LLC ("Processor") provides the Docufacture application to the merchant ("Controller") and is entered into automatically upon installation of the app.

1. Roles

The merchant is the Controller of personal data relating to its customers. Docufacture is the Processor, acting only on the Controller's documented instructions, namely generating, storing, and delivering invoice and shipping documents.

2. Subject matter & duration

Processing of order and customer data as described in the Privacy Policy, for the duration of the app's installation plus the deletion windows described there.

3. Nature and purpose

Generation of legally compliant commercial documents (invoices, credit notes, packing slips), their storage, delivery by email, and export for accounting.

4. Categories of data & data subjects

Customers of the Controller's store: name, billing and shipping address, email address, order contents, prices and taxes, VAT identification number where provided. No special categories of data are processed.

5. Processor obligations

The Processor shall: process data only for the purposes above; ensure personnel are bound by confidentiality; implement appropriate technical and organizational measures (encryption in transit, access controls, EU data residency for storage); assist the Controller with data subject requests and GDPR obligations; delete or return personal data at the end of services subject to legal retention duties applicable to invoice records; and notify the Controller without undue delay upon becoming aware of a personal data breach.

6. Subprocessors

The Controller authorizes the subprocessors listed in the Privacy Policy. The Processor will update that list before adding subprocessors and remains liable for their performance.

7. International transfers

Application and document data are stored and processed in the EU by our current subprocessors. Should any future subprocessor process personal data outside the EU, such transfers will rely on the European Commission's Standard Contractual Clauses or an adequacy decision, and the subprocessor list will be updated beforehand.

8. Audit

Upon reasonable written request, the Processor will make available information necessary to demonstrate compliance with this DPA.

9. Liability & precedence

This DPA is subject to the limitations of liability in the main terms. In case of conflict regarding data protection, this DPA prevails.

Contact for this DPA: privacy@docufacture.com