Conduitt
Back to home
Calender Pen iconLast updated February 7, 2026

Data Processing Agreement

This Data Processing Agreement governs how Conduitt processes personal data on your behalf.

Summary

  • This DPA applies when Conduitt processes personal data on your behalf as a data processor.
  • We process data only according to your documented instructions.
  • We implement appropriate technical and organizational security measures.
  • We notify you of personal data breaches without undue delay.
  • We delete or return all personal data upon termination of the service.

Definitions

  • Controller: You, the customer, who determines the purposes and means of processing personal data through the Service.
  • Processor: Conduitt (operated by Oppulence Engineering), which processes personal data on behalf of the Controller.
  • Personal Data: Any information relating to an identified or identifiable natural person that you submit to or process through the Service.
  • Processing: Any operation performed on personal data, including collection, storage, use, disclosure, and deletion.
  • Sub-processor: A third party engaged by Conduitt to assist in processing personal data on the Controller's behalf.
  • Data Protection Laws: All applicable legislation relating to data protection and privacy, including GDPR, CCPA, and equivalent laws.

Scope and Purpose of Processing

Conduitt processes personal data only as necessary to provide the Service as described in our Terms and Conditions and as further instructed by you.

  • Categories of data subjects: your clients, customers, and end users whose data you enter into the Service.
  • Types of personal data: names, email addresses, postal addresses, phone numbers, invoice details, payment references, and any other data you include in invoices or client records.
  • Processing activities: storing, organizing, retrieving, transmitting, and deleting data as required to operate the invoicing service.
  • Duration: for the term of your subscription plus any retention period described in this agreement.

Our Obligations as Processor

  • Process personal data only on your documented instructions, unless required by applicable law.
  • Ensure that personnel authorized to process personal data are bound by confidentiality obligations.
  • Implement and maintain appropriate technical and organizational measures to protect personal data.
  • Assist you in responding to data subject requests, including access, rectification, erasure, and portability.
  • Assist you with data protection impact assessments and prior consultations with supervisory authorities where required.
  • Make available information necessary to demonstrate compliance with data processing obligations.
  • Notify you without undue delay upon becoming aware of a personal data breach.
  • Delete or return all personal data at the end of the service relationship, unless retention is required by law.

Your Obligations as Controller

  • Ensure you have a lawful basis for processing personal data through the Service.
  • Provide clear instructions regarding the processing of personal data.
  • Comply with all applicable data protection laws with respect to the data you submit.
  • Obtain any necessary consents from data subjects before submitting their data to the Service.
  • Notify Conduitt promptly of any changes to applicable data protection requirements that may affect processing.

Sub-processors

We use a limited number of sub-processors to help deliver the Service. We maintain a list of current sub-processors and will notify you before adding or replacing any sub-processor.

  • We carry out due diligence on sub-processors to ensure they provide sufficient data protection guarantees.
  • Sub-processor agreements impose data protection obligations equivalent to those in this DPA.
  • We remain liable for the acts and omissions of our sub-processors.
  • You may object to a new sub-processor on reasonable data protection grounds. If we cannot accommodate your objection, you may terminate the affected part of the Service.

Security Measures

We implement and maintain appropriate technical and organizational measures designed to protect personal data against unauthorized or unlawful processing and against accidental loss, destruction, or damage.

  • Encryption of personal data in transit (TLS) and at rest.
  • Access controls and authentication mechanisms to limit access to authorized personnel.
  • Regular testing and evaluation of the effectiveness of security measures.
  • Incident response procedures for identifying and addressing security events.
  • Employee training on data protection and security practices.
  • Physical security of data center facilities through our hosting providers.

Data Breach Notification

In the event of a personal data breach, we will notify you without undue delay after becoming aware of the breach.

  • Notification will include the nature of the breach, categories and approximate number of data subjects affected, and likely consequences.
  • We will describe the measures taken or proposed to address the breach and mitigate its effects.
  • We will cooperate with you and take reasonable steps to assist in the investigation, mitigation, and remediation of the breach.
  • Notification of a breach is not an acknowledgment of fault or liability.

Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests under applicable data protection laws. This includes requests for access, rectification, erasure, restriction, portability, and objection. We will promptly notify you if we receive a request directly from a data subject and will not respond independently unless authorized by you or required by law.

International Data Transfers

Where personal data is transferred outside the European Economic Area, the United Kingdom, or Switzerland, we ensure appropriate safeguards are in place.

  • We rely on Standard Contractual Clauses approved by the European Commission for transfers to countries without an adequacy decision.
  • We evaluate the laws of the destination country and implement supplementary measures where necessary.
  • We process data primarily in the United States through hosting providers that maintain appropriate certifications and safeguards.

Data Retention and Deletion

Upon termination or expiration of the Service, we will delete or return all personal data within 30 days, unless applicable law requires continued storage. You may export your data at any time during your subscription. After the deletion period, we will destroy all remaining copies unless legally required to retain them.

Audit Rights

You may audit our compliance with this DPA. We will contribute to audits by providing relevant information and access to facilities. Audits must be conducted with reasonable notice, during business hours, and in a manner that does not disrupt our operations. Where appropriate, we may satisfy audit requests by providing third-party audit reports or certifications.

Term and Termination

This DPA takes effect when you begin using the Service and remains in effect for as long as we process personal data on your behalf. The data protection obligations in this DPA survive termination of the Service.

Liability

Each party's liability arising from or related to this DPA is subject to the limitations of liability set out in the Terms and Conditions. Nothing in this DPA limits either party's liability for breaches of data protection obligations that cannot be limited under applicable law.

Changes to This Agreement

We may update this DPA to reflect changes in data protection laws or our processing practices. If changes are material, we will provide reasonable notice. Continued use of the Service after changes take effect means you accept the updated DPA.

Contact Us

Questions about this document?

Contact usChevron Right icon

We value your privacy

We use cookies to improve your experience, analyze traffic, and personalize content.