Data Processing Addendum
Last updated: 2026-04-23
This Data Processing Addendum ("DPA") forms part of the agreement between Zyntem ("Processor", "we") and the Customer ("Controller") and governs the processing of personal data carried out by the Zyntem fiscalization API on the Controller's behalf. It gives effect to Article 28 GDPR and applies to all personal data the Controller submits to the service.
A signed counterpart is available on request at privacy@zyntem.dev.
1. Scope and nature of processing
We process personal data only to deliver the Zyntem fiscalization service on the Controller's documented instructions. The processing consists of:
- Receiving fiscal-document data submitted to our API (invoices, receipts, corrective notes, and the fields required to sign and submit each document).
- Signing, validating, queueing, and forwarding those documents to the competent national tax authority.
- Persisting the submission, its response, and the cryptographic chain required by local law for the statutory retention period.
- Providing operational support, security monitoring, and abuse prevention.
Categories of data subjects: the Controller's end customers and the Controller's own employees. Categories of personal data: tax identifiers, purchase details, and any personal data that local fiscalization law requires on the document.
2. Duration
Processing begins on the effective date of the main agreement and continues until the Controller's account is terminated, after which the retention and return/deletion rules in §8 apply.
3. Sub-processors
The Controller authorises the use of the following sub-processors. We will notify the Controller at least 30 days before adding or replacing a sub-processor and offer a right to object for material changes.
| Sub-processor | Purpose | Location | Transfer safeguard |
|---|---|---|---|
| Google Cloud EMEA Limited (GCP) | Primary hosting, Cloud SQL database, managed Kubernetes, object storage for receipts. | EU (europe-west1, Belgium) | EU storage; GCP EU DPA |
| Stripe Payments Europe, Ltd. | Billing, invoicing, and payment processing for Zyntem subscriptions. Stripe acts as an independent controller for card data under its own privacy policy. | Ireland, with transfers to US | Stripe DPA & EU Standard Contractual Clauses (Commission Implementing Decision 2021/914, Modules 2 & 3). |
| National tax authorities | Submission of fiscal documents as required by law (AEAT Spain, Agenzia delle Entrate / SdI Italy, DGFiP France, AT Portugal). | EU member state of submission | Legal obligation (GDPR Art. 6(1)(c)) |
Note: Anthropic, PBC (used for AI error translation) is not a sub-processor under this DPA. The translation endpoint receives only generic error codes and error messages from the fiscal authority; it does not receive personal data submitted via the fiscalization API. No SCC is therefore required for Anthropic under this DPA.
4. International transfers
Primary processing occurs in the EU (GCP europe-west1). The only routine transfer outside the EEA is to Stripe in relation to billing, governed by the EU Standard Contractual Clauses together with the supplementary measures described in our transfer-impact assessment, which is available on request. Where a disaster-recovery failover requires transfer outside the EEA, the same SCC framework applies.
5. Security measures
We implement technical and organisational measures appropriate to the risk (GDPR Art. 32), including:
- TLS 1.2+ for all data in transit and AES-256 at-rest encryption on managed storage.
- Per-account API-key isolation with bcrypt-hashed credentials, least-privilege IAM, and audit logging of privileged access.
- Signed append-only invoice chains and tamper-evident audit trails for each fiscalised document.
- Automated vulnerability scanning (Trivy, npm audit, cargo audit), SBOM generation, and regular dependency updates.
- Documented incident-response runbook, quarterly access reviews, and annual restore testing of backups.
6. Personal-data breach notification
We will notify the Controller without undue delay, and in any event within 72 hours of becoming aware of a personal-data breach affecting the Controller's data, by email to the billing contact on file. The notification will describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address it, consistent with GDPR Art. 33(3).
7. Audit rights
Once per twelve-month period, and on reasonable written notice of at least 30 days, the Controller (or an independent auditor it mandates, subject to confidentiality) may audit our compliance with this DPA. The audit must be limited to information strictly necessary to verify compliance, must not disrupt production systems, and must not require disclosure of information concerning other customers. We may satisfy the audit obligation by providing up-to-date third-party certifications or reports (for example the GCP EU SOC 2 and ISO 27001 attestations) where they cover the relevant controls.
8. Data return and deletion on termination
On termination of the main agreement we will, at the Controller's choice, return or delete all personal data processed on its behalf, save for the portion that local fiscalization law requires us to retain for statutory evidence purposes (for example 4 years for Spain, up to 10 years for Italy and Portugal, 6 years for France). Data retained for statutory reasons is quarantined, access-restricted, and deleted at the end of the retention period.
The Controller may request export or deletion at any time via privacy@zyntem.dev. We will confirm completion in writing.
9. Assistance with data-subject rights and DPIA
Taking into account the nature of the processing, we will assist the Controller by appropriate technical and organisational measures in fulfilling its obligations to respond to data-subject requests (Arts. 15–22 GDPR) and in carrying out data-protection impact assessments and prior consultations (Arts. 35–36 GDPR).
10. Confidentiality
We ensure that personnel authorised to process personal data are bound by a duty of confidentiality, whether by contract or by statute.
11. Precedence and updates
In the event of a conflict between this DPA and the main agreement in respect of processing of personal data, this DPA prevails. We may update this DPA from time to time to reflect legal or operational changes; material changes will be notified at least 30 days in advance. The current version is always available at /legal/dpa.
12. Contact
Data-protection and DPA queries: privacy@zyntem.dev. See also our privacy policy and imprint.