Data Processing Agreement

This agreement describes how DueTrail processes personal data on behalf of customers under GDPR and applicable data protection law.

Scope of processing

DueTrail processes personal data on behalf of the customer (the data controller) to provide the invoice collection service described in the Terms of Service.

Processing includes storing and displaying invoice data, customer contact details, email addresses, communication history, promise-to-pay records, and audit logs uploaded or generated through the product.

Roles and responsibilities

The customer is the data controller for all personal data uploaded into the workspace. DueTrail acts as a data processor, processing personal data only on documented instructions from the customer.

DueTrail will not process personal data for any purpose other than providing and securing the service, unless required by applicable law.

Sub-processors

DueTrail uses sub-processors for hosting, transactional email delivery, billing, error monitoring, and analytics. A list of current sub-processors is available upon request.

DueTrail will notify the customer before adding or replacing a sub-processor. If the customer objects, they may terminate the agreement.

Security measures

DueTrail implements appropriate technical and organisational measures to protect personal data, including encryption in transit, access controls, audit logging, and regular security reviews.

Personnel with access to personal data are bound by confidentiality obligations.

Data subject requests

DueTrail will assist the customer in fulfilling data subject requests (access, correction, deletion, portability) to the extent technically feasible.

Requests should be directed to the customer as data controller. DueTrail provides data export and account deletion tools to support these obligations.

Data breach notification

DueTrail will notify the customer without undue delay after becoming aware of a personal data breach affecting customer data.

The notification will include the nature of the breach, the categories and approximate number of records affected, and the measures taken or proposed to address the breach.

Data retention and deletion

Upon termination of the agreement or upon customer request, DueTrail will delete or return all personal data within 30 days, unless retention is required by applicable law.

The customer can initiate immediate deletion through the account deletion feature in workspace settings.

International transfers

Where personal data is transferred outside the European Economic Area, DueTrail ensures appropriate safeguards are in place, such as Standard Contractual Clauses or adequacy decisions.

Processor identity and contact

The data processor is Dmytro Yalanskyi, an individual entrepreneur registered in Ukraine, operating the DueTrail service.

Data-protection contact: privacy@duetrail.com. To request a signed DPA, a current sub-processor list, or notice of any sub-processor change, email the address above.