Data Processing Addendum
Last updated: 13 April 2026
Draft notice. This DPA is a free-template draft for reference only. Enterprise customers should request a signature-ready DPA with Standard Contractual Clauses (SCCs) by emailing privacy@inventroy.com. We will also countersign a customer-provided DPA where reasonable.
1. Scope and definitions
This Addendum supplements the Terms of Service between you (the "Controller", or "Customer") and Inventroy (the "Processor") and applies whenever the Processor processes Personal Data on behalf of the Controller under the Terms.
Terms capitalised but not defined here have the meaning given in the UAE Personal Data Protection Law (Federal Decree-Law No. 45 of 2021) or Regulation (EU) 2016/679 ("GDPR") as applicable. "Personal Data", "Processing", "Data Subject", "Controller", "Processor" and "Sub-processor" have those meanings.
2. Roles and instructions
For Personal Data uploaded or input into the Customer's workspace by the Customer or its end users, the Customer is the Controller and Inventroy is the Processor. Inventroy will Process Personal Data only on documented instructions from the Customer, which include:
- the Terms of Service;
- this DPA;
- the Customer's use of the Service's features;
- explicit instructions sent to privacy@inventroy.com.
Inventroy will notify the Customer if, in its opinion, an instruction infringes applicable data-protection law.
3. Nature and purpose of Processing
InventroyProcesses Personal Data to provide the Service described in the Terms: hosting Customer Data, transmitting it between the Customer and its end users, generating invoices, sending transactional emails on the Customer's behalf, providing analytics and error monitoring, and the other operations necessary to operate a cloud-hosted business-management platform.
4. Types of Personal Data and Data Subjects
- Data Subjects: the Customer's employees, contractors, end-customers, suppliers, and any other individuals whose data the Customer chooses to input.
- Categories of Personal Data: names, email addresses, phone numbers, postal addresses, roles, employment or customer-relationship metadata, content of user-uploaded files, any other data the Customer chooses to input.
- Special categories: the Service is not designed to process special-category data (e.g. health, biometric, religious, political). The Customer must not use the Service to process special-category data without a separate written agreement.
5. Sub-processors
The Customer provides general written authorisation for Inventroyto engage the sub-processors listed below. Inventroy will notify the Customer at least thirty (30) days before engaging a new or replacement sub-processor, by updating this page or via in-product notice. The Customer may object on reasonable data-protection grounds by emailing privacy@inventroy.com.
| Sub-processor | Purpose | Location |
|---|---|---|
| Neon Inc. | Managed Postgres hosting | EU (Frankfurt) |
| Vercel Inc. | Application hosting, CDN | Global (multiple regions) |
| Stripe Payments Europe Ltd. / Stripe Inc. | Payment processing | Ireland / United States |
| Resend Inc. | Transactional email delivery | United States |
| Functional Software Inc. (Sentry) | Error monitoring | United States |
| Cloudflare Inc. | DNS, DDoS protection, CDN | Global |
| GoDaddy.com LLC | Domain registration | United States |
6. Security measures
Inventroy implements the technical and organisational measures described in its Privacy Policy ("How we protect data"), which include at minimum:
- TLS 1.2+ encryption in transit; AES-256 encryption at rest;
- Per-tenant Postgres database isolation;
- Scrypt password hashing with unique salts;
- Role-based access control and audit logging;
- Least-privilege employee access;
- Selection of sub-processors with recognised security certifications where available.
7. Confidentiality
Inventroy ensures that personnel authorised to Process Personal Data are bound by confidentiality obligations.
8. International transfers
Where Personal Data is transferred outside the UAE or the European Economic Area, the transfer relies on:
- an adequacy decision under GDPR Art. 45 or PDPL Art. 22; or
- Standard Contractual Clauses (SCCs) issued by the European Commission or an equivalent mechanism recognised by the UAE Data Office.
A signed SCCs package is available from privacy@inventroy.com on request.
9. Data-subject requests
Taking into account the nature of Processing, Inventroy will provide reasonable assistance to the Customer in responding to requests from Data Subjects exercising their rights under applicable law. Where the Service includes self-service tools to export, correct, or delete data, the Customer agrees to use those tools first.
10. Personal-data breach notification
Inventroywill notify the Customer without undue delay and, where feasible, within seventy-two (72) hours after becoming aware of a Personal Data breach affecting the Customer's data. The notice will describe the nature of the breach, the likely consequences, the measures taken or proposed, and a point of contact.
11. Audit rights
On reasonable written notice and no more than once per twelve-month period (except where required by a regulator), the Customer may request Inventroy's then-current audit reports, penetration-test summaries, and security questionnaires demonstrating compliance with this DPA. On-site audits are permitted where the Customer is a regulated entity and a reasonable scope and method are agreed in advance.
12. Return or deletion on termination
On termination of the Terms, the Customer may export Personal Data using the self-service tools for thirty (30) days. Thereafter, Inventroy will delete or anonymise Customer Data within ninety (90) days, except where retention is required by law (e.g. tax records).
13. Liability
Each party's liability under this DPA is subject to the limitations and exclusions in the Terms of Service. Nothing in this DPA limits liability in a way that is impermissible under applicable data-protection law.
14. Governing law
This DPA is governed by the same law as the Terms of Service (UAE law), except to the extent that EU GDPR or equivalent local law mandates otherwise for data subjects in those jurisdictions.
15. Contact
For DPA questions, sub-processor objections, or a signature-ready SCCs package, email privacy@inventroy.com.