Data Processing Agreement
Plume · Effective 28 May 2026
1. Parties and roles
This Data Processing Agreement ("DPA") is between you ("the Controller") and Evgeny Savin, trading as Plume ("the Processor"). It governs the Processor's processing of personal data on the Controller's behalf under the GDPR, in particular Article 28.
2. Subject matter, nature, purpose and duration
- Subject matter: hosting and operation of an online invoicing tool.
- Nature and purpose: storing, organising, displaying, and generating documents from the data the Controller enters, solely to provide the Service.
- Duration: for as long as the Controller's account is active, plus any short wind-down period for deletion or return of data.
3. Types of personal data
Personal data the Controller may enter about its own clients and payees, including: names and contact names, email addresses, phone numbers, postal addresses, tax identification numbers, and bank details (such as IBAN, SWIFT/BIC, and beneficiary name).
4. Categories of data subjects
The Controller's customers, clients, payees, and their representatives.
5. Processor obligations
- Process personal data only on the Controller's documented instructions (including the use of the Service), unless required to act by law.
- Ensure that persons authorised to process the data are bound by confidentiality.
- Implement appropriate technical and organisational security measures (GDPR Art. 32), including encryption in transit, per-account data isolation, hashed credentials, and access controls.
- Assist the Controller, taking into account the nature of processing, in responding to data-subject rights requests.
- Assist the Controller with security, breach notification, and data protection impact assessments.
- On termination, delete or return all personal data at the Controller's choice, and delete existing copies unless retention is required by law.
- Make available the information needed to demonstrate compliance and allow for and contribute to audits.
6. Sub-processors
The Controller gives general authorisation for the Processor to engage the sub-processors below. The Processor will inform the Controller of any intended change and give the Controller the opportunity to object. Each sub-processor is bound by data-protection obligations no less protective than this DPA.
| Sub-processor | Purpose | Location |
|---|---|---|
| Vercel Inc. | Application hosting and content delivery | United States / global edge |
| Neon Inc. | Managed PostgreSQL database hosting | See account region (verify EU) |
7. International transfers
Where a sub-processor processes personal data outside the EEA, such transfers are made under an appropriate safeguard, primarily the European Commission's Standard Contractual Clauses, supplemented by technical measures. The Processor is reviewing hosting regions to keep data within the EEA where practical.
8. Personal data breaches
The Processor will notify the Controller without undue delay, and in any case promptly enough (targeting within 48 hours) to allow the Controller to meet its own 72-hour notification deadline, after becoming aware of a personal data breach affecting the Controller's data.
9. Liability and governing law
Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of Spain.
10. Acceptance
By creating an account and accepting the Terms of Service, the Controller accepts this DPA. For a countersigned copy, contact [privacy@your-domain].