Data Processing Agreement

Plume · Effective 28 May 2026

Draft for review. Prepared with AI assistance; not legal advice. Have a qualified privacy lawyer review before relying on it.
This DPA applies to you as a data controller when you store personal data about your own clients in the Service. It forms part of the Terms of Service and is accepted when you create an account.

1. Parties and roles

This Data Processing Agreement ("DPA") is between you ("the Controller") and Evgeny Savin, trading as Plume ("the Processor"). It governs the Processor's processing of personal data on the Controller's behalf under the GDPR, in particular Article 28.

2. Subject matter, nature, purpose and duration

  • Subject matter: hosting and operation of an online invoicing tool.
  • Nature and purpose: storing, organising, displaying, and generating documents from the data the Controller enters, solely to provide the Service.
  • Duration: for as long as the Controller's account is active, plus any short wind-down period for deletion or return of data.

3. Types of personal data

Personal data the Controller may enter about its own clients and payees, including: names and contact names, email addresses, phone numbers, postal addresses, tax identification numbers, and bank details (such as IBAN, SWIFT/BIC, and beneficiary name).

4. Categories of data subjects

The Controller's customers, clients, payees, and their representatives.

5. Processor obligations

  • Process personal data only on the Controller's documented instructions (including the use of the Service), unless required to act by law.
  • Ensure that persons authorised to process the data are bound by confidentiality.
  • Implement appropriate technical and organisational security measures (GDPR Art. 32), including encryption in transit, per-account data isolation, hashed credentials, and access controls.
  • Assist the Controller, taking into account the nature of processing, in responding to data-subject rights requests.
  • Assist the Controller with security, breach notification, and data protection impact assessments.
  • On termination, delete or return all personal data at the Controller's choice, and delete existing copies unless retention is required by law.
  • Make available the information needed to demonstrate compliance and allow for and contribute to audits.

6. Sub-processors

The Controller gives general authorisation for the Processor to engage the sub-processors below. The Processor will inform the Controller of any intended change and give the Controller the opportunity to object. Each sub-processor is bound by data-protection obligations no less protective than this DPA.

Sub-processorPurposeLocation
Vercel Inc.Application hosting and content deliveryUnited States / global edge
Neon Inc.Managed PostgreSQL database hostingSee account region (verify EU)

7. International transfers

Where a sub-processor processes personal data outside the EEA, such transfers are made under an appropriate safeguard, primarily the European Commission's Standard Contractual Clauses, supplemented by technical measures. The Processor is reviewing hosting regions to keep data within the EEA where practical.

8. Personal data breaches

The Processor will notify the Controller without undue delay, and in any case promptly enough (targeting within 48 hours) to allow the Controller to meet its own 72-hour notification deadline, after becoming aware of a personal data breach affecting the Controller's data.

9. Liability and governing law

Liability under this DPA is subject to the limitations in the Terms of Service. This DPA is governed by the laws of Spain.

10. Acceptance

By creating an account and accepting the Terms of Service, the Controller accepts this DPA. For a countersigned copy, contact [privacy@your-domain].