Data Processing Agreement - Moniary

Terms used in this DPA have the meanings defined in Regulation (EU) 2016/679 ("GDPR"). "Personal Data" means any personal data processed by the Processor on behalf of the Controller in connection with the Service. "Sub-processor" means any third party engaged by the Processor to process Personal Data on behalf of the Controller.

Controller: The User is the controller of personal data contained in invoice documents, email content, and uploaded files processed through the Service. The User determines the purposes and means of processing this data by choosing to use the Service.

Processor: Moniary acts as the processor of this data, processing it solely on behalf of and according to the instructions of the Controller for the purpose of providing the Service.

Controller's Own Processing: Moniary acts as a separate controller for data it processes for its own purposes, such as account management, billing, and service improvement. This processing is governed by the Privacy Policy.

Purpose of processing: Extraction of structured data from supplier invoices using AI, organization and display of extracted data, and generation of ISDOC-format files for accounting system import.

Duration: Processing continues for the duration of the Controller's use of the Service and ceases upon termination of the Controller's account, subject to any legally required retention periods.

Nature of processing: Automated scanning, extraction, structuring, storage, and display of data from invoice documents and emails.

Types of personal data: Supplier names and contact details, invoice recipient details, bank account numbers, tax identification numbers (IČO, DIČ), email addresses, email metadata (sender, recipient, date, subject).

Categories of data subjects: The Controller's suppliers and business partners whose data appears in invoices and related email communications.

Documented instructions: The Processor shall process Personal Data only on documented instructions from the Controller, including with regard to transfers to third countries, unless required to do so by EU or Member State law. The use of the Service constitutes the Controller's documented instructions for the processing described in this DPA.

Confidentiality: The Processor shall ensure that persons authorized to process Personal Data have committed themselves to confidentiality or are under an appropriate statutory obligation of confidentiality.

Security measures: The Processor shall implement appropriate technical and organizational measures to ensure a level of security appropriate to the risk, including encryption of data in transit (HTTPS/TLS) and at rest, access controls and authentication mechanisms, regular security assessments, and backup and disaster recovery procedures.

Sub-processors: The Processor shall not engage another processor without prior general written authorization of the Controller. The Controller hereby grants general authorization for the Processor to engage sub-processors listed on the Sub-processors page. The Processor shall inform the Controller of any intended changes concerning the addition or replacement of sub-processors at least 14 days in advance, giving the Controller the opportunity to object. The current list of sub-processors is available on our website at the Sub-processors page.

Assistance with data subject rights: The Processor shall assist the Controller by appropriate technical and organizational measures, insofar as this is possible, for the fulfillment of the Controller's obligation to respond to requests for exercising data subject rights under Chapter III of the GDPR.

Breach notification: The Processor shall notify the Controller without undue delay after becoming aware of a personal data breach. The notification shall describe the nature of the breach, the categories and approximate number of data subjects and records concerned, the likely consequences, and the measures taken or proposed to address the breach.

Assistance with DPIA and prior consultation: The Processor shall assist the Controller in ensuring compliance with the obligations pursuant to Articles 32 to 36 of the GDPR, taking into account the nature of processing and the information available to the Processor.

Data deletion or return: Upon termination of the Service, the Processor shall, at the choice of the Controller, delete or return all Personal Data to the Controller and delete existing copies, unless EU or Member State law requires storage of the Personal Data. The Controller may export their data through the Service's export functionality before account termination.

Audit and inspection: The Processor shall make available to the Controller all information necessary to demonstrate compliance with the obligations laid down in Article 28 of the GDPR and allow for and contribute to audits, including inspections, conducted by the Controller or another auditor mandated by the Controller. The Processor shall immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other EU or Member State data protection provisions.

If the processing of Personal Data involves transfers to countries outside the EEA that do not benefit from an adequacy decision by the European Commission, the Processor shall ensure that appropriate safeguards are in place, such as Standard Contractual Clauses (SCCs) adopted by the European Commission. Details of current transfer mechanisms are specified in the sub-processor list.

Each party's liability under this DPA is subject to the limitations of liability set out in the Terms of Service. Nothing in this DPA limits either party's liability for breaches of the GDPR to the extent such limitation is not permitted by applicable law.

This DPA enters into force upon the Controller's acceptance of the Terms of Service and remains in effect for as long as the Processor processes Personal Data on behalf of the Controller. Upon termination of the Service, the provisions of this DPA that by their nature should survive termination shall continue to apply.

For any questions regarding this DPA or to exercise your rights as a Controller, please contact us at: