Data Processing Addendum (DPA)

This Data Processing Addendum (“DPA”) applies where KOPINFO Kft. processes personal data on behalf of a business customer (“Customer”) as part of providing MagicBill (the “Service”). It is intended to satisfy the requirements of Article 28 GDPR.

1. Parties

Processor: KOPINFO Információtechnológiai Korlátolt Felelősségű Társaság (KOPINFO Kft.)

• Address: 1118 Budapest, Rétköz u. 29., Hungary
• Contact: [email protected]

Controller: The Customer (business customer) that determines the purposes and means of processing of Customer Content.

2. Subject matter, duration, nature and purpose

• Subject matter: Processing of Customer Content (invoices, receipts and related files) and associated personal data, as instructed by Customer through use of the Service.
• Duration: For the term of the Customer’s use of the Service, plus any limited period necessary for deletion, backup expiration, dispute handling, or legal obligations.
• Nature of processing: Hosting, storage, extraction, transformation, categorization, analysis, transmission, and deletion.
• Purpose: To provide the Service (document processing, extraction, categorization, analytics, and related features), support, and security.

3. Types of personal data and categories of data subjects

Customer Content may include personal data such as names, contact details, identifiers on invoices/receipts, and transaction-related data. Data subjects may include employees, contractors, customers, suppliers, and other third parties appearing on documents.

4. Customer obligations

Customer is responsible for having a lawful basis for processing and for providing required notices to data subjects, ensuring instructions comply with law, and responding to data subject requests as required.

5. Processor obligations

Processor will process personal data only on documented instructions, ensure confidentiality, implement appropriate security measures, assist with compliance where applicable, and notify Customer of personal data breaches without undue delay after becoming aware.

6. Subprocessors

Customer authorizes Processor to use subprocessors as needed to provide the Service (e.g., hosting, authentication, payments, AI processing). Processor will maintain an up-to-date list of material subprocessors and provide notice of material changes where feasible.

7. International transfers

Where personal data is transferred outside the EEA/UK/Switzerland, Processor will implement appropriate safeguards, such as Standard Contractual Clauses (SCCs) and, for UK transfers, the UK Addendum or IDTA, as applicable.

8. Security measures

Processor implements measures such as encryption in transit (TLS), access controls, monitoring/logging, and backup/recovery processes.

9. Deletion or return

Upon termination of the Service, Processor will delete or return Customer Content and related personal data in accordance with the Service functionality and applicable retention requirements.

10. Audits

Processor will make available information reasonably necessary to demonstrate compliance with this DPA and allow audits as required by Article 28 GDPR, subject to reasonable confidentiality, security, and scheduling requirements.

11. Contact

Questions about this DPA: [email protected].