Legal · Data processing agreement
DPA on request, signed the same day.
Pre-launch. A standard GDPR Article 28 Data Processing Agreement template is maintained off-app and mailed on request. Self-serve download on the dashboard ships before the Day 14 public launch.
01 · Who needs a DPA
If you process any personal data belonging to EU data subjects via Arveleht — which a B2B invoice, strictly, always does (the buyer contact is a natural person) — you are a controller and we are a processor under GDPR Art. 28. A signed DPA is required.
02 · How to request
- Email hello@arveleht.eu with your registered company name, VAT or registration number, and signatory contact.
- We return a pre-filled PDF with your details within one business day.
- Counter-sign and return; an executed copy lands back in your inbox.
03 · What’s inside
The DPA lays out the subject-matter, duration, nature, and purpose of processing; categories of personal data; controller and processor obligations; sub-processor list (see privacy notice); international-transfer safeguards (EU-only processing today); incident notification (72 hours); and return/deletion of data on termination.
04 · Sub-processor change notice
We publish any proposed change to the sub-processor list on the privacy page 14 days before it takes effect. You can object during that window; if we cannot accommodate the objection we offer a refund pro-rata for the unused billing period.