
Data Processing Policy

Wizard Labs (Invoice Wizard, “we”, “us”, “our” and terms of similar meaning) operates the website hosted at the invoicewizard.io domain and all associated subdomains (the “Website”), as well as the services provided by the Website (the “Service”) in compliance with these terms and conditions of use.

Before you install our app on your store, you must read, understand and agree to the terms stated here, and by using the Service you become legally bound by them.

The Service is an online invoicing software for Shopify stores. It is a mobile-compatible web application that allows the design and creation of invoices, packing slips, credit notes, and other document types. The Service is based on the SaaS (software as a service) model and requires a subscription.

Roles of the Parties


This policy shall apply where Merchant acts as a controller and Invoice Wizard as a processor, or where Merchant acts as a processor and Invoice Wizard as a sub-processor. All parties agree to keep all data and Confidential information private and secure from any third party.

Compliance with Data Protection Policies


Both parties will comply with all relevant data protection laws, regulations, and guidelines, including the General Data Protection Regulation (GDPR), the UK General Data Protection Regulation (UK GDPR) and the UK Data Protection Act 2018, the Privacy and Electronic Communications Directive, and the Swedish Data Act. These laws and regulations are designed to protect the privacy and personal data of individuals and are subject to change over time.

Processing Personal Data


Annex A specifies the extent, nature, and objective of the processing carried out by Invoice Wizard, the duration of the processing, and the types of personal data and categories of the data subjects involved.

Security


Assistance

Invoice Wizard will use reasonable efforts to provide the Merchant with the necessary tools and resources to manage and protect personal data, at the Merchant's expense. These tools include the ability for the Merchant to correct, retrieve, delete or restrict their personal data. If the Merchant is unable to handle a request from a data subject through these tools, they have the option to request additional assistance from Invoice Wizard. Upon termination of the agreement, Invoice Wizard will delete or return personal data to the Merchant unless required by law or if it has been archived on backup systems. If no written direction is provided by the Merchant, the personal data will be deleted according to the terms of the agreement.

If an individual contacts Invoice Wizard directly with a request or concern related to the processing of personal data under the agreement, Invoice Wizard will notify the Merchant and direct the individual to submit their request to the Merchant. The Merchant will be responsible for handling and responding to any requests or communications related to personal data.

Audit

Both parties agree that the Merchant has the right to evaluate Invoice Wizard's adherence to its obligations under data protection laws, when Invoice Wizard is processing data on behalf of the Merchant. The Merchant agrees that the audits described in the agreement meet their audit requirements. The Merchant will exercise their right to conduct inspections or audits by giving written notice to Invoice Wizard to proceed with the audits outlined in the agreement (including as per the Standard Contractual Clauses if applicable).

Merchant has the right to conduct an audit of Invoice Wizard's compliance with Article 28 of the GDPR. The audit must be scheduled with at least 30 days written notice to Invoice Wizard, and can only be done once per year. Invoice Wizard shall provide all necessary information to demonstrate compliance, including summaries of its information security and privacy policies, and will promptly cooperate and respond to Merchant's reasonable privacy and security questionnaires. If the request for audit occurs during a time when it would be disruptive to Invoice Wizard's business, the parties can mutually agree on an extension. Prior to the audit, the Merchant will have to sign a confidentiality agreement that is reasonably satisfactory to Invoice Wizard. The Merchant will bear their own costs and expenses for the audit, and both parties will make efforts to minimize disruption to Invoice Wizard's business activities.

Sub-Processors

The Merchant grants general written permission for Invoice Wizard to engage sub-processors, including Invoice Wizard's affiliates and third-party sub-processors (which may include other affiliates) as outlined in the Privacy policy. For the purpose of this policy, "Affiliate" means an entity that controls, is controlled by, or is under the same control as a party, in which an entity will be deemed to have control if it owns more than 50% of another entity. Invoice Wizard and its affiliates may engage such sub-processors to process personal data, as long as they have entered into a written agreement with the third-party processor that requires them to protect the personal data to the same standards outlined in this policy.

If Invoice Wizard or its affiliates appoint a new or remove an existing sub-processor, they will update the list on the Privacy Center. The Merchant can choose to receive alerts for such updates via the mechanism provided in the Privacy Center. If the Merchant has chosen to receive alerts, Invoice Wizard will send an email notification to the email address provided by the Merchant on the Privacy Center. The Merchant can object to the appointment or replacement of a sub-processor, as long as they notify Invoice Wizard in writing within 30 days of receiving the notification. If the Merchant does not object within this period, the new sub-processor will be considered accepted. If the Merchant objects and Invoice Wizard can't reasonably accommodate the objection, the Merchant can terminate the affected service(s) by giving written notice to Invoice Wizard. Any rights and obligations that have already been acquired will survive such termination.

If the Standard Contractual Clauses are applicable, both parties agree to the general written authorization outlined in section (a) of the Standard Contractual Clauses (Module Two). The Merchant acknowledges and agrees that they will be informed of any intended changes to the list of sub-processors and have the right to object in the manner described in this policy, as outlined in section (a) of the Standard Contractual Clauses (Module Two).

Invoice Wizard is still accountable for any actions or inactions of its sub-processors to the same extent as if it was performing the services of each sub-processor directly under the terms of this policy.

Both parties agree that the copies of the sub-processor agreements that Invoice Wizard provides to the Merchant for the Standard Contractual Clauses (Module Two) may have any commercial or non-relevant information removed by Invoice Wizard. Invoice Wizard will provide these copies in a manner it sees fit, when requested by the Merchant.

The Merchant acknowledges and agrees that Invoice Wizard may use telecommunications providers as part of providing the Service. The Merchant also acknowledges that in order to send communications for the Service, Invoice Wizard may have to transmit the Merchant's communications through existing telecommunications networks and suppliers, which may be companies that are required to comply with telecommunications and privacy laws, but may not have direct contracts with Invoice Wizard or the Merchant. The Merchant also acknowledges that Invoice Wizard may use payment gateways in providing the Service through companies that are required to comply with data protection laws, but may not have direct contracts with Invoice Wizard. The Merchant authorizes Invoice Wizard to transmit communications through existing telecommunications networks and use payment gateways as needed to provide the Service, and acknowledges and agrees that telecommunications networks and payment gateways suppliers are not considered sub-processors under the Agreement.

When the Merchant reports potential issues with the quality of the Service, the Merchant authorizes Invoice Wizard to work with its relevant suppliers to diagnose and resolve the reported issues, including by providing them with access to necessary data, such as recordings and logs, which may contain personal data.

Transfers of Personal Data

Invoice Wizard is obligated to comply with all relevant regulations for cross-border transfers of personal data under Data Protection Legislation.

If Invoice Wizard processes any personal data that originates from the European Economic Area (EEA) or a country that has not been deemed by the European Commission to provide an adequate level of protection for personal data, the parties will enter into the Standard Contractual Clauses for the transfer of personal data to third countries as outlined in the Annex to Commission Decision (EU) 2021/914 adopted on June 4, 2021. These clauses are incorporated into and form part of this policy.

The parties agree that the data processing details outlined in Annex A of this policy will apply for the purposes of Annex 1 of the Standard Contractual Clauses, and the technical and organizational security measures outlined in Annex B of this policy will apply for the purpose of Annex 2 to the Standard Contractual Clauses. Invoice Wizard is considered the "data importer" and the Merchant the "data exporter" under the Standard Contractual Clauses, and both parties will comply with their respective obligations under the Standard Contractual Clauses. The Merchant authorizes Invoice Wizard to execute the Standard Contractual Clauses (Module 3) with any relevant sub-processors (including Invoice Wizard Affiliates). Unless Invoice Wizard notifies the Merchant otherwise, if the European Commission subsequently amends the Standard Contractual Clauses at a later date, those amendments will supersede and replace any Standard Contractual Clauses executed between the parties. Annex C applies to the use of the Standard Contractual Clauses.

If Invoice Wizard processes any personal data that originates from a country that has not been deemed by the government to provide an adequate level of protection for personal data, and the parties have implemented a validation mechanism for such transfers, the parties agree that this mechanism will continue to apply to such transfers. Unless the Merchant notifies Invoice Wizard otherwise, if the government later recognizes the new Standard Contractual Clauses as a valid data transfer mechanism, they will supersede and replace the existing mechanism. The Annexes of this policy replace any previous data processing agreements signed between the Merchant and Invoice Wizard, except where such would represent a conflict with this section.

The parties agree that the data export solution identified in this policy will not apply if the Merchant chooses to adopt an alternative data export solution that is legally recognized under Data Protection Legislation. In this case, the Merchant will cooperate with Invoice Wizard to find a solution, and this alternative data export solution will apply instead, but only to the extent that it covers the territories to which personal data is transferred under this policy.

Other

Words following the terms "including" and similar expressions, such as "for example," do not limit the meaning of the words that come before them.

This policy replaces and supersedes any previous data processing policies, attachments, or exhibits, including privacy policies, between the parties, except as provided for in this DPA, if applicable. Any addenda, attachments, or exhibits related to security will still be in effect and supplement the security measures outlined in Annex B. If there is a conflict between Annex B and any other agreement the Merchant has with Invoice Wizard regarding information security, including administrative, physical, or technical safeguards for protecting data, the provisions that provide more protection for the data will take precedence.

Liability

Even though this policy may state otherwise, the liability of each party and each party's Affiliates under this policy will be subject to the exclusions and limitations of liability outlined in the Agreement. If there is no such provision in the Agreement, neither party will be liable for any damage which exceeds the total amount paid or payable to Invoice Wizard under the Agreement during the 12-month period before the initial claim, and neither party will have any liability to the other party for any loss of profits or revenues, loss of goodwill, loss or corruption of data or for any indirect, special, incidental, consequential or punitive damages arising out of, or in connection with the Agreement or this policy.

Governing Law and Jurisdiction

This policy will be governed by and interpreted in accordance with the provisions of governing law and jurisdiction in the terms of service, unless required otherwise by applicable Data Protection Legislation.

Termination of policy

This policy will end automatically when the app is uninstalled.

This policy becomes a binding part of the Agreement from the Effective Date of the policy.

ANNEX A - PERSONAL DATA PROCESSING PURPOSES AND DETAILS

LIST OF PARTIES

Data exporter(s): Role (controller/processor): Controller

The contact person for data protection matters, position and contact details of the data protection officer and/or representative in the European Union (if different) should be provided by the data exporter via email to helpwizard@invoicewizard.io after the Agreement has been signed.

The activities relevant to the data transferred under these Standard Contractual Clauses (SCCs) include services provided by the data importer to the data exporter that involve the transfer of personal data as outlined in the Agreement.

Data importer(s): Contact details for data protection matters: helpwizard@invoicewizard.io

The activities relevant to the data transfer include the services provided by the data importer to the data exporter that involve the transfer of personal data as outlined in the Agreement.

DESCRIPTION OF TRANSFER

Groups of individuals whose personal information is being shared.

A merchant may provide personal information to Invoice Wizard in order for the latter to provide its services. The merchant has complete control over the extent of personal data shared and this can include, but is not limited to, personal information related to certain groups of people. These are:

Categories of personal data transferred

A merchant may provide personal information to Invoice Wizard in order for the latter to provide its services. The merchant has complete control over the extent of personal data shared and this can include (depending on the type of services being provided).

The merchant may upload, submit or provide certain personal data to the service, the extent of which is determined and controlled by the merchant, and may include the following types of personal data.

If applicable, sensitive data will be transferred with strict restrictions and safeguards in place to fully consider the nature of the data and potential risks, such as specific limitations on its use, restricted access for staff who have received specialized training, keeping records of access to the data, limitations on further sharing or additional security measures.

Sensitive data may be transferred by the Merchant to Invoice Wizard only when necessary for providing the services outlined in the agreement.

The measures in place to protect this data are detailed in Annex B. The data transfer will happen continuously.

Nature of the Processing

Invoice Wizard will process personal data as required to fulfill the Services outlined in the Agreement, according to instructions provided by the Merchant (as stated in this policy) when using the Services.

Purpose of data transfer and further processing:

Invoice Wizard will process personal data for the purposes necessary to perform the Services outlined in the Agreement, according to instructions provided by the Merchant (as stated in this policy) when using the Services.

Retention period of personal data or criteria used to determine that period:

Personal data will be retained as long as required for the provision of Services by Invoice Wizard under the Agreement.

Transfers to (sub-) processors, including subject matter, nature, and duration of processing:

Subject matter and nature of processing will be done for the duration required for the data importer to provide the Services to the data exporter.

ANNEX B - TECHNICAL MEASURES

This Annex II outlines the security measures that Invoice Wizard will implement in relation to the personal data provided by the Merchant to Invoice Wizard to allow it to provide the services under the Agreement.

- Measures of encryption

Invoice Wizard encrypts personal data of the Merchant while it is being transmitted over internal networks and when it is sent to and received from Invoice Wizard's Applications.

- Measures for ensuring ongoing confidentiality, integrity, availability, and resilience

Invoice Wizard has documented plans for business continuity and disaster recovery to ensure that operations can quickly resume with minimal interruption in case of an unexpected event that could significantly affect the personal data of the Merchant or Invoice Wizard's ability to provide products and services under the Agreement.

- Measures for ensuring the ability to restore the availability

Invoice Wizard performs regular data replication and backup as necessary to prevent data loss and ensure service recovery for the Merchant.

- Processes for regularly testing, assessing, and evaluating the effectiveness of technical and organizational measures in order to ensure the security of the processing

Invoice Wizard uses various tools to continuously monitor and track security vulnerabilities, identify, report, and address network vulnerabilities. As part of ongoing information security activities, security vulnerabilities are prioritized and assigned appropriate remediation processes based on the type of vulnerability, its severity, and potential impact.

Invoice Wizard frequently conducts penetration testing on its networks, infrastructure and products, including identifying security vulnerabilities. The company further leverages automated penetration testing tools for a comprehensive view of existing vulnerabilities and attack vectors to reduce the risk of cyber attacks.

- Measures for user authorization

Invoice Wizard controls, monitors and protects users' access credentials and secrets using industry-standard tools, including its own security products. The company also secures physical access to the equipment used for storing personal data of Merchant by using industry-standard processes to limit access to authorized personnel.

Invoice Wizard's policies for internal access to personal data of Merchant are based on the least privilege and need-to-know principles, according to individual roles and responsibilities. The company maintains methods and procedures to prevent unauthorized access to the Merchant's personal data and the systems that host it. It uses appropriate authentication methods to control access to the network applications and systems that contain personal data of Merchant (which may include Virtual Private Network (VPN) and Multi-Factor Authentication (MFA) and more).

- Measures for data protection during transmission

Invoice Wizard encrypts all personal data of the Merchant while it is being transmitted over internal or external networks and when it is sent to and received from Invoice Wizard.

- Measures for data protection during storage

Where feasible in relation to the services provided to the Merchant, Invoice Wizard encrypts personal data of the Merchant while it is stored in its systems.

- Measures for ensuring the physical security of locations

Invoice Wizard implements security measures at its office and facilities that host servers containing sensitive or critical information, including personal data of the Merchant, and only allows authorized personnel access to these facilities.

- Measures for ensuring events logging

We have established processes and policies to ensure that incidents are properly handled and recorded.

- Measures for ensuring system configuration

Invoice Wizard creates, documents and maintains current configurations of systems under control, and reviews these configurations at least annually. Default configurations of technical controls are removed before the system is operational.

- Measures for internal IT security governance

Invoice Wizard has established policies and procedures to ensure that roles and responsibilities related to managing and monitoring security requirements and procedures are clearly defined.

- Measures for certification of processes and products

Invoice Wizard currently adopts leading software development practices to develop its application.

- Measures for ensuring data minimization

All of Invoice Wizard's employees are required to complete initial and ongoing training on information security and GDPR compliance, including specific modules on data minimization.

Invoice Wizard's Internal Privacy Policy also includes guidance for employees to ensure that the data they handle is limited in scope and duration to what is necessary for the purpose of the processing.

Invoice Wizard processes the data provided by Merchants, the extent of which is determined and controlled by the Merchant alone.

- Measures for ensuring data quality

Invoice Wizard processes the data provided by Merchants through the Shopify API. Invoice Wizard is not responsible for the accuracy of the provided data.

The quality of the data generated by Invoice Wizard's products is ensured through the implementation of secure development practices.

- Measures for ensuring data retention

Invoice Wizard retains merchant information only for the period specified in the Agreement or documentation, except when a longer retention period is required by law or regulations.

Invoice Wizard securely disposes of personal data of merchant in accordance with the Agreement and applicable laws, ensuring that the data cannot be read or reconstructed.

- Measures for ensuring accountability

Invoice Wizard's information security framework includes practices and procedures like managing assets, managing access, physical security, people security, network security, security of third-parties, security of products, vulnerability management, security monitoring and incident response. The information security policies and standards have been approved by management and are accessible to all Invoice Wizard employees.

ANNEX C - ADDITIONAL SAFEGUARDS

This Annex is supplementary to, and should be read together with, the Standard Contractual Clauses. Any references to the 'Clauses' in this Annex should be understood as references to the Standard Contractual Clauses.

The data importer must reasonably aid the data exporter in evaluating the suitability of protection for personal data in compliance with the requirements of the applicable data protection laws.

When receiving any legally binding order or request for disclosure of personal data by a law enforcement agency or other competent government authority, the data importer will comply.