Data Processing Agreement

dekimu.com is a marketing website and collects no personal data of its own. This Data Processing Agreement (the “DPA”) does not govern dekimu.com. It is the ecosystem-wide canonical agreement that applies wherever Dekimu Labs S.L. (CIF B55431357, Spain — the “Processor”) processes personal data on behalf of a business customer (the “Controller”) through the Dekimu apps and services — for example Dekimu Hub and Invoice Up.

In those services, the Controller decides why and how end-user personal data is processed; Dekimu Labs S.L. processes it only to provide the service. This DPA forms part of, and is subordinate to, the terms of service the Controller accepts for each app. Where Dekimu Labs S.L. acts as controller in its own right (for example, account authentication, billing, or its own marketing), its Privacy Policy and Records of Processing apply instead — not this DPA.

This DPA gives effect to Article 28(3) of the EU General Data Protection Regulation (Regulation (EU) 2016/679, “GDPR”) and the Spanish implementing law (Ley Orgánica 3/2018, LOPDGDD). It applies to Controllers across the EU and EEA.

Subject-matter: the processing of personal data that the Controller submits to, or generates within, a Dekimu app while using it.

Duration: for as long as the Controller’s account or subscription for the relevant app is active, plus any post-termination period set out in Section 10.

Nature and purpose: hosting, storing, transmitting, and operating on personal data strictly to deliver the contracted features of the app — for example payment follow-up and reminders in Invoice Up, or workspace, client, and content management in Dekimu Hub. Dekimu Labs S.L. does not use Controller personal data for its own profiling, advertising, or model training.

These categories reflect Dekimu’s Records of Processing Activities (RoPA, GDPR Art. 30). The exact set depends on the app and how the Controller uses it.

Data subjects may include: the Controller’s own staff and authorised users; the Controller’s clients and contacts; and individuals named in records the Controller creates (for example, billing contacts or recipients of reminders).

Personal data categories may include:

• Identification — name, email address
• Contact — postal address, phone number
• Financial — invoice amounts, tax identifiers, payment status (where the app handles this)
• Behavioural / technical — login times, request logs, IP address
• Free-text content the Controller stores in the app, which may contain personal data

Dekimu’s services are not designed to process special categories of data (Art. 9). The Controller agrees not to submit special-category data unless a written addendum is agreed in advance.

Dekimu Labs S.L. will:

• process personal data only on the Controller’s documented instructions, including for international transfers, unless required to act otherwise by EU or Spanish law (in which case it will inform the Controller first, where legally permitted). The Controller’s instructions are this DPA and the app’s configuration and feature set;
• immediately inform the Controller if, in its opinion, an instruction infringes the GDPR or other data-protection law;
• ensure that everyone authorised to process the data is bound by a duty of confidentiality;
• not process the data for any purpose other than providing the service.

Dekimu Labs S.L. applies technical and organisational measures appropriate to the risk, including:

• Zero-knowledge, end-to-end encryption for user business content. Across the ecosystem, the user’s business content is encrypted client-side; Dekimu’s servers hold ciphertext only and cannot read it. Encryption keys are derived on the user’s device.
• Encryption in transit — all traffic is served over HTTPS with HSTS.
• Access controls — scoped, authenticated access; per-app entitlement; signed session tokens; rate-limited authentication endpoints.
• Encryption at rest for credential material and stored records held by our infrastructure providers.
• Segregation and least privilege — operational access is limited to the people who need it, and is logged.

Because business content is encrypted client-side, the practical impact of a server-side compromise is materially reduced: an attacker reaching stored data finds ciphertext, not readable records.

The Controller gives general authorisation for Dekimu Labs S.L. to engage sub-processors to deliver the service. Each sub-processor is bound by data-protection obligations no less protective than this DPA. As of the date above, the sub-processors are:

• Vercel (Vercel Inc., via Vercel International BV) — compute, hosting, content delivery, and edge logs · EU region
• Upstash — managed Redis data storage · EU region
• Resend — transactional and notification email delivery · EU region
• Stripe (Stripe Payments Europe Ltd) — subscription payment processing · Ireland (EU). Card data never touches Dekimu infrastructure; Stripe tokenises it
• Accounting agent — bookkeeping and statutory tax filings (named in our vendor register, under a bilateral DPA) · Spain

We will give the Controller advance notice of any intended change to this list (addition or replacement of a sub-processor). The Controller may object on reasonable data-protection grounds within 14 days of notice. If we cannot resolve the objection, the Controller may terminate the affected service. Where any sub-processor is located outside the EEA, the transfer is covered by the EU Standard Contractual Clauses (see Section 12).

The Controller is responsible for responding to requests from data subjects (access, rectification, erasure, restriction, portability, objection). Taking into account the nature of the processing, Dekimu Labs S.L. will assist the Controller by appropriate technical and organisational measures — including the self-service export, edit, and deletion tools built into the apps — to help the Controller fulfil those requests. If a data subject contacts us directly about Controller data, we will redirect them to the Controller.

Dekimu Labs S.L. will notify the Controller without undue delay after becoming aware of a personal data breach affecting the Controller’s data — our internal target is within 48 hours. The notification will describe, as far as known, the nature of the breach, the categories and approximate number of data subjects and records affected, the likely consequences, and the measures taken or proposed. This helps the Controller meet its own 72-hour notification duty under Art. 33 where applicable. We will also reasonably assist the Controller in communicating with data subjects under Art. 34 where required.

Taking into account the nature of the processing and the information available to us, Dekimu Labs S.L. will provide reasonable assistance to the Controller with data protection impact assessments (Art. 35) and prior consultation with the supervisory authority (Art. 36) where the Controller’s use of a Dekimu service requires them.

On termination of the relevant service, and at the Controller’s choice, Dekimu Labs S.L. will return or delete all personal data processed on the Controller’s behalf, and delete existing copies, unless EU or Spanish law requires retention. Where the Controller does not make a choice, we will delete the data after a reasonable grace period that lets the Controller export it first. Some records may be retained for the periods required by Spanish accounting and tax law (for example, 7 years under Art. 30 of the Código de Comercio); those are held only for that legal purpose.

Dekimu Labs S.L. will make available to the Controller the information reasonably necessary to demonstrate compliance with Art. 28, and will allow for and contribute to audits, including inspections, conducted by the Controller or an auditor it mandates. In the first instance we will satisfy audit requests by providing documentation (this DPA, our security overview, sub-processor list, and relevant provider certifications). On-site inspections are subject to reasonable notice, confidentiality, and scheduling so as not to disrupt the service or other customers.

Personal data is processed within the EU/EEA wherever possible; our application-layer infrastructure and primary sub-processors are configured for EU regions. Where any sub-processor processes personal data outside the EEA, Dekimu Labs S.L. relies on the European Commission’s Standard Contractual Clauses (SCCs) as the transfer mechanism, supplemented by additional safeguards where needed. Transactional emails necessarily reach recipient mail servers that may be located anywhere; that routing is necessary to perform the contract (Art. 49(1)(b)).

Each party is liable for its own breaches of the GDPR and of this DPA, in accordance with Art. 82. Liability caps and exclusions in the app’s terms of service apply to this DPA. This DPA is governed by the laws of Spain. The competent supervisory authority is the Agencia Española de Protección de Datos (AEPD), without prejudice to the Controller’s right to engage its own lead supervisory authority. Disputes are subject to the courts of Spain, without prejudice to mandatory rules of the Controller’s jurisdiction.

Data-protection matters and DPA requests: Dekimu Labs S.L. (CIF B55431357) · legal@dekimu.com. To request a countersigned copy of this DPA, email the same address.

If we make material changes — including completing external legal review or updating the sub-processor list — we will update the “Last updated” date at the top of this page and, for sub-processor changes, give notice as set out in Section 6.