Data Processing Agreement
1. Introduction
This Data Processing Agreement (“DPA”) is entered into between you, the user of the Autobillr platform (“Data Controller,” “Controller,” or “you”), and NeoForge Labs Limited, a private limited company registered in Kenya (“Data Processor,” “Processor,” “Autobillr,” or “we”).
This DPA supplements the Terms of Service and Privacy Policy and governs the processing of personal data that you entrust to Autobillr for processing on your behalf. This DPA is required by Article 28 of the GDPR, Section 42 of the Kenya Data Protection Act, 2019, and similar provisions in other applicable data protection laws.
2. Definitions
“Data Protection Laws” means all applicable data protection and privacy laws, including the Kenya DPA, GDPR, UK GDPR, and CCPA/CPRA.
“Data Subject” means the identified or identifiable person to whom the personal data relates — typically your Clients and Invoice Recipients.
“Personal Data” means any information relating to a Data Subject processed through the Service.
“Sub-processor” means any third party engaged by the Processor to process Personal Data on behalf of the Controller.
3. Roles and Responsibilities
3.1 Data Controller (You)
You are the data controller for the personal data of your Clients and Invoice Recipients. You are responsible for: determining the purposes and means of processing, ensuring lawful basis, obtaining required consents, responding to Data Subject rights requests, and complying with Data Protection Laws.
3.2 Data Processor (Autobillr)
Autobillr processes Personal Data only in accordance with your documented instructions (constituted by your use of the Service), for the purposes of providing the Service, and in compliance with this DPA and applicable Data Protection Laws.
4. Scope of Processing
4.2 Types of Personal Data Processed
Client names, business names, email addresses, phone numbers, physical addresses, invoice details (amounts, line items, due dates), payment records, communication logs, and Client behavioral profiles (payment patterns, risk scores).
4.3 Processing Activities
Storing and displaying Client data; generating and sending invoices; sending chase communications; tracking communication delivery; generating Client payment profiles; validating invoices against contracts; producing cash flow predictions; and creating anonymized, aggregated benchmarks.
5. Processor Obligations
5.1 Confidentiality
All personnel authorized to process Personal Data are bound by obligations of confidentiality.
5.2 Security Measures
We implement appropriate technical and organizational security measures, including: encryption in transit (TLS 1.2+) and at rest (AES-256), access controls and authentication, tenant isolation through row-level database security, regular security assessments, and incident response procedures.
5.3 Sub-processors
We use Sub-processors to assist in providing the Service. We will impose data protection obligations no less protective than this DPA on all Sub-processors, notify you at least 14 days in advance of new Sub-processors, and provide you with the opportunity to object.
5.4 Data Subject Requests
We will promptly notify you of Data Subject requests and provide reasonable assistance in fulfilling them, including through technical measures for data access, rectification, erasure, and portability.
5.5 Data Breach Notification
In the event of a Personal Data breach, we will notify you within 48 hours, provide sufficient information for your breach notification obligations, and cooperate in mitigation.
5.7 Audit Rights
You have the right, subject to reasonable notice, to audit our compliance with this DPA. Audits will be conducted no more than once per year unless necessitated by a data breach or regulatory investigation.
5.8 Data Deletion and Return
Upon Account termination: we will cease processing, make your data available for export for 30 days, then delete or anonymize all Personal Data (except where retention is required by law), and provide written confirmation of deletion upon request.
6. International Data Transfers
Where Personal Data is transferred from the EEA, UK, or Switzerland, we ensure appropriate safeguards including Standard Contractual Clauses (SCCs) and supplementary measures. For transfers from Kenya, we comply with the Kenya DPA cross-border requirements.
Appendix A: Sub-processors
| Sub-processor | Processing Activity | Location |
|---|---|---|
| Render | Cloud hosting, database, compute | United States (Oregon) |
| Cloudflare (R2) | File storage | Global (edge network) |
| Resend | Email delivery | United States |
| Africa's Talking | SMS delivery (Africa) | Kenya |
| Twilio | SMS and WhatsApp delivery (Global) | United States |
| OpenRouter | AI model API routing | United States |
| Sentry | Error monitoring | United States |
Sub-processor list last updated: March 4, 2026
Contact
For questions about this DPA: privacy@autobillr.dev
By using the Autobillr Service, you enter into this Data Processing Agreement.