Last updated: July 12, 2026
This Data Processing Agreement ("DPA") describes how Greenstamp Software, Inc ("Greenstamp," "Processor," "we," or "us") processes personal data on behalf of our clients ("Controller," "you") in accordance with Article 28 of the General Data Protection Regulation (EU) 2016/679 ("GDPR"). This DPA forms part of and is incorporated into our Terms of Service.
By creating a Greenstamp account, you agree to this DPA as the Controller of personal data processed through our platform.
Greenstamp processes personal data solely to provide our electronic invoicing platform and related services as described in our Terms of Service. We process data only on your documented instructions, unless required by law to do otherwise.
The following categories of personal data are processed on your behalf:
We do not process special categories of personal data (Article 9 GDPR) such as health data, biometric data, racial or ethnic origin, or political opinions.
All persons authorized to process personal data on our platform have committed to confidentiality or are under an appropriate statutory obligation of confidentiality.
We implement the following technical and organizational measures to protect your data:
We assist you in responding to requests from individuals exercising their GDPR rights, including access, rectification, erasure, portability, restriction, and objection. We provide self-service data export (JSON format) and data deletion capabilities through the platform.
We will notify you without undue delay upon becoming aware of a personal data breach affecting your data. Our notification will include the nature of the breach, the categories and approximate number of individuals affected, the likely consequences, and the measures taken to address it.
You authorize us to engage the following sub-processors to deliver our services. Each sub-processor is bound by data processing obligations no less protective than those in this DPA.
| Sub-Processor | Location | Purpose |
|---|---|---|
| Unimaze Software | Iceland (EEA) | PEPPOL network connectivity for European e-invoicing |
| SW Sapien S.A. de C.V. | Mexico | CFDI invoice stamping and validation (PAC) |
| Render Services, Inc. | United States or EU (Frankfurt) | Cloud hosting, compute, and database (in the region of the customer's deployment) |
| Amazon Web Services, Inc. | United States or EU (Frankfurt) | File storage (S3) for invoice PDFs, receipts, and data exports (in the region of the customer's deployment) |
| Stripe, Inc. | United States | Subscription billing for the Greenstamp service. Limited to the account's billing contact and payment method — no customer invoice, tax, or financial data is shared with Stripe. |
| Amazon Web Services, Inc. (Bedrock) | United States or EU (Frankfurt) | AI model inference for invoice classification and validation (Claude via Amazon Bedrock); processed in the region of the customer's deployment and not used for model training |
| Mailgun Technologies, Inc. | United States or EU (Frankfurt) | Transactional email delivery (account, invoice, and notification emails), in the region of the customer's deployment |
| Twilio Inc. | United States or EU (Frankfurt) | SMS and WhatsApp message delivery for the Greenstamp Business Messaging program |
| Belvo Technologies, Inc. | Mexico | Read-only bank transaction import (bank feeds) for Mexico and Latin America |
| Plaid Inc. | United States | Read-only bank transaction import (bank feeds) for the United States and Canada |
| Apple Inc. | United States | In-app purchase receipt verification for the iOS app |
| Google LLC | United States | In-app purchase receipt verification for the Android app |
We will notify you at least 30 days before adding or replacing a sub-processor. If you object, we will discuss the concern in good faith. If no resolution is reached, you may terminate the affected services.
Greenstamp hosts customer data in the region of the customer's deployment — the European Union (Frankfurt) or the United States. For customers on the EU deployment, application data, files, and AI inference are processed and stored within the European Economic Area (EEA). Where personal data originating in the EEA is transferred to a sub-processor located outside the EEA (see the sub-processor table above) — for example, subscription billing in the United States — that transfer is protected by the European Commission's Standard Contractual Clauses (Implementing Decision (EU) 2021/914), Module Two (Controller to Processor), incorporated into this DPA by reference, or by an applicable adequacy decision.
Copies of the applicable Standard Contractual Clauses are available upon request at privacy@greenstamp.io.
We retain your data for the following periods:
Upon termination of your subscription, we will, at your choice, delete or return all personal data and delete existing copies — unless law requires further retention. Where legal retention applies, we anonymize the data by removing personal identifiers while preserving aggregate financial records as required.
We will make available all information necessary to demonstrate compliance with this DPA and GDPR Article 28. We will allow for and contribute to audits conducted by you or your mandated auditor, subject to reasonable notice. We may satisfy audit requests by providing relevant certifications or audit reports, written responses to your questionnaire, or on-site access upon reasonable notice (no more than once per calendar year, at your expense).
This DPA remains in effect for the duration of your Greenstamp subscription. Obligations relating to confidentiality, data retention, and deletion survive termination.
As required by GDPR Article 27, we have appointed EU Rep as our Representative. All GDPR queries from EU Data Subjects or Data Protection Authorities should be submitted to eurep.ie via their dedicated form.
BizLegal Ltd trading as EU Rep
27 Cork Road, Midleton, Co. Cork, Ireland
Company number 635921
For questions about this Data Processing Agreement or to exercise your rights:
Data protection: privacy@greenstamp.io
General: info@greenstamp.io
Address: 2093 Philadelphia Pike #6970, Claymont, DE 19703, United States