Data Processing Addendum

Effective date: April 22, 2026

This Data Processing Addendum ("DPA") supplements and is incorporated into the Invoice Link Terms of Service between you ("Controller") and Sentinel Holdings Group, Inc., a North Carolina corporation doing business as Invoice Link ("Processor", "we", "us"). It applies whenever you upload or otherwise submit data about third parties — including customers, invoice recipients, estimate recipients, and their contacts — into the Service.

1. Scope and incorporation

This DPA is incorporated by reference into the Invoice Link Terms of Service. By creating an account or using the Service, Controller is deemed to accept this DPA. In the event of a conflict between this DPA and the Terms of Service with respect to the processing of Customer Data, this DPA controls.

2. Definitions

Capitalized terms used but not defined here have the meaning given in the Terms of Service. The following definitions are drawn from the California Consumer Privacy Act (Cal. Civ. Code § 1798.140) and, where applicable, analogous U.S. state and international frameworks.

• Personal Information / Personal Data means information that identifies, relates to, or could reasonably be linked with a particular individual or household.
• Processing means any operation performed on Personal Information, including collection, storage, use, disclosure, and deletion.
• Controller (or Business under CCPA) means the party that determines the purposes and means of Processing — here, the contractor using the Service.
• Processor (or Service Provider under CCPA) means the party that Processes Personal Information on behalf of the Controller — here, Invoice Link.
• Customer Data means Personal Information that Controller uploads or submits to the Service about third parties (Controller's own customers, invoice recipients, estimate recipients, and their contacts).
• Account Data means Personal Information about Controller itself — the contractor's name, email, business details, subscription records — which Invoice Link Processes as a Business/Controller under its Privacy Policy, not under this DPA.

3. Processor obligations

With respect to Customer Data, Invoice Link will:

• (a) Process Customer Data only in accordance with documented instructions from Controller, which for these purposes consist of the Terms of Service, this DPA, and Controller's configuration choices within the Service;
• (b) Not sell or share Customer Data as those terms are defined under CCPA;
• (c) Not retain, use, or disclose Customer Data outside of the direct business relationship with Controller or for any commercial purpose other than providing the Service;
• (d) Not combine Customer Data received from Controller with Personal Information received from or on behalf of any other party, except as permitted by Cal. Civ. Code § 1798.140(ag)(1);
• (e) Ensure that personnel authorized to Process Customer Data are bound by written confidentiality obligations;
• (f) Implement and maintain reasonable and appropriate technical and organizational security measures designed to protect Customer Data (see Section 7);
• (g) Notify Controller without undue delay and in any event within 72 hours after becoming aware of a confirmed breach of security affecting Customer Data;
• (h) Provide reasonable assistance to Controller in responding to verifiable data subject requests (access, deletion, correction, opt-out) received by Controller;
• (i) Upon termination of the Service, delete or return Customer Data in accordance with Section 8; and
• (j) Make available to Controller, upon reasonable prior written notice and no more than once per twelve-month period, information reasonably necessary to demonstrate compliance with this DPA.

Invoice Link will promptly notify Controller if, in its opinion, an instruction violates applicable law, and in such case may suspend performance of the affected instruction until it is corrected.

4. Subprocessors

Controller acknowledges and authorizes Invoice Link's use of subprocessors to deliver the Service. Current subprocessors include payment processors (Stripe, PayPal), transactional email (Postmark), infrastructure and hosting (Railway, Vercel), mobile platforms and entitlement management (Apple, Google, RevenueCat), and AI/ML providers (OpenAI), among others. The current list is maintained at /privacy.

Invoice Link imposes data-protection obligations on each subprocessor that are no less protective than those in this DPA with respect to Customer Data. Invoice Link will provide at least 30 days' notice before adding or replacing a subprocessor. Controller may object to the change on reasonable data-protection grounds by emailing privacy@invoicelinkapp.com before the effective date; if the objection cannot be resolved, Controller's sole remedy is to terminate the affected portion of the Service.

5. International transfers

Customer Data is stored and Processed in the United States. If Controller or Controller's customers are located outside the United States, Controller acknowledges that the transfer of Customer Data to the United States occurs and instructs Invoice Link to make that transfer. Where legally required, Invoice Link will enter into supplementary transfer mechanisms (such as Standard Contractual Clauses) on written request to privacy@invoicelinkapp.com.

6. Data subject requests

If Invoice Link receives a privacy request (for example, a request for access, deletion, correction, or opt-out) directly from one of Controller's own customers, Invoice Link will:

• Not respond substantively on Controller's behalf without Controller's instruction;
• Forward the request to Controller within 5 business days using the email on file; and
• Provide reasonable technical assistance to Controller in fulfilling the request using features already available within the Service.

Controller is responsible for verifying the identity of the requester and for substantively responding within the time limits set by applicable law.

7. Security

Invoice Link maintains reasonable and appropriate administrative, physical, and technical safeguards designed to protect Customer Data against unauthorized or unlawful Processing and against accidental loss, destruction, or damage. Current controls include: TLS 1.2+ in transit; AES-256 encryption at rest for stored records; role-based access control on the principle of least privilege; logged and monitored administrative access; secrets managed via platform-native secret managers; and regular dependency and vulnerability review.

8. Termination and return or deletion of Customer Data

On termination of the Service for any reason, Invoice Link will delete Customer Data from active systems within 30 days and from backups on the ordinary backup rotation thereafter, except for records that Invoice Link is required to retain to comply with legal or regulatory obligations (including, without limitation, payment records retained for up to 7 years in accordance with IRS recordkeeping requirements). Controller may export Customer Data at any time prior to deletion using the Service's export features.

9. Liability and indemnity

Each party's liability arising out of or in connection with this DPA is subject to the limitations of liability and indemnification provisions in the Terms of Service. Nothing in this DPA creates liability for Invoice Link greater than the liability it would otherwise have under the Terms of Service.

10. Governing law

This DPA is governed by the laws of the State of North Carolina, without regard to conflict-of-laws principles. Disputes arising out of or relating to this DPA are subject to the dispute-resolution, arbitration, and class-action-waiver provisions in the Terms of Service.

11. Contact

For questions or requests specifically related to this DPA — including subprocessor objections, Standard Contractual Clause requests, audit requests, or forwarded data-subject requests — email privacy@invoicelinkapp.com.