Data Processing Agreement

How we handle and protect your organization's data

Last updated: May 13, 2026

1. Definitions and Roles

This Data Processing Agreement ("DPA") is entered into between the organization subscribing to InvyEasy ("Data Controller" or "Customer") and InvyEasy, LLC ("Data Processor" or "We").

  • Data Controller: Your organization. You determine the purposes and means of processing personal data (employee names, schedules, inventory records, member information, event details).
  • Data Processor: InvyEasy. We process personal data on your behalf to provide the services described in our Terms of Service.
  • Personal Data: Any information relating to an identified or identifiable individual, including employee names, email addresses, phone numbers, work schedules, PIN codes, and member records.
  • Processing: Any operation performed on personal data, including collection, storage, retrieval, use, disclosure, and deletion.

2. Scope and Purpose of Data Processing

We process your data solely to provide the InvyEasy platform services, including:

  • Staff Management: Employee profiles, roles, positions, schedules, time-off requests, and payroll data
  • Inventory Management: Product records, stock counts, supplier information, and room assignments
  • Event Planning: Event details, BEOs, guest counts, and consumption tracking
  • Reservations: Guest names, party sizes, contact information, and member records
  • Communication: Chat messages, announcements, and push notifications between your team members
  • Billing: Organization name, billing email, and subscription status (payment processing is handled by Stripe, Inc.)

We do not process your data for any purpose other than providing and improving the services. We do not sell, rent, or share your data with third parties for marketing purposes.

3. Data Storage and Security Measures

We implement appropriate technical and organizational measures to protect your data:

  • Infrastructure: Data is stored on Supabase (powered by Amazon Web Services) in the United States. All data is encrypted at rest (AES-256) and in transit (TLS 1.2+).
  • Access Control: Row-Level Security (RLS) policies ensure that each organization can only access its own data. No cross-organization data access is possible.
  • Authentication: User sessions use JWT tokens with automatic refresh. Passwords are hashed using bcrypt. PIN codes are hashed with salted SHA-256.
  • File Storage: Uploaded files (BEOs, images, documents) are stored in Supabase Storage with organization-scoped access controls.
  • Payment Processing: Credit card information is never stored on our servers. All payment processing is handled by Stripe, Inc., a PCI-DSS Level 1 certified payment processor.
  • Monitoring: Application errors are tracked via Sentry for rapid incident response.

4. Sub-processors

We use the following third-party sub-processors to provide our services:

Sub-processorPurposeLocation
Supabase, Inc.Database, authentication, file storageUnited States
Vercel, Inc.Application hosting and deploymentUnited States
Stripe, Inc.Payment processing and billingUnited States
Resend, Inc.Transactional email deliveryUnited States
Expo (Software Mansion)Mobile push notificationsUnited States
Sentry (Functional Software)Error monitoring and crash reportingUnited States

We will notify you before adding or replacing any sub-processor. You may object to a new sub-processor within 30 days of notification.

5. Data Breach Notification

In the event of a personal data breach, we will:

  • Notify you without undue delay and no later than 72 hours after becoming aware of the breach
  • Provide details of the nature of the breach, categories and approximate number of records affected, likely consequences, and measures taken or proposed to address the breach
  • Cooperate with you and any supervisory authority in investigating and resolving the breach
  • Document all breaches, including facts, effects, and remedial actions taken

6. Data Subject Rights

We will assist you in fulfilling your obligations to respond to data subject requests, including:

  • Right of Access: Individuals may request a copy of their personal data. You can export data from the platform at any time.
  • Right to Rectification: You can update any personal data directly through the platform.
  • Right to Erasure: You can delete individual records through the platform. Upon account deletion, all associated data is permanently deleted within 30 days.
  • Right to Data Portability: You can export your data in CSV format from the platform at any time.

7. Data Retention and Deletion

  • Active Subscription: Your data is retained for the duration of your subscription and is available to you at all times.
  • Subscription Cancellation: Upon cancellation, your data is retained for 30 days to allow for reactivation. After 30 days, all data is permanently deleted from our systems and backups.
  • Account Deletion: If you request account deletion (available in Settings or via email), all personal data, organization data, files, and associated records are permanently deleted within 30 days.
  • Backup Retention: Database backups are retained for up to 7 days. Data deleted from the live system will be purged from backups within 7 days of deletion.

8. Compliance and Governing Law

  • This DPA is governed by the laws of the State of New Jersey, United States.
  • We comply with applicable US data protection laws, including the California Consumer Privacy Act (CCPA) where applicable.
  • For customers in the European Economic Area (EEA), we process data in accordance with the General Data Protection Regulation (GDPR). Data transfers from the EEA to the US are covered by Standard Contractual Clauses (SCCs).
  • This DPA supplements and is incorporated into our Terms of Service and Privacy Policy.

9. Contact Information

For any questions about this DPA or to exercise your data rights, contact us at:

  • Email: invyeasy@gmail.com
  • Website: invyeasy.com/contact