GDPR & Zambia DPA 2021 Compliant

Data Processing Agreement

Last updated: February 2026

1. Introduction and Scope

This Data Processing Agreement ("DPA") forms part of the Terms and Conditions between VoxIt Media Consulting AB, org nr 559316-5862, operating FINOVO ("Processor", "we", "us") and the Customer ("Controller", "you") and governs the processing of personal data by FINOVO on behalf of the Customer.

This DPA applies where FINOVO processes personal data on behalf of the Customer in connection with the provision of our AI-powered accounting services.

2. Definitions

  • "Personal Data" means any information relating to an identified or identifiable natural person.
  • "Processing" means any operation performed on Personal Data.
  • "Data Subject" means the individual to whom Personal Data relates.
  • "Sub-processor" means any third party engaged by FINOVO to process Personal Data.
  • "GDPR" means the General Data Protection Regulation (EU) 2016/679.
  • "Zambia DPA" means the Zambia Data Protection Act, No. 3 of 2021, and any regulations made thereunder.
  • "Commission" means the Zambia Data Protection Commission.

3. Roles and Responsibilities

3.1 Controller Responsibilities

The Customer, as Controller, is responsible for:

  • Determining the purposes and means of processing Personal Data
  • Ensuring a lawful basis exists for the processing
  • Providing required notices to Data Subjects
  • Responding to Data Subject requests
  • Ensuring the accuracy and quality of Personal Data provided

3.2 Processor Responsibilities

FINOVO, as Processor, shall:

  • Process Personal Data only on documented instructions from the Controller
  • Ensure personnel are bound by confidentiality obligations
  • Implement appropriate technical and organizational security measures
  • Assist the Controller in responding to Data Subject requests
  • Delete or return Personal Data upon termination of services
  • Provide information necessary to demonstrate compliance

4. Categories of Data Processed

In providing our services, FINOVO may process the following categories of Personal Data:

Category | Data Types
Contact Information | Names, email addresses, phone numbers, business addresses
Financial Data | Bank account details, transaction records, invoice data
Employment Data | Employee names on expense reports, salary information
Technical Data | IP addresses, device identifiers, access logs

5. Data Subjects

Personal Data processed may relate to:

  • Customer employees and contractors
  • Customer's clients and suppliers
  • Individuals named on receipts, invoices, and financial documents

6. Processing Purposes

FINOVO processes Personal Data solely for the following purposes:

  • Providing the AI-powered accounting and bookkeeping services
  • Document processing, data extraction, and categorization
  • Bank transaction reconciliation and matching
  • Financial reporting and analytics
  • User authentication and access management
  • Technical support and service improvement

7. Sub-processors

7.1 Authorization

The Customer grants FINOVO general authorization to engage Sub-processors for the purposes described in this DPA. FINOVO maintains a list of current Sub-processors available upon request.

7.2 Current Sub-processors

Sub-processor | Purpose | Location
Amazon Web Services | Cloud infrastructure | EU (Frankfurt)
MongoDB Atlas | Database hosting | EU (Ireland)
OpenAI | AI document processing | USA (with DPA)
Stripe | Payment processing | EU/USA (with DPA)

7.3 Changes to Sub-processors

FINOVO will notify the Customer of any intended changes to Sub-processors at least 30 days in advance, allowing the Customer to object on reasonable grounds.

8. Security Measures

FINOVO implements the following technical and organizational measures to protect Personal Data:

Technical Measures

  • AES-256 encryption for data at rest
  • TLS 1.3 encryption for data in transit
  • Regular automated backups with encryption
  • Network firewalls and intrusion detection systems
  • Multi-factor authentication support
  • Regular security updates and patch management

Organizational Measures

  • Strict access controls based on need-to-know
  • Employee confidentiality agreements and training
  • Incident response procedures
  • Regular security audits and assessments
  • Vendor due diligence for Sub-processors

9. Data Subject Rights

FINOVO shall assist the Controller in fulfilling its obligations to respond to Data Subject requests, including:

  • Right of access
  • Right to rectification
  • Right to erasure ("right to be forgotten")
  • Right to restriction of processing
  • Right to data portability
  • Right to object

FINOVO will promptly notify the Controller if it receives a request directly from a Data Subject and will not respond without Controller authorization, unless legally required.

10. Data Breach Notification

In the event of a Personal Data breach, FINOVO shall:

  • Notify the Controller without undue delay (and within 24 hours where feasible)
  • Provide details of the breach, including categories of data affected
  • Describe likely consequences and measures taken or proposed
  • Assist the Controller in notifying supervisory authorities and Data Subjects as required
  • Where the Zambia DPA applies, assist in notifying the Zambia Data Protection Commission within the timeframe required by law (without undue delay, and in any event within 72 hours of becoming aware where feasible)

11. International Transfers

Personal Data is primarily processed within the European Economic Area (EEA). Where transfers outside the EEA are necessary, FINOVO ensures adequate safeguards through:

  • Standard Contractual Clauses (SCCs) approved by the European Commission
  • Adequacy decisions where applicable
  • Binding Corporate Rules where relevant

Zambia cross-border transfers: Where personal data of Zambian data subjects is transferred to or processed on cloud infrastructure outside Zambia, FINOVO relies on the data subject's consent and/or the necessity of the transfer for the performance of the service, applies appropriate technical and organisational safeguards (including encryption and contractual data-protection commitments with sub-processors), and complies with the cross-border transfer requirements and any directions of the Zambia Data Protection Commission under the Zambia DPA.

12. Data Retention and Deletion

Upon termination of the service agreement, FINOVO shall, at the Controller's choice:

  • Return all Personal Data in a commonly used format, and/or
  • Delete all Personal Data within 90 days

FINOVO may retain Personal Data where required by applicable law, in which case it will inform the Controller of the legal basis and expected retention period.

13. Audits and Inspections

FINOVO shall make available to the Controller information necessary to demonstrate compliance with this DPA and allow for audits, including inspections, conducted by the Controller or an authorized auditor.

Audits shall be conducted with reasonable notice (at least 30 days), during normal business hours, and in a manner that does not disrupt FINOVO's operations.

14. Liability

Each party's liability under this DPA is subject to the limitations set forth in the main Terms and Conditions, except where such limitations are not permitted by applicable data protection law.

15. Term and Termination

This DPA shall remain in effect for the duration of the service agreement and shall survive termination to the extent necessary to fulfill data protection obligations.

16. Governing Law

This DPA is governed by the laws of Sweden. Any disputes shall be resolved in accordance with the dispute resolution provisions in the main Terms and Conditions.

Where the Customer or the relevant data subjects are located in Zambia, the mandatory provisions of the Zambia Data Protection Act, No. 3 of 2021 shall additionally apply to the processing of their personal data.

17. Contact Information

For questions regarding this DPA or data protection matters: