Taxpoynt Data Protection & Processing (Draft – NDPR-aligned)

Last updated: 11 Jul 2024
Scope: Processing of customer data within Taxpoynt SI, AP, and Hybrid services.

1. Roles

• You are the data controller for your tenant’s data. Taxpoynt acts as a data processor (and in limited cases, a controller where required by law, e.g., fraud/abuse prevention).

2. Processing purposes

• Deliver e-invoicing services: ingest canonical invoices, generate IRN/QR, validate with FIRS, archive/audit, and deliver callbacks.
• Reliability, security, and support: monitoring, alerting, replay/DLQ, incident response.
• Compliance: meeting legal/regulatory obligations (e.g., FIRS retention/validation).

3. Data handling controls

• Encryption in transit and at rest; redacted logs; least-privilege access; immutable audit trails for sensitive operations.
• Secrets and crypto keysets are never echoed; callbacks carry minimal required fields.
• Tenant/environment scoping for storage and access.

4. Subprocessors

• Limited to infrastructure, email, and observability providers vetted for security posture. A current list is provided in your agreement or on request.

5. Retention and deletion

• Retention aligns with contractual and regulatory requirements. Upon termination or written request (where permitted), data will be deleted or returned, subject to legal holds.

6. Breach notification

• Security incidents with material impact will be notified without undue delay, following contractual and regulatory requirements.

7. Data subject rights (NDPR)

• Access, correction, deletion (where legally permissible), restriction, and portability requests are supported. Contact support@taxpoynt.com.

8. Contact

• For data processing questions or to review the DPA: support@taxpoynt.com.